FreeCalypso > hg > freecalypso-tools
view rvinterf/doc/tfc139.usage @ 1011:6d9b10633f10 default tip
etmsync Pirelli IMEI retrieval: fix poor use of printf()
Bug reported by Vadim Yanitskiy <fixeria@osmocom.org>: the construct
where a static-allocated string was passed to printf() without any
format arguments causes newer compilers to report a security problem.
Given that formatted output is not needed here, just fixed string
output, change printf() to fputs(), and direct the error message
to stderr while at it.
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Thu, 23 May 2024 17:29:57 +0000 |
| parents | e7502631a0f9 |
| children |
line wrap: on
line source
The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the rvinterf/rvtdump skeleton, and it needs to be invoked as follows: tfc139 [options] /dev/ttyXXX In the well-tested use case of breaking into TFC139 phones with fw version 8.8.17, no options are normally needed, but the following options are supported: -a address This option changes the RAM address into which the "shellcode" is to be written; the argument is always interpreted as hex. The default is 0x800000, as used by the mot931c.exe closed source tool on whose reverse-engineering our hack-utility is based. -B baud This option changes the serial baud rate just like in rvinterf and rvtdump, but the default is 57600 as needed for breaking into TFC139 firmware. -l logfile Log activity in a file, just like rvinterf and rvtdump. -s address Just like mot931c.exe has been observed to do, we start our stack smashing attempts at a certain address, and keep incrementing by 4 until we either succeed or crash the fw in some other way that does not help us. This option changes the starting address for these stack smashing attempts; the argument is always interpreted as hex. The default is 0x837C54, as observed from the reverse engineering of mot931c. -w number_in_seconds See rvinterf.usage; the option is the same for tfc139 as for rvinterf.