changeset 359:144b5d222de8

tfc139 hack utility started, compiles
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Thu, 15 May 2014 10:32:30 +0000
parents b39802cd9329
children f9d78057d766
files .hgignore rvinterf/lowlevel/Makefile rvinterf/lowlevel/tfc139.c
diffstat 3 files changed, 157 insertions(+), 1 deletions(-) [+]
--- a/.hgignore	Thu May 15 09:50:23 2014 +0000
+++ b/.hgignore	Thu May 15 10:32:30 2014 +0000
@@ -26,6 +26,7 @@
 ^rvinterf/g23sh/g23sh$
 ^rvinterf/lowlevel/rvinterf$
 ^rvinterf/lowlevel/rvtdump$
+^rvinterf/lowlevel/tfc139$
 ^rvinterf/misc/fc-sendsp$
 ^rvinterf/old/etmsend$
 ^rvinterf/old/rvtdump$
--- a/rvinterf/lowlevel/Makefile	Thu May 15 09:50:23 2014 +0000
+++ b/rvinterf/lowlevel/Makefile	Thu May 15 10:32:30 2014 +0000
@@ -1,6 +1,6 @@
 CC=	gcc
 CFLAGS=	-O2
-PROGS=	rvtdump rvinterf
+PROGS=	rvtdump rvinterf tfc139
 INSTBIN=/usr/local/bin
 LIBG23=	../libg23/libg23.a
 
@@ -9,6 +9,8 @@
 RVINTERF_OBJS=	clientcmd.o format.o localsock.o logsent.o openport.o output.o \
 		packetrx.o packettx.o pktfwd.o rvifmain.o
 
+TFC139_OBJS=	format.o openport.o output.o packetrx.o packettx.o tfc139.o
+
 all:	${PROGS}
 
 rvtdump:	${RVTDUMP_OBJS} ${LIBG23}
@@ -17,6 +19,9 @@
 rvinterf:	${RVINTERF_OBJS} ${LIBG23}
 	${CC} ${CFLAGS} -o $@ ${RVINTERF_OBJS} ${LIBG23}
 
+tfc139:		${TFC139_OBJS} ${LIBG23}
+	${CC} ${CFLAGS} -o $@ ${TFC139_OBJS} ${LIBG23}
+
 install:	${PROGS}
 	mkdir -p ${INSTBIN}
 	install -c ${PROGS} ${INSTBIN}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/rvinterf/lowlevel/tfc139.c	Thu May 15 10:32:30 2014 +0000
@@ -0,0 +1,150 @@
+/*
+ * This program is a contender for the title of the ugliest hack
+ * in the FreeCalypso project.  It will attempt to break into a
+ * locked-down TracFone C139 by mimicking the actions of the
+ * mot931c.exe TF "unlocker".
+ */
+
+#include <sys/types.h>
+#include <sys/errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
+#include "../include/pktmux.h"
+#include "../include/limits.h"
+
+extern int target_fd;
+extern char *baudrate_name;
+
+extern u_char rxpkt[];
+extern size_t rxpkt_len;
+
+char *logfname;
+FILE *logF;
+time_t logtime;
+int no_output;	/* for output.c */
+
+int wakeup_after_sec = 7;
+
+/* see ../../target-utils/tf-breakin/payload.S for the source */
+static u_char iram_payload[112] = {
+	0xD3, 0xF0, 0x21, 0xE3, 0x58, 0x10, 0x9F, 0xE5,
+	0xF5, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1,
+	0xA0, 0x00, 0xA0, 0xE3, 0xB2, 0x00, 0xC1, 0xE1,
+	0x48, 0x60, 0x9F, 0xE5, 0x05, 0x00, 0xD6, 0xE5,
+	0x20, 0x00, 0x10, 0xE3, 0xFC, 0xFF, 0xFF, 0x0A,
+	0x2C, 0x10, 0x8F, 0xE2, 0x06, 0x20, 0xA0, 0xE3,
+	0x01, 0x00, 0xD1, 0xE4, 0x00, 0x00, 0xC6, 0xE5,
+	0x01, 0x20, 0x52, 0xE2, 0xFB, 0xFF, 0xFF, 0x1A,
+	0x05, 0x00, 0xD6, 0xE5, 0x40, 0x00, 0x10, 0xE3,
+	0xFC, 0xFF, 0xFF, 0x0A, 0x18, 0x10, 0x9F, 0xE5,
+	0x01, 0x2C, 0xA0, 0xE3, 0xB0, 0x20, 0xC1, 0xE1,
+	0x00, 0xF0, 0xA0, 0xE3, 0x02, 0x02, 0x02, 0x4F,
+	0x4B, 0x02, 0x00, 0x00, 0x02, 0xF8, 0xFF, 0xFF,
+	0x00, 0x58, 0xFF, 0xFF, 0x10, 0xFB, 0xFF, 0xFF
+};
+
+static unsigned iram_load_addr = 0x800000;
+static unsigned stack_smash_addr = 0x837C54;
+
+static void
+send_compal_memwrite(addr, payload, payload_len)
+	unsigned addr;
+	u_char *payload;
+{
+	u_char pkt[MAX_PKT_TO_TARGET];
+	int i, csum, csum_offset;
+
+	pkt[0] = RVT_TM_HEADER;
+	pkt[1] = 0x40;		/* Compal's non-standard addition */
+	pkt[2] = addr;
+	pkt[3] = addr >> 8;
+	pkt[4] = addr >> 16;
+	pkt[5] = addr >> 24;
+	bcopy(payload, pkt + 6, payload_len);
+	csum_offset = payload_len + 6;
+	csum = 0;
+	for (i = 1; i < csum_offset; i++)
+		csum ^= pkt[i];
+	pkt[i] = csum;
+	send_pkt_to_target(pkt, i + 1);
+}
+
+main(argc, argv)
+	char **argv;
+{
+	extern char *optarg;
+	extern int optind;
+	int c;
+	fd_set fds;
+
+	while ((c = getopt(argc, argv, "l:")) != EOF)
+		switch (c) {
+		case 'l':
+			logfname = optarg;
+			continue;
+		case '?':
+		default:
+usage:			fprintf(stderr,
+				"usage: %s [options] ttyport\n", argv[0]);
+			exit(1);
+		}
+	if (argc - optind != 1)
+		goto usage;
+	baudrate_name = "57600";	/* what Compal phones use */
+	open_target_serial(argv[optind]);
+
+	set_serial_nonblock(0);
+	setlinebuf(stdout);
+	if (logfname) {
+		logF = fopen(logfname, "w");
+		if (!logF) {
+			perror(logfname);
+			exit(1);
+		}
+		setlinebuf(logF);
+		fprintf(logF, "*** Log of TFC139 break-in session ***\n");
+	}
+	output_line("Sending IRAM payload");
+	send_compal_memwrite(iram_load_addr, iram_payload, sizeof iram_payload);
+	for (;;) {
+		FD_ZERO(&fds);
+		FD_SET(target_fd, &fds);
+		c = select(target_fd+1, &fds, 0, 0, 0);
+		time(&logtime);
+		if (c < 0) {
+			if (errno == EINTR)
+				continue;
+			perror("select");
+			exit(1);
+		}
+		if (FD_ISSET(target_fd, &fds))
+			process_serial_rx();
+	}
+}
+
+handle_rx_packet()
+{
+	switch (rxpkt[0]) {
+	case RVT_RV_HEADER:
+		if (rxpkt_len < 6)
+			goto unknown;
+		print_rv_trace();
+		return;
+	case RVT_L1_HEADER:
+		print_l1_trace();
+		return;
+	case RVT_L23_HEADER:
+		print_g23_trace();
+		return;
+	case RVT_TM_HEADER:
+		print_etm_output_raw();
+		return;
+	default:
+	unknown:
+		print_unknown_packet();
+	}
+}
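Review bot: send_compal_memwrite copies payload_len bytes into the fixed-size `pkt[MAX_PKT_TO_TARGET]` at offset 6 and then stores the checksum at `pkt[payload_len + 6]` without checking that `payload_len + 7 <= MAX_PKT_TO_TARGET`; the only caller today passes the 112-byte iram_payload, so whether that fits depends on MAX_PKT_TO_TARGET in ../include/limits.h, which is not visible in this hunk. A guard before the bcopy would make the helper safe for any future caller and match the file's existing exit-on-error style: `if (payload_len < 0 || payload_len + 7 > MAX_PKT_TO_TARGET) { fprintf(stderr, "send_compal_memwrite: payload too long\n"); exit(1); }`. payload_len is also absent from the K&R parameter declarations, so it silently defaults to int; declaring it explicitly (`int payload_len;`) alongside addr and payload documents the intent and lets the compiler check the call site.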