view rvinterf/doc/tfc139.usage @ 416:30f6d1c32c6f
doc/Flash-boot-defect article removed (no longer relevant)
This article is no longer relevant because the issue in question
only affected one (1) defective FCDEV3B board which was not
and never will be sold.
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Fri, 26 Oct 2018 07:11:08 +0000 |
parents | e7502631a0f9 |
children |
The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
rvinterf/rvtdump skeleton, and it needs to be invoked as follows:

    tfc139 [options] /dev/ttyXXX

In the well-tested use case of breaking into TFC139 phones with fw version
8.8.17, no options are normally needed, but the following options are
supported:

-a address

    This option changes the RAM address into which the "shellcode" is to be
    written; the argument is always interpreted as hex.  The default is
    0x800000, as used by the mot931c.exe closed source tool on whose
    reverse-engineering our hack-utility is based.

-B baud

    This option changes the serial baud rate just like in rvinterf and
    rvtdump, but the default is 57600 as needed for breaking into TFC139
    firmware.

-l logfile

    Log activity in a file, just like rvinterf and rvtdump.

-s address

    Just like mot931c.exe has been observed to do, we start our stack
    smashing attempts at a certain address, and keep incrementing by 4 until
    we either succeed or crash the fw in some other way that does not help
    us.  This option changes the starting address for these stack smashing
    attempts; the argument is always interpreted as hex.  The default is
    0x837C54, as observed from the reverse engineering of mot931c.

-w number_in_seconds

    See rvinterf.usage; the option is the same for tfc139 as for rvinterf.