comparison rvinterf/lowlevel/tfc139.c @ 359:144b5d222de8

tfc139 hack utility started, compiles
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Thu, 15 May 2014 10:32:30 +0000
parents
children f9d78057d766
358:b39802cd9329 359:144b5d222de8
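--- a/rvinterf/lowlevel/tfc139.c
+++ b/rvinterf/lowlevel/tfc139.c
@@ -0,0 +1,150 @@
+/*
+* This program is a contender for the title of the ugliest hack
+* in the FreeCalypso project. It will attempt to break into a
+* locked-down TracFone C139 by mimicking the actions of the
+* mot931c.exe TF "unlocker".
+*/
+
+#include <sys/types.h>
+#include <sys/errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
+#include "../include/pktmux.h"
+#include "../include/limits.h"
+
+extern int target_fd;
+extern char *baudrate_name;
+
+extern u_char rxpkt[];
+extern size_t rxpkt_len;
+
+char *logfname;
+FILE *logF;
+time_t logtime;
+int no_output; /* for output.c */
+
+int wakeup_after_sec = 7;
+
+/* see ../../target-utils/tf-breakin/payload.S for the source */
+static u_char iram_payload[112] = {
+0xD3, 0xF0, 0x21, 0xE3, 0x58, 0x10, 0x9F, 0xE5,
+0xF5, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1,
+0xA0, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1,
+0x48, 0x60, 0x9F, 0xE5, 0x05, 0x00, 0xD6, 0xE5,
+0x20, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A,
+0x2C, 0x10, 0x8F, 0xE2, 0x06, 0x20, 0xA0, 0xE3,
+0x01, 0x00, 0xD1, 0xE4, 0x00, 0x00, 0xC6, 0xE5,
+0x01, 0x20, 0x52, 0xE2, 0xFB, 0xFF, 0xFF, 0x1A,
+0x05, 0x00, 0xD6, 0xE5, 0x40, 0x00, 0x10, 0xE3,
+0xFC, 0xFF, 0xFF, 0x0A, 0x18, 0x10, 0x9F, 0xE5,
+0x01, 0x2C, 0xA0, 0xE3, 0xB0, 0x20, 0xC1, 0xE1,
+0x00, 0xF0, 0xA0, 0xE3, 0x02, 0x02, 0x02, 0x4F,
+0x4B, 0x02, 0x00, 0x00, 0x02, 0xF8, 0xFF, 0xFF,
+0x00, 0x58, 0xFF, 0xFF, 0x10, 0xFB, 0xFF, 0xFF
+};
+
+static unsigned iram_load_addr = 0x800000;
+static unsigned stack_smash_addr = 0x837C54;
+
+static void
+send_compal_memwrite(addr, payload, payload_len)
+unsigned addr;
+u_char *payload;
+{
+u_char pkt[MAX_PKT_TO_TARGET];
+int i, csum, csum_offset;
+
+pkt[0] = RVT_TM_HEADER;
+pkt[1] = 0x40; /* Compal's non-standard addition */
+pkt[2] = addr;
+pkt[3] = addr >> 8;
+pkt[4] = addr >> 16;
+pkt[5] = addr >> 24;
+bcopy(payload, pkt + 6, payload_len);
+csum_offset = payload_len + 6;
+csum = 0;
+for (i = 1; i < csum_offset; i++)
+csum ^= pkt[i];
+pkt[i] = csum;
+send_pkt_to_target(pkt, i + 1);
+}
+
+main(argc, argv)
+char **argv;
+{
+extern char *optarg;
+extern int optind;
+int c;
+fd_set fds;
+
+while ((c = getopt(argc, argv, "l:")) != EOF)
+switch (c) {
+case 'l':
+logfname = optarg;
+continue;
+case '?':
+default:
+usage: fprintf(stderr,
+"usage: %s [options] ttyport\n", argv[0]);
+exit(1);
+}
+if (argc - optind != 1)
+goto usage;
+baudrate_name = "57600"; /* what Compal phones use */
+open_target_serial(argv[optind]);
+
+set_serial_nonblock(0);
+setlinebuf(stdout);
+if (logfname) {
+logF = fopen(logfname, "w");
+if (!logF) {
+perror(logfname);
+exit(1);
+}
+setlinebuf(logF);
+fprintf(logF, "*** Log of TFC139 break-in session ***\n");
+}
+output_line("Sending IRAM payload");
+send_compal_memwrite(iram_load_addr, iram_payload, sizeof iram_payload);
+for (;;) {
+FD_ZERO(&fds);
+FD_SET(target_fd, &fds);
+c = select(target_fd+1, &fds, 0, 0, 0);
+time(&logtime);
+if (c < 0) {
+if (errno == EINTR)
+continue;
+perror("select");
+exit(1);
+}
+if (FD_ISSET(target_fd, &fds))
+process_serial_rx();
+}
+}
+
+handle_rx_packet()
+{
+switch (rxpkt[0]) {
+case RVT_RV_HEADER:
+if (rxpkt_len < 6)
+goto unknown;
+print_rv_trace();
+return;
+case RVT_L1_HEADER:
+print_l1_trace();
+return;
+case RVT_L23_HEADER:
+print_g23_trace();
+return;
+case RVT_TM_HEADER:
+print_etm_output_raw();
+return;
+default:
+unknown:
+print_unknown_packet();
+}
+}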
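Review bot: send_compal_memwrite copies payload_len bytes into the stack buffer pkt[MAX_PKT_TO_TARGET] at offset 6 with bcopy and then stores the checksum at pkt[csum_offset], but nothing checks that payload_len + 7 fits in the buffer; the one caller passes sizeof iram_payload (112 bytes), so it is fine as committed, but any larger payload would overflow the stack frame (the value of MAX_PKT_TO_TARGET lives in ../include/limits.h and is not visible here). payload_len is also absent from the K&R declaration list, so it defaults to int while the caller passes a size_t. Suggest adding `size_t payload_len;` beside the other parameter declarations and guarding the copy with `if (payload_len + 7 > MAX_PKT_TO_TARGET) { fprintf(stderr, "payload too large\n"); exit(1); }` before the bcopy. Separately, main() and handle_rx_packet() are declared with implicit int return types, which C99 and later reject; `int main(argc, argv)` and `void handle_rx_packet()` would match how the functions are actually used.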