comparison doc/TFC139-breakin @ 987:7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
author | Mychaela Falconia <falcon@ivan.Harhan.ORG> |
---|---|
date | Sat, 12 Dec 2015 08:24:08 +0000 |
parents | 3f67d5bf96ef |
children |
986:65418b391513 | 987:7a55a3eb985a |
---|---|
46 * Once the word at 0x2060 has been programmed (in the flash memory sense) from | 46 * Once the word at 0x2060 has been programmed (in the flash memory sense) from |
47 0xDDDDDDDD down to 0x00000000, the phone is irreversibly locked and has lost | 47 0xDDDDDDDD down to 0x00000000, the phone is irreversibly locked and has lost |
48 its ability to ever run a different firmware version, like a kamikaze pilot's | 48 its ability to ever run a different firmware version, like a kamikaze pilot's |
49 plane that has discarded its landing gear and can only crash now. | 49 plane that has discarded its landing gear and can only crash now. |
50 | 50 |
51 TFC139 recovery | 51 Recovery procedure |
52 =============== | 52 ================== |
53 | 53 |
54 While it probably was Compal's, Motorola's and TracFone's intent that the | 54 While it probably was Compal's, Motorola's and various carriers' intent that the |
55 bootloader lock on their phones be truly irreversible, some genius out there | 55 bootloader lock on their phones be truly irreversible, the unlocking community |
56 (we may never know who this person was/is) has found a way to recover the | 56 has now developed a method for recovering these phones (restoring their ability |
57 reflashing capability on at least one very common flock of locked-down phones: | 57 to run any firmware of the user's choice) which (we hope) will work with all of |
58 North American C139 units (1900+850 MHz hardware) sold with TracFone branding, | 58 the existing locked-down firmware versions. It works as follows: |
59 firmware version 8.8.17. Here is how it goes: | |
60 | 59 |
61 * Even though the bootloader is locked down, if one boots the full fw regularly, | 60 * Even though the bootloader is locked down, if one boots the full fw regularly, |
62 one can still access the RVTMUX interface which the TI-based fw implements | 61 one can still access the RVTMUX interface which the TI-based fw implements |
63 for debug trace and factory programming functions. One needs to key in the | 62 for debug trace and factory programming functions. One needs to key in the |
64 magic sequence **16379# into the running fw, and a hidden menu will appear, | 63 magic sequence **16379# into the running fw, and a hidden menu will appear, |
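Review bot: the rewritten scope paragraph (new lines 55-58) drops the only concrete statement of where the procedure is known to work (old lines 57-59: North American C139 units, 1900+850 MHz hardware, TracFone branding, fw version 8.8.17) and replaces it with "(we hope) will work with all of the existing locked-down firmware versions"; suggest keeping a short list of the firmware versions on which the recovery has actually been exercised next to the hope, so a reader holding an untested version can tell a verified claim from an expected one.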
72 Test Mode commands, and these TM commands just happen to include raw memory | 71 Test Mode commands, and these TM commands just happen to include raw memory |
73 read and write operations at an arbitrary address. (For a while we were | 72 read and write operations at an arbitrary address. (For a while we were |
74 under a mistaken belief that these commands were Compal's inventions, until | 73 under a mistaken belief that these commands were Compal's inventions, until |
75 we discovered TI's original TM predating ETM.) | 74 we discovered TI's original TM predating ETM.) |
76 | 75 |
77 * The ingenious idea our hero came up with is that one can use the RVTMUX TM | 76 * The ability to write arbitrary bytes into arbitrary RAM locations while the |
78 memory write command to write a piece of "shellcode" into an unused RAM | 77 phone firmware is running means that we can inject a piece of shellcode into |
79 location, and then use those very same memory write commands to cause a | 78 an unused RAM location and then cause this shellcode to gain execution by |
80 transfer of control to this code by overwriting a function return address on | 79 overwriting a function return address on the stack. |
81 the stack! | |
82 | 80 |
83 * Once you can execute your own code on the Calypso, everything becomes possible | 81 * Once you can execute your own code on the Calypso, everything becomes possible |
84 once again. At that point one can trivially reverse the bootloader lock by | 82 once again. At that point one can trivially reverse the bootloader lock by |
85 erasing flash sector 0 and rewriting it with 0xDDDDDDDD in the 0x2060 word, | 83 erasing flash sector 0 and rewriting it with 0xDDDDDDDD in the 0x2060 word, |
86 or even better, rewriting this boot sector with an older version of the boot | 84 or even better, rewriting this boot sector with an older version of the boot |
87 code that lacks the locking malfeature altogether. | 85 code that lacks the locking malfeature altogether. |
88 | 86 |
89 In the FreeCalypso suite the tfc139 host utility performs the break-in using | 87 Procedure variations: old mot931c.exe vs. new tfc139 |
90 the RVTMUX TM memory write and stack smashing method just described. The | 88 ==================================================== |
91 "shellcode" injected by tfc139 re-enables the Calypso chip's own boot ROM and | 89 |
90 We first became aware of the possibility of recovering locked-down phones as | |
91 described above in the spring of 2014 when FreeCalypso developer Space Falcon | |
92 became aware of the existence of Windows utility mot931c.exe (binary w/o source) | |
93 that performs a variant of this unlocking procedure specific to one particular | |
94 locked-down firmware version: C139 phones with TracFone branding, fw version | |
95 8.8.17. At first we had replicated the operation of this Windows tool verbatim | |
96 in our own Unix/Linux-based tfc139 libre tool; this variant of the shellcode- | |
97 based unlocking procedure worked well on TFC139 units, but could not crack other | |
98 locked-down fw versions, e.g., Cingular-branded C139 phones with fw version | |
99 1.9.24. | |
100 | |
101 Subsequent investigation revealed that whoever wrote that mot931c.exe Windows | |
102 tool had not studied the operation of Motorola/Compal's TI-based firmware deeply | |
103 enough, and implemented their shellcode injection quite suboptimally: the stack | |
104 smashing process is hitting the wrong stack (not the stack of the L1A task in | |
105 whose context the Test Mode commands sent over the UART are executing), and it | |
106 is only through dumb luck that this version of the break-in procedure worked | |
107 at all. The limitation of working only with one specific fw version results | |
108 from this poor method of shellcode injection (mindless choice of the wrong stack | |
109 for smashing), and instead of adapting it in a version-specific manner to other | |
110 particular locked-down fw versions at hand, I (Space Falcon) reimplemented our | |
111 tfc139 utility to smash the right stack (that of the L1A task), and thereby | |
112 made it generic to all Mot C1xx firmware versions. | |
113 | |
114 Our Compal firmware break-in utility is still called tfc139, but it is no longer | |
115 specific to TFC139 phones; instead it should work with all Mot C1xx firmwares. | |
116 The shellcode injected by tfc139 re-enables the Calypso chip's own boot ROM and | |
92 jumps to it; this boot ROM will endlessly wait for a serial download because | 117 jumps to it; this boot ROM will endlessly wait for a serial download because |
93 the word at 0x2000 contains neither 0 nor 1 (it is part of an identifying ASCII | 118 the word at 0x2000 contains neither 0 nor 1 (it is part of an identifying ASCII |
94 string in Mot/Compal's fw), and the operator can then run fc-loadtool to | 119 string in Mot/Compal's fw), and the operator can then run fc-loadtool to |
95 perform arbitrary flash operations. | 120 perform arbitrary flash operations. |
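Review bot: the new section states that the rewritten tfc139 is "generic to all Mot C1xx firmware versions" (new line 112) and "should work with all Mot C1xx firmwares" (new line 115), which is stronger than the "(we hope)" wording the same changeset puts in the recovery section; suggest aligning the two and naming the versions the new tool has been run against (the text itself names TracFone 8.8.17, which the old mot931c.exe variant handled, and Cingular 1.9.24, which it could not), since "generic" currently rests on the argument about the L1A task stack rather than on a stated test record. Minor style point: the voice shifts from "we"/"our" to "I (Space Falcon)" at new line 110; pick one for the section.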