view rvinterf/doc/tfc139.usage @ 1011:6d9b10633f10

etmsync Pirelli IMEI retrieval: fix poor use of printf() Bug reported by Vadim Yanitskiy <fixeria@osmocom.org>: the construct where a static-allocated string was passed to printf() without any format arguments causes newer compilers to report a security problem. Given that formatted output is not needed here, just fixed string output, change printf() to fputs(), and direct the error message to stderr while at it.
author Mychaela Falconia <falcon@freecalypso.org>
date Thu, 23 May 2024 17:29:57 +0000
parents e7502631a0f9
children
line wrap: on
line source

The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
rvinterf/rvtdump skeleton, and it needs to be invoked as follows:

tfc139 [options] /dev/ttyXXX

In the well-tested use case of breaking into TFC139 phones with fw version
8.8.17, no options are normally needed, but the following options are supported:

-a address

	This option changes the RAM address into which the "shellcode" is to be
	written; the argument is always interpreted as hex.  The default is
	0x800000, as used by the mot931c.exe closed source tool on whose
	reverse-engineering our hack-utility is based.

-B baud

	This option changes the serial baud rate just like in rvinterf and
	rvtdump, but the default is 57600 as needed for breaking into TFC139
	firmware.

-l logfile

	Log activity in a file, just like rvinterf and rvtdump.

-s address

	Just like mot931c.exe has been observed to do, we start our stack
	smashing attempts at a certain address, and keep incrementing by 4
	until we either succeed or crash the fw in some other way that does not
	help us.  This option changes the starting address for these stack
	smashing attempts; the argument is always interpreted as hex.  The
	default is 0x837C54, as observed from the reverse engineering of
	mot931c.

-w number_in_seconds

	See rvinterf.usage; the option is the same for tfc139 as for rvinterf.