THC-SmartBrute – Finds undocumented and secret commands implemented in a smartcard

This tool finds undocumented and secret commands implemented in a smartcard. An instruction is divided into Class (CLA), Instruction-Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.
Furthermore it tries to find out what parameters are valid for a given class and instruction number.

Requirements
You need a PC/SC compatible smartcard reader that is supported by the PCSC-LITE library.
A list of supported devices can be found here
THC-SMARTBRUTE was developped with the XXX smartcard reader.

Command line arguments

--verbose
prints a lot of debugging messages to stderr *FIXME*
--undoconly
only prints found instruction if its not element of the standard
instruction list
--fastresults
before iterating through all possible combinates of class and
instruction-number typical class/instruction-values are verified for
availability.
After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--help
prints out the usage
--chv1 pin1
a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
a VERIFY CHV2 instruction with pin2 as argument is executed

--brutep1p2
finds valid parameter p1 and p2 combinations for the instruction
the user defined with --cla and --ins .
For parameter p1 the value 0x00 is assumed.

--brutep3
find valid p3 values for given --cla, --ins, --p1 and --p2

--cla CLASS
sets the instruction class to CLASS
--ins INS
sets the instruction-number to INS
--p1 P1
sets parameter p1 to P1
--p2 P2
sets parameter p2 to P2
--p3 P3
sets parameter p3 to P3

Examples

1. ~$ ./thc-smartbrute
run thcsmartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
find valid instructions but only print out non-standard instructions

3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
find the first two arguments for the GSM instruction SELECT FILE

4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
find the 3rd argument for the already found first two arguments
for the GSM instruction SELECT FILE

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s