Files
Embedded-Hacking/WEEK02/WEEK02-02.md
T
Kevin Thomas 7c956ee514 Updated WEEK02
2026-05-03 15:08:34 -04:00

92 lines
2.7 KiB
Markdown

# Embedded Systems Reverse Engineering
[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
## Week 2
Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
### Non-Credit Practice Exercise 2: Use a Different SRAM Address
#### Objective
Practice writing to an alternate SRAM location and redirecting `r0` so your message prints from `0x20041000` instead of `0x20040000`.
#### Prerequisites
- Raspberry Pi Pico 2 with debug probe connected
- OpenOCD, `arm-none-eabi-gdb`, and a serial monitor ready (Week 2 steps 0a0e complete)
- `build\0x0001_hello-world.elf` flashed and running
- Comfortable setting breakpoints at `0x1000023c`
#### Task Description
You will inject a short string into `0x20041000`, point `r0` there, and verify the live output changes, demonstrating that any safe SRAM slot can host your payload.
#### Step-by-Step Instructions
##### Step 1: Start OpenOCD
```powershell
openocd ^
-s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
-f interface/cmsis-dap.cfg ^
-f target/rp2350.cfg ^
-c "adapter speed 5000"
```
##### Step 2: Start the Serial Monitor
- Open PuTTY (Serial) on the correct COM port at `115200` baud.
##### Step 3: Launch GDB and Halt
```gdb
(gdb) target extended-remote :3333
(gdb) monitor reset halt
```
##### Step 4: Break Before `puts()`
```gdb
(gdb) b *0x1000023c
(gdb) c
```
##### Step 5: Write a Payload at `0x20041000`
```gdb
(gdb) set {char[14]} 0x20041000 = {'h','a','c','k','e','d','!','!','!','\r','\0'}
```
##### Step 6: Redirect `r0`
```gdb
(gdb) set $r0 = 0x20041000
```
##### Step 7: Continue and Verify
```gdb
(gdb) c
```
Check PuTTY for the new output sourced from the alternate address.
#### Expected Output
- `x/s 0x20041000` shows `"hacked!!!\r"` (or your variant).
- PuTTY prints the injected message instead of the original string.
- The program continues looping with your modified output.
#### Questions for Reflection
###### Question 1: How can you ensure `0x20041000` does not collide with stack usage?
###### Question 2: What symptoms would indicate you overwrote an active stack frame?
###### Question 3: How would you pick a safe SRAM offset in a larger program with dynamic allocations?
#### Tips and Hints
- Keep payloads short; avoid overrunning the allocated bytes.
- If you see crashes, choose a lower SRAM address away from the stack top (stack grows downward).
- Use `info registers sp` and compare with your chosen address to gauge separation.
#### Next Steps
- Try other safe addresses (e.g., `0x20002000`) and verify stability.
- Map out stack usage by stepping deeper and watching `sp` move.
- Proceed to Exercise 3 to inspect memory around your payload.