#07 - How To Emulate Firmware With QEMU - Hardware Hacking Tutorial

Рет қаралды 68,914

4 жыл бұрын

If you have successfully identified some interesting executable binary in the firmware file of your device, and if you want to run it or reverse engineer it in a debugging friendly, reverse-engineering friendly, emulation environment, this is the video for you!
We will talk about using QEMU as an emulation environment, reasonably similar to our device, where to run, debug, and reverse engineer interesting device executable binaries.
"QEMU", can "Quick EMUlate" hundreds of different CPU architectures, and it is the most important building block of our emulation environment.
We want to have an emulation environment that can run the device executable binaries we are interested in, this means that our emulation environment must have, at least, the same CPU architecture and instruction set as our device.
There is a fantastic, Open Source, software, that can emulate hundreds of different boards with hundreds of different CPU architectures, and it is also very efficient e quite fast in this emulation, it is QEMU the Quick Emulator.
There many other emulators, but many of them are not free, some of them are more specialized for a certain architecture, but, for our purpose, QEMU is, by far, the best emulation software.
Installing QEMU, on Linux systems, is easy, you will find some instructions below.
QEMU has 3 modes of operation:
- a "system mode" operation, in this mode it emulates an entire system, an entire board with a certain type of CPU, a certain amount of RAM and disk, with some other chips like EEPROM and so on. You can only emulate boards already included in QEMU, unless you want to modify its source to add additional boards; this is not impossible, but it has a quite steep learning curve;
- a "user mode" operation, in this mode it doesn't emulate a different board but does some sort of "machine code translation", from the machine code of, for example, a MIPS or ARM executable binary to the machine code of our x64 Linux PC; it does a good job at mapping original kernel system calls to system calls in our x64 Linux PC. It is a useful operation mode, because it can be used immediately, without building a full emulation environment, but, sometimes, it cannot run our device executable binaries and, some other times, can give weird results. We will see an example very soon;
- the last QEMU mode is the "virtualization mode", we are not interested in this mode because it is used to run a virtual machine in our PC with the same x86 architecture. This is the mode used by the KVM and XEN virtualization environments.
Installing QEMU
On Ubuntu QEMU can be installed with the following installation command:
$ sudo apt-get install qemu qemu-block-extra qemu-kvm qemu-slof qemu-system \
qemu-system-arm qemu-system-common qemu-system-mips qemu-system-misc \
qemu-system-ppc qemu-system-s390x qemu-system-sparc qemu-system-x86 \
qemu-user qemu-user-binfmt qemu-utils
In other distributions you have to use corresponding installation commands.
Kernel, root file system image, and "qr.sh" script
uk2.digiampietro.com:/hht/make...
Links with additional Information
Channel's Author: www.makemehack.com/2020/02/a-...
Channel's Web Site: www.makemehack.com/
The sample router (Gemtek WVRTM-127ACN) on techinfodepot: en.techinfodepot.shoutwiki.com...
The sample router (Gemtek WVRTM-127ACN) reverse-engineered on GitHub, includes scripts to dump the EEPROM to a text file and to convert it back to binary file: github.com/digiampietro/hacki...
QEMU, the Quick EMUlator: www.qemu.org/
Buildroot, a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation: buildroot.org/
The Yocto Project, to create custom Linux-based systems regardless of the hardware architecture: www.yoctoproject.org/
OpenWRT Build System: openwrt.org/docs/guide-develo...
Linux Kernel Device Tree: elinux.org/Device_Tree_What_I...
MIPS Malta Evaluation Board: www.linux-mips.org/wiki/MIPS_...
QEMU MIPS System Emulator: www.qemu.org/docs/master/qemu...
Available platforms in QEMU: wiki.qemu.org/Testing/Acceptance
QEMU User Documentation: www.qemu.org/docs/master/qemu...
Linux Memory Technology Devices: www.linux-mtd.infradead.org/in...
How to use the Linux kernel NAND simulator: www.linux-mtd.infradead.org/fa...
UBI and the UBIFS File System: www.linux-mtd.infradead.org/do...
Kernel, root file system image, and qr.sh script: uk2.digiampietro.com/hht/makem...

Пікірлер: 75

@xDR1TeK Жыл бұрын

I'm confused, finding Valerio on KZfaq giving so much of himself, so much experience, and cross discipline information that some of us find quite challenging and yet here they are in a few videos, how? I've never seen such generosity from anyone like this before. Not even my professors during my academic years have I received from them such valuable information, not in electrical, electronics, RF and comms. I've done some embedded work but nothing this sophisticated. I feel like my whole life was wasted, this video gave me meaning. I was asleep but now I'm awake. Thank you friend Valerio.

