ARM-X Firmware Emulation Framework

by Saumil Shah @therealsaumil

June 2020


The ARM-X Firmware Emulation Framework is a collection of scripts, kernels and filesystems to be used with QEMU to emulate ARM/Linux IoT devices. ARM-X aims to facilitate IoT research by virtualising as much of the physical device as possible. It is the closest we can get to an actual IoT VM.

Devices successfully emulated with ARM-X so far:

Precursors of ARM-X have been used in Saumil Shah's popular ARM IoT Exploit Laboratory training classes where students have found four 0-day vulnerabilities in various ARM/Linux IoT devices.

ARM-X Architecture and Operations

ARM-X is a collection of scripts, kernels and filesystems residing in the /armx directory. It uses qemu-system-arm to boot up a virtual ARM/Linux environment. The /armx directory is exported over NFS to also make the contents available within the QEMU guest.

The host system running qemu-system-arm is assigned the IP address and the QEMU guest is assigned its address via the tap0 interface.


The /armx directory is organised as follows:

Directory Structure

The run/ directory also contains a few commands that can be used from the host to interact with processes running within an ARM-X emulated device.

armxps, armxmaps and armxgdb are explained in detail in the Debugging With ARM-X tutorial.

Each emulated device contains the following files/directories:

The diagram below describes each stage of ARM-X:

ARM-X Operations

  1. Invoke /armx/run/launcher. This will display a menu as shown below. In this example, we select the Trivision TRI227WF Wireless IP Camera.

ARM-X Launcher

  2. Selecting one of the devices will launch it under QEMU. The kernel included in the kernel/ directory of the Trivision IP Camera's device configuration is booted in qemu-system-arm and uses a pre-built Buildroot filesystem, referred to as hostfs.ext2. Host and guest IP addresses are assigned to and respectively.

ARM-X Kernel Boot Up

  3. hostfs.ext2 contains several scripts and tools useful for running the emulated device and for its dynamic analysis. The init scripts in hostfs.ext2 mount the /armx directory over NFS, so the contents of /armx are shared by both the host and the QEMU guest.

  4. To kick off the rest of the device startup, connect to the QEMU guest over SSH (ssh root@ ). This brings up a menu as shown below:

ARM-X Trivision Init

  5. Selecting the option to launch the userland init scripts of the device results in run-init being invoked from the corresponding device configuration directory within /armx. First, the contents of nvram.ini are loaded into the kernel's emulated nvram driver. Next, a chroot jail is created using the rootfs of the device. Lastly, the registered initialisation commands are invoked in the newly chrooted rootfs, bringing up the device's services and init scripts.

ARM-X Trivision Started

  6. Once the device has fully "booted up" in ARM-X, it is available for testing and analysis. The image below shows the administration interface of the IP Camera loaded in a browser:

ARM-X Admin Interface

Creating your own emulated IoT Device

Before you begin to emulate an IoT device, you will need the following:

The following diagram outlines the overall process of IoT device emulation.

Adding a new device

Steps involved:

  1. Copy the template directory to make a new device configuration.
  2. Compile a matching kernel from source, and place it in the kernel/ directory.
  3. Copy the extracted rootfs from the device's firmware into the rootfs/ directory. Typically these would be SquashFS or CramFS filesystems, extracted using binwalk, unsquashfs or cramfsck.
  4. Place the contents of the extracted nvram in nvram.ini.
  5. Edit the config file with the newly populated device firmware contents.
  6. Create a new device record in the devices file. Pay close attention to QEMU command line options.
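As an added example that is not part of ARM-X, the POSIX shell script below runs a preflight check over a device directory produced by the steps above, before it is launched. It assumes the per-device layout the README describes (kernel/, rootfs/, nvram.ini, config); the key=value syntax for nvram.ini, accepting any file inside kernel/ as the kernel image, and inspecting rootfs/bin/busybox (or rootfs/bin/sh) as the binary that must be an ARM ELF are all assumptions.

```shell
#!/bin/sh
# armx-preflight.sh: sanity-check a device configuration directory before launching it.
# Added example, not part of ARM-X. Assumes the per-device layout the README describes
# (kernel/, rootfs/, nvram.ini, config); the key=value syntax for nvram.ini and the
# choice of rootfs/bin/busybox or rootfs/bin/sh as the binary to inspect are assumptions.

# Return 0 if the file is a 32-bit ELF whose e_machine is EM_ARM (40 = 0x28).
is_arm_elf() {
    f="$1"
    [ -f "$f" ] || return 1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    # e_machine is the 16-bit little-endian field at offset 18 of the ELF header.
    set -- $(od -An -tu1 -j18 -N2 "$f")
    [ $# -eq 2 ] || return 1
    [ "$(( $1 + $2 * 256 ))" -eq 40 ]
}

# Return 0 if every non-blank, non-comment line of the nvram file is key=value.
nvram_ini_ok() {
    [ -f "$1" ] || return 1
    ! grep -v -E '^[[:space:]]*(#|;|$)' "$1" | grep -q -v -E '^[A-Za-z0-9_.-]+='
}

# Check one device directory: report each problem, return non-zero if any was found.
preflight() {
    dev="$1"; rc=0
    [ -n "$(ls "$dev/kernel" 2>/dev/null)" ] \
        || { echo "no kernel image found in $dev/kernel/"; rc=1; }
    bin="$dev/rootfs/bin/busybox"
    [ -e "$bin" ] || bin="$dev/rootfs/bin/sh"
    # An incompletely extracted rootfs, or one taken from the wrong firmware image, is
    # caught here: qemu-system-arm can only run an ARM ELF inside the chrooted rootfs.
    is_arm_elf "$bin" || { echo "$bin is missing or not an ARM ELF"; rc=1; }
    nvram_ini_ok "$dev/nvram.ini" || { echo "$dev/nvram.ini is missing or malformed"; rc=1; }
    [ -f "$dev/config" ] || { echo "$dev/config is missing"; rc=1; }
    return "$rc"
}

# Usage: armx-preflight.sh /armx/<device-directory>
if [ $# -eq 1 ]; then preflight "$1"; fi
```

Run it against the new device directory before adding its record to the devices file; every reported problem maps to one of the steps above.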

The following sample kernels are provided with the template.

However, building a compatible kernel from source is encouraged.

ARM-X Presentations

Presentation at Countermeasure 2019 on 7 November 2019.

INSIDE ARM-X - Countermeasure 2019 from Saumil Shah

Release presentation at HITB+Cyberweek on 16 October 2019.

Introducing ARM-X from Saumil Shah

The ARM IoT Firmware Laboratory - NEW TRAINING

An all-new class that picks up where the ARM IoT EXPLOIT LABORATORY leaves off. The ARM IoT Firmware Laboratory dives into analysis, extraction and emulation of IoT device firmware, using a variety of techniques. Students shall be given ample hands-on practice in emulating a variety of IoT devices. Lab exercises feature firmware extraction directly from the hardware, building a custom kernel and buildroot environment, extracting contents of nvram and emulating the device under ARM-X. The class also goes on to fuzzing and exploit development exercises for the emulated devices.

Upcoming classes:

Ringzer0 August 2020, Online Remote Training: (4 day class)


Pre-built VM with ARM-X installed

VMware VM:

The ARM-X VM is compressed using 7-Zip. The archive is split into multiple files of 200MB each, because several cloud hosting providers impose a maximum limit. To extract the VM, use the 7z command line utility:

7z e armx-june2020.7z.001

SHA-256 checksums:

714bddb26b19591f425b3465177ae98b347cbfb2a4b4e3343c39dc9c2438308d  armx-june2020.7z.001
9f0d619aa597d5c8bc9285bd3d00ed170c65f059c644aed57762ccfab932f8ef  armx-june2020.7z.002

719ea86fd0e7e826d201100296b8fe978cdb316fe480eca84a065e2e7a8c65ca  armx-june2020.vmx
a18560126846bda69550866cb1c2abbc3e6f14dc608617bd3c6f29700ddbd44f  armx-s001.vmdk
21d0566c06df51150b483458ab275ed564d9dd0673d2efd9d5b905a0b4f42993  armx.vmdk

VirtualBox VM: (coming soon, but don't hold your breath)

ARM-X Code


ARM-X Documentation


ARM-X is licensed under the Mozilla Public License v2.0 (MPLv2).