So let us find the exact location of the "unlock" byte. Tracing the string "Do not need password authentication for configuration!" through the instructions at ROM:801F9168, the "unlock" byte appears to be at address 0x8034FF94. Now let us verify it. From the memory dump at 0x80000000, the firmware decompression is already finished before address 0x80014BC0, and the instruction "jalr $s0" there jumps to address 0x80020000. From IDA Pro we know that $at equals 0x80020000, so if we change the instruction "jalr $s0" at ROM:0x80014BC0 to "sw $s0, -4($at)", then once the image has been decompressed it will store the contents of $s0 to 0x8001FFFC and the boot will stop there instead of jumping. Reading the contents of address 0x8001FFFC then tells us whether ZyNOS was about to jump to 0x80020000 or somewhere else.
Let's try it:
Bootbase Version: VTC_SPI1.26 | 2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode
RAS Version: 1.0.0 Build 121121 Rel.08870
System ID: $2.12.58.23(G04.BZ.4)3.20.7.020120518_V003 | 2012/05/18

Press any key to enter debug mode within 3 seconds.
............
Enter Debug Mode
ATEN1,A847D6B1
OK
ATWL80014BC0,ac30fffc
OK
atgr
(Compressed)
        Version: FDATA, start: bfc85830
        Length: A94C, Checksum: DCEE
        Compressed Length: 1D79, Checksum: 01BB
Flash data is the same!!
(Compressed)
        Version: ADSL ATU-R, start: bfc95830
        Length: 3E7004, Checksum: 3336
        Compressed Length: 122D57, Checksum: 3612
ERROR
atrl8001fffc
8001FFFC:80020000
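As an added example that is not part of the original post, the following Python script encodes the replacement MIPS instruction to confirm the word written with ATWL, recognises the original "jalr" word, and parses the atrl reply to recover the saved jump target. The register numbers and opcodes come from the MIPS32 ISA; the addresses are the ones quoted above, and the helper names are my own.

```python
# Added example: verify the ZyNOS boot-patch arithmetic from the post.
# Register numbers and opcodes are from the MIPS32 ISA (not from the post);
# 0x8001FFFC and the sample atrl reply are the values quoted in the post.

MIPS_REGS = {"zero": 0, "at": 1, "s0": 16, "ra": 31}  # only the registers used here
OP_SW = 0x2B          # I-type opcode for "sw"
FUNCT_JALR = 0x09     # SPECIAL-opcode funct for "jalr"


def encode_sw(rt, offset, base):
    """Encode `sw $rt, offset($base)` as a 32-bit MIPS I-type word."""
    if not -32768 <= offset <= 32767:
        raise ValueError("offset must fit in a signed 16-bit immediate")
    return ((OP_SW << 26)
            | (MIPS_REGS[base] << 21)
            | (MIPS_REGS[rt] << 16)
            | (offset & 0xFFFF))


def decode_jalr(word):
    """Return the rs register name if `word` is a `jalr` instruction, else None."""
    if (word >> 26) != 0 or (word & 0x3F) != FUNCT_JALR:
        return None
    rs = (word >> 21) & 0x1F
    return next((name for name, num in MIPS_REGS.items() if num == rs), f"r{rs}")


def parse_atrl(reply):
    """Parse a debug-console `atrl` reply of the form ADDR:VALUE into two ints."""
    addr, value = reply.strip().split(":")
    return int(addr, 16), int(value, 16)


def boot_jump_target(reply, expected_addr=0x8001FFFC):
    """Return the address ZyNOS would have jumped to, as saved by the patched sw."""
    addr, value = parse_atrl(reply)
    if addr != expected_addr:
        raise ValueError(f"reply is for {addr:#x}, expected {expected_addr:#x}")
    return value


if __name__ == "__main__":
    patched = encode_sw("s0", -4, "at")
    print(f"ATWL80014BC0,{patched:08x}")               # ATWL80014BC0,ac30fffc
    print(decode_jalr(0x0200F809))                     # s0  (the original jalr $s0)
    print(hex(boot_jump_target("8001FFFC:80020000")))  # 0x80020000
```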