# HG changeset patch # User Michael Spacefalcon # Date 1403396264 0 # Node ID 2d8ab1b0df8d5933c986b0c2131ef6117a77f0e7 # Parent 15e69d31c96fee835a2283dae18d1129887e1d1e rvinterf/doc/tfc139.usage: written doc/Compal-unlock: typo fix diff -r 15e69d31c96f -r 2d8ab1b0df8d doc/Compal-unlock --- a/doc/Compal-unlock Sat Jun 21 23:50:25 2014 +0000 +++ b/doc/Compal-unlock Sun Jun 22 00:17:44 2014 +0000 @@ -142,7 +142,7 @@ proceed directly to feeding loadagent to the Calypso boot ROM. You should now be in full control of the phone via fc-loadtool. -There is one additional quick worth mentioning. It appears that Mot/Compal's +There is one additional quirk worth mentioning. It appears that Mot/Compal's main fw (at least TF's version 8.8.17, which is the version we break into with tfc139; other versions are anyone's guess) keeps resetting the RTC alarm registers in the Calypso DBB as it runs, always keeping the alarm time in the @@ -164,7 +164,7 @@ (powered on with the "Insert SIM" message on the LCD), but it reaches this state almost instantly, without going through the power-on LCD logo and buzz phase. Odd, but harmless. This explanation has been included to save other hackers -the hours of bewildered head-scratching I spent chasing this quick down. +the hours of bewildered head-scratching I spent chasing this quirk down. Dumping and reloading flash =========================== diff -r 15e69d31c96f -r 2d8ab1b0df8d rvinterf/doc/tfc139.usage --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/rvinterf/doc/tfc139.usage Sun Jun 22 00:17:44 2014 +0000 
@@ -0,0 +1,38 @@ +The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the +rvinterf/rvtdump skeleton, and it needs to be invoked as follows: + +tfc139 [options] /dev/ttyXXX + +In the well-tested use case of breaking into TFC139 phones with fw version +8.8.17, no options are normally needed, but the following options are supported: + +-a address + + This option changes the RAM address into which the "shellcode" is to be + written; the argument is always interpreted as hex. The default is + 0x800000, as used by the mot931c.exe closed source tool on whose + reverse-engineering our hack-utility is based. + +-B baud + + This option changes the serial baud rate just like in rvinterf and + rvtdump, but the default is 57600 as needed for breaking into TFC139 + firmware. + +-l logfile + + Log activity in a file, just like rvinterf and rvtdump. + +-s address + + Just like mot931c.exe has been observed to do, we start our stack + smashing attempts at a certain address, and keep incrementing by 4 + until we either succeed or crash the fw in some other way that does not + help us. This option changes the starting address for these stack + smashing attempts; the argument is always interpreted as hex. The + default is 0x837C54, as observed from the reverse engineering of + mot931c. + +-w number_in_seconds + + See rvinterf.usage; the option is the same for tfc139 as for rvinterf.
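Review bot: in the new rvinterf/doc/tfc139.usage, the -w entry only says "See rvinterf.usage" while every other option in this file spells out its meaning and default; since a usage file is read on its own, it should state what the number of seconds controls and what the default is (or repeat the one-line description from rvinterf.usage). Similarly, -a and -s say the argument "is always interpreted as hex" but not whether a leading 0x is accepted or rejected; one sentence either way avoids a user passing 0x800000 and getting a parse error or, worse, a silently wrong address. The -l entry would also benefit from the same treatment as -B: say explicitly that the logfile format and behaviour are identical to rvinterf/rvtdump rather than "just like", so a reader knows nothing tfc139-specific is added to the log.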