changeset 433:2d8ab1b0df8d

rvinterf/doc/tfc139.usage: written doc/Compal-unlock: typo fix
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Sun, 22 Jun 2014 00:17:44 +0000
parents 15e69d31c96f
children 3822f3b198d4
files doc/Compal-unlock rvinterf/doc/tfc139.usage
diffstat 2 files changed, 40 insertions(+), 2 deletions(-)
--- a/doc/Compal-unlock	Sat Jun 21 23:50:25 2014 +0000
+++ b/doc/Compal-unlock	Sun Jun 22 00:17:44 2014 +0000
@@ -142,7 +142,7 @@
 proceed directly to feeding loadagent to the Calypso boot ROM.  You should now
 be in full control of the phone via fc-loadtool.
 
-There is one additional quick worth mentioning.  It appears that Mot/Compal's
+There is one additional quirk worth mentioning.  It appears that Mot/Compal's
 main fw (at least TF's version 8.8.17, which is the version we break into with
 tfc139; other versions are anyone's guess) keeps resetting the RTC alarm
 registers in the Calypso DBB as it runs, always keeping the alarm time in the
@@ -164,7 +164,7 @@
 (powered on with the "Insert SIM" message on the LCD), but it reaches this state
 almost instantly, without going through the power-on LCD logo and buzz phase.
 Odd, but harmless.  This explanation has been included to save other hackers
-the hours of bewildered head-scratching I spent chasing this quick down.
+the hours of bewildered head-scratching I spent chasing this quirk down.
 
 Dumping and reloading flash
 ===========================
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/rvinterf/doc/tfc139.usage	Sun Jun 22 00:17:44 2014 +0000
@@ -0,0 +1,38 @@
+The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
+rvinterf/rvtdump skeleton, and it needs to be invoked as follows:
+
+tfc139 [options] /dev/ttyXXX
+
+In the well-tested use case of breaking into TFC139 phones with fw version
+8.8.17, no options are normally needed, but the following options are supported:
+
+-a address
+
+	This option changes the RAM address into which the "shellcode" is to be
+	written; the argument is always interpreted as hex.  The default is
+	0x800000, as used by the mot931c.exe closed source tool on whose
+	reverse-engineering our hack-utility is based.
+
+-B baud
+
+	This option changes the serial baud rate just like in rvinterf and
+	rvtdump, but the default is 57600 as needed for breaking into TFC139
+	firmware.
+
+-l logfile
+
+	Log activity in a file, just like rvinterf and rvtdump.
+
+-s address
+
+	Just like mot931c.exe has been observed to do, we start our stack
+	smashing attempts at a certain address, and keep incrementing by 4
+	until we either succeed or crash the fw in some other way that does not
+	help us.  This option changes the starting address for these stack
+	smashing attempts; the argument is always interpreted as hex.  The
+	default is 0x837C54, as observed from the reverse engineering of
+	mot931c.
+
+-w number_in_seconds
+
+	See rvinterf.usage; the option is the same for tfc139 as for rvinterf.
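Review bot: the -w entry only points at rvinterf.usage without saying what the number of seconds controls, so this file does not stand on its own; add a one-line summary here even if the full description lives in rvinterf.usage. For -a and -s, "the argument is always interpreted as hex" leaves it ambiguous whether a leading 0x is accepted or rejected; since the documented defaults are written as 0x800000 and 0x837C54, state explicitly which form the parser takes. The -s text also says the loop runs "until we either succeed or crash the fw in some other way that does not help us" but not how the user can tell which outcome occurred or what to do afterwards (e.g. power-cycle and rerun with a different -s value); a sentence on that would save the next reader the trial and error the Compal-unlock document describes.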