There are various reasons you might want to emulate firmware. If you want to do security research on router firmware, for example, emulation can help you debug certain services and look for vulnerabilities. You could also debug IoT firmware without emulating it: in that case you would gain root on the device via hardware hacking, drop gdbserver onto the device, and debug services remotely. But what if you don’t have the device? You download the firmware and emulate it.
In this post, I will show you how to emulate Arm router firmware. First, you need an Arm environment. Don’t have a spare Arm processor? No problem, QEMU is your friend!
For those of you who want to save time and get straight into it, I have prepared a new Lab VM that contains:
- QEMU emulated Armv7 environment ready to start
- Two different Tenda router firmware versions (AC6 and AC15)
- All scripts necessary to start the firmware emulation
- Two small Arm exploitation challenges to learn the basics of bypassing XN (more details in the next blog post)