comparison doc/Compal-unlock @ 987:7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
| author | Mychaela Falconia <falcon@ivan.Harhan.ORG> |
|---|---|
| date | Sat, 12 Dec 2015 08:24:08 +0000 |
| parents | 3f67d5bf96ef |
| children | 0654212e5c53 |
| 986:65418b391513 | 987:7a55a3eb985a |
|---|---|
| 38 provision for interrupting the boot process and diverting it to an externally- | 38 provision for interrupting the boot process and diverting it to an externally- |
| 39 supplied piece of code loaded over the serial line. Older fw versions have | 39 supplied piece of code loaded over the serial line. Older fw versions have |
| 40 this feature enabled unconditionally, but some of the newer versions have a | 40 this feature enabled unconditionally, but some of the newer versions have a |
| 41 malfeature whereby the serial boot interrupt and code download possibility may | 41 malfeature whereby the serial boot interrupt and code download possibility may |
| 42 be disabled. Some C1xx phones out in the wild, particularly all North American | 42 be disabled. Some C1xx phones out in the wild, particularly all North American |
| 43 C139s with TracFone branding, have such maliciously-locked firmware in them. | 43 C139s with TracFone branding and some of the Cingular-branded ones as well, |
| 44 | 44 have such maliciously-locked firmware in them. |
| 45 Fortunately though, these maliciously-locked firmwares (or at least the most | 45 |
| 46 common TFC139 one) have been found to have another hole through which we can | 46 Fortunately though, these maliciously-locked firmwares (or at least all versions |
| 47 break in, as described in the TFC139-breakin article. We can exploit this hole | 47 we've encountered so far) have been found to have another hole through which we |
| 48 in the TFC139 firmware to gain code execution access to the Calypso, and then | 48 can break in, as described in the TFC139-breakin article. We can exploit this |
| 49 use the latter to reprogram the flash, replacing the ultra-malicious firmware | 49 hole in the firmware to gain code execution access to the Calypso, and then use |
| 50 with some other version that, although still proprietary, is a little less evil. | 50 the latter to reprogram the flash, replacing the ultra-malicious firmware with |
| 51 some other version that, although still proprietary, is a little less evil. | |
| 51 | 52 |
| 52 Making first contact | 53 Making first contact |
| 53 ==================== | 54 ==================== |
| 54 | 55 |
| 55 If you have a C1xx phone which you are seeking to free, your first step should | 56 If you have a C1xx phone which you are seeking to free, your first step should |
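Review bot: the rewritten paragraph beginning "Fortunately though" replaces the concrete "at least the most common TFC139 one" with "at least all versions we've encountered so far" without saying which firmware versions those are, so an owner of one of the newly mentioned Cingular-branded C139s cannot tell from this article whether their firmware is among the ones actually tried. Suggest naming the tested firmware versions here, or stating explicitly that the list lives in the TFC139-breakin article this paragraph points to.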
| 109 jack. Because Mot/Compal's firmware is based on TI's reference architecture, | 110 jack. Because Mot/Compal's firmware is based on TI's reference architecture, |
| 110 the interface presented by the running fw on this serial port is TI's RVTMUX, | 111 the interface presented by the running fw on this serial port is TI's RVTMUX, |
| 111 albeit at 57600 baud instead of TI's default of 115200. | 112 albeit at 57600 baud instead of TI's default of 115200. |
| 112 | 113 |
| 113 4. Connect the headset jack serial cable if it wasn't already connected, and | 114 4. Connect the headset jack serial cable if it wasn't already connected, and |
| 114 run this FreeCalypso hack-utility: | 115 run this FreeCalypso utility: |
| 115 | 116 |
| 116 tfc139 /dev/ttyXXX | 117 tfc139 /dev/ttyXXX |
| 117 | 118 |
| 119 (The name tfc139 is historical; the current version is expected to work with | |
| 120 all Mot C1xx firmwares.) | |
| 121 | |
| 118 Compal's TI-based firmware implements some of TI's Test Mode commands, and one | 122 Compal's TI-based firmware implements some of TI's Test Mode commands, and one |
| 119 of these commands is a raw memory write. Our tfc139 hack-utility will try to | 123 of these commands is a raw memory write. It also implements some of TI's GPF |
| 120 break into the phone (gain code execution access) by using this Test Mode | 124 "system primitive" commands, including the MEMCHECK command that causes the |
| 121 command to write a little payload into a particular RAM location (beginning of | 125 firmware to report some info on all running GPF tasks, including the location |
| 122 IRAM), and then doing more memory writes by the same method, seeking to smash | 126 of each task's stack. Our tfc139 utility will try to break into the phone |
| 123 the stack and cause control to be transferred to the sent payload by | 127 (gain code execution access) by querying the target fw for the location of the |
| 124 overwriting a function return address on the stack. | 128 L1A task's stack, and then using Test Mode memory write commands to write a |
| 125 | 129 piece of shellcode into an unused RAM location and to make this code execute by |
| 126 If the stack smashing hack succeeds, the code injected by tfc139 will send a | 130 overwriting a function return address on the stack of the L1A task that |
| 127 message out the serial port indicating this success, and then re-enable the | 131 processes these Test Mode commands. |
| 132 | |
| 133 If the stack smashing hack succeeds, the shellcode injected by tfc139 will send | |
| 134 a message out the serial port indicating this success, and then re-enable the | |
| 128 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will | 135 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will |
| 129 wait forever for a serial code download following its standard protocol. If | 136 wait forever for a serial code download following its standard protocol. If |
| 130 tfc139 gets the success indication from the target, it will announce this | 137 tfc139 gets the success indication from the target, it will announce this |
| 131 success and direct you to run: | 138 success and direct you to run: |
| 132 | 139 |
| 135 Do as it says. The -c none option tells fc-loadtool to skip compalstage and | 142 Do as it says. The -c none option tells fc-loadtool to skip compalstage and |
| 136 proceed directly to feeding loadagent to the Calypso boot ROM. You should now | 143 proceed directly to feeding loadagent to the Calypso boot ROM. You should now |
| 137 be in full control of the phone via fc-loadtool. | 144 be in full control of the phone via fc-loadtool. |
| 138 | 145 |
| 139 There is one additional quirk worth mentioning. It appears that Mot/Compal's | 146 There is one additional quirk worth mentioning. It appears that Mot/Compal's |
| 140 main fw (at least TF's version 8.8.17, which is the version we break into with | 147 main fw keeps resetting the RTC alarm registers in the Calypso DBB as it runs, |
| 141 tfc139; other versions are anyone's guess) keeps resetting the RTC alarm | 148 always keeping the alarm time in the near future relative to the current time. |
| 142 registers in the Calypso DBB as it runs, always keeping the alarm time in the | 149 When one breaks into this firmware with tfc139 and takes over the control of |
| 143 near future relative to the current time. When one breaks into this firmware | 150 the device with fc-loadtool, this alarm time will almost certainly be reached, |
| 144 with tfc139 and takes over the control of the device with fc-loadtool, this | 151 and the RTC alarm will go off. This alarm has no effect on loadtool operation |
| 145 alarm time will almost certainly be reached, and the RTC alarm will go off. | 152 (i.e., it cannot reset the CPU or otherwise wrestle control away from loadtool, |
| 146 This alarm has no effect on loadtool operation (i.e., it cannot reset the CPU | 153 so it doesn't add any bricking risk), but it has one quite surprising effect |
| 147 or otherwise wrestle control away from loadtool, so it doesn't add any bricking | 154 upon exit, i.e., when you are done with your loadtool session and give it the |
| 148 risk), but it has one quite surprising effect upon exit, i.e., when you are | 155 exit command. |
| 149 done with your loadtool session and give it the exit command. | |
| 150 | 156 |
| 151 Loadtool's configured default exit action for this target is to send a power-off | 157 Loadtool's configured default exit action for this target is to send a power-off |
| 152 command to the Iota ABB, leaving the device cleanly powered off. However, if | 158 command to the Iota ABB, leaving the device cleanly powered off. However, if |
| 153 the RTC alarm has gone off previously during the session, the ABB will instantly | 159 the RTC alarm has gone off previously during the session, the ABB will instantly |
| 154 power the phone back on, and put it through a new boot cycle. The firmware | 160 power the phone back on, and put it through a new boot cycle. The firmware |
| 155 (again, the only version this stuff can be tested on is the one that works with | 161 handles this special form of boot rather oddly: it proceeds to the same end |
| 156 tfc139) handles this special form of boot rather oddly: it proceeds to the same | 162 state it would have reached via a normal power button hold-down boot (powered |
| 157 end state it would have reached via a normal power button hold-down boot | 163 on with the "Insert SIM" message on the LCD), but it reaches this state almost |
| 158 (powered on with the "Insert SIM" message on the LCD), but it reaches this state | 164 instantly, without going through the power-on LCD logo and buzz phase. Odd, |
| 159 almost instantly, without going through the power-on LCD logo and buzz phase. | 165 but harmless. This explanation has been included to save other hackers the |
| 160 Odd, but harmless. This explanation has been included to save other hackers | 166 hours of bewildered head-scratching I spent chasing this quirk down. |
| 161 the hours of bewildered head-scratching I spent chasing this quirk down. | |
| 162 | 167 |
| 163 Dumping and reloading flash | 168 Dumping and reloading flash |
| 164 =========================== | 169 =========================== |
| 165 | 170 |
| 166 Once you break in with fc-loadtool (either through the bootloader or through | 171 Once you break in with fc-loadtool (either through the bootloader or through |
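Review bot: the new description of the break-in only covers the success path, while the sentence "If tfc139 gets the success indication from the target" implies a failure path that is never described; a sentence on what tfc139 reports when the MEMCHECK query returns no L1A stack location, or when no success indication arrives, would let the reader distinguish a wrong serial port or baud rate from an unsupported firmware. The same hunk also drops the qualifier "(at least TF's version 8.8.17 ...; other versions are anyone's guess)" from the RTC alarm quirk, while the parenthetical "the current version is expected to work with all Mot C1xx firmwares" still reads as an expectation rather than a tested result; consider keeping a version qualifier on the RTC observation, or stating that the alarm behaviour was confirmed on the other firmwares the tool now handles.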
| 242 | 247 |
| 243 ftp.freecalypso.org:/pub/GSM/Compal/c139-unlocked-fw.zip | 248 ftp.freecalypso.org:/pub/GSM/Compal/c139-unlocked-fw.zip |
| 244 | 249 |
| 245 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need | 250 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need |
| 246 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary | 251 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary |
| 247 for locked-down Tracfones) and make a backup of the original flash content. | 252 for bootloader-locked phones) and make a backup of the original flash content. |
| 248 Then reflash the firmware as follows: | 253 Then reflash the firmware as follows: |
| 249 | 254 |
| 250 flash erase-program-boot c139-unlocked-fw.bin 2000 | 255 flash erase-program-boot c139-unlocked-fw.bin 2000 |
| 251 flash erase 10000 360000 | 256 flash erase 10000 360000 |
| 252 flash program-bin 2000 c139-unlocked-fw.bin 2000 | 257 flash program-bin 2000 c139-unlocked-fw.bin 2000 |
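Review bot: "make a backup of the original flash content" is the only recovery step before the irreversible "flash erase 10000 360000", yet unlike the three reflash commands it is described in prose rather than shown as a concrete command. Suggest giving the backup as an explicit fc-loadtool command line with the address range to save, and telling the reader to check the saved image before issuing the erase, so the recovery path is spelled out as precisely as the destructive one.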
