Embedded-Hacking/WEEK07/WEEK07-01-S.md
2026-03-19 15:01:07 -04:00

Embedded Systems Reverse Engineering

Week 7

Constants in Embedded Systems: Debugging and Hacking Constants w/ 1602 LCD I2C Basics

Non-Credit Practice Exercise 1 Solution: Change Both LCD Lines

Answers

String Locations in Flash
| String | Address | File Offset | Length (bytes) | Hex Encoding |
|---|---|---|---|---|
| "Reverse" | 0x10003ee8 | 0x3EE8 | 8 (7 + null) | 52 65 76 65 72 73 65 00 |
| "Engineering" | 0x10003ef0 | 0x3EF0 | 12 (11 + null) | 45 6E 67 69 6E 65 65 72 69 6E 67 00 |
Line 1 Patch: "Reverse" → "Exploit"
| Character | Hex |
|---|---|
| E | 0x45 |
| x | 0x78 |
| p | 0x70 |
| l | 0x6c |
| o | 0x6f |
| i | 0x69 |
| t | 0x74 |
| \0 | 0x00 |

Offset 0x3EE8:

```text
Before: 52 65 76 65 72 73 65 00  ("Reverse")
After:  45 78 70 6C 6F 69 74 00  ("Exploit")
```
Line 2 Patch: "Engineering" → "Hacking!!!!"
| Character | Hex |
|---|---|
| H | 0x48 |
| a | 0x61 |
| c | 0x63 |
| k | 0x6b |
| i | 0x69 |
| n | 0x6e |
| g | 0x67 |
| ! | 0x21 |
| ! | 0x21 |
| ! | 0x21 |
| ! | 0x21 |
| \0 | 0x00 |

Offset 0x3EF0:

```text
Before: 45 6E 67 69 6E 65 65 72 69 6E 67 00  ("Engineering")
After:  48 61 63 6B 69 6E 67 21 21 21 21 00  ("Hacking!!!!")
```
Conversion and Flash
```shell
cd C:\Users\flare-vm\Desktop\Embedded-Hacking-main\0x0017_constants
python ..\uf2conv.py build\0x0017_constants-h.bin --base 0x10000000 --family 0xe48bff59 --output build\hacked.uf2
```
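The conversion step wraps the patched `.bin` in UF2 blocks that the RP2040 bootloader accepts. The packer below is an added example, not the repository's `uf2conv.py`; it implements the standard UF2 block layout (512-byte blocks, 256-byte payload, family-ID flag) and takes the `--base 0x10000000` and `--family 0xe48bff59` values from the command line above. The sample image it packs is constructed, and the parser exists so the result can be checked block by block before it is copied to the board.

```python
# Added example (not the repository's uf2conv.py): minimal UF2 packing and
# parsing, so the --base and --family arguments can be checked in the output.
import struct

UF2_MAGIC0 = 0x0A324655       # "UF2\n" as a little-endian word
UF2_MAGIC1 = 0x9E5D5157
UF2_MAGIC_END = 0x0AB16F30
UF2_FLAG_FAMILY_ID = 0x00002000  # header field 7 holds a family ID
BLOCK_SIZE = 512
PAYLOAD = 256                 # bytes of flash data carried per block
DATA_AREA = 476               # size of the data field (padded with zeros)
RP2040_FAMILY = 0xE48BFF59    # family ID from the page's command line


def bin_to_uf2(data: bytes, base: int, family: int = RP2040_FAMILY) -> bytes:
    """Pack a raw flash image into UF2 blocks starting at flash address base."""
    nblocks = (len(data) + PAYLOAD - 1) // PAYLOAD
    out = bytearray()
    for i in range(nblocks):
        # Last chunk is zero-padded to a full payload, as uf2conv does.
        chunk = data[i * PAYLOAD:(i + 1) * PAYLOAD].ljust(PAYLOAD, b"\0")
        header = struct.pack("<8I", UF2_MAGIC0, UF2_MAGIC1, UF2_FLAG_FAMILY_ID,
                             base + i * PAYLOAD, PAYLOAD, i, nblocks, family)
        out += header + chunk.ljust(DATA_AREA, b"\0") + struct.pack("<I", UF2_MAGIC_END)
    return bytes(out)


def uf2_blocks(uf2: bytes) -> list:
    """Parse a UF2 file into (target_addr, family_id, payload) tuples.

    Raises ValueError on a bad magic so a corrupted file is noticed before
    it is dragged onto the RPI-RP2 drive.
    """
    blocks = []
    for off in range(0, len(uf2), BLOCK_SIZE):
        m0, m1, _flags, addr, size, _idx, _n, fam = struct.unpack_from("<8I", uf2, off)
        end_magic = struct.unpack_from("<I", uf2, off + BLOCK_SIZE - 4)[0]
        if (m0, m1, end_magic) != (UF2_MAGIC0, UF2_MAGIC1, UF2_MAGIC_END):
            raise ValueError(f"bad UF2 magic in block at file offset 0x{off:X}")
        blocks.append((addr, fam, uf2[off + 32:off + 32 + size]))
    return blocks


def uf2_image(uf2: bytes) -> bytes:
    """Reassemble the flash image from a UF2 file (payloads in block order)."""
    return b"".join(payload for _addr, _fam, payload in uf2_blocks(uf2))


if __name__ == "__main__":
    # Constructed 522-byte image: three blocks, the last one padded.
    sample = bytes(range(256)) * 2 + b"\x55" * 10
    uf2 = bin_to_uf2(sample, 0x10000000)
    for addr, fam, payload in uf2_blocks(uf2):
        print(f"block @ 0x{addr:08X} family 0x{fam:08X} {len(payload)} bytes")
```

Each block's target address advances by 256 bytes from the base, which is why the string at file offset 0x3EE8 ends up at flash address 0x10003EE8: the bootloader writes payloads to the addresses in the headers, and file offset plus base is exactly that address.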
LCD Verification
Line 1: Exploit
Line 2: Hacking!!!!

Reflection Answers

  1. Why must the replacement string be the same length (or shorter) as the original? What specific data would you corrupt if you used a longer string? Strings are stored consecutively in the .rodata section. "Reverse" occupies 8 bytes starting at 0x10003ee8 and "Engineering" starts immediately at 0x10003ef0. If the replacement string is longer than 8 bytes, the extra bytes would overwrite the beginning of "Engineering" (or whatever data follows). The .rodata section has no gaps—it's a packed sequence of constants, format strings, and other read-only data. Corrupting adjacent data could break LCD line 2, crash printf format strings, or cause undefined behavior.

  2. The two strings are stored only 8 bytes apart (0x3EE8 to 0x3EF0). "Reverse" is 7 characters + null = 8 bytes. What would happen if you patched "Reverse" with "Reversal" (8 characters + null = 9 bytes)? "Reversal" needs 9 bytes (8 chars + null terminator). The 9th byte (the 0x00 null terminator) would be written to address 0x10003ef0, which is the first byte of "Engineering" — the letter 'E' (0x45). This would overwrite 'E' with 0x00, turning "Engineering" into an empty string. The LCD would display "Reversal" on line 1 and nothing on line 2, because lcd_puts would see a null terminator immediately at the start of the second string.

  3. If you wanted the LCD to display "Hello" on line 1 (5 characters instead of 7), what would you put in the remaining 2 bytes plus null? Write out the full 8-byte hex sequence. "Hello" = 5 characters, followed by the null terminator and 2 padding null bytes:

    ```text
    48 65 6C 6C 6F 00 00 00
    H  e  l  l  o  \0 \0 \0
    ```

    The first 0x00 at position 5 terminates the string. The remaining two 0x00 bytes are padding that fills the original 8-byte allocation. These padding bytes are never read by lcd_puts because it stops at the first null terminator.

  4. Could you change the LCD to display nothing on line 1 by patching just one byte? Which byte and what value? Yes. Change the first byte at offset 0x3EE8 from 0x52 ('R') to 0x00 (null). This makes the string start with a null terminator, so lcd_puts sees an empty string and displays nothing. Only one byte needs to change: the byte at file offset 0x3EE8, from 0x52 to 0x00.
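The four reflection answers all come down to one rule: a replacement string may occupy at most the original slot (length plus NUL), padded with 0x00, because the next constant starts immediately after. The following is an added example, not code from the course repository, that applies that rule to a raw firmware image. The image is constructed (a 16 KiB buffer with "Reverse\0" and "Engineering\0" placed at the page's offsets 0x3EE8 and 0x3EF0); `patch_string` checks the expected original bytes before writing, pads short strings as in answer 3, refuses a string that would spill into the neighbour as in answer 2, and `overwrite_unchecked` reproduces the corruption answer 2 describes so it can be observed rather than reasoned about.

```python
# Added example (not the course repository's code): patching a NUL-terminated
# string constant at a known file offset of a firmware image, enforcing the
# "same length or shorter" rule. Offsets match the page; the image is constructed.

FLASH_BASE = 0x10000000      # XIP flash base, the --base value of the conversion step
OFF_LINE1 = 0x3EE8           # file offset of "Reverse\0"
OFF_LINE2 = 0x3EF0           # file offset of "Engineering\0"


def make_sample_image() -> bytearray:
    """Constructed 16 KiB image (0xFF = erased flash) with the two strings in place."""
    img = bytearray(b"\xff" * 0x4000)
    img[OFF_LINE1:OFF_LINE1 + 8] = b"Reverse\0"
    img[OFF_LINE2:OFF_LINE2 + 12] = b"Engineering\0"
    return img


def slot_length(img: bytes, offset: int) -> int:
    """Bytes the string at offset occupies, including its NUL terminator."""
    return img.index(b"\0", offset) - offset + 1


def read_cstring(img: bytes, offset: int) -> str:
    """What lcd_puts would see: bytes up to the first NUL."""
    return bytes(img[offset:img.index(b"\0", offset)]).decode("ascii")


def patch_string(img: bytes, offset: int, expected: bytes, new: str) -> bytearray:
    """Return a copy of img with the string at offset replaced by new.

    expected is the original string (without NUL) so a wrong offset is caught
    before anything is written. The replacement is zero-padded to the original
    slot; a longer string is refused because its bytes would land on the next
    constant (reflection answer 2).
    """
    slot = slot_length(img, offset)
    if bytes(img[offset:offset + slot]) != expected + b"\0":
        raise ValueError(f"offset 0x{offset:X} does not hold {expected!r}")
    new_bytes = new.encode("ascii") + b"\0"
    if len(new_bytes) > slot:
        raise ValueError(
            f"{new!r} needs {len(new_bytes)} bytes, slot at 0x{offset:X} is {slot}; "
            f"first clobbered address would be 0x{FLASH_BASE + offset + slot:08X}")
    out = bytearray(img)
    out[offset:offset + slot] = new_bytes.ljust(slot, b"\0")   # pad like answer 3
    return out


def blank_string(img: bytes, offset: int) -> bytearray:
    """Reflection answer 4: a single 0x00 at the first byte empties the string."""
    out = bytearray(img)
    out[offset] = 0x00
    return out


def overwrite_unchecked(img: bytes, offset: int, new: str) -> bytearray:
    """Deliberately skips the length check to show the corruption in answer 2."""
    out = bytearray(img)
    nb = new.encode("ascii") + b"\0"
    out[offset:offset + len(nb)] = nb
    return out


if __name__ == "__main__":
    img = make_sample_image()
    hacked = patch_string(img, OFF_LINE1, b"Reverse", "Exploit")
    hacked = patch_string(hacked, OFF_LINE2, b"Engineering", "Hacking!!!!")
    print("Line 1:", read_cstring(hacked, OFF_LINE1))
    print("Line 2:", read_cstring(hacked, OFF_LINE2))
    spilled = overwrite_unchecked(img, OFF_LINE1, "Reversal")
    print("After unchecked 'Reversal', line 2 is:", repr(read_cstring(spilled, OFF_LINE2)))
```

Running the script shows both patched lines, then an empty line 2 after the unchecked "Reversal" write: its terminator lands on 0x10003EF0, the 'E' of "Engineering", exactly as answer 2 predicts. Writing the patched `bytearray` back with `open(path, "wb")` gives the `.bin` that the conversion step turns into a UF2.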