comparison doc/Brute-force-search @ 170:13b8d90eb5c7

doc/Brute-force-search article written
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 01 Mar 2021 00:25:49 +0000
children efe944a5c4e3
169:c37a3cc0fafe 170:13b8d90eb5c7
1 Brute force search of card file system file ID space
2 ====================================================
3
4 The two protocols for accessing the file system of SIM cards (the original GSM
5 11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting
6 directories and elementary files (EFs) by file IDs, but there is no provision
7 in either protocol for listing or enumerating what file IDs exist - there is no
8 'ls' operation.
9
10 I (Mother Mychaela) really wanted to see the complete file system tree (all
11 directories and files) on SIM and UICC cards that are sold as programmable, made
12 by vendors such as Grcard and Sysmocom - my philosophy is that customers of such
13 programmable SIMs have a natural right to know about every file on those cards
14 and to exercise full control over the file system. But the unfortunate reality
15 with all currently available "programmable" SIMs on the market (or at least all
16 known ones) is that not only are their vendors not giving us a way to reformat
17 their cards and to recreate an entirely new file system layout as we like it,
18 but they don't even document the complete file system content their cards are
19 shipped with - and because there is no 'ls' operation in either of the two
20 standard protocols, there is no trivial way for us to just see it.
21
22 In order to see the true undocumented file system content of both Grcard and
23 Sysmocom SIMs, I have implemented a brute force search of the file ID space.
24 This brute force search works as follows:
25
26 * Starting with MF (file ID 3F00), try selecting every possible file ID from
27 0000 to FFFF, skipping only 3F00. For every file ID where the SELECT command
28 returns something other than "file ID not found" error (SW 9404 for SIM or
29 6A82 for UICC), follow up with GET RESPONSE and report what is found. For
30 every found file ID that turns out to be a DF when the full response is
31 parsed, the brute force search code takes note of it for further descent.
32
33 * For every found DF, repeat the same brute force search inside that DF. File
34 IDs to be skipped at this search level include MF, the DF being searched, and
35 siblings of the current DF. If there are further nested DFs, the search has
36 to continue recursively.
37
38 In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only
39 one bfsearch-mf command, performing the search from MF - in this protocol there
40 is only one file system tree. In the case of UICC-architecture cards, there are
41 multiple file system trees that are independent and disjoint: there is the main
42 file system tree starting at MF, and then each application of the USIM/ISIM kind
43 has its own ADF and a separate file system tree under that ADF, practically
44 meaning ADF.USIM, ADF.ISIM and whatever other applications are present.
45
46 bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this
47 command takes no arguments and should work the same way irrespective of any
48 prior card session state. fc-uicc-tool also adds a complementary bfsearch-adf
49 command for searching ADF-based directory trees; in order to use bfsearch-adf,
50 you have to first select the desired application (select-aid, select-usim or
51 select-isim) in the same card session.
52
53 Please note that these brute force searches are very slow - in the Mother's
54 experience with Grcard and Sysmocom cards, each bfsearch run took about an hour.
55
56 Findings on GrcardSIM2 and sysmoISIM-SJA2
57 =========================================
58
59 bfsearch-booty directory in this code repository contains some findings that
60 have been captured with brute force searches. As one can see from these data
61 captures, both Grcard and Sysmocom cards have plenty of additional directories
62 and files beyond the standard ones called for SIM/USIM/ISIM, and we can only
63 guess at what purpose all those extra proprietary directories and files may be
64 serving. There is one proprietary file on GrcardSIM2 and a few on sysmoISIM-
65 SJA2 that are documented, but what we have found with bfsearch goes far beyond
66 these few documented proprietary files. I wonder if perhaps various card-
67 resident applications are using some of these proprietary files for their
68 internal purposes.
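Review bot: the skip list given in the second bullet of the search description (MF, the DF being searched, and siblings of the current DF) omits the parent DF, which matters exactly in the recursive case the same bullet introduces. Under the SELECT-by-file-ID rules of both GSM 11.11 and TS 102 221, the parent of the current directory is selectable in the same way as MF, the current DF, its children and its siblings, so when the search runs inside a DF nested under another non-MF DF, the parent's file ID will answer SELECT, be reported as a find, and leave the card positioned outside the DF under search for every following probe. Either add the parent to the skipped IDs or state that the code re-selects the DF under search after each hit. A smaller documentation gap in the first bullet: "anything other than 9404 / 6A82, then GET RESPONSE" reads as if every other status word carries response data, but only 9Fxx (SIM) and 61xx (UICC) do; say how other status words (a 69xx or 6Fxx, for example) are reported, so a reader of the bfsearch-booty captures can tell an oddly-answering file from a parse failure.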