Week 2 Quiz: Debugging and Hacking Basics
Instructions
Choose the best answer for each question. There is only one correct answer per question.
Questions
Question 1
What does "live hacking" mean in the context of embedded systems?
A) Recompiling source code to change what a program does
B) Modifying a program while it is actively running on real hardware
C) Writing a new program to replace an existing one
D) Using Wi-Fi to remotely update firmware
📖 Reference: Week 2, Part 1 – "What is Live Hacking?"
Correct Answer: B
Question 2
Which GDB command connects to the OpenOCD debug server running on the default port?
A) connect localhost:3333
B) attach openocd
C) target extended-remote :3333
D) link remote 3333
📖 Reference: Week 2, Part 6, Step 4 – "Connect to the Remote Debug Server"
Correct Answer: C
Question 3
Why is the string "hello, world" stored in flash memory (starting with address 0x10...) rather than in RAM?
A) Flash memory is faster to read than RAM
B) The string is a constant defined at compile time and stored in read-only flash
C) The compiler always puts strings in flash to save RAM
D) The Pico SDK forces all strings into flash for security
📖 Reference: Week 2, Part 2 – "Why This Matters for Our Hack"
Correct Answer: B
Question 4
Why does the command set $r0 = "hacky, world\r" fail when used in GDB on a bare-metal embedded system?
A) GDB does not support the set command
B) The string is too long to fit in the register
C) There is no malloc() available because there is no operating system or C runtime
D) Flash memory prevents any write operations through GDB
📖 Reference: Week 2, Part 10 – "The Failed Hack Attempt (Learning Why)"
Correct Answer: C
Question 5
Why is address 0x20000000 (the start of SRAM) a safe place to write an injected string during the hack?
A) It is in flash memory which is permanently writable
B) The stack lives at the bottom of SRAM so there is no risk of collision
C) It is in read-write SRAM and far from the stack, which grows downward from the top of SRAM
D) The bootrom reserves this address specifically for debug payloads
📖 Reference: Week 2, Part 11, Step 12 – "Understanding the Solution"
Correct Answer: C
Question 6
Which GDB command correctly writes the string "hacky, world\r" into SRAM at address 0x20000000?
A) write 0x20000000 "hacky, world\r"
B) set {char[14]} 0x20000000 = {'h','a','c','k','y',',',' ','w','o','r','l','d','\r','\0'}
C) poke 0x20000000 "hacky, world\r"
D) memset 0x20000000 "hacky, world\r" 14
📖 Reference: Week 2, Part 11, Step 13 – "Create Our Malicious String in SRAM"
Correct Answer: B
Question 7
What is the purpose of the b.n 0x1000023a instruction found at the end of main?
A) It calls the puts() function
B) It returns from the main function back to the reset handler
C) It creates an infinite loop by jumping back to the ldr r0 instruction
D) It branches to an NMI (Non-Maskable Interrupt) handler
📖 Reference: Week 2, Part 7, Step 6 – "Examine the Main Function" (instruction table)
Correct Answer: C
Question 8
In the ARM Cortex-M33 calling convention, which register holds the first argument passed to a function?
A) r1
B) r0
C) sp
D) lr
📖 Reference: Week 2, Part 7 – "The Key Insight" and Part 12, Step 15 – "Change r0 to Point to Our String"
Correct Answer: B
Question 9
What does the GDB command x/s $r0 display?
A) The hexadecimal value stored in register r0
B) The 10 bytes of memory starting at the address in r0
C) The null-terminated string stored at the memory address contained in r0
D) The assembly instruction located at the address in r0
📖 Reference: Week 2, Part 9, Step 10 – "Examine What's in r0"
Correct Answer: C
Question 10
Why does GDB say "automatically using hardware breakpoints for read-only addresses" when setting a breakpoint in flash?
A) Hardware breakpoints are faster than software breakpoints
B) Software breakpoints work by modifying code in memory, but flash is read-only at runtime
C) The Pico 2 does not support software breakpoints at all
D) GDB defaults to hardware breakpoints for all embedded targets
📖 Reference: Week 2, Part 8, Step 7 – "Set a Strategic Breakpoint" (hardware breakpoints explanation)
Correct Answer: B
Answer Key
- B - Live hacking means modifying a program while it is actively running on real hardware
- C - target extended-remote :3333 connects to the OpenOCD server on port 3333
- B - The string is a compile-time constant stored in read-only flash memory (.rodata)
- C - Bare-metal systems have no OS and no malloc() for GDB to allocate string memory
- C - SRAM starting at 0x20000000 is read-write and far from the stack at the top of SRAM
- B - The set {char[N]} ADDRESS = {...} syntax writes individual characters directly to memory
- C - b.n is a branch instruction that jumps back to create the infinite loop
- B - Register r0 holds the first argument to a function in ARM calling convention
- C - x/s examines memory and displays it as a null-terminated string
- B - Software breakpoints require writing to code memory, which is impossible in read-only flash
Scoring Guide
- 10 correct: Excellent! You have a strong grasp of Week 2 concepts
- 8-9 correct: Very good! Review the topics you missed
- 6-7 correct: Good start. Go back and review the key concepts
- 5 or fewer: Review the Week 2 material again and try the practice exercises
Topics Covered
This quiz tests your understanding of:
- Live hacking and its real-world applications
- GDB connection and debug session setup
- Flash vs SRAM memory properties (read-only vs read-write)
- Why bare-metal systems lack malloc()
- Writing data directly to SRAM with GDB
- ARM calling convention and register r0
- The infinite loop instruction b.n
- Hardware vs software breakpoints
- Examining memory and strings with GDB
- The complete attack flow: breakpoint → examine → inject → hijack → continue