Added WEEK02

2026-04-01 09:00:18 +02:00 · 2026-01-11 09:49:46 -05:00
parent 3289317dad
commit ebf909f4d1
5 changed files with 2080 additions and 0 deletions
--- a/WEEK02/WEEK02-01.md
+++ b/WEEK02/WEEK02-01.md
@@ -0,0 +1,104 @@
+# Embedded Systems Reverse Engineering
+[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
+
+## Week 2
+Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
+
+### Exercise 1: Change the Message
+
+#### Objective
+Write your own message into SRAM and redirect `r0` so the running program prints it without changing the source code.
+
+#### Prerequisites
+- Raspberry Pi Pico 2 with debug probe connected
+- OpenOCD and `arm-none-eabi-gdb` available in your PATH
+- Serial monitor (PuTTY/minicom/screen) set to 115200 baud
+- `build/0x0001_hello-world.elf` present and flashed to the board
+- Week 2 setup steps (0a–0e) completed: OpenOCD, serial monitor, and GDB ready
+
+#### Task Description
+You will create a custom string in SRAM at `0x20000000`, point `r0` at it just before `puts()` runs, and watch the live output change to your message.
+
+#### Step-by-Step Instructions
+
+##### Step 1: Start OpenOCD
+
+```bash
+openocd ^
+  -s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
+  -f interface/cmsis-dap.cfg ^
+  -f target/rp2350.cfg ^
+  -c "adapter speed 5000"
+```
+
+##### Step 2: Start the Serial Monitor
+- Open PuTTY (Serial), choose the correct COM port, set speed to `115200`, then click **Open**.
+
+##### Step 3: Launch GDB
+
+```bash
+arm-none-eabi-gdb build/0x0001_hello-world.elf
+```
+
+##### Step 4: Connect and Halt
+
+```gdb
+(gdb) target extended-remote :3333
+(gdb) monitor reset halt
+```
+
+##### Step 5: Break Before `puts()`
+
+```gdb
+(gdb) b *0x1000023c
+```
+
+##### Step 6: Run to the Breakpoint
+
+```gdb
+(gdb) c
+```
+
+##### Step 7: Inject Your Message into SRAM
+Replace the characters with your name as needed.
+
+```gdb
+(gdb) set {char[20]} 0x20000000 = {'Y','o','u','r',' ','N','a','m','e','!','\r','\0'}
+```
+
+##### Step 8: Point `r0` to Your Message
+
+```gdb
+(gdb) set $r0 = 0x20000000
+```
+
+##### Step 9: Resume and Observe
+
+```gdb
+(gdb) c
+```
+
+Check PuTTY for your custom string replacing "hello, world".
+
+#### Expected Output
+- GDB stops at `0x1000023c` before `__wrap_puts`.
+- `x/s 0x20000000` shows your injected message.
+- PuTTY displays your custom message after you continue execution.
+
+#### Questions for Reflection
+
+###### Question 1: Why does the string have to live in SRAM instead of flash during runtime?
+
+###### Question 2: What would happen if you forgot the null terminator in your injected string?
+
+###### Question 3: How does changing `r0` alter the behavior of `puts()` without touching source code?
+
+#### Tips and Hints
+- Keep your string length within the allocated array (`char[20]`).
+- If you miss the breakpoint, confirm OpenOCD is running and the address matches `Week 2` disassembly.
+- Use `x/s $r0` to confirm the register points to the intended address before continuing.
+
+#### Next Steps
+- Repeat the exercise with different messages to verify repeatability.
+- Try smaller or larger buffers (still within SRAM) to see how size affects safety.
+- Move on to Exercise 2 to practice using alternate SRAM addresses.
--- a/WEEK02/WEEK02-02.md
+++ b/WEEK02/WEEK02-02.md
@@ -0,0 +1,91 @@
+# Embedded Systems Reverse Engineering
+[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
+
+## Week 2
+Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
+
+### Exercise 2: Use a Different SRAM Address
+
+#### Objective
+Practice writing to an alternate SRAM location and redirecting `r0` so your message prints from `0x20001000` instead of `0x20000000`.
