FreeCalypso > hg > freecalypso-tools

annotate rvinterf/doc/tfc139.usage @ 648:3229940734e5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
loadagent: binary memload command implemented
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 02 Mar 2020 02:32:18 +0000
parents e7502631a0f9
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
1 The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
2 rvinterf/rvtdump skeleton, and it needs to be invoked as follows:
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
3
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
4 tfc139 [options] /dev/ttyXXX
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
5
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
6 In the well-tested use case of breaking into TFC139 phones with fw version
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
7 8.8.17, no options are normally needed, but the following options are supported:
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
8
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
9 -a address
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
10
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
11 This option changes the RAM address into which the "shellcode" is to be
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
12 written; the argument is always interpreted as hex. The default is
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
13 0x800000, as used by the mot931c.exe closed source tool on whose
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
14 reverse-engineering our hack-utility is based.
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
15
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
16 -B baud
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
17
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
18 This option changes the serial baud rate just like in rvinterf and
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
19 rvtdump, but the default is 57600 as needed for breaking into TFC139
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
20 firmware.
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
21
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
22 -l logfile
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
23
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
24 Log activity in a file, just like rvinterf and rvtdump.
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
25
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
26 -s address
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
27
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
28 Just like mot931c.exe has been observed to do, we start our stack
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
29 smashing attempts at a certain address, and keep incrementing by 4
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
30 until we either succeed or crash the fw in some other way that does not
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
31 help us. This option changes the starting address for these stack
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
32 smashing attempts; the argument is always interpreted as hex. The
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
33 default is 0x837C54, as observed from the reverse engineering of
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
34 mot931c.
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
35
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
36 -w number_in_seconds
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
37
e7502631a0f9 initial import from freecalypso-sw rev 1033:5ab737ac3ad7
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
38 See rvinterf.usage; the option is the same for tfc139 as for rvinterf.