CS35L27-Covert-Channel-Analysis/docs/analysis-methods.md

Analysis Methods

This document describes only the data sources and factual binary/trace analysis techniques used in this forensic investigation.

Data Sources

• CS35L27 8051 firmware binary (Region 32, 4096 bytes) extracted from hardware.
• codecctl.txt: Registry and configuration dump obtained via device utilities; used for register offset and initialization value analysis.
• TraceV3 files:
  • logdata_LiveData.tracev3 (3.3 MB)
  • 00000000000076e4.tracev3 (7.6 MB)
  • 000000000000442d.tracev3 (870 KB)
  • 00000000000012fa.tracev3 (643 KB)
  • 0000000000000005.timesync (46 KB)

Objective Analysis Techniques

• Static code analysis of 8051 binaries using Ghidra and Binwalk.
• String and pattern search via strings, regex, and custom scripts.
• Use of codecctl.txt for mapping register use and initialization state.
• Function boundary, call/return and jump/dispatch analysis via 8051 disassembly.
• Entropy mapping of binary regions for obfuscation/encryption checks.
• Systematic cross-check of firmware code/constant addresses with observed runtime behaviors in TraceV3 (hex and ASCII context).
• Counting and cataloging of event types including extended I2C commands, GPIO toggling, and I2S register values.

No non-public sources, inference, or speculation beyond direct result of binary/runtime/config file examination are recorded here.