===========================================
Fullflash - the complete contents of the phone's memory.
fw (firmware) - the phone's software, colloquially the "flash". It is roughly what Windows is on your PC: strictly speaking, the "operating system" of the phone, with its bugs and omissions, which are removed in subsequent firmware versions (though new bugs are frequently added!).
There can be pleasant surprises too, such as the appearance of a modem where there was none before, or faster Java applications. Anything can happen!
Flex - the region of the phone's memory, the only one accessible to the user, which stores the little things we enjoy: pictures, melodies, themes and so on, i.e. user content.
FFS - the complete contents of flex with the factory settings. Flex, by the way, contains not only what the user loads, but also files that the phone needs in order to work and that an ordinary user cannot manipulate: for example, the standard, non-removable pictures and melodies, configuration files, certificates, all kinds of specification files, etc.
===========================================
K700 address space layout:
CPU is ARM 926, revision 3, architecture 6
Inst Cache Size Is 16.00 kb, 4-way, 32 bytes/line.
Data Cache Size Is 8.00 kb, 4-way, 32 bytes/line.
Physical
Type________Start________End__________Size(HEX)____Size(Dec)
RAM1(in)?___0x00000000___0x00004000___0x00004000___16 k
RAM2(in)?_________0x0000B475___0x00002000__________8 k
// Vendor (0x89): Intel
// Device ID: 0x880D
NOR_________0x44000000___0x45FFFFFF___0x02000000___32 m
RAM(ext)____0x4C000000___0x4C7FFFFF___0x00800000___8 m
// Vendor (0xEC): Samsung
// Device ID: 0x0035
NAND________0x50000000___0x51FFFFFF___0x02000000___32 m
Watchdog? / timers? / UART?:
0x14000000
0x14000008
0x4200F4BC
0x4700A000
0x4B000000
0xF6000100
0xF6000200
0xF6000208
0xF6000210
0xF9090002
0xF9090008
0xF900000A
0xF9000014
0xF900001E
0xF9000032
0xF9000036
0xFE004000
0xFE004034
0xF000F000
Logical
BootCore____0x44000000____0x44020000____0x00020000____128 k
Firmware____0x44000000____0x44EFFFFF____0x00f00000____15 m
GDFS________0x44f00000____0x44FFFFFF____0x00100000____1 m
FFS_________0x45000000____0x45FFFFFF____0x01000000____16 m
FFS_________0x50000000____0x51FFFFFF____0x02000000____32 m
// YAYAD2DDCH0 - 44F00000 - Free memory
===========================================
1. To begin, we must obtain the FullFlash. For the K700 the Fullflash size is 64 MB. Download the SeTool2 program from here: http://pappfer.hu/faq/prg/st2.rar or http://www.latronik.ru/temp/speed_.unlock.rar
Next, start the cracked SeTool2 and, in the settings, select your COM port, speed, and phone model.
Set (for K700) the fields "StartAdress: $44000000" and "Length: $1000000" and press ReadFlash. Then save the file under the name 44000000_1000000.bin
Now set "StartAdress: $45000000" and "Length: $1000000" and press ReadFlash again. Then save the file under the name 45000000_1000000.bin
Repeat the same for the following (these can be skipped; the SeTool2 loader does not support them):
"StartAdress: $50000000" and "Length: $1000000"
"StartAdress: $51000000" and "Length: $1000000"
If you do not have a cable (like me), or are afraid to "torture" the phone, download these files from here (thanks to densoft):
44000000_01000000.bin - 6.8 MB
45000000_01000000.bin - 13 MB (the second file need not be downloaded; it contains only the FFS)
2. Download IDA 4.9, start it, and via File -> Open select our 44000000_1000000.bin. In the new window set "Processor type: ARM processor ARM710a" and press OK.
A new window will appear; there set "ROM start address 0x44000000" and "Loading address 0x44000000" and press OK.
In the next window, which says to wait while strings are being searched, you can press Cancel. Then do the following: File > Load File > Additional Binary File. Select, for example, the file 45000000_1000000.bin; in the window that appears, set Loading segment: 0x0 and Loading offset: 0x45000000, and clear the Code segment checkbox.
Repeat this for all the files, changing only the offset. After that, you can save the idb by exiting IDA. In IDA, press the "s" key at address 44000000 and you will get the code, which you then need to analyze. A description of the instructions can be downloaded from the link below; the file is called "TsRCh000yYu_.rvcht_.v2.y_.arm.rar"
Information taken from: http://forum.allsiemens.com/viewtopic.php?....der=.asch&.start=0
===========================================
FFS structure of the K700:
0x45000000 - 0x45FFFFFF = 64 blocks
0x50000000 - 0x51FFFFFF = 128 blocks
1 block = 0x00080000 = 512 k
At the beginning of each block lies an array of 256 dwords.
The first word in each block is always FFFFFF1F.
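A sanity check of this block layout over a raw FFS region dump, as an added example that is not part of the original post: it walks the dump block by block and flags blocks whose header is neither erased nor starts with the marker. It assumes that FFFFFF1F is written in hex-view byte order and that the dwords are little-endian; the function names and the sample dump are constructed for illustration.

```python
import struct

BLOCK_SIZE = 0x00080000      # page: 1 block = 0x00080000 (512 k)
HEADER_DWORDS = 256          # page: each block begins with an array of 256 dwords
# Assumption: "FFFFFF1F" is the byte order seen in a hex view of the dump.
MARKER = bytes.fromhex("FFFFFF1F")
HEADER_LEN = HEADER_DWORDS * 4


def scan_ffs_blocks(dump, base, block_size=BLOCK_SIZE):
    """Return one record per block of a raw FFS region dump read from `base`."""
    if len(dump) == 0 or len(dump) % block_size:
        raise ValueError("dump is not a whole number of blocks (truncated read?)")
    records = []
    for index in range(len(dump) // block_size):
        start = index * block_size
        header = bytes(dump[start:start + HEADER_LEN])
        # Assumption: dwords are little-endian, as on a little-endian ARM target.
        dwords = struct.unpack("<%dI" % HEADER_DWORDS, header)
        records.append({
            "address": base + start,
            "marker_ok": header[:4] == MARKER,
            # Erased NOR/NAND reads back as 0xFF, so an all-FF header is an empty block.
            "erased": header == b"\xff" * HEADER_LEN,
            "programmed_dwords": sum(1 for d in dwords[1:] if d != 0xFFFFFFFF),
        })
    return records


def suspect_blocks(records):
    """Addresses of blocks that are neither erased nor start with the marker."""
    return [r["address"] for r in records if not r["marker_ok"] and not r["erased"]]


def build_sample():
    """Constructed 4-block dump: two valid blocks, one erased, one corrupted."""
    buf = bytearray(b"\xff" * (4 * BLOCK_SIZE))
    buf[0:4] = MARKER
    struct.pack_into("<II", buf, 4, 0x10, 0x20)
    buf[BLOCK_SIZE:BLOCK_SIZE + 4] = MARKER
    buf[3 * BLOCK_SIZE:3 * BLOCK_SIZE + 4] = b"\x00\x00\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    for rec in scan_ffs_blocks(build_sample(), 0x45000000):
        print(hex(rec["address"]), rec)
```

A suspect block in a freshly read dump usually points to a read at the wrong start address or a truncated transfer rather than to damaged flash.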
===========================================