+
+#### Prerequisites
+- Raspberry Pi Pico 2 with debug probe connected
+- OpenOCD, `arm-none-eabi-gdb`, and a serial monitor ready (Week 2 steps 0a–0e complete)
+- `build/0x0001_hello-world.elf` flashed and running
+- Comfortable setting breakpoints at `0x1000023c`
+
+#### Task Description
+You will inject a short string into `0x20001000`, point `r0` there, and verify the live output changes, demonstrating that any safe SRAM slot can host your payload.
+
+#### Step-by-Step Instructions
+
+##### Step 1: Start OpenOCD
+
+```bash
+openocd ^
+  -s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
+  -f interface/cmsis-dap.cfg ^
+  -f target/rp2350.cfg ^
+  -c "adapter speed 5000"
+```
+
+##### Step 2: Start the Serial Monitor
+- Open PuTTY (Serial) on the correct COM port at `115200` baud.
+
+##### Step 3: Launch GDB and Halt
+
+```gdb
+(gdb) target extended-remote :3333
+(gdb) monitor reset halt
+```
+
+##### Step 4: Break Before `puts()`
+
+```gdb
+(gdb) b *0x1000023c
+(gdb) c
+```
+
+##### Step 5: Write a Payload at `0x20001000`
+
+```gdb
+(gdb) set {char[14]} 0x20001000 = {'h','a','c','k','e','d','!','!','!','\r','\0'}
+```
+
+##### Step 6: Redirect `r0`
+
+```gdb
+(gdb) set $r0 = 0x20001000
+```
+
+##### Step 7: Continue and Verify
+
+```gdb
+(gdb) c
+```
+
+Check PuTTY for the new output sourced from the alternate address.
+
+#### Expected Output
+- `x/s 0x20001000` shows `"hacked!!!\r"` (or your variant).
+- PuTTY prints the injected message instead of the original string.
+- The program continues looping with your modified output.
+
+#### Questions for Reflection
+
+###### Question 1: How can you ensure `0x20001000` does not collide with stack usage?
+
+###### Question 2: What symptoms would indicate you overwrote an active stack frame?
+
+###### Question 3: How would you pick a safe SRAM offset in a larger program with dynamic allocations?
+
+#### Tips and Hints
+- Keep payloads short; avoid overrunning the allocated bytes.
+- If you see crashes, choose a lower SRAM address away from the stack top (stack grows downward).
+- Use `info registers sp` and compare with your chosen address to gauge separation.
+
+#### Next Steps
+- Try other safe addresses (e.g., `0x20002000`) and verify stability.
+- Map out stack usage by stepping deeper and watching `sp` move.
+- Proceed to Exercise 3 to inspect memory around your payload.
--- a/WEEK02/WEEK02-03.md
+++ b/WEEK02/WEEK02-03.md
@@ -0,0 +1,82 @@
+# Embedded Systems Reverse Engineering
+[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
+
+## Week 2
+Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
+
+### Exercise 3: Examine Memory Around Your String
+
+#### Objective
+Inspect the byte-level layout of your injected string in SRAM and correlate bytes to characters.
+
+#### Prerequisites
+- Pico 2 connected with OpenOCD, GDB, and a serial monitor ready
+- `build/0x0001_hello-world.elf` flashed and running
+- Ability to break before `__wrap_puts` at `0x1000023c`
+- A payload already written to SRAM (e.g., at `0x20000000` from Exercise 1)
+
+#### Task Description
+You will use `x/20b` to view the bytes surrounding your injected string, decode the characters, and confirm the presence of control characters and the null terminator.
+
+#### Step-by-Step Instructions
+
+##### Step 1: Connect and Halt
+
+```gdb
+(gdb) target extended-remote :3333
+(gdb) monitor reset halt
+```
+
+##### Step 2: Break Before `puts()` and Run
+
+```gdb
+(gdb) b *0x1000023c
+(gdb) c
+```
+
+##### Step 3: Ensure a String Exists in SRAM
+If needed, re-inject a payload:
+
+```gdb
+(gdb) set {char[14]} 0x20000000 = {'h','a','c','k','y',',',' ','w','o','r','l','d','\r','\0'}
+(gdb) set $r0 = 0x20000000
+```
+
+##### Step 4: Examine Bytes Around the String
+
+```gdb
+(gdb) x/20b 0x20000000
+```
+
+##### Step 5: Decode the Output
+- Map each byte to ASCII: e.g., `0x68` → `h`, `0x0d` → `\r`, `0x00` → `\0`.
