So this RCM message buffer is the header where it checks this length, for example.

因此，例如，此 RCM 消息冲区是检查此长度的标头。

It has no other chance than to go into RCM, so we can exploit it.

除了进入 RCM，它没有其他机会，所以我们可以利用它。

This is what one of these RCM messages looks like.

这是其中一条 RCM 消息的样子。

And then here is the RCM payload buffer.

然后这里是 RCM 有效冲区。

For example, this one here is right now used for the bulk transfer to receive the RCM message.

例如，这里的这个现在用于批量传以接收 RCM 消息。

We started looking at the RCM code.

我们开始查看 RCM 代码。

And it turns out the bug is actually in the RCM code.

事实证，误实际上存在于 RCM 代码中。

And that RCM receive message function comes before RCM message validate signatures.

并且 RCM 接收消息函数出现在 RCM 消息验证签名之前。

So it never returns from this RCM receive message function.

所以它永远不会从此 RCM 接收消息函数返回。

And yeah, we just put our code here into that RCM payload.

是的，我们只是将我们的代码放入 RCM 中。

So what the boot ROM does is the RCM message, the 680 bytes will be put here into the global variables.

所以boot ROM做的就是RCM信息，这680字节会被放到这里的全局变量中。

And yeah, we can use this RCM to execute our own code without any kind of signature checks.

是的，我们可以使用这个 RCM 来执行我们自己的代码，而无需任何类型的签名检查。

Of course, we can't just use this because RCM as well enforces security.

当然，我们不能只使用它，因为 RCM 也会强制执行安全性。

And then the following code that calls try to load from RCM is just going to jump into the code that you just downloaded.

然后调用尝试从 RCM 加的以下代码将跳转到您刚刚下的代码中。

After that, we call a function that's called RCM receive message.

之后，我们调用一个名为 RCM 接收消息的函数。

Then we jump into this RCM thing.

然后我们跳进这个 RCM 的事情。

You hold plus, turn it on, and you're in RCM, and you can launch the exploit.

你按住加号，打开它，你就在 RCM 中，你可以启动漏洞利用。

So we have this try load from RCM call.

所以我们从 RCM 调用中尝试加。

So then it copies the payload also into memory into a different place than this RCM message buffer.

因此，它将有效也复制到内存中与此 RCM 消息冲区不同的位置。

And it directly goes into the RCM path.

它直接进入 RCM 路径。