comparison doc/TFC139-breakin @ 987:7a55a3eb985a

doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sat, 12 Dec 2015 08:24:08 +0000
parents 3f67d5bf96ef
children
986:65418b391513 987:7a55a3eb985a
46 * Once the word at 0x2060 has been programmed (in the flash memory sense) from 46 * Once the word at 0x2060 has been programmed (in the flash memory sense) from
47 0xDDDDDDDD down to 0x00000000, the phone is irreversibly locked and has lost 47 0xDDDDDDDD down to 0x00000000, the phone is irreversibly locked and has lost
48 its ability to ever run a different firmware version, like a kamikaze pilot's 48 its ability to ever run a different firmware version, like a kamikaze pilot's
49 plane that has discarded its landing gear and can only crash now. 49 plane that has discarded its landing gear and can only crash now.
50 50
51 TFC139 recovery 51 Recovery procedure
52 =============== 52 ==================
53 53
54 While it probably was Compal's, Motorola's and TracFone's intent that the 54 While it probably was Compal's, Motorola's and various carriers' intent that the
55 bootloader lock on their phones be truly irreversible, some genius out there 55 bootloader lock on their phones be truly irreversible, the unlocking community
56 (we may never know who this person was/is) has found a way to recover the 56 has now developed a method for recovering these phones (restoring their ability
57 reflashing capability on at least one very common flock of locked-down phones: 57 to run any firmware of the user's choice) which (we hope) will work with all of
58 North American C139 units (1900+850 MHz hardware) sold with TracFone branding, 58 the existing locked-down firmware versions. It works as follows:
59 firmware version 8.8.17. Here is how it goes:
60 59
61 * Even though the bootloader is locked down, if one boots the full fw regularly, 60 * Even though the bootloader is locked down, if one boots the full fw regularly,
62 one can still access the RVTMUX interface which the TI-based fw implements 61 one can still access the RVTMUX interface which the TI-based fw implements
63 for debug trace and factory programming functions. One needs to key in the 62 for debug trace and factory programming functions. One needs to key in the
64 magic sequence **16379# into the running fw, and a hidden menu will appear, 63 magic sequence **16379# into the running fw, and a hidden menu will appear,
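Review bot: new lines 56-58 replace the concrete, verified claim of the old text (North American TracFone C139 units, fw 8.8.17) with "(we hope) will work with all of the existing locked-down firmware versions", but nowhere in the document does it say which firmware versions the new method has actually been run against. Add a sentence here listing the branded units / fw versions on which the generic tfc139 has been confirmed to work; the later section only names 8.8.17 as working with the old method and Cingular 1.9.24 as failing with it, so a reader cannot tell tested from hoped-for.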
72 Test Mode commands, and these TM commands just happen to include raw memory 71 Test Mode commands, and these TM commands just happen to include raw memory
73 read and write operations at an arbitrary address. (For a while we were 72 read and write operations at an arbitrary address. (For a while we were
74 under a mistaken belief that these commands were Compal's inventions, until 73 under a mistaken belief that these commands were Compal's inventions, until
75 we discovered TI's original TM predating ETM.) 74 we discovered TI's original TM predating ETM.)
76 75
77 * The ingenious idea our hero came up with is that one can use the RVTMUX TM 76 * The ability to write arbitrary bytes into arbitrary RAM locations while the
78 memory write command to write a piece of "shellcode" into an unused RAM 77 phone firmware is running means that we can inject a piece of shellcode into
79 location, and then use those very same memory write commands to cause a 78 an unused RAM location and then cause this shellcode to gain execution by
80 transfer of control to this code by overwriting a function return address on 79 overwriting a function return address on the stack.
81 the stack!
82 80
83 * Once you can execute your own code on the Calypso, everything becomes possible 81 * Once you can execute your own code on the Calypso, everything becomes possible
84 once again. At that point one can trivially reverse the bootloader lock by 82 once again. At that point one can trivially reverse the bootloader lock by
85 erasing flash sector 0 and rewriting it with 0xDDDDDDDD in the 0x2060 word, 83 erasing flash sector 0 and rewriting it with 0xDDDDDDDD in the 0x2060 word,
86 or even better, rewriting this boot sector with an older version of the boot 84 or even better, rewriting this boot sector with an older version of the boot
87 code that lacks the locking malfeature altogether. 85 code that lacks the locking malfeature altogether.
88 86
89 In the FreeCalypso suite the tfc139 host utility performs the break-in using 87 Procedure variations: old mot931c.exe vs. new tfc139
90 the RVTMUX TM memory write and stack smashing method just described. The 88 ====================================================
91 "shellcode" injected by tfc139 re-enables the Calypso chip's own boot ROM and 89
90 We first became aware of the possibility of recovering locked-down phones as
91 described above in the spring of 2014 when FreeCalypso developer Space Falcon
92 became aware of the existence of Windows utility mot931c.exe (binary w/o source)
93 that performs a variant of this unlocking procedure specific to one particular
94 locked-down firmware version: C139 phones with TracFone branding, fw version
95 8.8.17. At first we had replicated the operation of this Windows tool verbatim
96 in our own Unix/Linux-based tfc139 libre tool; this variant of the shellcode-
97 based unlocking procedure worked well on TFC139 units, but could not crack other
98 locked-down fw versions, e.g., Cingular-branded C139 phones with fw version
99 1.9.24.
100
101 Subsequent investigation revealed that whoever wrote that mot931c.exe Windows
102 tool had not studied the operation of Motorola/Compal's TI-based firmware deeply
103 enough, and implemented their shellcode injection quite suboptimally: the stack
104 smashing process is hitting the wrong stack (not the stack of the L1A task in
105 whose context the Test Mode commands sent over the UART are executing), and it
106 is only through dumb luck that this version of the break-in procedure worked
107 at all. The limitation of working only with one specific fw version results
108 from this poor method of shellcode injection (mindless choice of the wrong stack
109 for smashing), and instead of adapting it in a version-specific manner to other
110 particular locked-down fw versions at hand, I (Space Falcon) reimplemented our
111 tfc139 utility to smash the right stack (that of the L1A task), and thereby
112 made it generic to all Mot C1xx firmware versions.
113
114 Our Compal firmware break-in utility is still called tfc139, but it is no longer
115 specific to TFC139 phones; instead it should work with all Mot C1xx firmwares.
116 The shellcode injected by tfc139 re-enables the Calypso chip's own boot ROM and
92 jumps to it; this boot ROM will endlessly wait for a serial download because 117 jumps to it; this boot ROM will endlessly wait for a serial download because
93 the word at 0x2000 contains neither 0 nor 1 (it is part of an identifying ASCII 118 the word at 0x2000 contains neither 0 nor 1 (it is part of an identifying ASCII
94 string in Mot/Compal's fw), and the operator can then run fc-loadtool to 119 string in Mot/Compal's fw), and the operator can then run fc-loadtool to
95 perform arbitrary flash operations. 120 perform arbitrary flash operations.
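Review bot: new lines 110-115 assert that smashing the L1A task's stack makes tfc139 "generic to all Mot C1xx firmware versions", but the text never says why the L1A stack and the return-address slot being overwritten sit at the same RAM address in every firmware version, or how tfc139 locates them; state that (fixed address from the TI firmware layout, or something tfc139 probes) since it is the entire basis for the generic claim and for the "should work with all" in line 115. Also say what a miss does: lines 103-107 explain that mot931c.exe smashed the wrong stack and worked only by dumb luck, so a user trying the new tool on an untested fw version needs to know whether a wrong-stack or wrong-offset smash merely resets the phone (retry safely) or can leave it worse off. Minor: line 110 switches from "we" to "I (Space Falcon)" mid-section; pick one voice.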