简单总结
1) 最初的执行是从地址0xbfc00000开始的 我们可以通过下面操作来验证:
atgobfc00000 BootbaseVersion: VTC_SPI1.26 | 2012/12/2616:00:00 RAM: Size= 8192 Kbytes Found SPIFlash 2MiB Winbond W25Q16 at 0xbfc00000 SPI FlashQuad Enable Turn offQuad Mode RASVersion: 1.0.0 Build 121121 Rel.08870 System ID: $2.12.58.23(G04.BZ.4)3.20.7.020120518_V003 | 2012/05/18 Press anykey to enter debug mode within 3 seconds. ......... EnterDebug Mode
2) zynosbootloader 从地址0×80000000开始的。在执行的前一阶段它会解包和解压。如下所示,这并不完全是在ras固件的0x14C33镜像
cawan$binwalk ras DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 61315 0xEF83 ZyXEL rom-0 configuration block,name: "dbgarea", ... 61564 0xF07C ZyXEL rom-0 configuration block, name:"dbgarea", ... 85043 0x14C33 LZMA compressed data, properties: 0x5D... 118036 0x1CD14 Unix path: /usr/share/tabset/vt100: 118804 0x1D014 ZyXEL rom-0 configuration block, name:"spt.dat", ... 118824 0x1D028 ZyXEL rom-0 configuration block, name:"autoexec.net", ... 128002 0x1F402 GIF image data, version"89a", 200 x 50 136194 0x21402 GIF image data, version"89a", 560 x 50 244317 0x3BA5D Neighborly text, "neighbor ofyour ADSL Router that ... 281224 0x44A88 Unix path: /I/J/L/M 328173 0x501ED Copyright string: "Copyright (c)2001 - 2012 TP-LINK ... 350259 0x55833 LZMA compressed data, properties:0x5D, ... 415795 0x65833 LZMA compressed data, properties:0x5D, ...
