diff --git a/WEEK09/WEEK09.md b/WEEK09/WEEK09.md index 6c312aa..8076562 100644 --- a/WEEK09/WEEK09.md +++ b/WEEK09/WEEK09.md @@ -175,8 +175,8 @@ bool result = (x > y) && (y > x); // false AND true = false Bitwise operators work on the binary representation of numbers: ```c -int x = 6; // Binary: 0b00000110 -int result = x << 1; // Shift left by 1: 0b00001100 = 12 +int x = 6; // Binary: 0b00000110 +int result = x << 1; // Shift left by 1: 0b00001100 = 12 ``` ``` @@ -436,14 +436,14 @@ Let's trace through what happens to `x`: | Variable x Through the Program | | | | Line | x value | Result | -| ------------------+---------+--------------------------------- | +| ------------------+---------+--------------------------------- | | int x = 5; | 5 | x initialized to 5 | | x * y | 5 | arithmetic = 5 * 10 = 50 | -| x++ | 5->6 | increment = 5 (then x becomes 6) | +| x++ | 5->6 | increment = 5 (then x becomes 6)| | x > y | 6 | relational = (6 > 10) = false | | (x>y) && (y>x) | 6 | logical = false && true = false | | x << 1 | 6 | bitwise = 6 << 1 = 12 | -| x += 5 | 6->11 | assignment = 6 + 5 = 11 | +| x += 5 | 6->11 | assignment = 6 + 5 = 11 | | | +-----------------------------------------------------------------+ ``` @@ -534,11 +534,11 @@ x/60i 0x10000234 You should see the operator calculations and function calls: ``` -0x10000234: push {r4, r5, r6, r7, lr} -0x10000236: sub sp, #20 -0x10000238: bl 0x10003014 ; stdio_init_all -0x1000023c: movs r0, #4 ; GPIO 4 for DHT11 -0x1000023e: bl 0x100003b4 ; dht11_init + 0x10000234
: push {r4, r5, r6, r7, lr} + 0x10000236 : sub sp, #20 + 0x10000238 : bl 0x10003384 + 0x1000023c : movs r0, #4 + 0x1000023e : bl 0x100002d4 ... ``` @@ -549,20 +549,12 @@ b *0x10000234 c ``` -GDB responds: -``` -Breakpoint 1 at 0x10000234 -Continuing. - -Breakpoint 1, 0x10000234 in ?? () -``` - ### Step 11: Find the Operator Calculations The compiler likely optimized many of these calculations at compile time. Look for immediate values: ``` -x/30i 0x10000240 +x/32i 0x10000240 ``` You may see values like: @@ -576,7 +568,7 @@ You may see values like: Set a breakpoint before the first printf and examine registers: -``` +```gdb b *0x10000262 c i r r0 r1 @@ -584,18 +576,22 @@ i r r0 r1 You should see: - `r0` = address of format string -- `r1` = value to print (50 for arithmetic_operator) +- `r1` = value to print ### Step 13: Examine the Format Strings -``` -x/s 0x10003xxx +```gdb +x/s 0x10003978 ``` -Find the format strings like: -``` -"arithmetic_operator: %d\r\n" -"increment_operator: %d\r\n" +Find the format strings and value for print: +```gdb +(gdb) x/s 0x10003978 +0x10003978: "Humidity: %.1f%%, Temperature: %.1fA°C\r\n" +(gdb) x/x 0x4037cccc +0x4037cccc: 0x00 +(gdb) x/x $r1 +0x4037cccc: 0x00 ... ``` @@ -603,23 +599,24 @@ Find the format strings like: Find where dht11_read is called: -``` -x/10i 0x100002a0 +```gdb +(gdb) x/3i 0x1000029f ``` You'll see stack addresses being passed as arguments: ``` -add r0, sp, #0x8 ; Address of hum variable -add r1, sp, #0xc ; Address of temp variable -bl dht11_read + 0x1000029f : add r1, sp, #12 + 0x100002a1 : add r0, sp, #8 + 0x100002a3 : bl 0x100002f4 ``` ### Step 15: Watch the Float Values After dht11_read returns, examine the float values on the stack: -``` -x/2fw $sp+8 +```gdb +(gdb) x/2fw $sp+8 +0x20081fe0: 62 23.7999992 ``` This shows the humidity and temperature as floats. @@ -628,7 +625,7 @@ This shows the humidity and temperature as floats. Continue execution and watch the values: -``` +```gdb c ``` 
@@ -826,8 +823,8 @@ bl FUN_xxxxx ; sleep_ms This is trickier! Look for a function call with TWO address arguments: ```assembly -add r0, sp, #0x8 ; Address of hum on stack add r1, sp, #0xc ; Address of temp on stack +add r0, sp, #0x8 ; Address of hum on stack bl FUN_xxxxx ; dht11_read ``` @@ -931,11 +928,11 @@ Navigate to the `dht11_read` function you identified earlier. ### Step 35: Find the Scaling Constant -At the end of the `dht11_read` function, look for floating-point instructions. You'll find instructions like: +At the end of the `dht11_read` function, and around `0x10000410`, look for floating-point instructions. You'll find instructions like: ```assembly -vfma.f32 s14, s12, s11 ; Fused multiply-add for humidity -vfma.f32 s15, s13, s11 ; Fused multiply-add for temperature +vfma.f32 s14, s12, s11 ; Fused multiply-add for humidity +vfma.f32 s15, s13, s11 ; Fused multiply-add for temperature ``` The constant `0.1` (at address `0x1000042c`) is loaded into register `s11` and used to scale the raw sensor readings. @@ -1005,6 +1002,20 @@ new = struct.unpack('>> import struct +>>> +>>> # Original value +>>> original = struct.unpack('>> print(f"Original: {original}") # 0.1 +Original: 0.10000000149011612 +>>> +>>> # New value +>>> new = struct.unpack('>> print(f"New: {new}") # 5.0 +New: 5.0 +``` + --- ## Part 19: Exporting and Testing @@ -1012,7 +1023,7 @@ print(f"New: {new}") # 5.0 ### Step 41: Export the Patched Binary 1. Click **File** -> **Export Program** -2. Set **Format** to **Binary** +2. Set **Format** to **Raw Bytes** 3. Navigate to your build directory 4. Name the file `0x001a_operators-h.bin` 5. Click **OK** 
@@ -1034,6 +1045,16 @@ python ..\uf2conv.py build\0x001a_operators-h.bin --base 0x10000000 --family 0xe You should see dramatically increased temperature readings! +``` +Humidity: 60.0%, Temperature: 63.0°C +arithmetic_operator: 50 +increment_operator: 5 +relational_operator: 0 +logical_operator: 0 +bitwise_operator: 12 +assignment_operator: 11 +``` + --- ## Part 20: Summary and Review @@ -1181,7 +1202,4 @@ By manipulating sensor readings, an attacker could: **Remember:** The techniques you learned today can be used for good (security research, debugging) or bad (sabotage, fraud). Always use your skills ethically and legally. Understanding how attacks work helps us build more secure systems! -Happy hacking! ? - - - +Happy hacking! diff --git a/WEEK09/slides/WEEK09-IMG00.svg b/WEEK09/slides/WEEK09-IMG00.svg new file mode 100644 index 0000000..3aadd8e --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG00.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + 4F 70 65 6E 4F 43 44 + 10 00 02 34 08 B5 01 + 47 44 42 20 52 45 56 + 20 08 20 00 FF AA 00 + 52 50 32 33 35 30 00 + 0A 0A 0F 12 12 1A 1A + 41 52 4D 76 38 2D 4D + 00 FF 41 00 D4 FF 88 + 47 48 49 44 52 41 00 + FF 00 40 C0 C0 C0 00 + + + + + + + + + + + + +Embedded Systems +Reverse Engineering + + + + + +// WEEK 09 + + +Operators in Embedded Systems: +Debugging and Hacking Operators +w/ DHT11 Sensor Single-Wire Protocol + + + + + +George Mason University + + + +RP2350 // ARM Cortex-M33 + diff --git a/WEEK09/slides/WEEK09-IMG01.svg b/WEEK09/slides/WEEK09-IMG01.svg new file mode 100644 index 0000000..b431706 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG01.svg 
@@ -0,0 +1,74 @@ + + + + +C Operators Overview +Six Types of Operators in C + + + +Arithmetic + ++ - * / % +Math operations +5 * 10 = 50 + + +Increment + +x++ ++x x-- +Add/subtract by 1 +x++ returns old val + + +Relational + +> < >= <= == != +Compare values +(6 > 10) = false + + + +Logical + +&& || ! +Combine conditions +AND, OR, NOT + + +Bitwise + +<< >> & | ^ ~ +Manipulate bits +6 << 1 = 12 + + +Assignment + ++= -= *= /= +Assign and modify +x += 5 (x=x+5) + + + +This Week's Program +0x001a_operators.c demonstrates all 6 types +DHT11 temperature/humidity sensor + operator calculations + + + +KEY: +Compiler pre-computes constant expressions +In the binary, most operators become immediate values + \ No newline at end of file diff --git a/WEEK09/slides/WEEK09-IMG02.svg b/WEEK09/slides/WEEK09-IMG02.svg new file mode 100644 index 0000000..3ba9f91 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG02.svg @@ -0,0 +1,75 @@ + + + + +Arithmetic & Increment +Math Operations and Post/Pre Increment + + + +Arithmetic Operators + ++ +5 + 10 = 15 +Addition +- +10 - 5 = 5 +Subtraction +* +5 * 10 = 50 +Multiplication +/ +10 / 5 = 2 +Division +% +10 % 3 = 1 +Modulus + + + +Post vs Pre Increment + + +Post: x++ +Use value THEN increment +a = x++ --> a=5, x=6 + + +Pre: ++x +Increment THEN use value +b = ++x --> x=7, b=7 + + + +Post-Increment Step by Step + + +int x = 5; +int result = x++; + +Step 1: result = x +result gets 5 +Step 2: x = x + 1 +x becomes 6 + +Final: result = 5 +x = 6 +"Use first, THEN increment" + + + +In our code: +int increment_operator = x++; +x was 5, so increment_operator = 5, then x becomes 6 + \ No newline at end of file diff --git a/WEEK09/slides/WEEK09-IMG03.svg b/WEEK09/slides/WEEK09-IMG03.svg new file mode 100644 index 0000000..1244936 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG03.svg 
@@ -0,0 +1,95 @@ + + + + +Relational & Logical +Comparing Values and Combining Conditions + + + +Relational Operators +Compare two values --> true (1) or false (0) + +> +6 > 10 +false +Greater than +< +6 < 10 +true +Less than +>= +6 >= 6 +true +Greater/equal +<= +6 <= 10 +true +Less or equal +== +6 == 10 +false +Equal to +!= +6 != 10 +true +Not equal + + + +Logical Operators +Combine conditions into one result + +&& +AND -- both must be true +|| +OR -- at least one true +! +NOT -- inverts result + + +AND Truth Table + +A +B +A && B +false +false +false +false +true +false +true +false +false +true +true +true + + + +In Our Code (x=6, y=10) + +bool relational = (x > y); +(6 > 10) = false = 0 +bool logical = (x>y) && (y>x); +false && true = false = 0 + + + +In the binary: +Both compile to immediate #0 +Compiler pre-computes: constants are known at compile time +Result 0 = false, Result 1 = true + \ No newline at end of file diff --git a/WEEK09/slides/WEEK09-IMG04.svg b/WEEK09/slides/WEEK09-IMG04.svg new file mode 100644 index 0000000..02cb827 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG04.svg @@ -0,0 +1,89 @@ + + + + +Bitwise & Assignment +Bit Manipulation and Compound Assignment + + + +Bitwise Operators + +<< +6 << 1 = 12 +Left shift +>> +6 >> 1 = 3 +Right shift +& +6 & 3 = 2 +AND +| +6 | 3 = 7 +OR +^ +6 ^ 3 = 5 +XOR +~ +~6 +NOT (invert) + + +Left shift = multiply by 2 + +0 0 0 0 0 1 1 0 += 6 +0 0 0 0 1 1 0 0 += 12 + + + +Assignment Operators +Shorthand for math + assign + ++= +x += 5 +x = x + 5 +-= +x -= 2 +x = x - 2 +*= +x *= 3 +x = x * 3 +/= +x /= 2 +x = x / 2 +%= +x %= 4 +x = x % 4 + + +In our code (x=6 after x++): + +x += 5 --> 6 + 5 = 11 + + + +In Our Code (x=6, y=10) + +int bitwise = (x<<1); +6 << 1 = 12 (0b0110 --> 0b1100) + + + +Expected Output +bitwise_operator: 12 +assignment_operator: 11 +Both pre-computed by compiler as immediates + \ No newline at end of file 
diff --git a/WEEK09/slides/WEEK09-IMG05.svg b/WEEK09/slides/WEEK09-IMG05.svg new file mode 100644 index 0000000..4975302 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG05.svg @@ -0,0 +1,72 @@ + + + + +DHT11 Sensor +Single-Wire Temperature and Humidity + + + +DHT11 Pinout + + +DHT11 +1:VCC 2:DATA 3:NC 4:GND + +Humidity: 20-90% RH (+/-5%) +Temp: 0-50C (+/-2C) +Protocol: custom one-wire + + + +Wiring to Pico 2 + + +Pico + + +DHT11 + + + + +GPIO 4 = DATA +3.3V = VCC +GND = GND + + + +1. Host pulls LOW 18ms +2. DHT11 responds, sends 40 bits + + + +Source Code: 0x001a_operators.c + +int x = 5, y = 10; +int arithmetic = (x * y); +// 50 +int increment = x++; +// 5 (post) +bool relational = (x > y); +// false +bool logical = (x>y)&&(y>x); +// false +int bitwise = (x<<1); +// 12 +int assignment = (x += 5); +// 11 +float hum, temp; +dht11_read(&hum, &temp); + \ No newline at end of file diff --git a/WEEK09/slides/WEEK09-IMG06.svg b/WEEK09/slides/WEEK09-IMG06.svg new file mode 100644 index 0000000..ef11927 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG06.svg @@ -0,0 +1,75 @@ + + + + +Variable Flow +Tracing x Through Every Operator + + + +Tracing x Step-by-Step + + +Line +x +Result + + + +int x = 5, y = 10; +5 +x initialized to 5 + + +int arithmetic = (x * y); +5 +arithmetic = 50 + + +int increment = x++; +5-->6 +increment = 5 +use THEN increment + + +bool relational = (x > y); +6 +relational = false +6 > 10 is false + + +bool logical = (x>y)&&(y>x); +6 +logical = false +false AND true = false + + +int bitwise = (x<<1); +6 +bitwise = 12 +0b0110 << 1 = 0b1100 + + +int assignment = (x += 5); +6-->11 +assignment = 11 +6 + 5 = 11 + + + +DHT11 Output +Humidity: 51.0% +Temperature: 23.8C +dht11_read(&hum, &temp) -- passes addresses so function can write values + diff --git a/WEEK09/slides/WEEK09-IMG07.svg b/WEEK09/slides/WEEK09-IMG07.svg new file mode 100644 index 0000000..1e5d297 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG07.svg 
@@ -0,0 +1,77 @@ + + + + +Vector Table +Finding Reset_Handler and main() + + + +ARM Vector Table +Base address: 0x10000000 + +Offset +Contents +Purpose + + +0x00 +Initial SP +Stack ptr + +0x04 +Reset_Handler +Entry point + +0x08 +NMI_Handler +NMI + +0x0C +HardFault +Fault + + + +Decoding the Address + +At 0x10000004: +Bytes: 5d 01 00 10 + +Step 1: Reverse (little-endian) +10 00 01 5d = 0x1000015d + +Step 2: Remove Thumb bit +0x1000015d - 1 = 0x1000015c + + + +Reset_Handler --> main() + +Reset_Handler at 0x1000015c calls 3 functions: + + +Call 1: some_init() +Hardware initialization + +Call 2: main() +THIS IS WHAT WE WANT +Address: 0x10000234 + +Call 3: exit() +Never returns + +The MIDDLE function call is always main() +Navigate to 0x10000234 in Ghidra to find it + diff --git a/WEEK09/slides/WEEK09-IMG08.svg b/WEEK09/slides/WEEK09-IMG08.svg new file mode 100644 index 0000000..f520db0 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG08.svg @@ -0,0 +1,81 @@ + + + + +IEEE-754 Floats +How Computers Store Decimal Numbers + + + +32-bit Float Structure + + + +S +1 bit + + +Exponent +8 bits + + +Mantissa (Fraction) +23 bits + +Value = (-1)^S x (1 + Mantissa) x 2^(Exponent - 127) + + + +Example: Decoding 0.1f + +Little-endian bytes: +cd cc cc 3d + +Reversed (big-endian): +0x3dcccccd + +Sign: 0 +Exp: 01111011 = 123 +Mantissa: 1001100... + +Exp - 127 = -4, so value = 1.6 x 2^(-4) += 0.1 + + + +IEEE-754 Quick Reference + +Value +Hex +Bytes (LE) + + +0.1 +0x3dcccccd +cd cc cc 3d +1.0 +0x3f800000 +00 00 80 3f + +5.0 +0x40a00000 +00 00 a0 40 +10.0 +0x41200000 +00 00 20 41 + +-1.0 +0xbf800000 +00 00 80 bf + diff --git a/WEEK09/slides/WEEK09-IMG09.svg b/WEEK09/slides/WEEK09-IMG09.svg new file mode 100644 index 0000000..5c40649 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG09.svg 
@@ -0,0 +1,64 @@ + + + + +Hacking the Float +Changing the DHT11 Scaling Constant + + + +DHT11 Scaling Calculation +result = integer + (decimal x 0.1) +Example: temp = 23 + (8 x 0.1) = 23.8C +0.1f is our target! + + + +Key Offsets in Binary + +Offset +Bytes +Meaning + + +0x410 +a6 ee 25 7a +vfma.f32 s14,s12,s11 (humidity) + +0x414 +e6 ee a5 7a +vfma.f32 s15,s13,s11 (temp) + +0x42C +cd cc cc 3d +0.1f -- the scaling constant + + + +The Hack: 0.1f --> 5.0f + +At offset 0x42C, change: + + +Original: cd cc cc 3d +(0.1f) + + +Patched: 00 00 a0 40 +(5.0f) + +New result: 23 + (8 x 5.0) = 63.0C +Decimal part is now multiplied by 5.0 instead of 0.1 +Export .bin from Ghidra, convert to UF2, flash to Pico + diff --git a/WEEK09/slides/WEEK09-IMG10.svg b/WEEK09/slides/WEEK09-IMG10.svg new file mode 100644 index 0000000..9655865 --- /dev/null +++ b/WEEK09/slides/WEEK09-IMG10.svg @@ -0,0 +1,97 @@ + + + + +Operators & DHT11 Hacking +Operators, DHT11, IEEE-754, and Hacking + + + +6 Operator Types + +Arithmetic +x * y = 50 + +Increment +x++ returns 5, x becomes 6 + +Relational +(6 > 10) = false + +Logical +false && true = false + +Bitwise +6 << 1 = 12 + +Assignment +x += 5 = 11 + +Post-increment: use THEN increment + + + +Key Addresses + +0x10000000 +Vector table + +0x10000004 +Reset_Handler addr + +0x10000234 +main() + +0x10000410 +Humidity vfma + +0x10000414 +Temp vfma + +0x1000042C +0.1f constant (hack) + + + +IEEE-754 Format +S(1) + Exp(8) + Mantissa(23) +(-1)^S x (1+M) x 2^(E-127) +0.1f = 0x3dcccccd = cd cc cc 3d + + + +Hack Workflow +1. Analyze in Ghidra +2. Find float at 0x42C +3. Patch cd cc cc 3d + + + +Binary Hacking Steps + +Analyze +--> +Identify +--> +Offset +--> +Patch +--> +Export +--> +Test + +Project: 0x001a_operators +Source: 0x001a_operators.c with DHT11 sensor on GPIO 4 + diff --git a/WEEK11/WEEK11.md b/WEEK11/WEEK11.md index 485b497..bb069e5 100644 --- a/WEEK11/WEEK11.md +++ b/WEEK11/WEEK11.md 
@@ -875,17 +875,17 @@ Create a mental (or written) map: +-----------------------------------------------------------------+ | Struct Member Mapping | | | -| Assembly Value -> Struct Member -> Physical LED | +| Assembly Value -> Struct Member -> Physical LED | | ------------------------------------------------------------- | -| 0x10 (16) -> led1_pin -> Red LED | -| 0x11 (17) -> led2_pin -> Green LED | -| 0x12 (18) -> led3_pin -> Yellow LED | +| 0x10 (16) -> led1_pin -> Red LED | +| 0x11 (17) -> led2_pin -> Green LED | +| 0x12 (18) -> led3_pin -> Yellow LED | | | -| NEC Code -> State Member -> Action | +| NEC Code -> State Member -> Action | | ------------------------------------------------------------- | -| 0x0C -> led1_state=true -> Red LED ON | -| 0x18 -> led2_state=true -> Green LED ON | -| 0x5E -> led3_state=true -> Yellow LED ON | +| 0x0C -> led1_state=true -> Red LED ON | +| 0x18 -> led2_state=true -> Green LED ON | +| 0x5E -> led3_state=true -> Yellow LED ON | | | +-----------------------------------------------------------------+ ```
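Review bot: the context after the bitwise example in the `@@ -175,8` hunk of WEEK09.md shows two consecutive ``` fences; if the second one is really in the file it opens an unterminated code block and the rest of the page renders as code, so drop it while touching this hunk (the whitespace realignment of the two `int` lines is fine).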
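Review bot: the replacement listing in the `@@ -534,11` hunk (Step 10) drops the `; stdio_init_all`, `; GPIO 4 for DHT11` and `; dht11_init` annotations together with the old call targets, but Steps 11 to 14 still expect the reader to know which `bl` is which (Step 14 asks them to find the `dht11_read` call). Keep the labels as trailing comments on the new lines, e.g. `0x1000023c : movs r0, #4 ; GPIO 4 for DHT11`, and say in the surrounding text that targets such as `0x10003384` and `0x100002d4` belong to this particular build and will move on recompilation.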
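Review bot: deleting the `GDB responds:` block in the `@@ -549,20` hunk leaves `b *0x10000234` / `c` with no expected output, so a reader cannot confirm the breakpoint was hit before running `x/32i 0x10000240` in Step 11. The breakpoint address is unchanged in this hunk, so the removed `Breakpoint 1, 0x10000234 in ?? ()` lines were still accurate; keep them.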
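Review bot: in the `@@ -584,18` hunk (Step 13), `x/x $r1` and `x/x 0x4037cccc` dereference the contents of `r1` as an address, but the `%.1f` format string shown just above means printf's arguments are doubles, and `0x4037cccc` is the high word of 23.8 as an IEEE-754 double (`0x4037cccccccccccd`), i.e. the temperature value itself rather than a pointer; the `0x00` read back is whatever happens to sit at that address. The Step 12 bullet `r1 = value to print` no longer holds either once the first printf is the float one, since on AAPCS a variadic double goes in an even-aligned core register pair (`r2:r3`) after `r0` = format, not in `r1`. Suggest either moving this breakpoint to one of the `%d` printfs, where `r1` really is the value, or showing `p/x $r2` / `p/x $r3` and explaining the pair. The `A°C` in the `x/s` output is just GDB printing the two UTF-8 bytes of the degree sign; one sentence saying so avoids readers assuming the string is corrupted.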
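Review bot: the three addresses in the Step 14 listing of the `@@ -603,23` hunk (`0x1000029f`, `0x100002a1`, `0x100002a3`) are all odd, yet Thumb instructions are halfword-aligned, so they cannot be instruction boundaries; `x/3i 0x1000029f` was most likely entered with the Thumb bit set (the original hunk used the even `0x100002a0`, and the `bl` target `0x100002f4` and `main` at `0x10000234` are even). Re-capture the listing from an even address, and leave the `(gdb) ` prompt out of the command blocks here and in Step 15 so the commands can be pasted as-is.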
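Review bot: the sample output added in the `@@ -1034,6` hunk only shows the temperature being affected (`63.0°C` = 23 + 8 × 5.0, matching the slides), but Step 35 documents that both `vfma.f32` instructions use `s11`, so the patched constant scales humidity as well; `Humidity: 60.0%` looks unchanged only because the decimal byte was 0 in that run (and it differs from the 62 captured in Step 15 and the 51.0% on the Variable Flow slide). Add a sentence saying the humidity decimal part is multiplied by 5.0 too, so readers do not read the humidity line as the patch having failed.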
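Review bot: the new Vector Table slide (WEEK09-IMG07.svg) teaches `The MIDDLE function call is always main()`; that holds for the Pico SDK crt0 sequence the slide shows (init, `main`, `exit`) but not for startup code in general, so scope it as "in the Pico SDK's Reset_Handler". In the same slide, `0x1000015d - 1` gives the right answer only because bit 0 is set; describing the step as clearing the Thumb bit (`& ~1`) is the operation students should carry over to other entries.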