FreeCalypso > hg > freecalypso-tools
view rvinterf/doc/tfc139.usage @ 921:74d284add54d
fc-fsio: guard against bogus readdir results from the target
If the FFS being operated on contains SE K2x0 extended filenames,
readdir will return strings that are bad for printing. We need to
guard against this possibility, and also against possible other
bogosity that could be sent by other alien firmwares.
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 31 Dec 2022 22:55:23 +0000 |
parents | e7502631a0f9 |
children |
line wrap: on
line source
The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the rvinterf/rvtdump skeleton, and it needs to be invoked as follows: tfc139 [options] /dev/ttyXXX In the well-tested use case of breaking into TFC139 phones with fw version 8.8.17, no options are normally needed, but the following options are supported: -a address This option changes the RAM address into which the "shellcode" is to be written; the argument is always interpreted as hex. The default is 0x800000, as used by the mot931c.exe closed source tool on whose reverse-engineering our hack-utility is based. -B baud This option changes the serial baud rate just like in rvinterf and rvtdump, but the default is 57600 as needed for breaking into TFC139 firmware. -l logfile Log activity in a file, just like rvinterf and rvtdump. -s address Just like mot931c.exe has been observed to do, we start our stack smashing attempts at a certain address, and keep incrementing by 4 until we either succeed or crash the fw in some other way that does not help us. This option changes the starting address for these stack smashing attempts; the argument is always interpreted as hex. The default is 0x837C54, as observed from the reverse engineering of mot931c. -w number_in_seconds See rvinterf.usage; the option is the same for tfc139 as for rvinterf.