# Embedded Systems Reverse Engineering
[Repository](https://github.com/mytechnotalent/Embedded-Hacking)

## Week 2
Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2

### Non-Credit Practice Exercise 2: Use a Different SRAM Address

#### Objective
Practice writing to an alternate SRAM location and redirecting `r0` so your message prints from `0x20001000` instead of `0x20000000`.

#### Prerequisites
- Raspberry Pi Pico 2 with debug probe connected
- OpenOCD, `arm-none-eabi-gdb`, and a serial monitor ready (Week 2 steps 0a–0e complete)
- `build\0x0001_hello-world.elf` flashed and running
- Comfortable setting breakpoints at `0x1000023c`

#### Task Description
You will inject a short string into `0x20001000`, point `r0` there, and verify the live output changes, demonstrating that any safe SRAM slot can host your payload.

#### Step-by-Step Instructions

##### Step 1: Start OpenOCD

```powershell
openocd ^
  -s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
  -f interface/cmsis-dap.cfg ^
  -f target/rp2350.cfg ^
  -c "adapter speed 5000"
```

##### Step 2: Start the Serial Monitor
- Open PuTTY (Serial) on the correct COM port at `115200` baud.

##### Step 3: Launch GDB and Halt

```gdb
(gdb) target extended-remote :3333
(gdb) monitor reset halt
```

##### Step 4: Break Before `puts()`

```gdb
(gdb) b *0x1000023c
(gdb) c
```

##### Step 5: Write a Payload at `0x20001000`

```gdb
(gdb) set {char[14]} 0x20001000 = {'h','a','c','k','e','d','!','!','!','\r','\0'}
```

##### Step 6: Redirect `r0`

```gdb
(gdb) set $r0 = 0x20001000
```

##### Step 7: Continue and Verify

```gdb
(gdb) c
```

Check PuTTY for the new output sourced from the alternate address.

#### Expected Output
- `x/s 0x20001000` shows `"hacked!!!\r"` (or your variant).
- PuTTY prints the injected message instead of the original string.
- The program continues looping with your modified output.

#### Questions for Reflection

###### Question 1: How can you ensure `0x20001000` does not collide with stack usage?

###### Question 2: What symptoms would indicate you overwrote an active stack frame?

###### Question 3: How would you pick a safe SRAM offset in a larger program with dynamic allocations?

#### Tips and Hints
- Keep payloads short; avoid overrunning the allocated bytes.
- If you see crashes, choose a lower SRAM address away from the stack top (stack grows downward).
- Use `info registers sp` and compare with your chosen address to gauge separation.

#### Next Steps
- Try other safe addresses (e.g., `0x20002000`) and verify stability.
- Map out stack usage by stepping deeper and watching `sp` move.
- Proceed to Exercise 3 to inspect memory around your payload.