mirror of
https://github.com/mytechnotalent/Embedded-Hacking.git
synced 2026-07-18 18:07:30 +02:00
Updated DS refs
This commit is contained in:
@@ -0,0 +1,186 @@
|
||||
# Week 2 Quiz: Debugging and Hacking Basics
|
||||
|
||||
## Instructions
|
||||
Choose the best answer for each question. There is only one correct answer per question.
|
||||
|
||||
---
|
||||
|
||||
## Questions
|
||||
|
||||
### Question 1
|
||||
What does "live hacking" mean in the context of embedded systems?
|
||||
|
||||
A) Recompiling source code to change what a program does
|
||||
B) Modifying a program while it is actively running on real hardware
|
||||
C) Writing a new program to replace an existing one
|
||||
D) Using Wi-Fi to remotely update firmware
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 1 – "What is Live Hacking?"
|
||||
|
||||
**Correct Answer: B**
|
||||
|
||||
---
|
||||
|
||||
### Question 2
|
||||
Which GDB command connects to the OpenOCD debug server running on the default port?
|
||||
|
||||
A) `connect localhost:3333`
|
||||
B) `attach openocd`
|
||||
C) `target extended-remote :3333`
|
||||
D) `link remote 3333`
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 6, Step 4 – "Connect to the Remote Debug Server"
|
||||
|
||||
**Correct Answer: C**
|
||||
|
||||
---
|
||||
|
||||
### Question 3
|
||||
Why is the string `"hello, world"` stored in flash memory (starting with address `0x10...`) rather than in RAM?
|
||||
|
||||
A) Flash memory is faster to read than RAM
|
||||
B) The string is a constant defined at compile time and stored in read-only flash
|
||||
C) The compiler always puts strings in flash to save RAM
|
||||
D) The Pico SDK forces all strings into flash for security
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 2 – "Why This Matters for Our Hack"
|
||||
|
||||
**Correct Answer: B**
|
||||
|
||||
---
|
||||
|
||||
### Question 4
|
||||
Why does the command `set $r0 = "hacky, world\r"` fail when used in GDB on a bare-metal embedded system?
|
||||
|
||||
A) GDB does not support the `set` command
|
||||
B) The string is too long to fit in the register
|
||||
C) There is no `malloc()` available because there is no operating system or C runtime
|
||||
D) Flash memory prevents any write operations through GDB
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 10 – "The Failed Hack Attempt (Learning Why)"
|
||||
|
||||
**Correct Answer: C**
|
||||
|
||||
---
|
||||
|
||||
### Question 5
|
||||
Why is address `0x20000000` (the start of SRAM) a safe place to write an injected string during the hack?
|
||||
|
||||
A) It is in flash memory which is permanently writable
|
||||
B) The stack lives at the bottom of SRAM so there is no risk of collision
|
||||
C) It is in read-write SRAM and far from the stack, which grows downward from the top of SRAM
|
||||
D) The bootrom reserves this address specifically for debug payloads
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 11, Step 12 – "Understanding the Solution"
|
||||
|
||||
**Correct Answer: C**
|
||||
|
||||
---
|
||||
|
||||
### Question 6
|
||||
Which GDB command correctly writes the string `"hacky, world\r"` into SRAM at address `0x20000000`?
|
||||
|
||||
A) `write 0x20000000 "hacky, world\r"`
|
||||
B) `set {char[14]} 0x20000000 = {'h','a','c','k','y',',',' ','w','o','r','l','d','\r','\0'}`
|
||||
C) `poke 0x20000000 "hacky, world\r"`
|
||||
D) `memset 0x20000000 "hacky, world\r" 14`
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 11, Step 13 – "Create Our Malicious String in SRAM"
|
||||
|
||||
**Correct Answer: B**
|
||||
|
||||
---
|
||||
|
||||
### Question 7
|
||||
What is the purpose of the `b.n 0x1000023a` instruction found at the end of `main`?
