5.2 KiB
Embedded Systems Reverse Engineering
Week 9
Operators in Embedded Systems: Debugging and Hacking Operators w/ DHT11 Temperature & Humidity Sensor Single-Wire Protocol Basics
Non-Credit Practice Exercise 2: Invert the Temperature Reading
Objective
Using GDB to locate the IEEE-754 scaling constant 0.1f at file offset 0x42C, patch it to -0.1f using a hex editor, and verify on hardware that the serial output now displays negative temperature values.
Prerequisites
- Completed Week 9 tutorial (GDB, Ghidra, and hex editor sections)
0x001a_operators.elfand0x001a_operators.binavailable in your build directory- GDB (
arm-none-eabi-gdb) and OpenOCD installed - A hex editor (HxD, ImHex, or similar)
- Python installed (for UF2 conversion)
- Raspberry Pi Pico 2 with DHT11 sensor connected
Task Description
The DHT11 driver uses a scaling constant of 0.1f stored at address 0x1000042C (file offset 0x42C) to convert raw sensor data into human-readable values. By changing this constant to -0.1f, you will invert the decimal component of the temperature calculation, causing the reported temperature to drop. This exercise teaches IEEE-754 float encoding and how a single 4-byte patch can dramatically change sensor behavior.
Step-by-Step Instructions
Step 1: Start the Debug Session
Terminal 1 - Start OpenOCD:
openocd ^
-s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
-f interface/cmsis-dap.cfg ^
-f target/rp2350.cfg ^
-c "adapter speed 5000"
Terminal 2 - Start GDB:
arm-none-eabi-gdb build\0x001a_operators.elf
Connect to target:
(gdb) target remote :3333
(gdb) monitor reset halt
Step 2: Verify the Current Scaling Constant
Examine the float constant at the known address:
(gdb) x/wx 0x1000042c
Output:
0x1000042c: 0x3dcccccd
This is 0.1f in IEEE-754 encoding (approximately — the repeating binary fraction makes it 0x3dcccccd).
Step 3: Understand the IEEE-754 Encoding
Current value (0.1f):
| Field | Bits | Value |
|---|---|---|
| Sign | 0 |
Positive |
| Exponent | 01111011 |
123 (biased) |
| Mantissa | 10011001100110011001101 |
~1.6 |
New value (-0.1f):
- Flip only the sign bit (bit 31) from
0to1 0x3dcccccd→0xbdcccccd
| Value | Hex | Little-Endian Bytes |
|---|---|---|
| 0.1f | 0x3dcccccd |
cd cc cc 3d |
| -0.1f | 0xbdcccccd |
cd cc cc bd |
💡 Key insight: To negate an IEEE-754 float, you only need to flip the most significant bit. In little-endian, this is the last byte — change
3dtobd.
Step 4: Patch with HxD
- In HxD, open
C:\Users\flare-vm\Desktop\Embedded-Hacking-main\0x001a_operators\build\0x001a_operators.bin - Press Ctrl+G and enter offset:
42C - You should see:
cd cc cc 3d(orcc cc cc 3d) - Replace with:
cd cc cc bd(orcc cc cc bd)
⚠️ Note: The exact bytes may be
cc cc cc 3dorcd cc cc 3ddepending on compiler rounding. Just change the last byte from3dtobd.
Step 5: Save and Convert
- Click File → Save As →
0x001a_operators-h.bin
cd C:\Users\flare-vm\Desktop\Embedded-Hacking-main\0x001a_operators
python ..\uf2conv.py build\0x001a_operators-h.bin --base 0x10000000 --family 0xe48bff59 --output build\hacked.uf2
Step 6: Flash and Verify
- Hold BOOTSEL and plug in your Pico 2
- Drag and drop
hacked.uf2onto the RPI-RP2 drive
Check the serial monitor:
- All operator values remain unchanged (50, 5, 0, 0, 12, 11)
- Temperature should now display with an inverted decimal component
- Humidity will also be affected (same constant is shared)
Expected Output
After completing this exercise, you should be able to:
- Decode and encode IEEE-754 floating-point values
- Understand that flipping one bit (sign bit) negates a float
- Patch floating-point constants in compiled binaries
- Predict how a constant change propagates through calculations
Questions for Reflection
Question 1: Why does changing one byte (3d → bd) negate the entire float value? What does the sign bit (bit 31) control in IEEE-754?
Question 2: The scaling constant 0.1f is used by BOTH the humidity and temperature vfma.f32 instructions. Why does patching this single constant affect both readings?
Question 3: If you wanted to change the constant to 0.5f (0x3f000000, little-endian 00 00 00 3f) instead of -0.1f, how would the temperature reading change? If the raw decimal part is 8, what would the new output be?
Question 4: Could you achieve negative temperature by patching the vfma.f32 instruction itself instead of the constant? What instruction might you replace it with?
Tips and Hints
- IEEE-754 sign bit is the MSB (bit 31) —
0= positive,1= negative - In little-endian, the sign bit is in the last (highest address) byte
- Use an online IEEE-754 converter to verify your understanding
- If the output looks completely wrong (NaN, inf), you may have changed the wrong byte — start over with a fresh copy of the
.binfile