CalvinBackup/Embedded-Hacking
1
0
Fork 0
mirror of https://github.com/mytechnotalent/Embedded-Hacking.git synced 2026-04-01 17:10:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Embedded-Hacking/WEEK02/WEEK02-02.md
Kevin Thomas 1457a4bb8e Refactor E and S
2026-03-19 15:01:07 -04:00

2.7 KiB
Raw Permalink Blame History

Embedded Systems Reverse Engineering

Repository

Week 2

Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2

Non-Credit Practice Exercise 2: Use a Different SRAM Address

Objective

Practice writing to an alternate SRAM location and redirecting r0 so your message prints from 0x20001000 instead of 0x20000000.

Prerequisites

  • Raspberry Pi Pico 2 with debug probe connected
  • OpenOCD, arm-none-eabi-gdb, and a serial monitor ready (Week 2 steps 0a0e complete)
  • build\0x0001_hello-world.elf flashed and running
  • Comfortable setting breakpoints at 0x1000023c

Task Description

You will inject a short string into 0x20001000, point r0 there, and verify the live output changes, demonstrating that any safe SRAM slot can host your payload.

Step-by-Step Instructions

Step 1: Start OpenOCD
openocd ^
  -s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
  -f interface/cmsis-dap.cfg ^
  -f target/rp2350.cfg ^
  -c "adapter speed 5000"
Step 2: Start the Serial Monitor
  • Open PuTTY (Serial) on the correct COM port at 115200 baud.
Step 3: Launch GDB and Halt
(gdb) target extended-remote :3333
(gdb) monitor reset halt
Step 4: Break Before puts()
(gdb) b *0x1000023c
(gdb) c
Step 5: Write a Payload at 0x20001000
(gdb) set {char[14]} 0x20001000 = {'h','a','c','k','e','d','!','!','!','\r','\0'}
Step 6: Redirect r0
(gdb) set $r0 = 0x20001000
Step 7: Continue and Verify
(gdb) c

Check PuTTY for the new output sourced from the alternate address.

Expected Output

  • x/s 0x20001000 shows "hacked!!!\r" (or your variant).
  • PuTTY prints the injected message instead of the original string.
  • The program continues looping with your modified output.

Questions for Reflection

Question 1: How can you ensure 0x20001000 does not collide with stack usage?
Question 2: What symptoms would indicate you overwrote an active stack frame?
Question 3: How would you pick a safe SRAM offset in a larger program with dynamic allocations?

Tips and Hints

  • Keep payloads short; avoid overrunning the allocated bytes.
  • If you see crashes, choose a lower SRAM address away from the stack top (stack grows downward).
  • Use info registers sp and compare with your chosen address to gauge separation.

Next Steps

  • Try other safe addresses (e.g., 0x20002000) and verify stability.
  • Map out stack usage by stepping deeper and watching sp move.
  • Proceed to Exercise 3 to inspect memory around your payload.
Reference in New Issue View Git Blame Copy Permalink