mirror of
https://github.com/mytechnotalent/Embedded-Hacking.git
synced 2026-07-07 04:58:00 +02:00
Updated WEEK09
This commit is contained in:
+62
-44
@@ -175,8 +175,8 @@ bool result = (x > y) && (y > x); // false AND true = false
|
||||
Bitwise operators work on the binary representation of numbers:
|
||||
|
||||
```c
|
||||
int x = 6; // Binary: 0b00000110
|
||||
int result = x << 1; // Shift left by 1: 0b00001100 = 12
|
||||
int x = 6; // Binary: 0b00000110
|
||||
int result = x << 1; // Shift left by 1: 0b00001100 = 12
|
||||
```
|
||||
|
||||
```
|
||||
@@ -436,14 +436,14 @@ Let's trace through what happens to `x`:
|
||||
| Variable x Through the Program |
|
||||
| |
|
||||
| Line | x value | Result |
|
||||
| ------------------+---------+--------------------------------- |
|
||||
| ------------------+---------+--------------------------------- |
|
||||
| int x = 5; | 5 | x initialized to 5 |
|
||||
| x * y | 5 | arithmetic = 5 * 10 = 50 |
|
||||
| x++ | 5->6 | increment = 5 (then x becomes 6) |
|
||||
| x++ | 5->6 | increment = 5 (then x becomes 6)|
|
||||
| x > y | 6 | relational = (6 > 10) = false |
|
||||
| (x>y) && (y>x) | 6 | logical = false && true = false |
|
||||
| x << 1 | 6 | bitwise = 6 << 1 = 12 |
|
||||
| x += 5 | 6->11 | assignment = 6 + 5 = 11 |
|
||||
| x += 5 | 6->11 | assignment = 6 + 5 = 11 |
|
||||
| |
|
||||
+-----------------------------------------------------------------+
|
||||
```
|
||||
@@ -534,11 +534,11 @@ x/60i 0x10000234
|
||||
You should see the operator calculations and function calls:
|
||||
|
||||
```
|
||||
0x10000234: push {r4, r5, r6, r7, lr}
|
||||
0x10000236: sub sp, #20
|
||||
0x10000238: bl 0x10003014 ; stdio_init_all
|
||||
0x1000023c: movs r0, #4 ; GPIO 4 for DHT11
|
||||
0x1000023e: bl 0x100003b4 ; dht11_init
|
||||
0x10000234 <main>: push {r4, r5, r6, r7, lr}
|
||||
0x10000236 <main+2>: sub sp, #20
|
||||
0x10000238 <main+4>: bl 0x10003384 <stdio_init_all>
|
||||
0x1000023c <main+8>: movs r0, #4
|
||||
0x1000023e <main+10>: bl 0x100002d4 <dht11_init>
|
||||
...
|
||||
```
|
||||
|
||||
@@ -549,20 +549,12 @@ b *0x10000234
|
||||
c
|
||||
```
|
||||
|
||||
GDB responds:
|
||||
```
|
||||
Breakpoint 1 at 0x10000234
|
||||
Continuing.
|
||||
|
||||
Breakpoint 1, 0x10000234 in ?? ()
|
||||
```
|
||||
|
||||
### Step 11: Find the Operator Calculations
|
||||
|
||||
The compiler likely optimized many of these calculations at compile time. Look for immediate values:
|
||||
|
||||
```
|
||||
x/30i 0x10000240
|
||||
x/32i 0x10000240
|
||||
```
|
||||
|
||||
You may see values like:
|
||||
@@ -576,7 +568,7 @@ You may see values like:
|
||||
|
||||
Set a breakpoint before the first printf and examine registers:
|
||||
|
||||
```
|
||||
```gdb
|
||||
b *0x10000262
|
||||
c
|
||||
i r r0 r1
|
||||
@@ -584,18 +576,22 @@ i r r0 r1
|
||||
|
||||
You should see:
|
||||
- `r0` = address of format string
|
||||
- `r1` = value to print (50 for arithmetic_operator)
|
||||
- `r1` = value to print
|
||||
|
||||
### Step 13: Examine the Format Strings
|
||||
|
||||
```
|
||||
x/s 0x10003xxx
|
||||
```gdb
|
||||
x/s 0x10003978
|
||||
```
|
||||
|
||||
Find the format strings like:
|
||||
```
|
||||
"arithmetic_operator: %d\r\n"
|
||||
"increment_operator: %d\r\n"
|
||||
Find the format strings and value for print:
|
||||
```gdb
|
||||
(gdb) x/s 0x10003978
|
||||
0x10003978: "Humidity: %.1f%%, Temperature: %.1fA°C\r\n"
|
||||
(gdb) x/x 0x4037cccc
|
||||
0x4037cccc: 0x00
|
||||
(gdb) x/x $r1
|
||||
0x4037cccc: 0x00
|
||||
...