@techstudy8722 5 ай бұрын

00:06 Using QEMU for emulation environment 03:23 QEMU offers three modes of operation for emulation. 10:40 Emulate a complete system using QEMU 14:14 Emulating firmware with QEMU requires rebuilding the kernel for the emulated board 21:28 Challenges of managing versions and impact on security and efficiency 24:57 Tools like Yocto Project, Buildroot, and OpenWrt are used to build kernel and root file system for embedded devices or QEMU emulated boards. 31:46 Emulating firmware with QEMU provides insights into the hardware and system details. 35:16 Emulating NAND EEPROM with nandsim module 42:20 Setting up a debugging and reverse-engineering friendly emulation environment. Crafted by Merlin AI.

@horacesiskin 4 жыл бұрын

Valerio: These videos are fantastic! Great content, excellent video production, and the Italian accent makes it even better! Many thanks!

@MakeMeHack 3 жыл бұрын

Hello Horace Siskin, thank you very much for your appreciation and support.!

@jirehla-ab1671 Ай бұрын

Its hard to find arm devices that have uefi firmware@@MakeMeHack

@trw8777 Жыл бұрын

I've seen many tutorials but none have been as good as this series. Your explanation leaves absolutely no questions.

@edgeeffect 3 жыл бұрын

I used to work with embedded developers.... I heard about all these things from them.... but this intro has done a much better job of helping me REALLY understand.... this is great stuff.

@tylerstarkey9141 3 жыл бұрын

These tutorials are a god send. I've wanted to get into hardware/software hacking for a while but had no idea where to start. I've learned so much by watching your videos, and my own trial and error. Its really nice that you gave us novice hackers a blueprint. Thanks, I really appreciate it. Please have a good day..

@luizboina3187 9 ай бұрын

You are Amazing, Valerio!!! Congrats on making this concise, didactic and useful material for us, I have 100% certain that a lot of people that don't comment on this series have the same feeling that I'm feeling right now. I'm Brazilian and I'm not confident about my English speaking as well but I can understand you perfectly, You're amazing!!!

@alexdonofrio6140 3 жыл бұрын

Thank you so much for this, emulating arm systems / consoles to root and release mods has been a topic I wanted to learn for awhile now

@jacythomas1112 5 ай бұрын

Like the others, I’m a few videos in your series so far, an am enjoying it and finding very helpful. After you mentioned it, I will admit my very first impression was that the accenting was a little heavy, but as I listened further, I always know exactly what you’re saying and so far have had no trouble at all. I’m subscribed and look forward to you content

@knyshov 5 ай бұрын

Now this... is very interesting. :) I did not expect this much detail at NAND emulation.

@typedeaf Жыл бұрын

Very thoruugh coverage of topics. Great stuff.

@liberatemi9642 2 жыл бұрын

Dude you’re frighteningly intelligent - the English is excellent and makes the videos very friendly. (I’m English)

@murrij 4 жыл бұрын

Thank you so much for these. Who says you can't learn anything in quarantine??? Sincerely, you are appreciated for the whole series.

@MakeMeHack 4 жыл бұрын

Hello murrij, thank you for your appreciation and support.

@manussos 4 жыл бұрын

Once more, an excellent presentation! Can't wait for the next video!

@MakeMeHack 4 жыл бұрын

Hi Μανούσος Πουλινάκης, thank you again for your continued support!

@victorchorques4893 Жыл бұрын

Incredible content. You're a master on this topic and an incredible teacher. I hope you release more videos on this topic.

@jacythomas1112 5 ай бұрын

I’m so glad you identified as Italian in this video, is been trying to localize your dialect. At first, when I was passing very little attention and It was just going in the background, my first guess was Russian/Eastern Bloc area, then by like you 3rd video I head some patterns sounding Dutch or German… I was just about to pay attention and try to guess for real and you gave the answer away at the same time lol.

@barrcall 2 жыл бұрын

G'day Valerio, great video instruction, I became curious about UART as it is something I have never had to get involved in, even though I have had my own Electrical / Electronics / Comms business for nearly 50 years, I was recently ask by a couple of young blokes for some assistance with it & I couldn't so i decided to catch up; I'll have to repeat the videos a few times to get a true grasp of it, but it's not because of your english, it's because i'm 75 Anni; by the way, in Australia as a young bloke I studied studied Italian at College, loved it & always remember Father Briffa, the teacher, telling us to "Roll your "R's" ! , your accent is very similar to his & therefore "Very Italian" Thanks a lot & best of luck

@user-eb8eb6og5g 3 жыл бұрын

Thank you! Great video series!

@krouviere 3 жыл бұрын

Excellent videos. I'm really enjoying them. Thank you !

