大家好,欢迎来到IT知识分享网。
一个bin 文件在存储上是按下面的结构存储的
组成:标记(7)+Image开始地址(1)+Image长度(1)
记录0地址+记录0长+记录0校验和+记录0内容(文件内容)
记录1地址+记录1长+记录1校验和+记录1内容(文件内容)
……
最后一条记录是表示结束,Start = 0x00000000, Length = 0x8C072C3C是StartUp地址, Chksum = 0x00000000,我的xip.bin的最后12个字节就是00 00 00 00 E4 B4 29 80 00 00 00 00,
当RecAddr和RecChk为0时表示READDATA完毕,即:DownloadBin()函数中的
while( OEMReadData (sizeof (DWORD), (LPBYTE) &dwRecAddr) &&
OEMReadData (sizeof (DWORD), (LPBYTE) &dwRecLen) &&
OEMReadData (sizeof (DWORD), (LPBYTE) &dwRecChk) )
循环退出
由 if (!dwRecAddr && !dwRecChk)
{
break;
}
得出以上的结论
bin 文件的头部(不包括记录)可以用下面的结构表示
struct BinFile{
BYTE signature[7]; // = { ”B”, ”0”, ”0”, ”0”, ”F”, ”F”, ”/a” }
DWORD ImageStart
DWORD ImageLength
};
一般xipkernel.bin,nk.bin 都符合正常bin文件格式,包含记录开始0,1,2 记录为特殊记录,2做为cece的标记,其后4byte表示 TOC地址(指向ROMHDR结构的数据),3记录开始都是文件记录,
比如coredll.dll等等。。。
//—————————————————————————————————————————————————————
比如nk.bin 文件的viewbin 查看的内容:
//—————————————————————————————————————————————————————
ViewBin… nk.bin
Image Start = 0x8C, length = 0x00DE9910
Record [ 0] : Start = 0x8C, Length = 0x00000040, Chksum = 0x00001A63 //->注意这里就是对应到结构struct Record{DWORD recaddress; DWORD reclength; DWORD chksum;void * recdata}的内容
0x8C : 4083F601 8096F601 3C18F801 64D7F901 @…….<…d…
0x8C : D025F701 0C85F601 6C26F701 C488F901 .%……l&……
0x8C : 10B6F601 0C85F601 5830F601 E086F901 ……..X0……
0x8C : 2074F601 2E 00000000 t..gwes.exe….
Chksum valid
Record [ 1] : Start = 0x8C, Length = 0x00000008, Chksum = 0x0000032D
0x8C : 048FFE8C ECEC…. //这里ECEC是我们设置的#define ROM_SIGNATURE 0x (Romldr.h),后面4byte就是pToc的内容
Chksum valid
Record [ 2] : Start = 0x8C, Length = 0x00000004, Chksum = 0x00000161
0x8C : 047FDE00 ….
Chksum valid
Record [ 3] : Start = 0x8C, Length = 0x000A37BC, Chksum = 0x043BF7FA
0x8C : 00000000 0 00000000 0 …..@uF ……..
0x8C : D D x….S…G.. …
0x8C : 45004D00 2F004700 S.Y.S.T.E.M./.G.
。。。。。。
Chksum valid
Record [131] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
Checking record #129 for potential TOC (ROMOFFSET = 0x00000000)
Found pTOC = 0x8cfe8f04
ROMOFFSET = 0x00000000
//—————————————————————————————————————————————————————
xipkernel.bin viewbin 的内容:
//—————————————————————————————————————————————————————
ViewBin… xipkernel.bin
Image Start = 0x8C000000, length = 0x001BCE90
Record [ 0] : Start = 0x8C000000, Length = 0x00000004, Chksum = 0x000001C3
0x8C000000 : 0DCB01EA ….
Chksum valid
Record [ 1] : Start = 0x8C000040, Length = 0x00000008, Chksum = 0x00000327
0x8C000040 : A0DA118C ECEC…. //注意这里的A0DA118C 就是8C11DAF4 指向record9 就是pToc的值
Chksum valid
Record [ 2] : Start = 0x8C000048, Length = 0x00000004, Chksum = 0x0000018B
0x8C000048 : A0DA1100 ….
Chksum valid
Record [ 3] : Start = 0x8C001000, Length = 0x000C5180, Chksum = 0x064E2C03
0x8C001000 : 00000000 96F37746 00000000 0 ……wF……..
0x8C001010 : DC2B0700 DC1F0700 U….+……APIS
0x8C001020 : 0 C 00000000 00000000 ….0………..
