FreeCalypso > hg > freecalypso-tools

view rvinterf/doc/tfc139.usage @ 921:74d284add54d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fc-fsio: guard against bogus readdir results from the target If the FFS being operated on contains SE K2x0 extended filenames, readdir will return strings that are bad for printing. We need to guard against this possibility, and also against possible other bogosity that could be sent by other alien firmwares.
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 31 Dec 2022 22:55:23 +0000
parents e7502631a0f9
children
line wrap: on
line source

The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
rvinterf/rvtdump skeleton, and it needs to be invoked as follows:

tfc139 [options] /dev/ttyXXX

In the well-tested use case of breaking into TFC139 phones with fw version
8.8.17, no options are normally needed, but the following options are supported:

-a address

	This option changes the RAM address into which the "shellcode" is to be
	written; the argument is always interpreted as hex.  The default is
	0x800000, as used by the mot931c.exe closed source tool on whose
	reverse-engineering our hack-utility is based.

-B baud

	This option changes the serial baud rate just like in rvinterf and
	rvtdump, but the default is 57600 as needed for breaking into TFC139
	firmware.

-l logfile

	Log activity in a file, just like rvinterf and rvtdump.

-s address

	Just like mot931c.exe has been observed to do, we start our stack
	smashing attempts at a certain address, and keep incrementing by 4
	until we either succeed or crash the fw in some other way that does not
	help us.  This option changes the starting address for these stack
	smashing attempts; the argument is always interpreted as hex.  The
	default is 0x837C54, as observed from the reverse engineering of
	mot931c.

-w number_in_seconds

	See rvinterf.usage; the option is the same for tfc139 as for rvinterf.