Embedded-Hacking/WEEK07/WEEK07-04.md
2026-03-19 15:01:07 -04:00


Embedded Systems Reverse Engineering

Week 7

Constants in Embedded Systems: Debugging and Hacking Constants w/ 1602 LCD I2C Basics

Non-Credit Practice Exercise 4: Display Your Own Custom Message on the LCD

Objective

Patch both LCD string literals in the binary so that the 1602 LCD displays your name (or any custom message): stay within each string's byte allocation, convert your text to hex bytes, patch the file in a hex editor, and verify the result on hardware.

Prerequisites

  • Completed Week 7 tutorial (hex editor section) and Exercise 1
  • 0x0017_constants.bin binary available in your build directory
  • A hex editor (HxD, ImHex, or similar)
  • Python installed (for UF2 conversion)
  • Raspberry Pi Pico 2 with 1602 LCD connected via I²C

Task Description

You will choose two custom messages to display on the LCD, one for each line. Line 1 replaces "Reverse" (7 characters max) and line 2 replaces "Engineering" (11 characters max); each slot also holds one null terminator, which is why the slots are 8 and 12 bytes. You must convert your chosen text to ASCII hex, handle the case where your text is shorter than the original (pad with null bytes), patch the binary, and flash it to see your custom message on the physical LCD.

Step-by-Step Instructions

Step 1: Choose Your Messages

Plan two messages that fit the constraints:

| Line | Original      | Max Length | Your Message | Length | Valid? |
|------|---------------|------------|--------------|--------|--------|
| 1    | "Reverse"     | 7 chars    |              |        |        |
| 2    | "Engineering" | 11 chars   |              |        |        |

Examples that work (and one that does not):

  • Line 1: "Hello!!" (7 chars + terminator = exactly 8 bytes, no padding needed)
  • Line 2: "World!!" (7 chars + terminator, then 4 more null bytes of padding to fill the 12-byte slot)
  • Line 1: "Hi" (2 chars + terminator, then 5 more null bytes of padding to fill the 8-byte slot)
  • Line 2: "My Name Here" (12 chars, too long: even before its terminator it would overrun the 12-byte slot)

⚠️ Remember: The 1602 LCD can display up to 16 characters per line, but the binary only allocates 8 bytes for "Reverse" and 12 bytes for "Engineering", and the two slots are adjacent (line 2 starts at 0x3EF0, immediately after line 1's 8 bytes). You cannot exceed these byte allocations: writing past a slot overwrites the next string, and filling a slot completely with characters (no 0x00 terminator) makes the firmware keep reading into whatever follows, so line 1 would run straight on into the line 2 text.

Step 2: Convert Your Messages to Hex

Use an ASCII table to convert each character:

Common ASCII values:

| Character | Hex       | Character | Hex       | Character | Hex       |
|-----------|-----------|-----------|-----------|-----------|-----------|
| Space     | 0x20      | 0-9       | 0x30-0x39 | A-Z       | 0x41-0x5A |
| !         | 0x21      | :         | 0x3A      | a-z       | 0x61-0x7A |
| "         | 0x22      | ?         | 0x3F      | \0 (null) | 0x00      |

Write out the hex bytes for each message, including the null terminator and any padding:

Line 1 (8 bytes total):

[char1] [char2] [char3] [char4] [char5] [char6] [char7] [0x00]

If your message is shorter than 7 characters, fill the remaining bytes with 0x00.

Line 2 (12 bytes total):

[char1] [char2] [char3] [char4] [char5] [char6] [char7] [char8] [char9] [char10] [char11] [0x00]

If your message is shorter than 11 characters, fill the remaining bytes with 0x00.

Step 3: Open the Binary and Navigate
  1. In HxD, open C:\Users\flare-vm\Desktop\Embedded-Hacking-main\0x0017_constants\build\0x0017_constants.bin
  2. Press Ctrl+G and enter offset: 3EE8 (Line 1: "Reverse")
  3. Verify you see: 52 65 76 65 72 73 65 00 ("Reverse\0")
Step 4: Patch Line 1

Replace the 8 bytes starting at offset 0x3EE8 with your prepared hex sequence.

For example, to write "Hello!!" (7 chars + null):

Before: 52 65 76 65 72 73 65 00    (Reverse)
After:  48 65 6C 6C 6F 21 21 00    (Hello!!)

For a shorter message like "Hi" (2 chars + null + padding):

Before: 52 65 76 65 72 73 65 00    (Reverse)
After:  48 69 00 00 00 00 00 00    (Hi\0\0\0\0\0\0)
Step 5: Patch Line 2
  1. Press Ctrl+G and enter offset: 3EF0 (Line 2: "Engineering")
  2. Verify you see: 45 6E 67 69 6E 65 65 72 69 6E 67 00
  3. Replace the 12 bytes with your prepared hex sequence
Step 6: Save the Patched Binary
  1. Click File > Save As and save the patched copy as 0x0017_constants-h.bin (keep the original 0x0017_constants.bin untouched so you can always start over)
Step 7: Convert to UF2 and Flash
cd C:\Users\flare-vm\Desktop\Embedded-Hacking-main\0x0017_constants
python ..\uf2conv.py build\0x0017_constants-h.bin --base 0x10000000 --family 0xe48bff59 --output build\hacked.uf2
  1. Hold BOOTSEL and plug in your Pico 2
  2. Drag and drop hacked.uf2 onto the mass-storage drive that appears (a Pico 2 shows up as RP2350; an original RP2040-based Pico shows up as RPI-RP2)
Step 8: Verify on the LCD

Check the physical LCD display. Your custom messages should appear on lines 1 and 2.

If the LCD shows garbled text or nothing at all:

  • Verify your hex conversion was correct
  • Ensure you included the null terminator (0x00)
  • Confirm you didn't accidentally modify bytes outside the string regions
  • Re-open the binary and double-check offsets 0x3EE8 and 0x3EF0
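Steps 2 through 8 can be done, and checked, in a few lines of Python instead of by hand. The script below is an added example for this exercise, not code from the course repository: it encodes a message with its terminator and null padding (Step 2), confirms the original bytes are really at the documented offsets before touching them (Steps 3 and 5), patches both slots, and then proves that no byte outside the two string regions changed (the Step 8 check). The offsets, slot sizes and original strings are the ones the exercise gives; the command-line file names are assumptions, and sample_image() is a constructed stand-in for the real .bin so the logic can be dry-run without the build directory.

```python
#!/usr/bin/env python3
"""Patch the two 1602 LCD string slots in 0x0017_constants.bin.

Added example for this exercise, not code from the course repository. The
offsets, slot sizes and original contents are the ones the exercise gives;
the file names passed on the command line are assumptions, use your own.
"""
import sys

# line number -> (offset in the .bin, slot size in bytes, bytes that should
# be there before patching), as stated in Steps 3 and 5 of the exercise.
SLOTS = {
    1: (0x3EE8, 8, b"Reverse\0"),
    2: (0x3EF0, 12, b"Engineering\0"),
}


def encode_message(text, slot_size):
    """Return the exact bytes to write into a slot: ASCII text, one NUL
    terminator, then NUL padding out to slot_size (Step 2).

    Rejects text that leaves no room for the terminator, and text that is
    not plain ASCII, since the LCD's character ROM is not Unicode.
    """
    if not text.isascii():
        raise ValueError(f"{text!r} is not plain ASCII")
    data = text.encode("ascii")
    if len(data) > slot_size - 1:
        raise ValueError(f"{text!r} is {len(data)} chars; max is {slot_size - 1}")
    return data.ljust(slot_size, b"\0")


def hex_dump(data):
    """Render bytes the way the exercise writes them, e.g. '48 69 00 ...'."""
    return " ".join(f"{b:02X}" for b in data)


def patch_slot(blob, line, text):
    """Return a copy of blob with LCD line 1 or 2 replaced by text.

    The bytes currently at the slot are compared with the expected original
    first (Steps 3 and 5), so a wrong offset or a different build of the
    binary raises instead of silently corrupting unrelated data.
    """
    offset, size, original = SLOTS[line]
    found = blob[offset:offset + size]
    if found != original:
        raise ValueError(f"line {line}: expected {hex_dump(original)} at "
                         f"0x{offset:X}, found {hex_dump(found)}")
    return blob[:offset] + encode_message(text, size) + blob[offset + size:]


def bytes_outside_slots_changed(old, new):
    """Offsets of bytes that differ between old and new outside both slots.

    An empty list is the Step 8 check that nothing but the two string
    regions was modified.
    """
    if len(old) != len(new):
        raise ValueError("images differ in size; a string patch must not do that")
    allowed = set()
    for offset, size, _ in SLOTS.values():
        allowed.update(range(offset, offset + size))
    return [i for i, (a, b) in enumerate(zip(old, new))
            if a != b and i not in allowed]


def sample_image():
    """Constructed stand-in for the real .bin: zeros up to 0x3EE8, the two
    original strings at their documented offsets, then a few more zeros.
    Lets you dry-run the patch logic without the build directory.
    """
    return bytes(0x3EE8) + b"Reverse\0Engineering\0" + bytes(16)


def main(argv):
    if len(argv) != 5:
        sys.exit("usage: patch_lcd.py <in.bin> <out.bin> <line 1 text> <line 2 text>")
    with open(argv[1], "rb") as f:
        src = f.read()
    dst = patch_slot(patch_slot(src, 1, argv[3]), 2, argv[4])
    stray = bytes_outside_slots_changed(src, dst)
    if stray:
        sys.exit(f"refusing to write: bytes changed outside the slots at {stray}")
    for line, (offset, size, _) in sorted(SLOTS.items()):
        print(f"line {line} @ 0x{offset:X}: {hex_dump(dst[offset:offset + size])}")
    with open(argv[2], "wb") as f:
        f.write(dst)


if __name__ == "__main__":
    main(sys.argv)
```

Run it from the 0x0017_constants directory as `python patch_lcd.py build\0x0017_constants.bin build\0x0017_constants-h.bin "Hello!!" "World!!"`, then continue with the uf2conv step from Step 7. The printed hex lines should match what you would have typed into HxD. One caveat on the ASCII check: the 1602's HD44780-style character ROM (the common A00 variant) draws a few ASCII codes differently, for example 0x5C (backslash) appears as a yen sign and 0x7E/0x7F as arrows, so stick to letters, digits and basic punctuation if you want the display to read as expected.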

Expected Outcome

After completing this exercise, you should be able to:

  • Convert any ASCII text to hex bytes for binary patching
  • Handle strings shorter than the allocated space using null padding
  • Patch in-place string literals in a compiled binary without disturbing the surrounding data
  • Verify patches work on real hardware

Questions for Reflection

Question 1: You padded short strings with 0x00 null bytes. Would it also work to pad with 0x20 (space characters)? What would be the difference on the LCD display?
Question 2: The LCD is a 1602 (16 columns × 2 rows). What would happen if you could somehow put a 20-character string in memory? Would the LCD display all 20, or only the first 16?
Question 3: If you wanted to combine the string hacks from Exercise 1 (changing both LCD lines) AND a hypothetical numeric hack (e.g., changing the movs r1, #42 encoding at offset 0x28E), could you do all patches in a single .bin file? What offsets would you need to modify?
Question 4: Besides LCD text, what other strings could you patch in a real-world embedded device to change its behavior? Think about Wi-Fi SSIDs, Bluetooth device names, HTTP headers, etc.

Tips and Hints

  • HxD shows the ASCII representation of bytes in the right panel — use this to verify your patches look correct
  • A quick way to compute ASCII: lowercase letter hex = uppercase letter hex + 0x20
  • If you make a mistake, close the file WITHOUT saving and start over with the original .bin
  • Take a photo of your custom LCD display for your portfolio!

Next Steps

  • Review all four WEEK07 exercises and verify you understand string patching, data analysis, struct tracing, and custom message creation
  • Try patching the printf format strings to display different labels in the serial output
  • Challenge: can you make the LCD display emoji-like characters using the LCD's custom character feature (if supported by the backpack)?