FreeCalypso > hg > fc-pcsc-tools
comparison doc/Brute-force-search @ 170:13b8d90eb5c7
doc/Brute-force-search article written
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Mon, 01 Mar 2021 00:25:49 +0000 |
| parents | |
| children | efe944a5c4e3 |
comparison
equal
deleted
inserted
replaced
| 169:c37a3cc0fafe | 170:13b8d90eb5c7 |
|---|---|
| 1 Brute force search of card file system file ID space | |
| 2 ==================================================== | |
| 3 | |
| 4 The two protocols for accessing the file system of SIM cards (the original GSM | |
| 5 11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting | |
| 6 directories and elementary files (EFs) by file IDs, but there is no provision | |
| 7 in either protocol for listing or enumerating what file IDs exist - there is no | |
| 8 'ls' operation. | |
| 9 | |
| 10 I (Mother Mychaela) really wanted to see the complete file system tree (all | |
| 11 directories and files) on SIM and UICC cards that are sold as programmable, made | |
| 12 by vendors such as Grcard and Sysmocom - my philosophy is that customers of such | |
| 13 programmable SIMs have a natural right to know about every file on those cards | |
| 14 and to exercise full control over the file system. But the unfortunate reality | |
| 15 with all currently available "programmable" SIMs on the market (or at least all | |
| 16 known ones) is that not only are their vendors not giving us a way to reformat | |
| 17 their cards and to recreate an entirely new file system layout as we like it, | |
| 18 but they don't even document the complete file system content their cards are | |
| 19 shipped with - and because there is no 'ls' operation in either of the two | |
| 20 standard protocols, there is no trivial way for us to just see it. | |
| 21 | |
| 22 In order to see the true undocumented file system content of both Grcard and | |
| 23 Sysmocom SIMs, I have implemented a brute force search of the file ID space. | |
| 24 This brute force search works as follows: | |
| 25 | |
| 26 * Starting with MF (file ID 3F00), try selecting every possible file ID from | |
| 27 0000 to FFFF, skipping only 3F00. For every file ID where the SELECT command | |
| 28 returns something other than "file ID not found" error (SW 9404 for SIM or | |
| 29 6A82 for UICC), follow up with GET RESPONSE and report what is found. For | |
| 30 every found file ID that turns out to be a DF when the full response is | |
| 31 parsed, the brute force search code takes note of it for further descent. | |
| 32 | |
| 33 * For every found DF, repeat the same brute force search inside that DF. File | |
| 34 IDs to be skipped at this search level include MF, the DF being searched, and | |
| 35 siblings of the current DF. If there are further nested DFs, the search has | |
| 36 to continue recursively. | |
| 37 | |
| 38 In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only | |
| 39 one bfsearch-mf command, performing the search from MF - in this protocol there | |
| 40 is only one file system tree. In the case of UICC-architecture cards, there are | |
| 41 multiple file system trees that are independent and disjoint: there is the main | |
| 42 file system tree starting at MF, and then each application of the USIM/ISIM kind | |
| 43 has its own ADF and a separate file system tree under that ADF, practically | |
| 44 meaning ADF.USIM, ADF.ISIM and whatever other applications are present. | |
| 45 | |
| 46 bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this | |
| 47 command takes no arguments and should work the same way irrespective of any | |
| 48 prior card session state. fc-uicc-tool also adds a complementary bfsearch-adf | |
| 49 command for searching ADF-based directory trees; in order to use bfsearch-adf, | |
| 50 you have to first select the desired application (select-aid, select-usim or | |
| 51 select-isim) in the same card session. | |
| 52 | |
| 53 Please note that these brute force searches are very slow - in the Mother's | |
| 54 experience with Grcard and Sysmocom cards, each bfsearch run took about an hour. | |
| 55 | |
| 56 Findings on GrcardSIM2 and sysmoISIM-SJA2 | |
| 57 ========================================= | |
| 58 | |
| 59 bfsearch-booty directory in this code repository contains some findings that | |
| 60 have been captured with brute force searches. As one can see from these data | |
| 61 captures, both Grcard and Sysmocom cards have plenty of additional directories | |
| 62 and files beyond the standard ones called for SIM/USIM/ISIM, and we can only | |
| 63 guess at what purpose all those extra proprietary directories and files may be | |
| 64 serving. There is one proprietary file on GrcardSIM2 and a few on sysmoISIM- | |
| 65 SJA2 that are documented, but what we have found with bfsearch goes far beyond | |
| 66 these few documented proprietary files. I wonder if perhaps various card- | |
| 67 resident applications are using some of these proprietary files for their | |
| 68 internal purposes. |