view rvinterf/doc/tfc139.usage @ 793:c77d5b1fd6a2

aci: got to cmh_mmq.c, compilation failure (something to do with RTC), remains to be investigated and fixed
author Space Falcon <falcon@ivan.Harhan.ORG>
date Fri, 13 Mar 2015 00:29:36 +0000
parents 2d8ab1b0df8d
children
line wrap: on
line source

The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
rvinterf/rvtdump skeleton, and it needs to be invoked as follows:

tfc139 [options] /dev/ttyXXX

In the well-tested use case of breaking into TFC139 phones with fw version
8.8.17, no options are normally needed, but the following options are supported:

-a address

	This option changes the RAM address into which the "shellcode" is to be
	written; the argument is always interpreted as hex.  The default is
	0x800000, as used by the mot931c.exe closed source tool on whose
	reverse-engineering our hack-utility is based.

-B baud

	This option changes the serial baud rate just like in rvinterf and
	rvtdump, but the default is 57600 as needed for breaking into TFC139
	firmware.

-l logfile

	Log activity in a file, just like rvinterf and rvtdump.

-s address

	Just like mot931c.exe has been observed to do, we start our stack
	smashing attempts at a certain address, and keep incrementing by 4
	until we either succeed or crash the fw in some other way that does not
	help us.  This option changes the starting address for these stack
	smashing attempts; the argument is always interpreted as hex.  The
	default is 0x837C54, as observed from the reverse engineering of
	mot931c.

-w number_in_seconds

	See rvinterf.usage; the option is the same for tfc139 as for rvinterf.