Smartcard Undocumented Commands: THC-SmartBrute

2014-09-17T11:39:20
ID N0WHERE:21905
Type n0where
Reporter N0where
Modified 2014-09-17T11:39:20

Description

This tool finds undocumented and secret commands implemented in a smartcard. A command APDU is divided into a class byte (CLA), an instruction byte (INS) and the parameters P1, P2 and P3 (P3 being the length byte in T=0 terms). … iterates through all possible values of CLA and INS to find the combinations the card actually implements; a card that answers anything other than "class not supported" or "instruction not supported" has revealed a live instruction, even if it rejects the parameters.

Furthermore, for a given class and instruction number it tries to find out which values of P1/P2 and then P3 the card accepts.

Requirements

You need a PC/SC compatible smartcard reader that is supported by the PCSC-LITE library.
A list of supported devices can be found here

Compiling

Install the PCSC-LITE library first.
Edit the Makefile to your needs and run make:

~$ ./configure
~$ make
~$ make install

Usage

[cyberpunk@n0where.net]# ./thcsmartbrute --help
./thcsmartbrute Version 1.0 gamma@thc.org

Parameters:

  • --chv1 pin1 – sets the CHV1 to pin1
  • --chv2 pin2 – sets the CHV2 to pin2
  • --simmode – work in SIM mode
  • --tmode mode – sets the transfer mode to T0 or T1
  • --skipcriticalk – skip potentially critical smartcard instructions
  • --undoconly – only print undocumented instructions
  • --fastresults – fast results, does not work with -u
  • --help – shows this help

Parameter probing functions:

  • --class <CLASS>[,<CLASS>,<CLASS>...] – set the classes to be tested (hex)
  • --ins – set the instruction value of the tested instruction
  • --p1 – gives parameter p1
  • --p2 – gives parameter p2
  • --p3 – gives parameter p3
  • --brutep1p2 – probes for valid p1/p2 parameters with p3=0
  • --brutep3 – probes valid p3 with the given --p1 and --p2

Examples

~$ ./thc-smartbrute

– run thcsmartbrute without any arguments to brute-force all CLA/INS combinations and list the valid instructions

~$ ./thc-smartbrute --undoconly

– find valid instructions but print only those that are not standard (documented) instructions

~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2

– find the accepted P1/P2 values for the GSM instruction SELECT FILE (INS 0xA4 in class 0xA0)

~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3

– find the accepted P3 values for the P1/P2 pair found in the previous step, again for the GSM instruction SELECT FILE
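The three probing stages above (CLA/INS sweep, P1/P2 sweep with P3=0, then P3 sweep) as an added example in Python. This is not THC-SmartBrute's code; it shows the status-word logic such a prober relies on, run against a constructed in-memory card so it executes without a reader. The `FakeCard` class, its hidden instruction 0xDE, the short `DOCUMENTED_INS` table and the `CRITICAL_INS` set are assumptions made for the demo; to run the same functions against real hardware you would pass a `transmit(cla, ins, p1, p2, p3)` callable wrapped around a PC/SC connection.

```python
"""Added example (not THC-SmartBrute's own code): the CLA/INS, P1/P2 and P3
probing stages the page describes, run against a constructed in-memory card."""

from typing import Callable, Dict, List, Optional, Sequence, Tuple

# ISO 7816-4 status words (SW1SW2) the prober keys on.
SW_OK = 0x9000
SW_CLA_NOT_SUPPORTED = 0x6E00   # the class byte itself is unknown
SW_INS_NOT_SUPPORTED = 0x6D00   # the class exists but this INS does not
SW_WRONG_P1P2 = 0x6A86          # INS exists, but these parameters are wrong
SW_WRONG_LENGTH = 0x6700        # INS and P1/P2 accepted, P3 (Lc/Le) is wrong

# Standard instruction codes (ISO 7816-4 / GSM 11.11). Anything else the card
# answers to is reported as undocumented. Assumption for the demo: this table
# is far shorter than what the real tool knows.
DOCUMENTED_INS: Dict[int, str] = {
    0x20: "VERIFY", 0x84: "GET CHALLENGE", 0xA4: "SELECT FILE",
    0xB0: "READ BINARY", 0xB2: "READ RECORD", 0xC0: "GET RESPONSE",
    0xD6: "UPDATE BINARY", 0xDC: "UPDATE RECORD",
}

# Instructions that change card state or burn PIN retry counters; a blind sweep
# must not send them (the idea behind the tool's skip-critical switch).
CRITICAL_INS = {0x20, 0x24, 0x26, 0x28, 0x2C, 0xD6, 0xDC, 0xE2, 0xE4}

# transmit(cla, ins, p1, p2, p3) -> SW1SW2 as an int
Transmit = Callable[[int, int, int, int, int], int]


class FakeCard:
    """Constructed GSM-style card (assumption): class 0xA0 only; SELECT FILE
    (0xA4) wants P1P2=0000 and P3=2; a hidden vendor instruction 0xDE accepts
    any P1/P2 with P3=0; VERIFY (0x20) burns a PIN retry on every call."""

    def __init__(self) -> None:
        self.pin_retries = 3

    def transmit(self, cla: int, ins: int, p1: int, p2: int, p3: int) -> int:
        if cla != 0xA0:
            return SW_CLA_NOT_SUPPORTED
        if ins == 0x20:
            self.pin_retries = max(0, self.pin_retries - 1)
            return 0x63C0 | self.pin_retries      # wrong PIN, N tries left
        if ins == 0xA4:
            if (p1, p2) != (0x00, 0x00):
                return SW_WRONG_P1P2
            return SW_OK if p3 == 2 else SW_WRONG_LENGTH
        if ins == 0xDE:
            return SW_OK if p3 == 0 else SW_WRONG_LENGTH
        return SW_INS_NOT_SUPPORTED


def brute_cla_ins(transmit: Transmit, classes: Optional[Sequence[int]] = None,
                  skip_critical: bool = True,
                  undoc_only: bool = False) -> List[Tuple[int, int, int]]:
    """Stage 1: every CLA/INS pair with P1=P2=P3=0. A pair counts as implemented
    whenever the card rejects it for any reason other than unknown CLA or INS."""
    found: List[Tuple[int, int, int]] = []
    for cla in (range(256) if classes is None else classes):
        for ins in range(256):
            if skip_critical and ins in CRITICAL_INS:
                continue
            sw = transmit(cla, ins, 0, 0, 0)
            if sw in (SW_CLA_NOT_SUPPORTED, SW_INS_NOT_SUPPORTED):
                continue
            if undoc_only and ins in DOCUMENTED_INS:
                continue
            found.append((cla, ins, sw))
    return found


def brute_p1p2(transmit: Transmit, cla: int, ins: int) -> List[Tuple[int, int]]:
    """Stage 2: sweep P1/P2 with P3=0 and keep pairs not rejected as wrong
    parameters. A 'wrong length' answer still counts: P1/P2 were accepted."""
    return [(p1, p2) for p1 in range(256) for p2 in range(256)
            if transmit(cla, ins, p1, p2, 0) not in
            (SW_CLA_NOT_SUPPORTED, SW_INS_NOT_SUPPORTED, SW_WRONG_P1P2)]


def brute_p3(transmit: Transmit, cla: int, ins: int, p1: int, p2: int) -> List[int]:
    """Stage 3: with P1/P2 fixed, find the P3 values the card executes."""
    return [p3 for p3 in range(256) if transmit(cla, ins, p1, p2, p3) == SW_OK]


def describe(cla: int, ins: int, sw: int) -> str:
    name = DOCUMENTED_INS.get(ins, "undocumented")
    return f"CLA={cla:02X} INS={ins:02X} ({name}) SW={sw:04X}"


if __name__ == "__main__":
    card = FakeCard()
    for hit in brute_cla_ins(card.transmit):
        print(describe(*hit))
    print("P1/P2 for SELECT FILE:", brute_p1p2(card.transmit, 0xA0, 0xA4))
    print("P3 for SELECT FILE 00 00:", brute_p3(card.transmit, 0xA0, 0xA4, 0, 0))
    print("PIN retries left after the sweep:", card.pin_retries)
```

The point worth noticing is in stage 1: SELECT FILE is reported from a 0x6700 answer, not from 0x9000, because the rejection reason alone proves the instruction exists. The critical-instruction skip matters for the same reason the tool offers it: sweeping INS 0x20 against the fake card costs one PIN retry per class tried, and a real card blocks the CHV after three.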

Source && Download

Smartcard Undocumented Commands: THC-SmartBrute download