comparison rvinterf/doc/tfc139.usage @ 433:2d8ab1b0df8d

rvinterf/doc/tfc139.usage: written doc/Compal-unlock: typo fix
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Sun, 22 Jun 2014 00:17:44 +0000
432:15e69d31c96f 433:2d8ab1b0df8d
1 The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
2 rvinterf/rvtdump skeleton, and it needs to be invoked as follows:
3
4 tfc139 [options] /dev/ttyXXX
5
6 In the well-tested use case of breaking into TFC139 phones with fw version
7 8.8.17, no options are normally needed, but the following options are supported:
8
9 -a address
10
11 This option changes the RAM address into which the "shellcode" is to be
12 written; the argument is always interpreted as hex. The default is
13 0x800000, as used by the mot931c.exe closed source tool on whose
14 reverse-engineering our hack-utility is based.
15
16 -B baud
17
18 This option changes the serial baud rate just like in rvinterf and
19 rvtdump, but the default is 57600 as needed for breaking into TFC139
20 firmware.
21
22 -l logfile
23
24 Log activity in a file, just like rvinterf and rvtdump.
25
26 -s address
27
28 Just like mot931c.exe has been observed to do, we start our stack
29 smashing attempts at a certain address, and keep incrementing by 4
30 until we either succeed or crash the fw in some other way that does not
31 help us. This option changes the starting address for these stack
32 smashing attempts; the argument is always interpreted as hex. The
33 default is 0x837C54, as observed from the reverse engineering of
34 mot931c.
35
36 -w number_in_seconds
37
38 See rvinterf.usage; the option is the same for tfc139 as for rvinterf.
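Review bot: The -a and -s descriptions (file lines 11-14 and 28-34) say the argument is "always interpreted as hex" while both defaults are written with a 0x prefix (0x800000, 0x837C54), so the text leaves open whether a 0x prefix is accepted, required or rejected on the command line; state which, next to each option. The -s paragraph also names two outcomes ("succeed" or "crash the fw in some other way") without saying how the tool reports either one or what ends up in the -l logfile; a sentence on what the operator sees in each case would make the doc usable without reading the source. Minor: -w defers entirely to rvinterf.usage, and a one-line summary of the option here would save the lookup.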