+- Note any bytes before/after the string to ensure you did not overwrite adjacent data.
+
+##### Step 6: Resume Execution
+
+```gdb
+(gdb) c
+```
+
+#### Expected Output
+- A byte dump where the sequence matches your string (`68 61 63 6b 79 2c 20 77 6f 72 6c 64 0d 00`).
+- Confirmation of the carriage return (`0x0d`) and null terminator (`0x00`).
+- Stable program output in PuTTY after resuming.
+
+#### Questions for Reflection
+
+###### Question 1: Which bytes mark the end of the printable string, and why are they needed?
+
+###### Question 2: How would misaligned writes show up in the byte view?
+
+###### Question 3: What risks arise if you overwrite bytes immediately after your string?
+
+#### Tips and Hints
+- Use `x/20bx` if you prefer hex with ASCII side-by-side.
+- Keep the dump length modest (20 bytes) to avoid clutter while still seeing context.
+- If the bytes look incorrect, re-run the injection command to reset the buffer.
+
+#### Next Steps
+- Try viewing a different address (e.g., `0x20001000`) to compare layouts.
+- Experiment with longer strings and observe how the byte dump grows.
+- Move on to Exercise 4 to automate the hack workflow.
--- a/WEEK02/WEEK02-04.md
+++ b/WEEK02/WEEK02-04.md
@@ -0,0 +1,71 @@
+# Embedded Systems Reverse Engineering
+[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
+
+## Week 2
+Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
+
+### Exercise 4: Automate the Hack
+
+#### Objective
+Create a reusable GDB command that injects a string into SRAM, repoints `r0`, and resumes execution with a single call.
+
+#### Prerequisites
+- Pico 2 connected with OpenOCD, GDB, and serial monitor ready
+- `build/0x0001_hello-world.elf` available
+- Familiarity with breaking at `0x1000023c` and injecting strings from prior exercises
+
+#### Task Description
+You will define a custom GDB command `hack` that writes a payload to `0x20000000`, repoints `r0`, and continues execution automatically.
+
+#### Step-by-Step Instructions
+
+##### Step 1: Connect, Halt, and Break
+
+```gdb
+(gdb) target extended-remote :3333
+(gdb) monitor reset halt
+(gdb) b *0x1000023c
+(gdb) c
+```
+
+##### Step 2: Define the `hack` Command
+
+```gdb
+(gdb) define hack
+> set {char[14]} 0x20000000 = {'h','a','c','k','y',',',' ','w','o','r','l','d','\r','\0'}
+> set $r0 = 0x20000000
+> c
+> end
+```
+
+##### Step 3: Invoke the Command
+
+```gdb
+(gdb) hack
+```
+
+##### Step 4: Observe Output
+- PuTTY should immediately show your injected string after the command runs.
+- The breakpoint will be re-hit on the next loop iteration; rerun `hack` if you want to reapply after changes.
+
+#### Expected Output
+- `hack` executes without errors, writes the payload, updates `r0`, and resumes execution.
+- Serial output reflects the injected message.
+
+#### Questions for Reflection
+
+###### Question 1: How could you parameterize the command to accept different strings or addresses?
+
+###### Question 2: What happens if you define `hack` before setting the breakpoint—will it still work as expected?
+
+###### Question 3: How would you adapt this pattern for multi-step routines (e.g., patch, dump, continue)?
+
+#### Tips and Hints
+- Redefine `hack` any time you want a different payload; GDB will overwrite the prior definition.
+- Keep the payload length aligned with the buffer size to avoid stray bytes.
+- If the target keeps running past the breakpoint, ensure hardware breakpoints are available and set correctly.
+
+#### Next Steps
+- Create additional helper commands (e.g., `dumpstr`, `retarget`) to streamline experiments.
+- Explore GDB scripting files (`.gdbinit`) to auto-load your helpers on startup.
+- Try combining `hack` with watchpoints to observe memory changes live.
--- a/WEEK02/WEEK02.md
+++ b/WEEK02/WEEK02.md