diff doc/Compal-unlock @ 974:3f67d5bf96ef

doc: TFC139-breakin written, Compal-unlock updated
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sun, 15 Nov 2015 03:47:19 +0000
parents 2d8ab1b0df8d
children 7a55a3eb985a
--- a/doc/Compal-unlock	Sun Nov 15 01:42:50 2015 +0000
+++ b/doc/Compal-unlock	Sun Nov 15 03:47:19 2015 +0000
@@ -44,15 +44,10 @@
 
 Fortunately though, these maliciously-locked firmwares (or at least the most
 common TFC139 one) have been found to have another hole through which we can
-break in, as described here:
-
-http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004451.html
-http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004455.html
-
-We can exploit this hole in the TFC139 firmware to gain code execution access
-to the Calypso, and then use the latter to reprogram the flash, replacing the
-ultra-malicious firmware with some other version that, although still
-proprietary, is a little less evil.
+break in, as described in the TFC139-breakin article.  We can exploit this hole
+in the TFC139 firmware to gain code execution access to the Calypso, and then
+use the latter to reprogram the flash, replacing the ultra-malicious firmware
+with some other version that, although still proprietary, is a little less evil.
 
 Making first contact
 ====================
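Review bot: dropping the two baseband-devel list URLs removes the only external provenance this file gave for the "another hole" claim; either keep them here next to the new reference or make sure the TFC139-breakin article cites them. The new reference also gives no path: since the commit adds that file in the same doc/ directory, writing it as doc/TFC139-breakin lets a reader find it without guessing.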
@@ -120,14 +115,13 @@
 
    tfc139 /dev/ttyXXX
 
-Compal's firmware has some non-standard commands of their own invention added
-to TI's RVT/ETM interface, and one of these commands is a raw memory write.
-Our tfc139 hack-utility will try to break into the phone (gain code execution
-access) by using this Compal ETM command to write a little payload into a
-particular RAM location (beginning of IRAM), and then doing more memory writes
-by the same method, seeking to smash the stack and cause control to be
-transferred to the sent payload by overwriting a function return address on the
-stack.
+Compal's TI-based firmware implements some of TI's Test Mode commands, and one
+of these commands is a raw memory write.  Our tfc139 hack-utility will try to
+break into the phone (gain code execution access) by using this Test Mode
+command to write a little payload into a particular RAM location (beginning of
+IRAM), and then doing more memory writes by the same method, seeking to smash
+the stack and cause control to be transferred to the sent payload by
+overwriting a function return address on the stack.
 
 If the stack smashing hack succeeds, the code injected by tfc139 will send a
 message out the serial port indicating this success, and then re-enable the
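Review bot: the rewrite reverses who is credited with the raw memory write, from "Compal's non-standard commands of their own invention" to "some of TI's Test Mode commands"; because the two versions contradict each other, the paragraph should say what established the corrected attribution (TI documentation or the firmware itself) so a reader who saw the older text knows which to trust. The old wording's "RVT/ETM interface" term is also gone entirely, leaving "Test Mode" unexplained; consider keeping "RVT/ETM" as the name of the transport the tfc139 utility speaks.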
@@ -246,7 +240,7 @@
 loadtools to flash this version into your C139 whether it came with Cingular or
 TF branding originally.  Download this file:
 
-ftp.ifctf.org:/pub/GSM/Compal/c139-unlocked-fw.zip
+ftp.freecalypso.org:/pub/GSM/Compal/c139-unlocked-fw.zip
 
 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need
 to flash into your phone.  Get in with fc-loadtool (using tfc139 if necessary
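Review bot: the host change is fine, but the download remains a bare FTP path with no integrity check, and this file is what gets flashed into the phone; the doc should list a checksum for c139-unlocked-fw.zip (or the extracted .bin) next to the URL so the reader can verify what they fetched before handing it to fc-loadtool. This commit is also the place to confirm that no other ftp.ifctf.org references remain elsewhere in doc/.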