Capstones and Next Steps

TL;DR

• You’ll get hands-on capstone projects that combine the series skills: compiling RV32 C, inspecting ELF internals, understanding stack frames, debugging under QEMU, triaging firmware, and validating with hardware interfaces.
• Each capstone includes a suggested deliverable, test plan, and “stretch goals”.
• You’ll also get a study plan for teaching this material to others: how to run labs, evaluate exercises, and keep students moving.

Capstone 1: RV32 “binaryISC” - a tiny firmware monitor in QEMU

Goal

Build a minimal bare-metal RV32 program that:

• starts at a known address (via linker script),
• maintains a few global variables,
• exposes a tiny “monitor loop” (even if it’s just a state machine),
• and can be debugged deterministically.

Deliverables

• monitor.c, monitor.ld
• monitor.elf, monitor.bin
• monitor.map (link map)
• a short write-up:
  • memory map (what is at which address)
  • how to connect with GDB and inspect state

Suggested implementation sketch

• A global command variable that changes state
• A loop that checks the variable and updates a counter
• Optionally: a “software breakpoint” label you can jump to

Test plan

• Verify _start address with readelf -h and readelf -s.
• Verify .text/.data/.bss placement with the .map file.
• Debug with qemu-system-riscv32 -S -gdb tcp::1234 and GDB.

Stretch goals

• Add .data copy-down and .bss zeroing in startup code.
• Add a basic UART output via QEMU virt UART (advanced).

Capstone 2: “C → Assembly” explanation pack (teaching deliverable)

Goal

Create a set of teaching artifacts that explain how 5 small C functions compile to assembly at -O0 and -O2.

Pick functions that cover:

• arithmetic + bitwise
• if/else
• loop over array
• switch
• a function call with stack frame

Deliverables

• a PDF or markdown write-up with:
  • original C
  • disassembly excerpts
  • “how to read this” notes
• a short quiz for each function (students answer from disassembly)

Test plan

• For each function, include a GDB session snippet that confirms the behavior.

Capstone 3: Firmware triage report (static-first)

Goal

Take a firmware image (your own or a known training image) and produce a structured triage report.

Deliverables

A report containing:

• file type identification results (file, entropy notes)
• strings highlights and hypotheses
• embedded artifacts found (ELF headers, compressed regions)
• extracted sub-images (if applicable)
• an initial memory map guess (for .bin)
• next steps (which functions/subsystems to analyze)

Test plan

• Provide the exact commands used.
• Provide offsets and hashes for extracted pieces.

Capstone 4: Dynamic analysis mini-lab (Frida)

Goal

Hook a decision point in a userland program:

• log inputs
• log outputs
• optionally patch behavior

Deliverables

• Frida script(s)
• before/after behavior evidence
• explanation of why you chose that hook point

Stretch goals

• Convert to address-based hooking and handle stripped symbols.

Capstone 5: Hardware validation worksheet (UART/SPI/I2C)

Goal

Create a “field worksheet” that students can use on any board.

Deliverables

A template that includes:

• power rails and expected voltages
• ground points
• suspected UART header pins and test results
• suspected SPI flash chip ID, pin mapping, and sniff results
• I2C scan plan and capture notes

Test plan

• Try it on a dev board you own and fill out a real worksheet.

Teaching plan: how to run this series for a class

Recommended pacing

• Week 1: Chapters 1–3 (setup, ELF, ABI)
• Week 2: Chapters 4–6 (optimization, control flow, stack)
• Week 3: Chapters 7–9 (linker scripts, floats, debugging)
• Week 4: Chapters 10–12 (firmware workflow, dynamic analysis, hardware interfaces)
• Week 5+: Capstones

How to evaluate students

• Require “evidence artifacts”:
  • map files, disassembly excerpts, GDB transcripts
  • small scripts (Python) that verify constants
• Use small oral checks:
  • “show me where the return value is”
  • “show me which instruction loads struct field X”

Exercises

1. Choose one capstone and write a 1-page project plan with milestones.
2. Create a rubric for grading Capstone 2 (C→assembly explanation pack).
3. Write 10 “micro-questions” students can answer from objdump output.

How to test your answers

• If your plan has clear milestones, another student should be able to follow it.
• If your rubric is specific, two graders should score similarly.

Summary

You now have a set of realistic projects that combine the entire toolchain: compilation, ELF reading, assembly reasoning, stack/ABI understanding, debugging, firmware triage, and hardware interface validation.

If you want to expand this book next, the most valuable additions are:

• deeper startup/runtime topics (crt0 (C runtime zero) and initialization),
• exception/trap handling on RISC-V,
• and a full “emulated Linux firmware” lab with a filesystem and services.