@Picatchoof2011 2 жыл бұрын

Hello Really great job and really great exeriance. BTW your english is goog and the speed of talking make it really easy to follow and understand. keep going and good luck.

@mysterium364 2 ай бұрын

24:41 That exists? Mind blowing. I am new to this kind of thing and the concept of what you are describing sounds so powerful it's like a deus ex machina

@TheTacticalDood 3 жыл бұрын

This channel is a gem! Glad I found it.

@MakeMeHack 3 жыл бұрын

Hello Amr Mustafa, thank you for your appreciation!.

@JoaoPaulo-kc6ng 3 жыл бұрын

Your videos have a lot of value !!! Thanks

@superviperr 2 жыл бұрын

Great job. Like your passion and great knowladge which you are willing to share. Thank you very much!

@edgeeffect 3 жыл бұрын

At my old job, I think they used to make custom QEMU board files from time to time.... I wonder if this is simple or too complex. I never understood why "mipsel" not "mipsle" ... now I know!!

@lantapaukku7629 Жыл бұрын

Enlightening and enjoyable experience... this teaches a lot to start understanding how to get into chinese surveillance cameras. No, no your english isn't an obstacle... keep it going!!!

@foo-bar6302 Жыл бұрын

You are fantastic. Thank you for sharing.

@mohelm97 2 жыл бұрын

Thanks a lot, great video

@johnsgresham7237 Жыл бұрын

great video, thank you!

@hassanmibtal7367 2 жыл бұрын

Hi Valerio Your Videos are so helpful and rich with important information thanks a lot. It will be great full if you do some practice of RE on some old mcu like Motorola, 8051, Fujitsu, Hitachi, ... on popular devices different than routers like automotive ECU, vending machine, coin changer ...Again thanks a lot and happy RE with beautiful Italian accent.

@cralx2k 3 жыл бұрын

Love it... Thanks again

@kakasasaytb Жыл бұрын

Thank you very much for this series of videos you recorded. I learned a lot from them. I am a novice in QEMU. The found usage of -serial is to redirect the output information to the host for display. I would like to know whether QEMU can communicate with the USB device serial port of the host in the QEMU simulation firmware solution?

@linuxinside6188 3 жыл бұрын

Please make more videos , thanks 🙏

@mforrest85 Жыл бұрын

I can understand you just fine.

@mohadjermohamed4668 3 жыл бұрын

THIS IS THE BEST CHANNEL EVER

@finnbin1 3 жыл бұрын

wow... high info level....

@davegarneau 2 жыл бұрын

Most underrated channel. You're videos are simply amazing

@edgeeffect 3 жыл бұрын

I've recently got a router with the serial port and JTAG clearly labelled but no easy Open WRT support.... I'm really keen to try "all of this".

@TymexComputing Жыл бұрын

7:07 - thanks and i never knew that - in fact i didnt know what who invented the little endian architecture :) - probably somebody that was hoping that the machine word and registers will grow longer and longer A, AX , EAX, RAX! SIMD-somthing-A register :)

@electrotsmishar Жыл бұрын

Fantastic video

@kamalpreetkaur7648 9 ай бұрын

can you please make more videos on qemu which explains what is qemu and how it is used in pc virtualization? thanks in advance

@bennguyen1313 2 жыл бұрын

I'm interested in learning the Stm32 microcontroller, and was surprised to find that there is no official tool / plugin for their Stm32 IDE that allows you to simulate a processor (ex. Stm32H743) without actual target hardware to download to! I'm just interested in stepping thru the code, and seeing how registers react. I understand there are (expensive) commercial solutions (Keil / proteus ), but this QEMU looks promising.. but seems like learning linux is needed first?

@MakeMeHack 2 жыл бұрын

Qemu is available for Windows or MacOS also. You can try the Windows or Mac version.

@hunterrules0_o 2 жыл бұрын

Could I use this to run uefi firmware. Ive ran old bioses on qemu before but I want to know if its possiable with uefi firmware

@b1ng05_beny4 2 жыл бұрын

Do yourself a favor and put the Playback speed at 1.25 ;) Great content btw (y)

@AliceyBob 2 жыл бұрын

Magnific !!

@asddfgh7074 11 ай бұрын

Do it support emulation of IBM PALM processor?

@johndripper 3 жыл бұрын

can i use it to run old cellphone firmwares like nokia s30

@thanwinaung2107 2 жыл бұрын

Mr Valerio please do more video for beginner.

@CarlosLopez-ws6cq Жыл бұрын

Can you help me to know how to modify this firmware or img of an ont because I want to save that so that even if it resets, it will save the configuration that I loaded.

