所以����,讓我們來找出“解鎖”字節(jié)的準確位置���。通過追蹤字符串”Do not need passwordauthentication for configuration!”����,在ROM:801F9168的指令中�,看起來“解鎖”字節(jié)在地址0x8034FF94上�,F(xiàn)在���,讓我們來驗證它���。通過0×80000000的內(nèi)存?zhèn)浞荩碳慕鈮汗ぷ髟诘刂?x80014BC0之前已經(jīng)完成�,還有通過指令”jalr $s0”跳轉(zhuǎn)到 0×80020000地址���。通過IDA Pro,我們可以知道$at 等于0×80020000,如果我們把ROM:0x80014BC0的指令”jalr $s0”更改到”sw $s0, -4($at)”���,那么當鏡像被解壓后�����,它會復制$s0里面的內(nèi)容到0x8001FFFC,然后在這停止啟動���。所以通過讀取地址0x8001FFFC的內(nèi)容,我們可以知道zynos將要跳轉(zhuǎn)到0×80020000或者其他地方����。
讓我們試一試:
BootbaseVersion: VTC_SPI1.26 | 2012/12/2616:00:00
RAM: Size= 8192 Kbytes
Found SPIFlash 2MiB Winbond W25Q16 at 0xbfc00000
SPI FlashQuad Enable
Turn offQuad Mode
RASVersion: 1.0.0 Build 121121 Rel.08870
System ID: $2.12.58.23(G04.BZ.4)3.20.7.020120518_V003 | 2012/05/18
Press anykey to enter debug mode within 3 seconds.
............
EnterDebug Mode
ATEN1,A847D6B1
OK
ATWL80014BC0, ac30fffc
OK
atgr
(Compressed)
Version: FDATA, start: bfc85830
Length: A94C, Checksum: DCEE
Compressed Length: 1D79, Checksum: 01BB
Flash datais the same!!
(Compressed)
Version: ADSL ATU-R, start: bfc95830
Length: 3E7004, Checksum: 3336
Compressed Length: 122D57, Checksum: 3612
ERROR
atrl8001fffc
8001FFFC:80020000
