view doc/Brute-force-search @ 68:c5e7c9e1d857

GSM7 to qstring decoding: rework in a new way, emit \E for Euro
author Mychaela Falconia <falcon@freecalypso.org>
date Thu, 25 Mar 2021 00:04:08 +0000
parents da6e9d0b2ee6
children
line wrap: on
line source

Brute force search of card file system file ID space
====================================================

The two protocols for accessing the file system of SIM cards (the original GSM
11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting
directories and elementary files (EFs) by file IDs, but there is no provision
in either protocol for listing or enumerating what file IDs exist - there is no
'ls' operation.

I (Mother Mychaela) really wanted to see the complete file system tree (all
directories and files) on SIM and UICC cards that are sold as programmable, made
by vendors such as Grcard and Sysmocom - my philosophy is that customers of such
programmable SIMs have a natural right to know about every file on those cards
and to exercise full control over the file system.  But the unfortunate reality
with all currently available "programmable" SIMs on the market (or at least all
known ones) is that not only are their vendors not giving us a way to reformat
their cards and to recreate an entirely new file system layout as we like it,
but they don't even document the complete file system content their cards are
shipped with - and because there is no 'ls' operation in either of the two
standard protocols, there is no trivial way for us to just see it.

In order to see the true undocumented file system content of both Grcard and
Sysmocom SIMs, I have implemented a brute force search of the file ID space.
This brute force search works as follows:

* Starting with MF (file ID 3F00), try selecting every possible file ID from
  0000 to FFFF, skipping only 3F00.  For every file ID where the SELECT command
  returns something other than "file ID not found" error (SW 9404 for SIM or
  6A82 for UICC), follow up with GET RESPONSE and report what is found.  For
  every found file ID that turns out to be a DF when the full response is
  parsed, the brute force search code takes note of it for further descent.

* For every found DF, repeat the same brute force search inside that DF.  File
  IDs to be skipped at this search level include MF, the DF being searched, and
  siblings of the current DF.  If there are further nested DFs, the search has
  to continue recursively.

In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only
one bfsearch-mf command, performing the search from MF - in this protocol there
is only one file system tree.  In the case of UICC-architecture cards, there are
multiple file system trees that are independent and disjoint: there is the main
file system tree starting at MF, and then each application of the USIM/ISIM kind
has its own ADF and a separate file system tree under that ADF, practically
meaning ADF.USIM, ADF.ISIM and whatever other applications are present.

bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this
command takes no arguments and should work the same way irrespective of any
prior card session state.  fc-uicc-tool also adds a complementary bfsearch-adf
command for searching ADF-based directory trees; in order to use bfsearch-adf,
you have to first select the desired application (select-aid, select-usim or
select-isim) in the same card session.

Please note that these brute force searches are very slow - in the Mother's
experience with Grcard and Sysmocom cards, each bfsearch run took about an hour.

Findings on GrcardSIM2 and sysmoISIM-SJA2
=========================================

The data directory in this code repository contains some findings that have been
captured with brute force searches.  As one can see from these data captures,
both Grcard and Sysmocom cards have plenty of additional directories and files
beyond the standard ones called for SIM/USIM/ISIM, and we can only guess at what
purpose all those extra proprietary directories and files may be serving.  There
is one proprietary file on GrcardSIM2 and a few on sysmoISIM-SJA2 that are
documented, but what we have found with bfsearch goes far beyond these few
documented proprietary files.  I wonder if perhaps various card-resident
applications are using some of these proprietary files for their internal
purposes.