mirror of
https://github.com/mytechnotalent/Embedded-Hacking.git
synced 2026-07-11 22:56:39 +02:00
92 lines
2.7 KiB
Markdown
92 lines
2.7 KiB
Markdown
# Embedded Systems Reverse Engineering
|
|
[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
|
|
|
|
## Week 2
|
|
Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
|
|
|
|
### Non-Credit Practice Exercise 2: Use a Different SRAM Address
|
|
|
|
#### Objective
|
|
Practice writing to an alternate SRAM location and redirecting `r0` so your message prints from `0x20041000` instead of `0x20040000`.
|
|
|
|
#### Prerequisites
|
|
- Raspberry Pi Pico 2 with debug probe connected
|
|
- OpenOCD, `arm-none-eabi-gdb`, and a serial monitor ready (Week 2 steps 0a�0e complete)
|
|
- `build\0x0001_hello-world.elf` flashed and running
|
|
- Comfortable setting breakpoints at `0x1000023c`
|
|
|
|
#### Task Description
|
|
You will inject a short string into `0x20041000`, point `r0` there, and verify the live output changes, demonstrating that any safe SRAM slot can host your payload.
|
|
|
|
#### Step-by-Step Instructions
|
|
|
|
##### Step 1: Start OpenOCD
|
|
|
|
```powershell
|
|
openocd ^
|
|
-s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
|
|
-f interface/cmsis-dap.cfg ^
|
|
-f target/rp2350.cfg ^
|
|
-c "adapter speed 5000"
|
|
```
|
|
|
|
##### Step 2: Start the Serial Monitor
|
|
- Open PuTTY (Serial) on the correct COM port at `115200` baud.
|
|
|
|
##### Step 3: Launch GDB and Halt
|
|
|
|
```gdb
|
|
(gdb) target extended-remote :3333
|
|
(gdb) monitor reset halt
|
|
```
|
|
|
|
##### Step 4: Break Before `puts()`
|
|
|
|
```gdb
|
|
(gdb) b *0x1000023c
|
|
(gdb) c
|
|
```
|
|
|
|
##### Step 5: Write a Payload at `0x20041000`
|
|
|
|
```gdb
|
|
(gdb) set {char[14]} 0x20041000 = {'h','a','c','k','e','d','!','!','!','\r','\0'}
|
|
```
|
|
|
|
##### Step 6: Redirect `r0`
|
|
|
|
```gdb
|
|
(gdb) set $r0 = 0x20041000
|
|
```
|
|
|
|
##### Step 7: Continue and Verify
|
|
|
|
```gdb
|
|
(gdb) c
|
|
```
|
|
|
|
Check PuTTY for the new output sourced from the alternate address.
|
|
|
|
#### Expected Output
|
|
- `x/s 0x20041000` shows `"hacked!!!\r"` (or your variant).
|
|
- PuTTY prints the injected message instead of the original string.
|
|
- The program continues looping with your modified output.
|
|
|
|
#### Questions for Reflection
|
|
|
|
###### Question 1: How can you ensure `0x20041000` does not collide with stack usage?
|
|
|
|
###### Question 2: What symptoms would indicate you overwrote an active stack frame?
|
|
|
|
###### Question 3: How would you pick a safe SRAM offset in a larger program with dynamic allocations?
|
|
|
|
#### Tips and Hints
|
|
- Keep payloads short; avoid overrunning the allocated bytes.
|
|
- If you see crashes, choose a lower SRAM address away from the stack top (stack grows downward).
|
|
- Use `info registers sp` and compare with your chosen address to gauge separation.
|
|
|
|
#### Next Steps
|
|
- Try other safe addresses (e.g., `0x20002000`) and verify stability.
|
|
- Map out stack usage by stepping deeper and watching `sp` move.
|
|
- Proceed to Exercise 3 to inspect memory around your payload.
|