0x8C001030 : B05A078C 7CA3078C 505B078C 0C5D078C .Z..|…P[…]..
0x8C001040 : 745D078C 00000000 0 t]……….A.R.
。。。。。。
0x8C072C30 : 00000000 740A0D00 060000EA ….start……. //
0x8C072C40 : FDFFFFEA FCFFFFEA FBFFFFEA FAFFFFEA …………….
Chksum valid
Record [ 9] : Start = 0x8C11DAA0, Length = 0x00000054, Chksum = 0x00000CB3 //就是上面的pToc所指块,是一个ROMHDR结构
0x8C11DAA0 : FF01F501 00000002 0000008C 90CE1B8C …………….
0x8C11DAB0 : 0 0010208C 0000278C 00E0E68F …… …’…..
0x8C11DAC0 : 0 F0FF1A8C 00000000 00000000 …………….
0x8C11DAD0 : 0 00000000 00000000 …………….
0x8C11DAE0 : 00000000 C C 00000000 ………”……
0x8C11DAF0 : 00000000 ….
Chksum valid
Record [ 10] : Start = 0x8C11DAF4, Length = 0x0000018C, Chksum = 0x0000895E
0x8C11DAF4 : 0 005C33FC 84B2C701 00BE0C00 …../3………
0x8C11DB04 : D4BF118C CCDE0F8C 3CDF0F8C 0000008C ……..<…….
0x8C11DB14 : 0 00A1CC46 EAB0C701 00 …….F…..`..
0x8C11DB24 : DCBF118C 6CFD1A8C 9CDF0F8C 00F0128C ….l………..
0x8C11DB34 : 0 0052626B C5B0C701 00 …..Rbk…..8..
0x8C11DB44 : E8BF118C DCFD1A8C 4CFE1A8C 0020178C ……..L…. ..
。。。。。。
Chksum valid
Record [ 14] : Start = 0x00000000, Length = 0x8C072C3C, Chksum = 0x00000000 //这就是xipkernel.bin的最后一条记录其内容表示0x8C072C3C 是startup 的入口地址 // 那行就是
Start address = 0x8C072C3C //060000EA=>EA000060 的一条跳转指令 (1110[cond always] +1010[branch]+offset)
Checking record #9 for potential TOC (ROMOFFSET = 0x00000000)
Found pTOC = 0x8c11daa0
ROMOFFSET = 0x00000000
Done.
//—————————————————————————————————————————————————————
xip.bin viewbin 的内容: 是上面两个bin的结合
//—————————————————————————————————————————————————————
ViewBin… xip.bin
Image Start = 0x8C000000, length = 0x00FEA910
Start address = 0x8C072C3C
Checking record #9 for potential TOC (ROMOFFSET = 0x00000000)
Found pTOC = 0x8c11daa0
ROMOFFSET = 0x00000000
Checking record #9 for potential TOC (ROMOFFSET = 0xFF134B9C) //-》FF134B9C-》ECB464 =14m多??????
Checking record #144 for potential TOC (ROMOFFSET = 0x00000000)
Found pTOC = 0x8cfe8f04
ROMOFFSET = 0x00000000
//—————————————————————————————————————————————————————
chain.bin viewbin 的内容: 是上面两个bin的结合
//—————————————————————————————————————————————————————
ViewBin… chain.bin
Image Start = 0x8C, length = 0x00000528
Record [ 0] : Start = 0x8C, Length = 0x00000528, Chksum = 0x0000084B
0x8C : 0 0000008C 90CE1B00 00002000 ………….. . //填充xipkernel部分的_XIPCHAIN_ENTRY 的内容
0x8C : 0 00000000 B 45524E45 ……..XIPKERNE
0x8C : 4C000000 00000000 00000000 00000000 L……………
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C2000A0 : 00000000 00000000 00000000 00000000 …………….
0x8C2000B0 : 00000000 00000000 00000000 00000000 …………….
0x8C2000C0 : 00000000 00000000 00000000 00000000 …………….
0x8C2000D0 : 00000000 00000000 00000000 00000000 …………….
0x8C2000E0 : 00000000 00000000 00000000 00000000 …………….
0x8C2000F0 : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C2001A0 : 00000000 00000000 00000000 00000000 …………….
0x8C2001B0 : 00000000 00000000 00000000 00000000 …………….
0x8C2001C0 : 00000000 00000000 00000000 00000000 …………….
0x8C2001D0 : 00000000 00000000 00000000 00000000 …………….
0x8C2001E0 : 00000000 00000000 00000000 00000000 …………….
