2009-03-29 19:39:43
CE5.0 - Launch地址是怎么获得的_romimage和viewbin工具 使用ADS仿真软件AXD以加载memory的方式加载eboot.nb0或者nk.nb0,会发现它们image的头4个字节就是相对跳转指令b, 它们都会向后跳转viewbin中看到的偏移值大小,比如下面的b 0x2B7B4,所以对于nk.nb0位于TOC中的jumpaddr,完全可以是 nk.nb0的编译地址,而不用非要是它的经过b 0x2B7B4相加该偏移地址之后0x80001000+0x2B7B4=0x8002C7B4虚拟地址,直接跳到0x80001000虚拟地址即可, 该处的b 0x2B7B4指令会自动向后跳0x2B7B4字节,去执行程序,eboot.nb0原理类似[luther.gliethttp] 可以将C:\WINCE500\PUBLIC\COMMON\OAK\BIN\I386目录添加到系统环境PATH中,最好将它追加到路径最后,这样保证只有当在所有路径都找不到指令后才来这里查找, 让这里的.exe文件优先级最低[luther.gliethttp]. Microsoft Windows XP [版本 5.1.2600] (C) 版权所有 1985-2001 Microsoft Corp. C:\WINCE500\PBWorkspaces\QT2440\RelDir\smdk2440a_ARMV4I_Release>viewbin Filename required Usage: viewbin [ options ] Options: -d[ata] Prints all data bytes (potentially huge output!) -t[oc] Prints Table of Contents -o[bj] Prints Table of Contents and Objects Information //可以打印该bin文件包含的所有module对象[luther.gliethttp] -r[ec] Prints Record Information -sym Prints Profiling Symbol Information C:\WINCE500\PBWorkspaces\QT2440\RelDir\smdk2440a_ARMV4I_Release>viewbin -o NK.bin ViewBin... 
NK.bin Image Start = 0x80001000, length = 0x0190FD94 Start address = 0x8002C7B4 //这就是pTOC中的dwJumpAddress地址,也就是nk.exe的存储地址[luther.gliethttp] //其值等效于《CE5.0 - eboot烧写NK.nb0的详细流程》中*pdwLaunchAddr = 0x8002C794;// lanch地址也是固定的 //所以对于该nk.nb0这里就应该改为*pdwLaunchAddr = 0x8002C7B4;[luther.gliethttp] Checking record #152 for potential TOC (ROMOFFSET = 0x00000000) Found pTOC = 0x8190edc8 ROMOFFSET = 0x00000000 ROMHDR ---------------------------------------- DLL First : 0x01DA01E3 DLL Last : 0x02000000 Physical First : 0x80001000 Physical Last : 0x81910D94 RAM Start : 0x8C200000 RAM Free : 0x8C229000 RAM End : 0x8E000000 Kernel flags : 0x00000002 Prof Symbol Offset : 0x00000000 Num Copy Entries : 1 Copy Entries Offset : 0x80C23E44 Num Modules : 173 Num Files : 90 MiscFlags : 0x00000002 CPU : 0x01c2 (Thumb) Extensions : 0x80003210 ROMHDR Extensions ----------------------------- PID[0] = 0x00000000 PID[1] = 0x00000000 PID[2] = 0x00000000 PID[3] = 0x00000000 PID[4] = 0x00000000 PID[5] = 0x00000000 PID[6] = 0x00000000 PID[7] = 0x00000000 PID[8] = 0x00000000 PID[9] = 0x00000000 Next: 00000000 COPY Sections --------------------------------- Src: 0x80C88BF4 Dest: 0x8C206000 CLen: 0x3F4 DLen: 0x2266C MODULES --------------------------------------- ==== nk.exe =============================== TOCentry (nk.exe) ------------------------- dwFileAttributes : 0x7 ftTime : 3/25/2009 04:37:48 nFileSize : 0x6B000 (438272) ulE32Offset : 0x8085BF7C //入口虚拟地址,对应nk.nb0偏移值为0x8085BF7C-0x80001000=0x85AF7C //从nk.nb0的0x85AF7C偏移处读到如下数据: //0085AF70 : 00 00 00 00 00 00 00 00 E0 11 72 03 04 00 2E 01 //0085AF80 : B4 B7 02 00 00 10 00 80 05 00 00 00 00 00 01 00 //0085AF90 : 00 70 09 00 00 00 00 00 00 00 00 00 1B B5 C9 49 //e32_rom->e32_objcnt = 0x0004; //e32_rom->e32_imageflags = 0x012E; //e32_rom->e32_entryrva = 0x0002B7B4; //e32_rom->e32_vbase = 0x80001000; //e32_rom->e32_subsysmajor = 0x0005; //e32_rom->e32_subsysminor = 0x0000; //e32_rom->e32_stackmax = 0x00010000; //e32_rom->e32_vsize = 0x00097000; 
