# Embedded Systems Reverse Engineering

[Repository](https://github.com/mytechnotalent/Embedded-Hacking)

## Week 2 Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2

### Non-Credit Practice Exercise 1: Change the Message

#### Objective

Write your own message into SRAM and redirect `r0` so the running program prints it without changing the source code.

#### Prerequisites

- Raspberry Pi Pico 2 with debug probe connected
- OpenOCD and `arm-none-eabi-gdb` available in your PATH
- Serial monitor (PuTTY/minicom/screen) set to 115200 baud
- `build\0x0001_hello-world.elf` present and flashed to the board
- Week 2 setup steps (0a–0e) completed: OpenOCD, serial monitor, and GDB ready

#### Task Description

You will create a custom string in SRAM at `0x20000000`, point `r0` at it just before `puts()` runs, and watch the live output change to your message.

#### Step-by-Step Instructions

##### Step 1: Start OpenOCD

```powershell
openocd ^
  -s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
  -f interface/cmsis-dap.cfg ^
  -f target/rp2350.cfg ^
  -c "adapter speed 5000"
```

##### Step 2: Start the Serial Monitor

- Open PuTTY (Serial), choose the correct COM port, set speed to `115200`, then click **Open**.

##### Step 3: Launch GDB

```powershell
arm-none-eabi-gdb build\0x0001_hello-world.elf
```

##### Step 4: Connect and Halt

```gdb
(gdb) target extended-remote :3333
(gdb) monitor reset halt
```

##### Step 5: Break Before `puts()`

```gdb
(gdb) b *0x1000023c
```

##### Step 6: Run to the Breakpoint

```gdb
(gdb) c
```

##### Step 7: Inject Your Message into SRAM

Replace the characters with your name as needed.

```gdb
(gdb) set {char[20]} 0x20000000 = {'Y','o','u','r',' ','N','a','m','e','!','\r','\0'}
```

##### Step 8: Point `r0` to Your Message

```gdb
(gdb) set $r0 = 0x20000000
```

##### Step 9: Resume and Observe

```gdb
(gdb) c
```

Check PuTTY for your custom string replacing "hello, world".
#### Expected Output

- GDB stops at `0x1000023c` before `__wrap_puts`.
- `x/s 0x20000000` shows your injected message.
- PuTTY displays your custom message after you continue execution.

#### Questions for Reflection

##### Question 1: Why does the string have to live in SRAM instead of flash during runtime?

##### Question 2: What would happen if you forgot the null terminator in your injected string?

##### Question 3: How does changing `r0` alter the behavior of `puts()` without touching source code?

#### Tips and Hints

- Keep your string length within the allocated array (`char[20]`).
- If you miss the breakpoint, confirm OpenOCD is running and the address matches the `Week 2` disassembly.
- Use `x/s $r0` to confirm the register points to the intended address before continuing.

#### Next Steps

- Repeat the exercise with different messages to verify repeatability.
- Try smaller or larger buffers (still within SRAM) to see how size affects safety.
- Move on to Exercise 2 to practice using alternate SRAM addresses.
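The following Python helper is an added example and is not part of the course repository. It builds the Step 7 `set {char[20]} ...` command for any message, refuses a message that would not fit together with its `\r` and NUL terminator (the bound the Tips section warns about), and emulates the byte scan `puts()` performs on the pointer in `r0` so the consequence of a missing terminator (Question 2) can be seen before touching the board. The trailing "stale" bytes in the constructed SRAM window are invented for the demonstration; the address `0x20000000` and the `char[20]` size come from the exercise.

```python
# Added example, not code from the Embedded-Hacking repository.
# Builds the GDB command used in Step 7, checks the char[20] bound and the NUL
# terminator, and emulates the scan puts() performs on the injected string.

SRAM_BASE = 0x20000000   # injection address used in the exercise
BUF_LEN = 20             # size of the char[20] array written in Step 7


def encode_payload(message: str, buf_len: int = BUF_LEN) -> bytes:
    """Return message + "\\r" + NUL, zero-padded to exactly buf_len bytes.

    Raises ValueError when the terminated message would overrun the buffer.
    """
    payload = message.encode("ascii") + b"\r\x00"
    if len(payload) > buf_len:
        raise ValueError(
            f"message needs {len(payload)} bytes including CR and NUL, "
            f"but the buffer is {buf_len}")
    return payload.ljust(buf_len, b"\x00")


def _char_literal(b: int) -> str:
    """Render one byte as a GDB character literal."""
    escapes = {0x00: "'\\0'", 0x0D: "'\\r'", 0x0A: "'\\n'",
               0x27: "'\\''", 0x5C: "'\\\\'"}
    if b in escapes:
        return escapes[b]
    if 0x20 <= b < 0x7F:
        return f"'{chr(b)}'"
    return f"'\\{b:03o}'"   # octal escape for anything non-printable


def gdb_set_command(message: str, addr: int = SRAM_BASE,
                    buf_len: int = BUF_LEN) -> str:
    """Build the `set {char[N]} ADDR = {...}` line for Step 7.

    All N slots are written, so the tail of the buffer is explicitly zeroed
    instead of keeping whatever SRAM held before the injection.
    """
    literals = ",".join(_char_literal(b)
                        for b in encode_payload(message, buf_len))
    return f"set {{char[{buf_len}]}} {addr:#x} = {{{literals}}}"


def scan_c_string(memory: bytes, offset: int, limit: int) -> tuple[bytes, bool]:
    """Emulate what puts() does with the pointer in r0: read until a NUL.

    Returns (bytes consumed, terminated). terminated is False when no NUL
    appears within `limit` bytes, i.e. puts() would keep reading past the
    buffer into neighbouring SRAM.
    """
    end = min(len(memory), offset + limit)
    for i in range(offset, end):
        if memory[i] == 0:
            return memory[offset:i], True
    return memory[offset:end], False


def sram_window(buffer: bytes, trailing: bytes = b"STALE DATA\x00") -> bytes:
    """Constructed 'SRAM' image: the injected buffer followed by leftover bytes."""
    return buffer + trailing


if __name__ == "__main__":
    print(gdb_set_command("Your Name!"))
    good = sram_window(encode_payload("Your Name!"))
    print(scan_c_string(good, 0, 64))        # stops at the NUL after "\r"
    # Constructed bad case for Question 2: 20 non-NUL bytes, no terminator.
    bad = sram_window(b"A" * BUF_LEN)
    print(scan_c_string(bad, 0, 64))         # runs on into "STALE DATA"
```

Paste the string returned by `gdb_set_command()` at the `(gdb)` prompt in Step 7. Because the helper always emits exactly 20 literals, the array size in the command and the initializer length agree, and the unused tail of the buffer is zeroed rather than left to chance; the emulated scan shows why that matters when the terminator is missing.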