comparison doc/Compal-unlock @ 974:3f67d5bf96ef
doc: TFC139-breakin written, Compal-unlock updated
| author | Mychaela Falconia <falcon@ivan.Harhan.ORG> |
|---|---|
| date | Sun, 15 Nov 2015 03:47:19 +0000 |
| parents | 2d8ab1b0df8d |
| children | 7a55a3eb985a |
| 973:285505f98013 | 974:3f67d5bf96ef |
|---|---|
| 42 be disabled. Some C1xx phones out in the wild, particularly all North American | 42 be disabled. Some C1xx phones out in the wild, particularly all North American |
| 43 C139s with TracFone branding, have such maliciously-locked firmware in them. | 43 C139s with TracFone branding, have such maliciously-locked firmware in them. |
| 44 | 44 |
| 45 Fortunately though, these maliciously-locked firmwares (or at least the most | 45 Fortunately though, these maliciously-locked firmwares (or at least the most |
| 46 common TFC139 one) have been found to have another hole through which we can | 46 common TFC139 one) have been found to have another hole through which we can |
| 47 break in, as described here: | 47 break in, as described in the TFC139-breakin article. We can exploit this hole |
| 48 | 48 in the TFC139 firmware to gain code execution access to the Calypso, and then |
| 49 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004451.html | 49 use the latter to reprogram the flash, replacing the ultra-malicious firmware |
| 50 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004455.html | 50 with some other version that, although still proprietary, is a little less evil. |
| 51 | |
| 52 We can exploit this hole in the TFC139 firmware to gain code execution access | |
| 53 to the Calypso, and then use the latter to reprogram the flash, replacing the | |
| 54 ultra-malicious firmware with some other version that, although still | |
| 55 proprietary, is a little less evil. | |
| 56 | 51 |
| 57 Making first contact | 52 Making first contact |
| 58 ==================== | 53 ==================== |
| 59 | 54 |
| 60 If you have a C1xx phone which you are seeking to free, your first step should | 55 If you have a C1xx phone which you are seeking to free, your first step should |
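Review bot: dropping the two baseband-devel mailing-list URLs at old lines 49-50 removes the only primary references for the hole, while the replacement text at new line 47 points at "the TFC139-breakin article" without saying where that article lives. Suggest keeping the two links, or naming the TFC139-breakin file in the same doc directory that the commit message says was written alongside this change, so a reader of Compal-unlock can still reach the original write-ups.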
| 118 4. Connect the headset jack serial cable if it wasn't already connected, and | 113 4. Connect the headset jack serial cable if it wasn't already connected, and |
| 119 run this FreeCalypso hack-utility: | 114 run this FreeCalypso hack-utility: |
| 120 | 115 |
| 121 tfc139 /dev/ttyXXX | 116 tfc139 /dev/ttyXXX |
| 122 | 117 |
| 123 Compal's firmware has some non-standard commands of their own invention added | 118 Compal's TI-based firmware implements some of TI's Test Mode commands, and one |
| 124 to TI's RVT/ETM interface, and one of these commands is a raw memory write. | 119 of these commands is a raw memory write. Our tfc139 hack-utility will try to |
| 125 Our tfc139 hack-utility will try to break into the phone (gain code execution | 120 break into the phone (gain code execution access) by using this Test Mode |
| 126 access) by using this Compal ETM command to write a little payload into a | 121 command to write a little payload into a particular RAM location (beginning of |
| 127 particular RAM location (beginning of IRAM), and then doing more memory writes | 122 IRAM), and then doing more memory writes by the same method, seeking to smash |
| 128 by the same method, seeking to smash the stack and cause control to be | 123 the stack and cause control to be transferred to the sent payload by |
| 129 transferred to the sent payload by overwriting a function return address on the | 124 overwriting a function return address on the stack. |
| 130 stack. | |
| 131 | 125 |
| 132 If the stack smashing hack succeeds, the code injected by tfc139 will send a | 126 If the stack smashing hack succeeds, the code injected by tfc139 will send a |
| 133 message out the serial port indicating this success, and then re-enable the | 127 message out the serial port indicating this success, and then re-enable the |
| 134 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will | 128 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will |
| 135 wait forever for a serial code download following its standard protocol. If | 129 wait forever for a serial code download following its standard protocol. If |
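Review bot: old lines 123-124 attributed the raw memory write to "non-standard commands of their own invention" that Compal added to TI's RVT/ETM interface, whereas new lines 118-119 attribute it to TI's own Test Mode commands that Compal's firmware implements. That is a factual reversal rather than a wording change, and neither the hunk nor the commit message says what prompted it; suggest one sentence citing how this was established (for instance in the TFC139-breakin article the text now references), because a reader assessing whether other Calypso-based firmware is exposed over the same headset-jack serial path needs to know whether the command is TI-standard or a Compal addition.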
| 244 to the right place. We have an unlocked and non-carrier-branded (Mot branding | 238 to the right place. We have an unlocked and non-carrier-branded (Mot branding |
| 245 only) version of the fw that runs on these phones, and you can use FreeCalypso | 239 only) version of the fw that runs on these phones, and you can use FreeCalypso |
| 246 loadtools to flash this version into your C139 whether it came with Cingular or | 240 loadtools to flash this version into your C139 whether it came with Cingular or |
| 247 TF branding originally. Download this file: | 241 TF branding originally. Download this file: |
| 248 | 242 |
| 249 ftp.ifctf.org:/pub/GSM/Compal/c139-unlocked-fw.zip | 243 ftp.freecalypso.org:/pub/GSM/Compal/c139-unlocked-fw.zip |
| 250 | 244 |
| 251 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need | 245 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need |
| 252 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary | 246 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary |
| 253 for locked-down Tracfones) and make a backup of the original flash content. | 247 for locked-down Tracfones) and make a backup of the original flash content. |
| 254 Then reflash the firmware as follows: | 248 Then reflash the firmware as follows: |
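Review bot: the download at new line 243 now points at ftp.freecalypso.org, but c139-unlocked-fw.zip is still fetched over plain FTP with no checksum or signature given for it or for the unpacked c139-unlocked-fw.bin, and the procedure flashes that image immediately after the backup step at new lines 246-247. Suggest publishing a hash of the zip beside the link (a SHA-256 line in this doc) and telling the reader to verify it before running fc-loadtool, so a changed host or a truncated transfer cannot end with a bad image in the phone's flash.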