//e32_rom->e32_sect14rva = 0x00000000; //e32_rom->e32_sect14size = 0x00000000; //e32_rom->e32_timestamp = 0x49C9B51B; romimage.exe源码位于WINCE500\PRIVATE\WINCEOS\COREOS\NK\TOOLS\ROMIMAGE\ROMIMAGE目录下 经过romimage加工成的nk.nb0[luther.gliethttp] 其e32_exe数据不遵循个下面的比较完全的typedef struct e32_exe结构体,而是这样的一个精简必须项typedef struct e32_rom结构体[luther.gliethttp] typedef struct e32_rom { unsigned short e32_objcnt; /* Number of memory objects */ unsigned short e32_imageflags; /* Image flags */ unsigned long e32_entryrva; /* Relative virt. addr. of entry point */ unsigned long e32_vbase; /* Virtual base address of module */ unsigned short e32_subsysmajor;/* The subsystem major version number */ unsigned short e32_subsysminor;/* The subsystem minor version number */ unsigned long e32_stackmax; /* Maximum stack size */ unsigned long e32_vsize; /* Virtual size of the entire image */ unsigned long e32_sect14rva; /* section 14 rva */ unsigned long e32_sect14size; /* section 14 size */ unsigned long e32_timestamp; /* Time EXE/DLL was created/modified */ struct info e32_unit[ROM_EXTRA]; /* Array of extra info units */ unsigned short e32_subsys; /* The subsystem type */ } e32_rom; nk.bin其对应数据结构为 typedef struct e32_exe { /* PE 32-bit .EXE header */ unsigned char e32_magic[4]; /* Magic number E32_MAGIC */ unsigned short e32_cpu; /* The CPU type */ unsigned short e32_objcnt; /* Number of memory objects */ unsigned long e32_timestamp; /* Time EXE file was created/modified */ unsigned long e32_symtaboff; /* Offset to the symbol table */ unsigned long e32_symcount; /* Number of symbols */ unsigned short e32_opthdrsize; /* Optional header size */ unsigned short e32_imageflags; /* Image flags */ unsigned short e32_coffmagic; /* Coff magic number (usually 0x10b) */ unsigned char e32_linkmajor; /* The linker major version number */ unsigned char e32_linkminor; /* The linker minor version number */ unsigned long e32_codesize; /* Sum of sizes of all code sections */ unsigned long e32_initdsize; /* Sum of all 
initialized data size */ unsigned long e32_uninitdsize;/* Sum of all uninitialized data size */ unsigned long e32_entryrva; /* Relative virt. addr. of entry point */ unsigned long e32_codebase; /* Address of beginning of code section*/ unsigned long e32_database; /* Address of beginning of data section*/ unsigned long e32_vbase; /* Virtual base address of module */ unsigned long e32_objalign; /* Object Virtual Address align. factor*/ unsigned long e32_filealign; /* Image page alignment/truncate factor*/ unsigned short e32_osmajor; /* The operating system major ver. no. */ unsigned short e32_osminor; /* The operating system minor ver. no. */ unsigned short e32_usermajor; /* The user major version number */ unsigned short e32_userminor; /* The user minor version number */ unsigned short e32_subsysmajor;/* The subsystem major version number */ unsigned short e32_subsysminor;/* The subsystem minor version number */ unsigned long e32_res1; /* Reserved bytes - must be 0 */ unsigned long e32_vsize; /* Virtual size of the entire image */ unsigned long e32_hdrsize; /* Header information size */ unsigned long e32_filechksum; /* Checksum for entire file */ unsigned short e32_subsys; /* The subsystem type */ unsigned short e32_dllflags; /* DLL flags */ unsigned long e32_stackmax; /* Maximum stack size */ unsigned long e32_stackinit; /* Initial committed stack size */ unsigned long