6.2 KiB
Embedded Systems Reverse Engineering
Week 7
Constants in Embedded Systems: Debugging and Hacking Constants w/ 1602 LCD I2C Basics
Non-Credit Practice Exercise 2: Find All String Literals in the Binary
Objective
Systematically search through the 0x0017_constants binary using GDB and a hex editor to locate every human-readable string literal, catalog their addresses, contents, and purposes, and gain experience identifying data structures in compiled binaries.
Prerequisites
- Completed Week 7 tutorial (GDB section)
0x0017_constants.elfand0x0017_constants.binavailable in your build directory- GDB (
arm-none-eabi-gdb) and OpenOCD installed - A hex editor (HxD, ImHex, or similar)
Task Description
Compiled binaries contain string literals in the .rodata section — format strings for printf, LCD messages, library strings, and more. You will use two techniques to find them: (1) searching with GDB's x/s command to examine suspected string regions, and (2) visually scanning the binary in a hex editor for ASCII sequences. You will document every string you find, its address, and its likely purpose.
Step-by-Step Instructions
Step 1: Start the Debug Session
Terminal 1 - Start OpenOCD:
openocd ^
-s "C:\Users\flare-vm\.pico-sdk\openocd\0.12.0+dev\scripts" ^
-f interface/cmsis-dap.cfg ^
-f target/rp2350.cfg ^
-c "adapter speed 5000"
Terminal 2 - Start GDB:
arm-none-eabi-gdb build\0x0017_constants.elf
Connect to target:
(gdb) target remote :3333
(gdb) monitor reset halt
Step 2: Locate the Known Strings
We already know about these strings from the tutorial:
(gdb) x/s 0x10003ee8
0x10003ee8: "Reverse"
(gdb) x/s 0x10003ef0
0x10003ef0: "Engineering"
These are the LCD display strings. Now let's find more.
Step 3: Find printf Format Strings
The program uses printf("FAV_NUM: %d\r\n", ...) and printf("OTHER_FAV_NUM: %d\r\n", ...). These format strings must be somewhere in flash. Look in the .rodata section near the LCD strings:
(gdb) x/10s 0x10003ec0
This displays 10 consecutive strings starting from that address. Examine the output — you should find the printf format strings. Try different starting addresses if needed:
(gdb) x/20s 0x10003e00
Step 4: Search the Binary Systematically
Use GDB to scan through flash memory in large chunks, looking for readable strings:
(gdb) x/50s 0x10003d00
Many results will be garbage (non-ASCII data interpreted as text), but real strings will stand out. Look for:
- Format strings containing
%d,%s,%f,\r\n - Error messages from the Pico SDK
- Function names or debug info
Step 5: Open the Binary in a Hex Editor
- Open
C:\Users\flare-vm\Desktop\Embedded-Hacking-main\0x0017_constants\build\0x0017_constants.binin HxD - Switch to the "Text" pane (right side) to see ASCII representation
- Scroll through the binary and look for readable text sequences
In HxD, printable ASCII characters (0x20–0x7E) are displayed as text; non-printable bytes appear as dots.
Step 6: Use Hex Editor Search
Most hex editors can search for ASCII text:
- Press Ctrl+F (Find)
- Switch to "Text" or "String" search mode
- Search for known strings like
Reverse,FAV_NUM,Engineering - For each hit, note the file offset
Step 7: Catalog Your Findings
Create a table of all strings you find:
| Address | File Offset | String Content | Purpose |
|---|---|---|---|
0x10003ee8 |
0x3EE8 |
"Reverse" | LCD line 1 text |
0x10003ef0 |
0x3EF0 |
"Engineering" | LCD line 2 text |
0x10003eXX |
0x3EXX |
"FAV_NUM: %d\r\n" | printf format string |
0x10003eXX |
0x3EXX |
"OTHER_FAV_NUM: %d\r\n" | printf format string |
| ... | ... | ... | ... |
Fill in the actual addresses you discover.
Step 8: Identify SDK and Library Strings
The Pico SDK may include additional strings (error messages, assert messages, etc.). Look for text patterns like:
- "panic" or "assert"
- File paths (e.g., paths from the SDK source)
- Function names
These strings reveal internal SDK behavior that isn't visible in the source code.
Expected Output
After completing this exercise, you should be able to:
- Systematically enumerate string literals in a compiled binary
- Use both GDB (
x/s) and hex editor text view to find strings - Distinguish between application strings, format strings, and SDK/library strings
- Understand that string literals reveal program functionality to a reverse engineer
Questions for Reflection
Question 1: How many distinct strings did you find? Were any of them surprising or unexpected?
Question 2: Why are strings so valuable to a reverse engineer? What can an attacker learn about a program just from its strings?
Question 3: What technique could a developer use to make strings harder to find in a binary? (Think about what the strings look like in memory.)
Question 4: The printf format strings contain \r\n. In the binary, these appear as two bytes: 0x0D 0x0A. Why two bytes instead of the four characters \, r, \, n?
Tips and Hints
- In GDB,
x/streats any address as the start of a null-terminated string — it will print garbage if the address isn't really a string - Use
x/Ns addresswhere N is a number to print N consecutive strings (useful for scanning regions) - In HxD, use Edit ? Select Block to highlight a region and examine the text pane
- Real strings are typically 4+ printable ASCII characters followed by a null byte (
0x00) - The
.rodatasection is usually located after the.text(code) section in the binary
Next Steps
- Proceed to Exercise 3 to trace the I²C struct pointer chain
- Try the
stringscommand if available:strings 0x0017_constants.binwill extract all printable character sequences - Consider: if you found a password string in an embedded device binary, what security implications would that have?