Embedded-Hacking/WEEK02/WEEK02-01.md
Kevin Thomas ebf909f4d1 Added WEEK02
2026-01-11 09:49:46 -05:00


Embedded Systems Reverse Engineering

Repository

Week 2

Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2

Exercise 1: Change the Message

Objective

Write your own message into SRAM and redirect r0 so the running program prints it without changing the source code.

Prerequisites

  • Raspberry Pi Pico 2 with debug probe connected
  • OpenOCD and arm-none-eabi-gdb available in your PATH
  • Serial monitor (PuTTY/minicom/screen) set to 115200 baud
  • build/0x0001_hello-world.elf present and flashed to the board
  • Week 2 setup steps (0a0e) completed: OpenOCD, serial monitor, and GDB ready

Task Description

You will create a custom string in SRAM at 0x20000000, point r0 at it just before puts() runs, and watch the live output change to your message.

Step-by-Step Instructions

Step 1: Start OpenOCD

```
openocd ^
  -s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
  -f interface/cmsis-dap.cfg ^
  -f target/rp2350.cfg ^
  -c "adapter speed 5000"
```

Step 2: Start the Serial Monitor

  • Open PuTTY (Serial), choose the correct COM port, set speed to 115200, then click Open.

Step 3: Launch GDB

```
arm-none-eabi-gdb build/0x0001_hello-world.elf
```

Step 4: Connect and Halt

```
(gdb) target extended-remote :3333
(gdb) monitor reset halt
```

Step 5: Break Before puts()

```
(gdb) b *0x1000023c
```

Step 6: Run to the Breakpoint

```
(gdb) c
```

Step 7: Inject Your Message into SRAM

Replace the characters with your name as needed.

```
(gdb) set {char[20]} 0x20000000 = {'Y','o','u','r',' ','N','a','m','e','!','\r','\0'}
```

Step 8: Point r0 to Your Message

```
(gdb) set $r0 = 0x20000000
```

Step 9: Resume and Observe

```
(gdb) c
```

Check PuTTY for your custom string replacing "hello, world".

Expected Output

  • GDB stops at 0x1000023c before __wrap_puts.
  • x/s 0x20000000 shows your injected message.
  • PuTTY displays your custom message after you continue execution.

Questions for Reflection

Question 1: Why does the string have to live in SRAM instead of flash during runtime?
Question 2: What would happen if you forgot the null terminator in your injected string?
Question 3: How does changing r0 alter the behavior of puts() without touching source code?

Tips and Hints

  • Keep your string length within the allocated array (char[20]).
  • If you miss the breakpoint, confirm OpenOCD is running and the address matches Week 2 disassembly.
  • Use x/s $r0 to confirm the register points to the intended address before continuing.
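The following Python helper is an added example for this exercise, not part of the course material. It generates the Step 7 `set {char[20]} 0x20000000 = {...}` command from a plain message, refusing any message that (with the trailing `\r` and NUL) would not fit in the 20-byte array, and pads the initializer to exactly 20 elements so the array sizes on both sides of the assignment agree. It also models what `puts()` does with the injected bytes: it reads from the start address until the first NUL, so a buffer without a terminator keeps being read into whatever follows it in SRAM. The "stale" bytes after the buffer are constructed for the demonstration; the function names are this example's own.

```python
# Added helper (not part of the course repository): builds the GDB
# injection command for Step 7 and models puts()'s NUL-terminated read.

SRAM_BASE = 0x20000000   # string location used by the exercise
BUFFER_LEN = 20          # matches the exercise's {char[20]} cast


def gdb_char_literal(byte: int) -> str:
    """Render one byte as a GDB character literal (or a plain number)."""
    if byte == 0:
        return "'\\0'"
    if byte == 13:
        return "'\\r'"
    if byte == 10:
        return "'\\n'"
    ch = chr(byte)
    if ch in ("'", "\\"):
        return f"'\\{ch}'"
    if 32 <= byte < 127:
        return f"'{ch}'"
    return str(byte)


def gdb_set_command(message: str, addr: int = SRAM_BASE,
                    buf_len: int = BUFFER_LEN) -> str:
    """Return the GDB command that writes message + '\\r' + NUL to addr.

    Raises ValueError if the bytes would not fit in buf_len, so the
    write can never spill past the array the exercise allocates.
    The initializer is padded with NULs to exactly buf_len elements.
    """
    payload = message.encode("ascii") + b"\r\x00"
    if len(payload) > buf_len:
        raise ValueError(
            f"{len(payload)} bytes exceed the {buf_len}-byte buffer")
    payload = payload.ljust(buf_len, b"\x00")
    literals = ",".join(gdb_char_literal(b) for b in payload)
    return f"set {{char[{buf_len}]}} {addr:#x} = {{{literals}}}"


def puts_view(memory: bytes, buf_len: int = BUFFER_LEN) -> tuple[str, bool]:
    """Model puts(): read from offset 0 up to the first NUL byte.

    Returns (text that would be printed, overran) where overran is True
    when the terminator was only found beyond the buf_len-byte buffer,
    i.e. puts() would have walked into adjacent SRAM.
    """
    end = memory.find(b"\x00")
    if end == -1:
        # No NUL anywhere in the modelled memory: a real puts() would
        # keep reading; report everything we have and flag the overrun.
        return memory.decode("ascii", errors="replace"), True
    return memory[:end].decode("ascii", errors="replace"), end >= buf_len


def demo() -> dict:
    """Compare a terminated injection with one missing its NUL."""
    # Constructed bytes standing in for whatever already sat after the
    # 20-byte buffer in SRAM (not real board contents).
    stale = b"STALE!!\x00"
    good = b"Your Name!\r\x00".ljust(BUFFER_LEN, b"\x00") + stale
    bad = b"Your Name!\r".ljust(BUFFER_LEN, b"X") + stale  # no NUL in the buffer
    return {"good": puts_view(good), "bad": puts_view(bad)}


if __name__ == "__main__":
    print(gdb_set_command("Your Name!"))
    for label, (text, overran) in demo().items():
        print(f"{label}: {text!r} overran={overran}")
```

Paste the printed `set` line into GDB at Step 7; the padded form writes all 20 bytes, so leftover characters from a previous, longer message cannot trail your new one. The `bad` case in `demo()` is the situation Question 2 asks about: with no NUL inside the array, the modelled `puts()` prints the nine padding bytes and the stale data beyond the buffer before it stops.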

Next Steps

  • Repeat the exercise with different messages to verify repeatability.
  • Try smaller or larger buffers (still within SRAM) to see how size affects safety.
  • Move on to Exercise 2 to practice using alternate SRAM addresses.