1.So this RCM message buffer is the header where it checks this length, for example.

因，例， RCM 息缓冲区检查长度的标头。

2.It has no other chance than to go into RCM, so we can exploit it.

除了进入 RCM，它没有其他机会，所以们可以利用它。

3.This is what one of these RCM messages looks like.

这其中一条 RCM 息的样子。

4.And then here is the RCM payload buffer.

然后这里 RCM 有效负载缓冲区。

5.For example, this one here is right now used for the bulk transfer to receive the RCM message.

例，这里的这个现在用于批量传以接收 RCM 息。

6.We started looking at the RCM code.

们开始查看 RCM 代码。

7.And it turns out the bug is actually in the RCM code.

事实证明，该错误实际上存在于 RCM 代码中。

8.And that RCM receive message function comes before RCM message validate signatures.

并且 RCM 接收息函数出现在 RCM 息验证签名之前。

9.So it never returns from this RCM receive message function.

所以它永远不会从 RCM 接收息函数返回。

10.And yeah, we just put our code here into that RCM payload.

的，们只们的代码放入 RCM 负载中。

11.So what the boot ROM does is the RCM message, the 680 bytes will be put here into the global variables.

所以boot ROM做的就RCM信息，这680字节会被放到这里的全局变量中。

12.And yeah, we can use this RCM to execute our own code without any kind of signature checks.

的，们可以使用这个 RCM 来执行们自己的代码，而无需任何类型的签名检查。

13.Of course, we can't just use this because RCM as well enforces security.

当然，们不能只使用它，因为 RCM 也会强制执行安全性。

14.And then the following code that calls try to load from RCM is just going to jump into the code that you just downloaded.

然后调用尝试从 RCM 加载的以下代码跳转到您刚刚下载的代码中。

15.After that, we call a function that's called RCM receive message.

之后，们调用一个名为 RCM 接收息的函数。

16.Then we jump into this RCM thing.

然后们跳进这个 RCM 的事情。

17.You hold plus, turn it on, and you're in RCM, and you can launch the exploit.

你按住加号，打开它，你就在 RCM 中，你可以启动漏洞利用。

18.So we have this try load from RCM call.

所以们从 RCM 调用中尝试加载。

19.So then it copies the payload also into memory into a different place than this RCM message buffer.

因，它有效负载也复制到内存中与 RCM 息缓冲区不同的位置。

20.And it directly goes into the RCM path.

它直接进入 RCM 路径。