Make Me Hack

Hardware Hacking, Reverse Engineering and more …

How To Emulate Firmware With QEMU

I released the seventh episode of the Hardware Hacking Tutorial series on the Make Me Hack YouTube channel.
This episode is about “How To Emulate Firmware With QEMU”.

The Hardware Hacking Tutorial series shares information on how to do hardware hacking and reverse engineering. It is useful both for beginners and for experts.

If you have identified an interesting executable binary in the firmware file of your device, and you want to run it or reverse engineer it in a debugging-friendly, reverse-engineering-friendly emulation environment, this is the video for you!

We will talk about using QEMU to build an emulation environment, reasonably similar to our device, in which to run, debug, and reverse engineer interesting device executable binaries.

QEMU (the “Quick EMUlator”) can emulate hundreds of different CPU architectures, and it is the most important building block of our emulation environment.

This episode is about QEMU setup, which is the first step in building an emulation environment.

We will talk about the requirements for the emulation environment, the different QEMU emulation modes, and how to emulate an entire board that is reasonably similar to our IoT device.

We will also introduce a tool for building the kernel and the root file system of our emulated board.

We want an emulation environment that can run the device executable binaries we are interested in. This means that our emulation environment must have, at least, the same CPU architecture and instruction set as our device. We will not be able to emulate our device entirely, with all of its internal components and peripherals (in our case, the Ethernet switch included in our router, the VoIP chip that drives a Plain Old Telephone Service handset, or the specific WiFi chip), but we will be able to emulate a reasonably similar board that can run the executable binaries we are interested in.

There is a fantastic piece of Open Source software that can emulate hundreds of different boards with hundreds of different CPU architectures, and it is also very efficient and quite fast at doing so: QEMU, the Quick Emulator.

There are many other emulators, but many of them are not free, and some are specialized for a certain architecture and more accurate for it, being able to emulate each CPU cycle; but, for our purpose, QEMU is by far the best emulation software.

Installing QEMU on Linux systems is easy; you will find some instructions in the description below.

QEMU has 3 modes of operation:

  • “system mode”: in this mode QEMU emulates an entire system, that is an entire board with a certain type of CPU, a certain amount of RAM and disk, and some other chips like EEPROM and so on. You can only emulate boards already included in QEMU, unless you modify its source to add additional boards; this is not impossible, but it has a quite steep learning curve;
  • “user mode”: in this mode QEMU does not emulate a different board but performs a sort of “machine code translation”, from the machine code of, for example, a MIPS or ARM executable binary to the machine code of our x64 Linux PC; it does a good job of mapping the original kernel system calls to system calls on our x64 Linux PC. It is a useful mode because it can be used immediately, without building a full emulation environment, but sometimes it cannot run our device executable binaries, and at other times it can give weird results. We will see an example very soon;
  • the last QEMU mode is “virtualization mode”; we are not interested in this mode because it is used to run a virtual machine on our PC with the same x86 architecture. This is the mode used by the KVM and Xen virtualization environments.
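The two modes we care about, put into practice. This is an added example, not a script from the episode or from the QEMU project; it assumes the Debian/Ubuntu names of the user-mode binaries (`qemu-mips-static`, `qemu-arm-static`, and so on, shipped by the `qemu-user-static` package), an extracted firmware root file system such as `./squashfs-root`, and, for system mode, a kernel and disk image built separately for QEMU's MIPS Malta board. The first function reads the ELF header of a binary to decide which qemu-user binary matches its CPU architecture and byte order, which is the check you want before anything else, because a MIPS binary will not run under `qemu-mipsel-static` and vice versa.

```sh
#!/bin/sh
# Added example (not from the episode). Helpers for QEMU user mode and
# system mode. Assumed: qemu-user-static binary names as on Debian/Ubuntu,
# an extracted root fs (e.g. ./squashfs-root), and a separately built
# kernel plus disk image for the QEMU MIPS Malta board.

# Map an ELF file to the matching qemu-user binary from two header fields:
# EI_DATA (byte 5: 01 = little-endian, 02 = big-endian) and e_machine
# (bytes 18-19, stored in the file's own byte order).
qemu_user_for_elf() {
    f="$1"
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $f" >&2; return 1; }
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    raw=$(od -An -tx1 -j18 -N2 "$f" | tr -d ' \n')
    case "$data" in
        01) machine="${raw#??}${raw%??}" ;;   # little-endian: swap the two bytes
        02) machine="$raw" ;;                 # big-endian: already most-significant first
        *)  echo "unknown EI_DATA $data in $f" >&2; return 1 ;;
    esac
    case "$machine:$data" in
        0008:02) echo qemu-mips-static ;;     # EM_MIPS, big-endian (common in routers)
        0008:01) echo qemu-mipsel-static ;;   # EM_MIPS, little-endian
        0028:01) echo qemu-arm-static ;;      # EM_ARM (32-bit)
        00b7:01) echo qemu-aarch64-static ;;  # EM_AARCH64
        0014:02) echo qemu-ppc-static ;;      # EM_PPC (32-bit)
        *) echo "no qemu-user mapping for e_machine 0x$machine (EI_DATA $data)" >&2; return 1 ;;
    esac
}

# User mode: run a binary from the extracted root fs. -L makes QEMU look up
# the dynamic loader and shared libraries inside ROOTFS instead of on the
# host, so the device's own libc is used. Extra arguments go to the binary.
run_in_rootfs() {
    rootfs="$1"; shift
    bin="$1"; shift
    q=$(qemu_user_for_elf "$rootfs/$bin") || return 1
    if command -v "$q" >/dev/null 2>&1; then
        "$q" -L "$rootfs" "$rootfs/$bin" "$@"
    else
        echo "$q is not installed; would run: $q -L $rootfs $rootfs/$bin $*" >&2
        return 127
    fi
}

# System mode: boot a whole emulated MIPS board (Malta), with the kernel and
# root file system image passed in. Serial console goes to the terminal
# (-nographic); the guest gets user-mode networking (-nic user).
# Kernel command line values (root device, console) are assumptions for a
# Malta image with an IDE root disk.
boot_malta() {
    kernel="$1"; disk="$2"
    qemu-system-mips -M malta -m 256 \
        -kernel "$kernel" \
        -drive file="$disk",format=raw \
        -append "rootwait root=/dev/sda console=ttyS0" \
        -nic user \
        -nographic
}

# Usage (uncomment to try on real input):
#   qemu_user_for_elf ./squashfs-root/bin/busybox
#   run_in_rootfs ./squashfs-root bin/busybox ls /
#   boot_malta ./vmlinux ./rootfs.ext2
```

Note what `-L` does and does not redirect: only the ELF interpreter and shared libraries are resolved under the root fs; any other path the program opens (configuration files, device nodes, `/proc`) still resolves on the host. That is one reason user mode can refuse to run a device binary or behave oddly, and the usual workaround is to copy the static qemu-user binary into the extracted root fs and `chroot` into it. When even that is not enough, system mode with `boot_malta` gives the binary a complete guest kernel of the right architecture to talk to.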