Kevin Thomas
mytechnotalent.bsky.social
Author of the world’s most popular Reverse Engineering Tutorial
Just finished writing a bare-metal #RISCV SG90 servo motor driver with an ESP32-C3 entirely in Assembler. I will be releasing it soon for others to learn from and expand their Embedded #ReverseEngineering skills for this incredible open-source platform.
November 9, 2025 at 1:37 PM
Looks like my PWM is way off in Assembler. 28us + 330us is 2.79 kHz total period. Oh well. #ReverseEngineering
November 8, 2025 at 11:34 PM
So much of #ReverseEngineering Embedded Systems is datasheet digging, scope probing and reading register values in GDB. Take the time and try it for yourself!
November 8, 2025 at 9:05 PM
An RP2350 UART driver written entirely in Assembler. #Embedded #ReverseEngineering github.com/mytechnotale...
November 2, 2025 at 3:46 PM
I got a request to make a PURE Assembler driver in RISC-V so here it is. No SDK as it will teach you the basics of a RISC-V chip, specifically the ESP32-C3. #Embedded #ReverseEngineering github.com/mytechnotale...
November 1, 2025 at 7:35 PM
0x000C: RP2350 crt0.S weak .thumb_func ISR stubs (decl_isr_bkpt) vector table exec bkpt #0. Unhandled USER IRQs to __unhandled_user_irq (puts IRQ in r0 via mrs r0, ipsr / subs r0,#16) so bkpt label has exact faulting vector. #Embedded #ReverseEngineering github.com/mytechnotale...
November 1, 2025 at 1:40 PM
RP2350 deep-dive: XIP vector table @0x10000000 (memmap_default.ld/crt0.S). Word0=__StackTop (SCRATCH_Y: ORIGIN 0x20081000 + LEN 0x1000 = 0x20082000), Word1=reset handler. Bootrom VTOR; ISRs (isr_usagefault @0x10000110) follow. #Embedded #ReverseEngineering github.com/mytechnotale...
October 26, 2025 at 1:34 PM
Little Halloween fun chillin with Baab about to hear The Last Rewind band.
October 25, 2025 at 10:39 PM
Learn the basics of #Embedded #ARM #Assembler w/ #RP2350 as here is a simple blinky driver from scratch with no SDK to teach you the basics of how the RP2350 works! #ReverseEngineering github.com/mytechnotale...
October 25, 2025 at 8:59 PM
0x000A: On the RP2350 boot flow - reset handler checks (cbz r0) core0 cont; other core back to bootrom. Core0 runs crt0.S: copy init data flash→RAM via data_copy_table, zero BSS, call runtime_init (C runtime) then blx main. #Embedded #ReverseEngineering github.com/mytechnotale...
October 25, 2025 at 1:30 PM
0x0009: The RP2350 uses XIP where firmware executes directly from non-volatile memory rather than being copied into RAM. We notice our MSP is first 4 bytes at flash followed by the Reset_Handler! THIS CAN COME IN HANDY when reversing! #Embedded #ReverseEngineering github.com/mytechnotale...
October 19, 2025 at 1:14 PM
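The vector table layout described in posts 0x0009 and the RP2350 deep-dive (word 0 = initial MSP, word 1 = reset handler, ISRs after), as an added example that is not code from the author or his repositories. It parses the first words of a flash image and sanity-checks them; the sample image is constructed, with only `0x20082000` and `0x10000110` taken from the posts, and `FLASH_SIZE` is an assumed 4 MiB part.

```python
import struct

XIP_BASE = 0x10000000         # XIP flash base (from the posts)
SRAM_BASE = 0x20000000        # SRAM base (from the posts)
STACK_TOP = 0x20082000        # SCRATCH_Y 0x20081000 + 0x1000 (from the posts)
FLASH_SIZE = 4 * 1024 * 1024  # assumption: 4 MiB flash part

# Arm exception names for vector words 1..6 (word 0 is the initial MSP).
NAMES = {1: "Reset", 2: "NMI", 3: "HardFault",
         4: "MemManage", 5: "BusFault", 6: "UsageFault"}

def parse_vector_table(image, base=XIP_BASE, count=7):
    """Return (msp, {name: handler address}, [findings]) for a flash image."""
    if len(image) < 4 * count:
        raise ValueError("image too short for a vector table")
    words = struct.unpack_from("<%dI" % count, image, 0)
    msp, findings, handlers = words[0], [], {}
    # The stack pointer must be 8-byte aligned and land inside SRAM.
    if msp % 8 or not (SRAM_BASE < msp <= STACK_TOP):
        findings.append("MSP 0x%08X is not a plausible stack top" % msp)
    for idx in range(1, count):
        raw, name = words[idx], NAMES[idx]
        if raw == 0:
            continue  # unused entry
        addr = raw & ~1  # bit 0 is the Thumb bit, not part of the address
        if not raw & 1:
            findings.append("%s: Thumb bit clear" % name)
        if not base <= addr < base + FLASH_SIZE:
            findings.append("%s: 0x%08X outside XIP flash" % (name, addr))
        handlers[name] = addr
    return msp, handlers, findings

# Constructed sample image: MSP and UsageFault match the posts, every
# other handler address is made up for illustration.
SAMPLE_IMAGE = struct.pack(
    "<7I",
    0x20082000,  # word 0: __StackTop
    0x1000015D,  # word 1: Reset (constructed)
    0x10000109,  # NMI (constructed)
    0x1000010B,  # HardFault (constructed)
    0x1000010D,  # MemManage (constructed)
    0x1000010F,  # BusFault (constructed)
    0x10000111,  # UsageFault: isr_usagefault @0x10000110 with Thumb bit set
)

if __name__ == "__main__":
    msp, handlers, findings = parse_vector_table(SAMPLE_IMAGE)
    print("MSP   = 0x%08X" % msp)
    for name, addr in handlers.items():
        print("%-10s = 0x%08X" % (name, addr))
    print("findings:", findings or "none")
```

A non-empty findings list on a real dump usually means the image is offset, encrypted, or not loaded at the XIP base.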
0x0008: The RP2350 boot2 config QMI for 0x03 serial reads, sets timing (short cooldown, clock div, RX delay), performs a dummy transfer to init flash & enable cont/XIP (prefix_len=0). Ret to bootrom which jmp to reset_vector. #Embedded #ReverseEngineering github.com/mytechnotale...
October 18, 2025 at 1:21 PM
0x0007: The RP2350 has an on-chip bootloader (bootrom) that executes immediately when the chip gets power. Here we see flash init, boot path selection, and hardware setup. #Embedded #ReverseEngineering github.com/mytechnotale...
October 12, 2025 at 12:56 PM
Robot firmware for Waveshare Pico2Go (RP2350-Plus) in Embedded C; leverages RP2350 for reliable motor control plus integrated IR remote support and robust capabilities. #Embedded #C github.com/mytechnotale...
October 11, 2025 at 1:49 PM
Rust-Robot - Async robot firmware for Waveshare Pico2Go (RP2350-Plus) in Embedded Rust with Embassy; leverages RP2350 for reliable motor control plus integrated IR remote support and robust capabilities. #Embedded #Rust #Embassy github.com/mytechnotale...
October 9, 2025 at 1:10 PM
An RP2350 blink driver written entirely in Assembler, without the Pico SDK. #Embedded #ReverseEngineering github.com/mytechnotale...
October 5, 2025 at 6:48 PM
#Embedded classic!
October 5, 2025 at 4:25 PM
0x0006: Just hijacked the SRAM at 0x20000000 on the RP2350! Injected a new string in memory and patched r0 to point to our hack. Check out the proof, "hacky, world" appears at the bottom of the serial output! #Embedded #ReverseEngineering github.com/mytechnotale...
October 5, 2025 at 1:34 PM
0x0005: The RP2350 main function continues where we step over stdio_init_all and verify that the string hello, world exists at 0x10000244 which is moved into r0 as an arg to puts. #Embedded #ReverseEngineering github.com/mytechnotale...
October 4, 2025 at 1:30 PM
I found the pins
September 28, 2025 at 6:08 PM
Working with UART we need to identify RX, TX and GND. This Netgear router has 6 pins so let’s get our tools to figure it out. #ReverseEngineering
September 28, 2025 at 4:43 PM
A little JTAG hackery on a Sunday. #ReverseEngineering
September 28, 2025 at 2:41 PM
0x0004: The RP2350 main function begins by pushing the r3 and link register to the stack, we see that at 0x20082000 before the push the stack has all 0's. After pushing, we re-examine the stack and see the two values in reverse order. #ReverseEngineering github.com/mytechnotale...
September 28, 2025 at 1:30 PM
0x0003: The RP2350 main function begins at 0x10000234 as we can examine a non-stripped ELF binary of a simple hello world application. This is evident using GDB. #ReverseEngineering #Embedded github.com/mytechnotale...
September 27, 2025 at 1:47 PM
Saleae logic analyzer on an EdgeRouterX #reverseengineering #embedded
September 25, 2025 at 12:13 AM