So this RCM message buffer is the header where it checks this length, for example.

因此，例如，此 RCM 消缓冲区检查此长度的标头。

It has no other chance than to go into RCM, so we can exploit it.

除了进入 RCM，它没有他机会，所以我们可以利用它。

This is what one of these RCM messages looks like.

中一条 RCM 消的样子。

And then here is the RCM payload buffer.

然后里 RCM 有效负载缓冲区。

For example, this one here is right now used for the bulk transfer to receive the RCM message.

例如，里的个现在用于批量传以接收 RCM 消。

We started looking at the RCM code.

我们开始查看 RCM 代码。

And it turns out the bug is actually in the RCM code.

事实证明，该错误实际上存在于 RCM 代码中。

And that RCM receive message function comes before RCM message validate signatures.

并且 RCM 接收消出现在 RCM 消验证签名之前。

So it never returns from this RCM receive message function.

所以它永远不会从此 RCM 接收消返回。

And yeah, we just put our code here into that RCM payload.

的，我们只将我们的代码放入 RCM 负载中。

So what the boot ROM does is the RCM message, the 680 bytes will be put here into the global variables.

所以boot ROM做的就RCM信，680字节会被放到里的全局变量中。

And yeah, we can use this RCM to execute our own code without any kind of signature checks.

的，我们可以使用个 RCM 来执行我们自己的代码，而无需任何类型的签名检查。

Of course, we can't just use this because RCM as well enforces security.

当然，我们不能只使用它，因为 RCM 也会强制执行安全性。

And then the following code that calls try to load from RCM is just going to jump into the code that you just downloaded.

然后调用尝试从 RCM 加载的以下代码将跳转到您刚刚下载的代码中。

After that, we call a function that's called RCM receive message.

之后，我们调用一个名为 RCM 接收消的。

Then we jump into this RCM thing.

然后我们跳进个 RCM 的事情。

You hold plus, turn it on, and you're in RCM, and you can launch the exploit.

你按住加号，打开它，你就在 RCM 中，你可以启动漏洞利用。

So we have this try load from RCM call.

所以我们从 RCM 调用中尝试加载。

So then it copies the payload also into memory into a different place than this RCM message buffer.

因此，它将有效负载也复制到内存中与此 RCM 消缓冲区不同的位置。

And it directly goes into the RCM path.

它直接进入 RCM 路径。