0x8C2001F0 : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 0010208C 1099DE00 00009001 …… ……… //0010208C 开始就是 填充nk部分的_XIPCHAIN_ENTRY 的内容
0x8C2002A0 : 0 00000000 4E4B0000 00000000 ……..NK……
0x8C2002B0 : 00000000 00000000 00000000 00000000 …………….
0x8C2002C0 : 00000000 00000000 00000000 00000000 …………….
0x8C2002D0 : 00000000 00000000 00000000 00000000 …………….
0x8C2002E0 : 00000000 00000000 00000000 00000000 …………….
0x8C2002F0 : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C2003A0 : 00000000 00000000 00000000 00000000 …………….
0x8C2003B0 : 00000000 00000000 00000000 00000000 …………….
0x8C2003C0 : 00000000 00000000 00000000 00000000 …………….
0x8C2003D0 : 00000000 00000000 00000000 00000000 …………….
0x8C2003E0 : 00000000 00000000 00000000 00000000 …………….
0x8C2003F0 : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C2004A0 : 00000000 00000000 00000000 00000000 …………….
0x8C2004B0 : 00000000 00000000 00000000 00000000 …………….
0x8C2004C0 : 00000000 00000000 00000000 00000000 …………….
0x8C2004D0 : 00000000 00000000 00000000 00000000 …………….
0x8C2004E0 : 00000000 00000000 00000000 00000000 …………….
0x8C2004F0 : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 00000000 00000000 …………….
0x8C : 00000000 00000000 ……..
Chksum valid
Record [ 1] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
只有1条有效记录,一条记录分成两部分对应xipkernel.bin 和nk.bin,使用结构
typedef struct _XIPCHAIN_ENTRY {
LPVOID pvAddr; // address of the XIP // 根据这个地址可以找到pToc!!!!!!
DWORD dwLength; // the size of the XIP
DWORD dwMaxLength; // the biggest it can grow to
USHORT usOrder; // where to put into ROMChain_t
USHORT usFlags; // flags/status of XIP
DWORD dwVersion; // version info
CHAR szName[XIP_NAMELEN]; // Name of XIP, typically the bin file’s name, w/o .bin
DWORD dwAlgoFlags; // algorithm to use for signature verification
DWORD dwKeyLen; // length of key in byPublicKey
BYTE byPublicKey[596]; // public key data
} XIPCHAIN_ENTRY, *PXIPCHAIN_ENTRY;
//其他相关结构:
typedef struct ROMHDR {
ULONG dllfirst; // first DLL address
ULONG dlllast; // last DLL address
ULONG physfirst; // first physical address
ULONG physlast; // highest physical address
ULONG nummods; // number of TOCentry’s
ULONG ulRAMStart; // start of RAM
ULONG ulRAMFree; // start of RAM free space
ULONG ulRAMEnd; // end of RAM
ULONG ulCopyEntries; // number of copy section entries
ULONG ulCopyOffset; // offset to copy section
ULONG ulProfileLen; // length of PROFentries RAM
ULONG ulProfileOffset; // offset to PROFentries
ULONG numfiles; // number of FILES
ULONG ulKernelFlags; // optional kernel flags from ROMFLAGS .bib config option
ULONG ulFSRamPercent; // Percentage of RAM used for filesystem
// from FSRAMPERCENT .bib config option
// byte 0 = #4K chunks/Mbyte of RAM for filesystem 0-2Mbytes 0-255
// byte 1 = #4K chunks/Mbyte of RAM for filesystem 2-4Mbytes 0-255
// byte 2 = #4K chunks/Mbyte of RAM for filesystem 4-6Mbytes 0-255
// byte 3 = #4K chunks/Mbyte of RAM for filesystem > 6Mbytes 0-255
ULONG ulDrivglobStart; // device driver global starting address
ULONG ulDrivglobLen; // device driver global length
USHORT usCPUType; // CPU (machine) Type
USHORT usMiscFlags; // Miscellaneous flags
PVOID pExtensions; // pointer to ROM Header extensions
ULONG ulTrackingStart; // tracking memory starting address
ULONG ulTrackingLen; // tracking memory ending address
} ROMHDR;
本文来自CSDN博客,转载请标明出处:bin文件格式分析
免责声明:本站所有文章内容,图片,视频等均是来源于用户投稿和互联网及文摘转载整编而成,不代表本站观点,不承担相关法律责任。其著作权各归其原作者或其出版社所有。如发现本站有涉嫌抄袭侵权/违法违规的内容,侵犯到您的权益,请在线联系站长,一经查实,本站将立刻删除。 本文来自网络,若有侵权,请联系删除,如若转载,请注明出处:https://haidsoft.com/154667.html
