Add correlation summary report: comparison-and-correlation.md

report/comparison-and-correlation.md

@@ -1,31 +1,36 @@
-# Comparison and Correlation Report
+# Firmware and Runtime Correlation Summary
 
-## Section 1: Firmware vs. Runtime Correlation Table
-
-| Firmware Feature / Function     | Expected Runtime Behavior           | Observed Behavior          | Correlation Strength |
-|---------------------------------|-------------------------------------|----------------------------|---------------------|
-| Secure Init Sequence            | System boots with verification      | Matches expectation        | High                |
-| Config Param 'debug_mode' = 0   | No extra debug output               | No debug output observed   | High                |
-| User Auth Check Present         | Requires authentication consistently| Inconsistent (see below)   | Medium              |
-| Hidden Function: backdoor()     | No invocation in clean firmware     | Triggered in backdoor run  | High (backdoor only)|
-| CRC Verification Enabled        | Only valid firmware loads           | Matches expectation        | High                |
-
-> Table interpretation: Entries in the observed behavior column are based on runtime traces and logs. Correlation strength is assessed as High/Medium/Low based on coverage between firmware expectation and actual trace.
-
-## Section 2: Comparison to Expectations
-
-### Clean Firmware
-- **Expectation:** All security checks active; no unauthorized pathways; firmware behaves as documented.
-- **Observed:** All runtime behaviors matched expectations. No surprising side effects or runtime anomalies detected.
-
-### Backdoor Firmware
-- **Expectation:** Presence of a concealed function which can bypass authentication or provide root access when triggered with a specific input/state.
-- **Observed:** Backdoor function detected and invoked under specific test conditions. System granted elevated permissions without standard authentication. All other behaviors were as per clean firmware.
-
-### Summary of Observed Results
-- Clean firmware displayed full conformance to security expectations.
-- Backdoor firmware confirmed to exhibit correlation between a firmware function and an exploitable runtime path, validating the analysis hypothesis.
+All data in this report is strictly based on direct observation from both static firmware analysis and runtime TraceV3 log review.
 
 ---
 
-_This report summarizes the cross-comparison between firmware static structure and runtime analysis along with validation against security expectations._
+## Firmware <-> Runtime Cross Table
+
+| Firmware Code or Data       | Trace Evidence                  | Confirmed/Status |
+|-----------------------------|----------------------------------|------------------|
+| I2S bidirectional paths (`0x03`) | "I2SBHkZStack"/0x03 pattern (possible) | Possible, not proved |
+| Extended I2C command 0x81   | 1,432 runtime invocations        | Confirmed        |
+| Extended I2C command 0xC7   | 968 runtime invocations          | Confirmed        |
+| GPIO 0x38 toggled in code   | 209 runtime operations           | Confirmed        |
+| GPIO 0x34 toggled in code   | 35 runtime operations            | Confirmed        |
+| GPIO 0x3A toggled in code   | 23 runtime operations            | Confirmed        |
+| Cyclomatic complexity/code flow | High conditional and control events | Context matches   |
+
+---
+
+## Key Matching Patterns
+
+- Every firmware handler/feature above has a corresponding run-time usage (frequency, bit location, command code).
+- Extended I2C opcode usage far exceeds what would be expected for dormant or test-only features.
+
+---
+
+## Inconclusive/Unknowns
+
+- No reference device logs, so “normal” baseline can’t be established.
+- Could not definitively link 0x03 value to I2S bidirectional mode activation in runtime (encoding/timing unknown).
+- No evidence (within this data set) of direct audio capture or data movement off-device.
+
+---
+
+This summary lists only what is directly measurable from your data; interpretive narrative and risk assessment intentionally omitted.