@baghdadiabdellatif1581 5 ай бұрын

WOW mind blown

@isthereanyname 2 жыл бұрын

great video

@Nohope__ 2 ай бұрын

great

@JiriAltman 3 жыл бұрын

👍

@legalelegage5498 5 күн бұрын

Buongiorno )

@MarKac9090 4 жыл бұрын

Good video! Would be great if you could share all the scripts and image for download so people play around quickly

@MakeMeHack 4 жыл бұрын

Hello MarKac, thank you for your appreciation and your suggestion. You can download the kernel, the root file system image, and the "qr.sh" script, to start QEMU, from: uk2.digiampietro.com/hht/makemehack-linux4mips.tar.gz (i added this link also in the description). Inside the image there is the nandsim related script to emulate the NAND EEPROM. I wasn't able, for copyright reasons, to add the actual firmware of the device in the image; anyway, the image is fully functional.

@tirtha9 2 ай бұрын

Hi Valerio, I want to do a P2V migration where a windows 11 system is to be converted to a virtual machine which will be hosted on a different windows system with different set of hardware. Now the catch is the Virtual machine should think its on the exact same hardware as in the physical system. It should show exact same information in system information as in the physical system. If we do a 'wmic bios get serialnumber' the result should be same on both systems. Not looking for any registry hacks like changing string values in Computer\HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS .vmx editing will have limited scope, as i need to emulate the processor motherboard everything I tried editing the vmware bios rom file there also limited strings can be changed like mothorboad version vendor etc. How do i emulate the gpu harddisk vendor etc? looking for some sort of hardware emulation/virtualization. I am not expecting same hardware capability just that the OS should 'think' its on the same hardware. if we go under device manager disk drives/mouse it should not show vmware or virtual box, rather show the name of the disk/mouse as in the physical system. again this should not be some registry string modification, rather the OS should 'think' its on the simulated hardware Possible?

@vigneshsachin4285 3 жыл бұрын

Great Video :)

@MakeMeHack 3 жыл бұрын

Thanks!

@NoName_silent 4 ай бұрын

Are you available help for iot?

@y4nhu1 4 жыл бұрын

How to choose between qemu-mipsel and qemu-mipsel-static?

@MakeMeHack 4 жыл бұрын

Hi 乔嬿晖, thank you for your question. qemu-mipsel-static is usually used with a chroot command. For example, you can extract the root file system of your device in /home/username/device-root, then copy qemu-mipsel-static in this directory, and then you can execute something similar to "sudo chroot /home/username/device-root /qemu-mipsel-static bin/cat /etc/os-release" also without using the "-L" option. With "chroot" you have to use the static version of Qemu, because, otherwise, it will not be able to find the dynamic linker and the other libraries that are not available in the new root. The result is very similar to using the "-L" option with the non-static version of Qemu, and, in this case you don't need to be root because you don't need "chroot" that requires root privileges. Sometimes if, in the new root, you have links that point to an absolute path, you cannot execute them in qemu-mipsel but you can execute them in qemu-mipsel-static; below one of this example: valerio@ubuntu-hp:squashfs-root$ ls -l bin/sh lrwxrwxrwx 1 valerio valerio 12 gen 22 2016 bin/sh -> /bin/busybox* valerio@ubuntu-hp:squashfs-root$ qemu-mipsel -L . bin/sh bin/sh: Invalid ELF image for this architecture valerio@ubuntu-hp:squashfs-root$ sudo chroot . /qemu-mipsel-static bin/sh bin/sh: can't access tty; job control turned off valerio@ubuntu-hp:$ pwd / With qemu-mipsel, bin/sh points to /bin/busybox, that exists also in my Ubuntu machine, but it is for the x64 architecture, and qemu-mipsel gives the error. With chroot and qemu-mipsel-static, /bin/busybox is the busybox in the new root, so the busybox of our device and it is executed normally. We have some issues because the /dev dir in the new root does not contain our devices, like tty devices, we could overcome this with something similar to "sudo mount --bind /dev `pwd`/dev" to be executed int he new root, before chroot. In general, I prefer to use, whenever possible, "qemu-mipsel" with the "-L" option.

@y4nhu1 4 жыл бұрын

@@MakeMeHack Thanks! Very helpful~XD

@amlamarra 4 жыл бұрын

Some of those qemu options are deprecated. Like -net. Now it's -netdev.

@MakeMeHack 4 жыл бұрын

Hello amlamarra, thank you for comment, you're right, the "-net" is a legacy option than can be replaced with "-netdev" and "-device" and the "-nic" option. Anyway, the QEMU version available in the Ubuntu repository for Ubuntu 18.04 is quite old (2.11.1), doesn't support the new "-nic" option and, for an unknown reason, the "-netdev" option, wasn't functioning with ipv6; for this reason, I used the "-net" legacy option.