e32_heapmax; /* Maximum heap size */ unsigned long e32_heapinit; /* Initial committed heap size */ unsigned long e32_res2; /* Reserved bytes - must be 0 */ unsigned long e32_hdrextra; /* Number of extra info units in header*/ struct info e32_unit[STD_EXTRA]; /* Array of extra info units */ } e32_exe, *LPe32_exe; ulO32Offset : 0x80C20FA0 ulLoadOffset : 0x80001000 e32_rom (nk.exe) -------------------------- e32_objcnt : 4 e32_imageflags : 0x12E e32_entryrva : 0x2B7B4 //这个就是偏移地址,所以0x80001000+0x2B7B4=0x8002C7B4 e32_vbase : 0x80001000 e32_subsysmajor : 0x5 e32_subsysminor : 0x0 e32_stackmax : 0x10000 
e32_vsize : 0x97000 e32_timestamp : 0x49C9B51B o32_rom[0] (nk.exe) ------------------------ o32_vsize : 0x660E8 o32_rva : 0x1000 o32_psize : 0x66200 o32_dataptr : 0x80002000 o32_realaddr : 0x80002000 o32_flags : 0x60000020 o32_rom[1] (nk.exe) ------------------------ o32_vsize : 0x6000 o32_rva : 0x68000 o32_psize : 0x0 o32_dataptr : 0x806AAFFC o32_realaddr : 0x8C200000 o32_flags : 0xC0000080 o32_rom[2] (nk.exe) ------------------------ o32_vsize : 0x2266C o32_rva : 0x6E000 o32_psize : 0x3F4 o32_dataptr : 0x80C88BF4 o32_realaddr : 0x8C206000 o32_flags : 0xC0000040 o32_rom[3] (nk.exe) ------------------------ o32_vsize : 0x2098 o32_rva : 0x68000 o32_psize : 0x2200 o32_dataptr : 0x80069000 o32_realaddr : 0x80092000 o32_flags : 0x40000040 ==== coredll.dll =============================== TOCentry (coredll.dll) ------------------------- dwFileAttributes : 0x1007 ftTime : 3/25/2009 04:38:32 nFileSize : 0x88400 (558080) ulE32Offset : 0x80386F5C ulO32Offset : 0x8045FF94 ulLoadOffset : 0x80099000 e32_rom (coredll.dll) -------------------------- e32_objcnt : 4 e32_imageflags : 0x212E e32_entryrva : 0x7A68 e32_vbase : 0x3F70000 e32_subsysmajor : 0x5 e32_subsysminor : 0x0 e32_stackmax : 0x10000 e32_vsize : 0x8D000 e32_timestamp : 0x49C9B41E o32_rom[0] (coredll.dll) ------------------------ o32_vsize : 0x78298 o32_rva : 0x1000 o32_psize : 0x78400 o32_dataptr : 0x8006C000 o32_realaddr : 0x3F71000 o32_flags : 0x60000020 o32_rom[1] (coredll.dll) ------------------------ o32_vsize : 0x12A4 o32_rva : 0x7A000 o32_psize : 0x58C o32_dataptr : 0x80BE8A40 o32_realaddr : 0x1FFE000 o32_flags : 0xC0002040 o32_rom[2] (coredll.dll) ------------------------ o32_vsize : 0x5040 o32_rva : 0x7C000 o32_psize : 0x2489 o32_dataptr : 0x80D1B000 o32_realaddr : 0x3FEC000 o32_flags : 0x40002040 o32_rom[3] (coredll.dll) ------------------------ o32_vsize : 0x62AC o32_rva : 0x82000 o32_psize : 0x6400 o32_dataptr : 0x800E5000 o32_realaddr : 0x3FF2000 o32_flags : 0x40000040 ==== filesys.exe 
=============================== TOCentry (filesys.exe) ------------------------- dwFileAttributes : 0x7 ftTime : 3/25/2009 04:38:32 nFileSize : 0x37E00 (228864) ulE32Offset : 0x8034AF84 ulO32Offset : 0x8041CF98 ulLoadOffset : 0x80127000 e32_rom (filesys.exe) -------------------------- e32_objcnt : 4 e32_imageflags : 0x12F e32_entryrva : 0xBBD0 e32_vbase : 0x10000 e32_subsysmajor : 0x5 e32_subsysminor : 0x0 e32_stackmax : 0x10000 e32_vsize : 0x45000 e32_timestamp : 0x49C9B0E2 ...... C:\WINCE500\PBWorkspaces\QT2440\RelDir\smdk2440a_ARMV4I_Release> viewbin.exe源码位于:PRIVATE\WINCEOS\COREOS\NK\TOOLS\ROMIMAGE\VIEWBIN\viewbin.c [luther.gliethttp]