# HG changeset patch # User Michael Spacefalcon # Date 1400149950 0 # Node ID 144b5d222de8ebe5c837386696830a1e18ae0240 # Parent b39802cd93297a98ba963a9f29c98e2f7848c18f tfc139 hack utility started, compiles diff -r b39802cd9329 -r 144b5d222de8 .hgignore --- a/.hgignore Thu May 15 09:50:23 2014 +0000 +++ b/.hgignore Thu May 15 10:32:30 2014 +0000 @@ -26,6 +26,7 @@ ^rvinterf/g23sh/g23sh$ ^rvinterf/lowlevel/rvinterf$ ^rvinterf/lowlevel/rvtdump$ +^rvinterf/lowlevel/tfc139$ ^rvinterf/misc/fc-sendsp$ ^rvinterf/old/etmsend$ ^rvinterf/old/rvtdump$ diff -r b39802cd9329 -r 144b5d222de8 rvinterf/lowlevel/Makefile --- a/rvinterf/lowlevel/Makefile Thu May 15 09:50:23 2014 +0000 +++ b/rvinterf/lowlevel/Makefile Thu May 15 10:32:30 2014 +0000 @@ -1,6 +1,6 @@ CC= gcc CFLAGS= -O2 -PROGS= rvtdump rvinterf +PROGS= rvtdump rvinterf tfc139 INSTBIN=/usr/local/bin LIBG23= ../libg23/libg23.a @@ -9,6 +9,8 @@ RVINTERF_OBJS= clientcmd.o format.o localsock.o logsent.o openport.o output.o \ packetrx.o packettx.o pktfwd.o rvifmain.o +TFC139_OBJS= format.o openport.o output.o packetrx.o packettx.o tfc139.o + all: ${PROGS} rvtdump: ${RVTDUMP_OBJS} ${LIBG23} @@ -17,6 +19,9 @@ rvinterf: ${RVINTERF_OBJS} ${LIBG23} ${CC} ${CFLAGS} -o $@ ${RVINTERF_OBJS} ${LIBG23} +tfc139: ${TFC139_OBJS} ${LIBG23} + ${CC} ${CFLAGS} -o $@ ${TFC139_OBJS} ${LIBG23} + install: ${PROGS} mkdir -p ${INSTBIN} install -c ${PROGS} ${INSTBIN} diff -r b39802cd9329 -r 144b5d222de8 rvinterf/lowlevel/tfc139.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/rvinterf/lowlevel/tfc139.c Thu May 15 10:32:30 2014 +0000 
@@ -0,0 +1,150 @@ +/* + * This program is a contender for the title of the ugliest hack + * in the FreeCalypso project. It will attempt to break into a + * locked-down TracFone C139 by mimicking the actions of the + * mot931c.exe TF "unlocker". + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "../include/pktmux.h" +#include "../include/limits.h" + +extern int target_fd; +extern char *baudrate_name; + +extern u_char rxpkt[]; +extern size_t rxpkt_len; + +char *logfname; +FILE *logF; +time_t logtime; +int no_output; /* for output.c */ + +int wakeup_after_sec = 7; + +/* see ../../target-utils/tf-breakin/payload.S for the source */ +static u_char iram_payload[112] = { + 0xD3, 0xF0, 0x21, 0xE3, 0x58, 0x10, 0x9F, 0xE5, + 0xF5, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1, + 0xA0, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1, + 0x48, 0x60, 0x9F, 0xE5, 0x05, 0x00, 0xD6, 0xE5, + 0x20, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A, + 0x2C, 0x10, 0x8F, 0xE2, 0x06, 0x20, 0xA0, 0xE3, + 0x01, 0x00, 0xD1, 0xE4, 0x00, 0x00, 0xC6, 0xE5, + 0x01, 0x20, 0x52, 0xE2, 0xFB, 0xFF, 0xFF, 0x1A, + 0x05, 0x00, 0xD6, 0xE5, 0x40, 0x00, 0x10, 0xE3, + 0xFC, 0xFF, 0xFF, 0x0A, 0x18, 0x10, 0x9F, 0xE5, + 0x01, 0x2C, 0xA0, 0xE3, 0xB0, 0x20, 0xC1, 0xE1, + 0x00, 0xF0, 0xA0, 0xE3, 0x02, 0x02, 0x02, 0x4F, + 0x4B, 0x02, 0x00, 0x00, 0x02, 0xF8, 0xFF, 0xFF, + 0x00, 0x58, 0xFF, 0xFF, 0x10, 0xFB, 0xFF, 0xFF +}; + +static unsigned iram_load_addr = 0x800000; +static unsigned stack_smash_addr = 0x837C54; + +static void +send_compal_memwrite(addr, payload, payload_len) + unsigned addr; + u_char *payload; +{ + u_char pkt[MAX_PKT_TO_TARGET]; + int i, csum, csum_offset; + + pkt[0] = RVT_TM_HEADER; + pkt[1] = 0x40; /* Compal's non-standard addition */ + pkt[2] = addr; + pkt[3] = addr >> 8; + pkt[4] = addr >> 16; + pkt[5] = addr >> 24; + bcopy(payload, pkt + 6, payload_len); + csum_offset = payload_len + 6; + csum = 0; + for (i = 1; i < csum_offset; i++) + csum ^= pkt[i]; + pkt[i] = 
csum; + send_pkt_to_target(pkt, i + 1); +} + +main(argc, argv) + char **argv; +{ + extern char *optarg; + extern int optind; + int c; + fd_set fds; + + while ((c = getopt(argc, argv, "l:")) != EOF) + switch (c) { + case 'l': + logfname = optarg; + continue; + case '?': + default: +usage: fprintf(stderr, + "usage: %s [options] ttyport\n", argv[0]); + exit(1); + } + if (argc - optind != 1) + goto usage; + baudrate_name = "57600"; /* what Compal phones use */ + open_target_serial(argv[optind]); + + set_serial_nonblock(0); + setlinebuf(stdout); + if (logfname) { + logF = fopen(logfname, "w"); + if (!logF) { + perror(logfname); + exit(1); + } + setlinebuf(logF); + fprintf(logF, "*** Log of TFC139 break-in session ***\n"); + } + output_line("Sending IRAM payload"); + send_compal_memwrite(iram_load_addr, iram_payload, sizeof iram_payload); + for (;;) { + FD_ZERO(&fds); + FD_SET(target_fd, &fds); + c = select(target_fd+1, &fds, 0, 0, 0); + time(&logtime); + if (c < 0) { + if (errno == EINTR) + continue; + perror("select"); + exit(1); + } + if (FD_ISSET(target_fd, &fds)) + process_serial_rx(); + } +} + +handle_rx_packet() +{ + switch (rxpkt[0]) { + case RVT_RV_HEADER: + if (rxpkt_len < 6) + goto unknown; + print_rv_trace(); + return; + case RVT_L1_HEADER: + print_l1_trace(); + return; + case RVT_L23_HEADER: + print_g23_trace(); + return; + case RVT_TM_HEADER: + print_etm_output_raw(); + return; + default: + unknown: + print_unknown_packet(); + } +}
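Review bot: send_compal_memwrite copies payload_len bytes into the fixed local pkt[MAX_PKT_TO_TARGET] with bcopy and then stores the checksum at pkt[payload_len + 6] without ever checking that payload_len + 7 fits, so a caller passing a larger payload overruns a stack buffer (the only caller today passes the 112-byte iram_payload, and MAX_PKT_TO_TARGET lives in ../include/limits.h, which is not visible in this patch, so whether that already fits cannot be confirmed here). Because the K&R parameter list leaves payload_len undeclared it also defaults to int while the caller passes a size_t from sizeof; I would declare it `size_t payload_len;` and guard the copy with `if (payload_len + 7 > MAX_PKT_TO_TARGET) { fprintf(stderr, "memwrite payload too long\n"); exit(1); }` before the bcopy. On the receive side handle_rx_packet checks rxpkt_len only for RVT_RV_HEADER before calling print_rv_trace; whether print_l1_trace, print_g23_trace and print_etm_output_raw validate rxpkt_len themselves cannot be seen here (format.c is outside this patch), so it is worth confirming they do, since rxpkt comes straight off the serial line of a device this tool is deliberately putting into an abnormal state. stack_smash_addr and wakeup_after_sec are declared but unused in this commit, which is presumably the "started" state the message describes.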