Tame the (q)emu: debug firmware on custom emulated board — Damien Cauquil
Date: 07 June 2024 at 11:15 — 15 min.
QEMU is one of the most widely used tools for efficient emulation of executable files and whole systems, and its CPU emulation inspired several tools used in security research and training, such as Avatar2, Panda and the Unicorn Engine. Emulating a computer or an embedded system with QEMU is quite straightforward and well documented, but emulating a board built around a microcontroller or a system-on-chip is a different story. Modifying QEMU to emulate a specific target system is therefore sometimes the only option, given its performance and the other benefits it provides, yet security researchers and trainers often see it as very difficult or impossible because of QEMU's complexity.
In this paper, we first briefly explain the core concepts of QEMU, including some of its internals and the QEMU Object Model. Then, we demonstrate that adding a custom board to QEMU is not a tedious task and can be done with little knowledge of its API, based on a specific board we use in trainings and hardware CTFs. Finally, we briefly show how this custom emulated board can be used for dynamic analysis and vulnerability research using QEMU's debugging capabilities.