mirror of
https://github.com/JGoyd/CS35L27-Covert-Channel-Analysis.git
synced 2026-02-12 17:22:48 +00:00
26 lines
1.3 KiB
Markdown
26 lines
1.3 KiB
Markdown
# Analysis Methods
|
|
|
|
This document describes only the data sources and factual binary/trace analysis techniques used in this forensic investigation.
|
|
|
|
## Data Sources
|
|
- CS35L27 8051 firmware binary (Region 32, 4096 bytes) extracted from hardware.
|
|
- `codecctl.txt`: Registry and configuration dump obtained via device utilities; used for register offset and initialization value analysis.
|
|
- TraceV3 files:
|
|
- logdata_LiveData.tracev3 (3.3 MB)
|
|
- 00000000000076e4.tracev3 (7.6 MB)
|
|
- 000000000000442d.tracev3 (870 KB)
|
|
- 00000000000012fa.tracev3 (643 KB)
|
|
- 0000000000000005.timesync (46 KB)
|
|
|
|
## Objective Analysis Techniques
|
|
|
|
- Static code analysis of 8051 binaries using Ghidra and Binwalk.
|
|
- String and pattern search via `strings`, regex, and custom scripts.
|
|
- Use of `codecctl.txt` for mapping register use and initialization state.
|
|
- Function boundary, call/return and jump/dispatch analysis via 8051 disassembly.
|
|
- Entropy mapping of binary regions for obfuscation/encryption checks.
|
|
- Systematic cross-check of firmware code/constant addresses with observed runtime behaviors in TraceV3 (hex and ASCII context).
|
|
- Counting and cataloging of event types including extended I2C commands, GPIO toggling, and I2S register values.
|
|
|
|
No non-public sources, inference, or speculation beyond direct result of binary/runtime/config file examination are recorded here.
|