comparison rvinterf/doc/tfc139.usage @ 0:e7502631a0f9

initial import from freecalypso-sw rev 1033:5ab737ac3ad7
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 11 Jun 2016 00:13:35 +0000
-1:000000000000 0:e7502631a0f9
1 The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
2 rvinterf/rvtdump skeleton, and it needs to be invoked as follows:
3
4 tfc139 [options] /dev/ttyXXX
5
6 In the well-tested use case of breaking into TFC139 phones with fw version
7 8.8.17, no options are normally needed, but the following options are supported:
8
9 -a address
10
11 This option changes the RAM address into which the "shellcode" is to be
12 written; the argument is always interpreted as hex. The default is
13 0x800000, as used by the mot931c.exe closed source tool on whose
14 reverse-engineering our hack-utility is based.
15
16 -B baud
17
18 This option changes the serial baud rate just like in rvinterf and
19 rvtdump, but the default is 57600 as needed for breaking into TFC139
20 firmware.
21
22 -l logfile
23
24 Log activity in a file, just like rvinterf and rvtdump.
25
26 -s address
27
28 Just like mot931c.exe has been observed to do, we start our stack
29 smashing attempts at a certain address, and keep incrementing by 4
30 until we either succeed or crash the fw in some other way that does not
31 help us. This option changes the starting address for these stack
32 smashing attempts; the argument is always interpreted as hex. The
33 default is 0x837C54, as observed from the reverse engineering of
34 mot931c.
35
36 -w number_in_seconds
37
38 See rvinterf.usage; the option is the same for tfc139 as for rvinterf.
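
Review bot: The -w entry at the end of the file documents nothing locally. It only points to rvinterf.usage, so someone reading this file alone cannot tell what the number of seconds controls or what the default is. Suggest adding a one-line summary and the default here, in the same way the -B entry states its own default of 57600. Separately, the -a and -s entries say the argument is "always interpreted as hex" while the defaults are written as 0x800000 and 0x837C54; please state whether a leading 0x is accepted on the command line or whether bare hex digits are expected.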