THC-SmartBrute - Finds Undocumented and Secret Commands Implemented In a Smart Card

THC-SmartBrute is a tool for finding undocumented and secret commands implemented in a smart card.

An instruction (command APDU) is divided into a class byte (CLA), an instruction number (INS) and the parameters P1, P2 and P3. THC-SmartBrute iterates through all possible values of CLA and INS to find combinations the card accepts.

Furthermore, it tries to find out what parameters are valid for a given class and instruction number.
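The same CLA/INS/P1/P2/P3 layout that the tool iterates over is what a reader-side or terminal-side monitor sees, and the card's ISO 7816-4 status words (6E00 "class not supported", 6D00 "instruction not supported", 6A86/6B00 for bad P1/P2, 6700 for a bad P3) are what distinguishes an accepted command from a rejected one. The following is an added example, not code from THC-SmartBrute or from the article: it parses APDU headers, decodes status words, and flags a session whose burst of 6D00 rejections across many distinct INS values looks like an instruction sweep rather than a normal application. The log line format and the session/threshold names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Standard ISO 7816-4 status words (SW1 SW2). This table is general smart card
# knowledge, not taken from THC-SmartBrute's source.
SW_MEANING = {
    0x9000: "ok",
    0x6E00: "class not supported",
    0x6D00: "instruction not supported",
    0x6A86: "incorrect P1-P2",
    0x6B00: "wrong P1-P2",
    0x6700: "wrong length (P3)",
    0x6982: "security status not satisfied",
}


def parse_apdu_header(raw: bytes) -> dict:
    """Split a command APDU into CLA, INS, P1, P2 and P3 (Lc or Le), the
    fields a CLA/INS brute force iterates over."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    return {
        "cla": raw[0], "ins": raw[1], "p1": raw[2], "p2": raw[3],
        "p3": raw[4] if len(raw) >= 5 else None,
    }


def describe_sw(sw: int) -> str:
    """Map a status word to its ISO 7816-4 meaning. 61xx and 6Cxx carry a
    length in SW2, so the instruction itself was accepted by the card."""
    if sw in SW_MEANING:
        return SW_MEANING[sw]
    sw1 = sw >> 8
    if sw1 == 0x61:
        return "ok, %d response bytes available" % (sw & 0xFF)
    if sw1 == 0x6C:
        return "wrong Le, card expects %d" % (sw & 0xFF)
    return "unknown"


# Constructed reader-side log, one APDU exchange per line: a session id, the
# command bytes in hex and the status word in hex. The format is assumed.
LOG_LINE = re.compile(r"session=(\S+) cmd=([0-9A-Fa-f]+) sw=([0-9A-Fa-f]{4})")

SAMPLE_LOG = """\
session=s1 cmd=A0A40000023F00 sw=9000
session=s1 cmd=A0B0000010 sw=9000
session=s2 cmd=A0000000 sw=6D00
session=s2 cmd=A0010000 sw=6D00
session=s2 cmd=A0020000 sw=6D00
session=s2 cmd=A0030000 sw=6D00
session=s2 cmd=A0040000 sw=6D00
session=s2 cmd=A0050000 sw=6D00
session=s2 cmd=B0A40000 sw=6E00
session=s2 cmd=A0A40000 sw=9000
"""


def detect_enumeration(log_text: str, ins_threshold: int = 5) -> dict:
    """Per session, count distinct INS values rejected with 6D00 and distinct
    CLA values rejected with 6E00. A sweep over INS produces a run of 6D00
    responses for many different instruction numbers, which a legitimate
    application never generates."""
    rejected_ins = defaultdict(set)
    rejected_cla = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        session, cmd_hex, sw_hex = m.groups()
        hdr = parse_apdu_header(bytes.fromhex(cmd_hex))
        sw = int(sw_hex, 16)
        if sw == 0x6D00:
            rejected_ins[session].add(hdr["ins"])
        elif sw == 0x6E00:
            rejected_cla[session].add(hdr["cla"])
        elif describe_sw(sw).startswith("ok"):
            accepted[session].add((hdr["cla"], hdr["ins"]))
    report = {}
    for session in set(rejected_ins) | set(rejected_cla) | set(accepted):
        n_ins = len(rejected_ins[session])
        report[session] = {
            "rejected_ins": n_ins,
            "rejected_cla": len(rejected_cla[session]),
            "accepted": sorted(accepted[session]),
            "enumeration": n_ins >= ins_threshold,
        }
    return report


if __name__ == "__main__":
    for session, r in sorted(detect_enumeration(SAMPLE_LOG).items()):
        print(session, r)
```

The threshold is deliberately low for the sample; on real terminal logs it should be tuned against the number of distinct INS values the deployed application is known to use, and the 6E00 count gives the same signal for a sweep over CLA.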

Requirements:

  • You need a PC/SC compatible smart card reader that is supported by the PCSC-LITE library. A list of supported devices can be found on the following page:

Compiling

Install the PCSC-LITE library first. Edit the Makefile to your needs and run make:

  ~$ ./configure
  ~$ make
  ~$ make install

Usage:

  ./thcsmartbrute [Options]

--verbose
    prints a lot of debugging messages to stderr *FIXME*
--undoconly
    only prints a found instruction if it is not an element of the standard
    instruction list
--fastresults
    before iterating through all possible combinations of class and
    instruction number, typical class/instruction values are verified for
    availability.
    After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--simmode
    work in SIM mode
--tmode mode
    sets the transfer mode to T0 or T1
--skipcritical
    skip potentially critical smart card instructions
--help
    prints out the usage
--chv1 pin1
    a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
    a VERIFY CHV2 instruction with pin2 as argument is executed

--brutep1p2
    finds valid parameter p1 and p2 combinations for the instruction
    the user defined with --cla and --ins.
    For parameter p1 the value 0x00 is assumed.

--brutep3
    finds valid p3 values for the given --cla, --ins, --p1 and --p2

--cla CLASS
    sets the instruction class to CLASS
--ins INS
    sets the instruction number to INS
--p1 P1
    sets parameter p1 to P1
--p2 P2
    sets parameter p2 to P2
--p3 P3
    sets parameter p3 to P3

Examples:

  ~$ ./thc-smartbrute
        run thcsmartbrute without any arguments to brute force for valid instructions
  ~$ ./thc-smartbrute --undoconly
        find valid instructions but only print out non-standard instructions
  ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
        find the first two arguments for the GSM instruction SELECT FILE
  ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
        find the 3rd argument for the already found first two arguments for the GSM instruction SELECT FILE

Source: Effect Hacking (full article).