diff doc/TFC139-breakin @ 987:7a55a3eb985a

doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sat, 12 Dec 2015 08:24:08 +0000
parents 3f67d5bf96ef
children
--- a/doc/TFC139-breakin	Sat Dec 12 03:48:19 2015 +0000
+++ b/doc/TFC139-breakin	Sat Dec 12 08:24:08 2015 +0000
@@ -48,15 +48,14 @@
   its ability to ever run a different firmware version, like a kamikaze pilot's
   plane that has discarded its landing gear and can only crash now.
 
-TFC139 recovery
-===============
+Recovery procedure
+==================
 
-While it probably was Compal's, Motorola's and TracFone's intent that the
-bootloader lock on their phones be truly irreversible, some genius out there
-(we may never know who this person was/is) has found a way to recover the
-reflashing capability on at least one very common flock of locked-down phones:
-North American C139 units (1900+850 MHz hardware) sold with TracFone branding,
-firmware version 8.8.17.  Here is how it goes:
+While it probably was Compal's, Motorola's and various carriers' intent that the
+bootloader lock on their phones be truly irreversible, the unlocking community
+has now developed a method for recovering these phones (restoring their ability
+to run any firmware of the user's choice) which (we hope) will work with all of
+the existing locked-down firmware versions.  It works as follows:
 
 * Even though the bootloader is locked down, if one boots the full fw regularly,
   one can still access the RVTMUX interface which the TI-based fw implements
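Review bot: the new paragraph at +27..+31 claims the method "(we hope) will work with all of the existing locked-down firmware versions" without saying which versions it has actually been verified on; the text still reads as a promise rather than a tested result. Suggest replacing the parenthetical hedge with an explicit statement of what was tested and what is extrapolated, for example "verified on <list of fw versions>; expected, but not yet confirmed, to work on other locked-down versions", so a user whose phone bricks on an untested version knows the claim's scope in advance. The heading rename to "Recovery procedure" is fine, but note that any external links or other docs pointing at the old "TFC139 recovery" heading will need updating.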
@@ -74,11 +73,10 @@
   under a mistaken belief that these commands were Compal's inventions, until
   we discovered TI's original TM predating ETM.)
 
-* The ingenious idea our hero came up with is that one can use the RVTMUX TM
-  memory write command to write a piece of "shellcode" into an unused RAM
-  location, and then use those very same memory write commands to cause a
-  transfer of control to this code by overwriting a function return address on
-  the stack!
+* The ability to write arbitrary bytes into arbitrary RAM locations while the
+  phone firmware is running means that we can inject a piece of shellcode into
+  an unused RAM location and then cause this shellcode to gain execution by
+  overwriting a function return address on the stack.
 
 * Once you can execute your own code on the Calypso, everything becomes possible
   once again.  At that point one can trivially reverse the bootloader lock by
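Review bot: the rewritten bullet at +44..+47 drops the credit to the original discoverer that the removed lines carried ("some genius out there", "our hero"), while the later "Procedure variations" section attributes the idea to the author of mot931c.exe; the two passages should agree on provenance. Suggest either keeping a one-clause credit here ("an idea first embodied in the mot931c.exe tool, see below") or adding a cross-reference to the "Procedure variations" section so the history is not lost. Minor wording: "cause this shellcode to gain execution" reads awkwardly; "transfer control to this shellcode" matches the phrasing used in the removed text and elsewhere in the document.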
@@ -86,9 +84,36 @@
   or even better, rewriting this boot sector with an older version of the boot
   code that lacks the locking malfeature altogether.
 
-In the FreeCalypso suite the tfc139 host utility performs the break-in using
-the RVTMUX TM memory write and stack smashing method just described.  The
-"shellcode" injected by tfc139 re-enables the Calypso chip's own boot ROM and
+Procedure variations: old mot931c.exe vs. new tfc139
+====================================================
+
+We first became aware of the possibility of recovering locked-down phones as
+described above in the spring of 2014 when FreeCalypso developer Space Falcon
+became aware of the existence of Windows utility mot931c.exe (binary w/o source)
+that performs a variant of this unlocking procedure specific to one particular
+locked-down firmware version: C139 phones with TracFone branding, fw version
+8.8.17.  At first we had replicated the operation of this Windows tool verbatim
+in our own Unix/Linux-based tfc139 libre tool; this variant of the shellcode-
+based unlocking procedure worked well on TFC139 units, but could not crack other
+locked-down fw versions, e.g., Cingular-branded C139 phones with fw version
+1.9.24.
+
+Subsequent investigation revealed that whoever wrote that mot931c.exe Windows
+tool had not studied the operation of Motorola/Compal's TI-based firmware deeply
+enough, and implemented their shellcode injection quite suboptimally: the stack
+smashing process is hitting the wrong stack (not the stack of the L1A task in
+whose context the Test Mode commands sent over the UART are executing), and it
+is only through dumb luck that this version of the break-in procedure worked
+at all.  The limitation of working only with one specific fw version results
+from this poor method of shellcode injection (mindless choice of the wrong stack
+for smashing), and instead of adapting it in a version-specific manner to other
+particular locked-down fw versions at hand, I (Space Falcon) reimplemented our
+tfc139 utility to smash the right stack (that of the L1A task), and thereby
+made it generic to all Mot C1xx firmware versions.
+
+Our Compal firmware break-in utility is still called tfc139, but it is no longer
+specific to TFC139 phones; instead it should work with all Mot C1xx firmwares.
+The shellcode injected by tfc139 re-enables the Calypso chip's own boot ROM and
 jumps to it; this boot ROM will endlessly wait for a serial download because
 the word at 0x2000 contains neither 0 nor 1 (it is part of an identifying ASCII
 string in Mot/Compal's fw), and the operator can then run fc-loadtool to
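Review bot: the new section at +61..+86 says the old variant "could not crack" Cingular-branded 1.9.24 firmware and that the rewritten tfc139 "should work with all Mot C1xx firmwares", but it never states whether the new L1A-stack variant has actually been run against 1.9.24 (or any version other than 8.8.17); as written, the reader cannot tell a verified result from an expectation. Suggest adding one sentence listing the firmware versions on which the new procedure has been confirmed, and keeping "should" only for the untested ones. Two smaller points: the paragraph switches voice from "we" to "I (Space Falcon)" at +81, which is inconsistent with the rest of the document and with the first-person-plural at +85; and the sentence at +85..+86 repeats the "no longer specific to TFC139 / all Mot C1xx firmwares" claim already made at +83 and could be merged with it.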