- 积分
- 1387
- 实力分
- 点
- 金钱数
- 两
- 技术分
- 分
- 贡献分
- 分
|
发表于 2005-8-9 00:23:00
|
显示全部楼层
如何寻找西门子菜单的入口地址
此为RizaPN宗师所写,为英文,我不想翻译了,因为想作PATCH修改的人应该懂得E文。希望对大家有所帮助。
Siemens Entry Point (for Menu Items)
I want to share this with all of you, who really like to read the Siemens full flash file. It is about to check the entry point for each menu items. Of course this is not the only or the best way, it just based on my experience, hope it is usefull for others.
1) Create your own language pack with its own index the beginning of each string. Refer to SkyLord software output (lgp file), modify all String xxx, "teks" to become String xxx, "xxx.teks". Use this as your menu language. Using this package, you will see, each menu items with their string index. Most of text-display function inside the flash use index as their parameter.
2) Take a look for a single menu. For example, Organiser menu (I use SL45v56 as an example). The sequence of their items index are : 014.Addressbook, 23B.SIM Location, 159.Calendar, 29C.Appointments ... 128. Help. These index are saved in the flash file in this format :
w00 w01 wIdx02 wIdx03 w04 w05 w06 w07 w08
w10 w11 wIdx12 wIdx13 w14 w15 w16 w17 w18
w00..w08 is data (word format, lo-byte,hi-byte) for the 1st menu item, w10..w18 for 2nd item ...
wIdx02 is the string index of menu item, 0014 (saved as 14 00 in the flash) for Addressbook, 023B for SIM Location, etc.
wIdx03 is the string index of menu item in Big Letter mode, 0013 for Addressbook, 080D for SIM Location, etc.
3) Search inside the flash file, the sequence of one wIdx2 and wIdx3 (index of menu item in normal mode and Big Letter mode). For example, search for 14 00 13 00 to find Addressbook menu item string index location.
4) The location of w00 of the 1st menu item (for ex. Addressbook in the Organiser menu), is saved in the flash together with the address of their function entry-point and the number of menu items.
For example, 14 00 13 00 for Addressbook is found at address 0x1A07E4 and the other format is match (wIdx12 wIdx13 are values 3B 02 0D 08 ...), it means the w00 address for Organiser menu is : 0x1A07E4 - 4 = 0x1A07E0
0x1A07E0 in the file is equal with the address 0xBA07E0 in the flash (base address for SL4x is 0xA00000), and recognized with this format : 02E8:07E0 ... 2E8 is BA07E0 div 4000 and 07E0 is BA07E0 mod 4000.
Search for that address (02E8:07E0 => E0 07 E8 02) in the location near the address of w00. The following 4 bytes (after those address bytes) are subroutines/functions address, and the word after that is the number of menu items.
Let's assume that we found : 94 08 E8 02 0A 00 as the bytes after those (E0 07 E8 02) bytes, then we know that : 02E8:0894 is the location of each subroutine, and 000A is the number of menu items.
5) Check the subroutine location, and we should found this format :
B03 B02 B01 B00 B13 B12 B11 B10 ...
B03..B00 is the address of the 1st menu item function/subroutine.
If it is : 3C EF DB 00 => then the entry point of that menu item is 00DBEF3C.
====================
6) Almost all string are called by their index. Sometimes, also usefull if we search their location in the flash by this byte sequence :
E6 F? ib2 ib1 ... => mov r?, ib1ib2
for example : E6 FC 14 00 for mov r12, 0014
7) Some of string are called indirectly. Their index is saved in the flash, and the function use that location as their parameter. Some of them use this format :
ib2 ib1 FF 7F
to save index ib1ib2 in the flash.
Allaaahu Akbar,
RizaPN |
|
IP卡
狗仔卡
发表于 2005-8-9 00:20:00
显身卡
发表于 2005-8-9 00:21:00
发表于 2005-8-9 00:32:00