|
||||
```
|
||||
|
||||
@@ -603,23 +599,24 @@ Find the format strings like:
|
||||
|
||||
Find where dht11_read is called:
|
||||
|
||||
```
|
||||
x/10i 0x100002a0
|
||||
```gdb
|
||||
(gdb) x/3i 0x1000029f
|
||||
```
|
||||
|
||||
You'll see stack addresses being passed as arguments:
|
||||
```
|
||||
add r0, sp, #0x8 ; Address of hum variable
|
||||
add r1, sp, #0xc ; Address of temp variable
|
||||
bl dht11_read
|
||||
0x1000029f <main+106>: add r1, sp, #12
|
||||
0x100002a1 <main+108>: add r0, sp, #8
|
||||
0x100002a3 <main+110>: bl 0x100002f4 <dht11_read>
|
||||
```
|
||||
|
||||
### Step 15: Watch the Float Values
|
||||
|
||||
After dht11_read returns, examine the float values on the stack:
|
||||
|
||||
```
|
||||
x/2fw $sp+8
|
||||
```gdb
|
||||
(gdb) x/2fw $sp+8
|
||||
0x20081fe0: 62 23.7999992
|
||||
```
|
||||
|
||||
This shows the humidity and temperature as floats.
|
||||
@@ -628,7 +625,7 @@ This shows the humidity and temperature as floats.
|
||||
|
||||
Continue execution and watch the values:
|
||||
|
||||
```
|
||||
```gdb
|
||||
c
|
||||
```
|
||||
|
||||
@@ -826,8 +823,8 @@ bl FUN_xxxxx ; sleep_ms
|
||||
This is trickier! Look for a function call with TWO address arguments:
|
||||
|
||||
```assembly
|
||||
add r0, sp, #0x8 ; Address of hum on stack
|
||||
add r1, sp, #0xc ; Address of temp on stack
|
||||
add r0, sp, #0x8 ; Address of hum on stack
|
||||
bl FUN_xxxxx ; dht11_read
|
||||
```
|
||||
|
||||
@@ -931,11 +928,11 @@ Navigate to the `dht11_read` function you identified earlier.
|
||||
|
||||
### Step 35: Find the Scaling Constant
|
||||
|
||||
At the end of the `dht11_read` function, look for floating-point instructions. You'll find instructions like:
|
||||
At the end of the `dht11_read` function, and around `0x10000410`, look for floating-point instructions. You'll find instructions like:
|
||||
|
||||
```assembly
|
||||
vfma.f32 s14, s12, s11 ; Fused multiply-add for humidity
|
||||
vfma.f32 s15, s13, s11 ; Fused multiply-add for temperature
|
||||
vfma.f32 s14, s12, s11 ; Fused multiply-add for humidity
|
||||
vfma.f32 s15, s13, s11 ; Fused multiply-add for temperature
|
||||
```
|
||||
|
||||
The constant `0.1` (at address `0x1000042c`) is loaded into register `s11` and used to scale the raw sensor readings.
|
||||
@@ -1005,6 +1002,20 @@ new = struct.unpack('<f', bytes.fromhex('0000a040'))[0]
|
||||
print(f"New: {new}") # 5.0
|
||||
```
|
||||
|
||||
```python
|
||||
>>> import struct
|
||||
>>>
|
||||
>>> # Original value
|
||||
>>> original = struct.unpack('<f', bytes.fromhex('cdcccc3d'))[0]
|
||||
>>> print(f"Original: {original}") # 0.1
|
||||
Original: 0.10000000149011612
|
||||
>>>
|
||||
>>> # New value
|
||||
>>> new = struct.unpack('<f', bytes.fromhex('0000a040'))[0]
|
||||
>>> print(f"New: {new}") # 5.0
|
||||
New: 5.0
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Part 19: Exporting and Testing
|
||||
@@ -1012,7 +1023,7 @@ print(f"New: {new}") # 5.0
|
||||
### Step 41: Export the Patched Binary
|
||||
|
||||
1. Click **File** -> **Export Program**
|
||||
2. Set **Format** to **Binary**
|
||||
2. Set **Format** to **Raw Bytes**
|
||||
3. Navigate to your build directory
|
||||
4. Name the file `0x001a_operators-h.bin`
|
||||
5. Click **OK**
|
||||
@@ -1034,6 +1045,16 @@ python ..\uf2conv.py build\0x001a_operators-h.bin --base 0x10000000 --family 0xe
|
||||
|
||||
You should see dramatically increased temperature readings!
|
||||
|
||||
```
|
||||
Humidity: 60.0%, Temperature: 63.0°C
|
||||
arithmetic_operator: 50
|
||||
increment_operator: 5
|
||||
relational_operator: 0
|
||||
logical_operator: 0
|
||||
bitwise_operator: 12
|
||||
assignment_operator: 11
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Part 20: Summary and Review
|
||||
@@ -1181,7 +1202,4 @@ By manipulating sensor readings, an attacker could:
|
||||
|
||||
**Remember:** The techniques you learned today can be used for good (security research, debugging) or bad (sabotage, fraud). Always use your skills ethically and legally. Understanding how attacks work helps us build more secure systems!
|
||||
|
||||
Happy hacking! ?
|
||||
|
||||
|
||||
|
||||
Happy hacking!
|
||||
|
||||
Reference in New Issue
Block a user