I'm working on a project that is supposed to take a pre-prepared iBSS image and jump to it using a limera1n base. Here is the code:

    @constants -----------------------------------
    .pool
    .set BOOTROM_A4, 0x00342e34
    .set a4_jump_to, 0x5a5d
    .set a4_usb_wait_for_image, 0x4c85
    .set a4_aes_crypto_cmd, 0x686d
    .text
    @main code -----------------------------------
    .code 16
    _start: .global _start
        MOV R7, PC
        B entry_point
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
    entry_point:
        @LSR R7, #2
        @LSL R7, #2
        LDR R1, =a4_usb_wait_for_image
        LDR R0, =loadaddr
        LDR R1, =max_size
        @ boot that image
        MOV R0, #0
        LDR R1, =loadaddr
        MOV R2, #0
        LDR R3, [R7, #8]
        BLX R3 @ device vanishes from USB pool after this
    @-----------------------------------------------------
    memcpy:
    _memcpy_loop:
        LDRB R3, [R1]
        STRB R3, [R0]
        ADD R0, #1
        ADD R1, #1
        SUB R2, #1
        CMP R2, #0
        BNE _memcpy_loop
        BX LR
    @-----------------------------------------------------
    .end

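The point is to be able to send a custom loader to the device over USB early in the boot chain, using limera1n or stage-2 SHAtter. The only problem is that as soon as the code hits the last BLX R3, the device stops responding to USB commands, so I can't upload the second stage.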