After a couple of hours trying to find free smartcard app on my tinkering time, finally I found this Cardpeek. Simple yet light smartcard reader app.
My objective is to create simple APDU “bruteforce” to the smart card by iterate some EF values using standards APDU SELECT. By bruteforce means that the SELECT command is sent to the smartcard for any possible EF value.
Finding this Cardpeek app + powered with Lua script is enough for me. For now.
The bruteforcing idea is to create iteration of EF value using 2 bytes length, this assumed the smartcard is having 2 bytes EF structures. With this iterations hopefully some approved response (SW1-SW2 = 0x9000) is given by the smartcard, and do further exploit using known approved EF.
Following is the Lua script I created to bruteforce SELECT APDU (or you can download directly here):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
if card.connect() then CRoot=card.tree_startup("Processing Bruteforce..") log.print(log.INFO,"Brute force SELECT start") for i=0x0000,0xFFFF,1 do cmd=bytes.new(8,0x00,0xA4,0x00,0x00,0x02,bit.SHR(i,8),bit.AND(i,0xFF)) sw, resp = card.send(cmd) if (sw==0x9000) then -- Approved response on SELECT APVnod=nodes.append(CRoot, {classname="record",label="Approved CAPDU",val=cmd}) nodes.append(APVnod, {classname="item",label="Received RAPDU data",val=bytes.format(resp,"%D")}) -- Trying to send BINARY READ for first 8 bytes sw, resp = card.send(bytes.new(8, "00 B0 00 00 08")) end end log.print(log.INFO,"Brute force SELECT end") card.disconnect() end |
And I tested the script using Commuter Line Kartu Multi Trip card, and here is some interesting responses from the card 😀