|
||||
|
||||
A) It calls the `puts()` function
|
||||
B) It returns from the `main` function back to the reset handler
|
||||
C) It creates an infinite loop by jumping back to the `ldr r0` instruction
|
||||
D) It branches to a NMI (Non-Maskable Interrupt) handler
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 7, Step 6 – "Examine the Main Function" (instruction table)
|
||||
|
||||
**Correct Answer: C**
|
||||
|
||||
---
|
||||
|
||||
### Question 8
|
||||
In the ARM Cortex-M33 calling convention, which register holds the first argument passed to a function?
|
||||
|
||||
A) `r1`
|
||||
B) `r0`
|
||||
C) `sp`
|
||||
D) `lr`
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 7 – "The Key Insight" and Part 12, Step 15 – "Change r0 to Point to Our String"
|
||||
|
||||
**Correct Answer: B**
|
||||
|
||||
---
|
||||
|
||||
### Question 9
|
||||
What does the GDB command `x/s $r0` display?
|
||||
|
||||
A) The hexadecimal value stored in register `r0`
|
||||
B) The 10 bytes of memory starting at the address in `r0`
|
||||
C) The null-terminated string stored at the memory address contained in `r0`
|
||||
D) The assembly instruction located at the address in `r0`
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 9, Step 10 – "Examine What's in r0"
|
||||
|
||||
**Correct Answer: C**
|
||||
|
||||
---
|
||||
|
||||
### Question 10
|
||||
Why does GDB say "automatically using hardware breakpoints for read-only addresses" when setting a breakpoint in flash?
|
||||
|
||||
A) Hardware breakpoints are faster than software breakpoints
|
||||
B) Software breakpoints work by modifying code in memory, but flash is read-only at runtime
|
||||
C) The Pico 2 does not support software breakpoints at all
|
||||
D) GDB defaults to hardware breakpoints for all embedded targets
|
||||
|
||||
> 📖 **Reference:** Week 2, Part 8, Step 7 – "Set a Strategic Breakpoint" (hardware breakpoints explanation)
|
||||
|
||||
**Correct Answer: B**
|
||||
|
||||
---
|
||||
|
||||
## Answer Key
|
||||
|
||||
1. B - Live hacking means modifying a program while it is actively running on real hardware
|
||||
2. C - `target extended-remote :3333` connects to the OpenOCD server on port 3333
|
||||
3. B - The string is a compile-time constant stored in read-only flash memory (.rodata)
|
||||
4. C - Bare-metal systems have no OS and no `malloc()` for GDB to allocate string memory
|
||||
5. C - SRAM starting at 0x20000000 is read-write and far from the stack at the top of SRAM
|
||||
6. B - The `set {char[N]} ADDRESS = {...}` syntax writes individual characters directly to memory
|
||||
7. C - `b.n` is a branch instruction that jumps back to create the infinite loop
|
||||
8. B - Register `r0` holds the first argument to a function in ARM calling convention
|
||||
9. C - `x/s` examines memory and displays it as a null-terminated string
|
||||
10. B - Software breakpoints require writing to code memory, which is impossible in read-only flash
|
||||
|
||||
---
|
||||
|
||||
## Scoring Guide
|
||||
|
||||
- **10 correct**: Excellent! You have a strong grasp of Week 2 concepts
|
||||
- **8-9 correct**: Very good! Review the topics you missed
|
||||
- **6-7 correct**: Good start. Go back and review the key concepts
|
||||
- **5 or fewer**: Review the Week 2 material again and try the practice exercises
|
||||
|
||||
---
|
||||
|
||||
## Topics Covered
|
||||
|
||||
This quiz tests your understanding of:
|
||||
- Live hacking and its real-world applications
|
||||
- GDB connection and debug session setup
|
||||
- Flash vs SRAM memory properties (read-only vs read-write)
|
||||
- Why bare-metal systems lack `malloc()`
|
||||
- Writing data directly to SRAM with GDB
|
||||
- ARM calling convention and register `r0`
|
||||
- The infinite loop instruction `b.n`
|
||||
- Hardware vs software breakpoints
|
||||
- Examining memory and strings with GDB
|
||||
- The complete attack flow: breakpoint → examine → inject → hijack → continue
|
||||
Reference in New Issue
Block a user