Emulating Embedded Linux Devices at Scale with Light-Touch Firmware Rehosting

Presented at DEF CON 33 (2025), Aug. 8, 2025, 5 p.m. (45 minutes).

We will present a higher-level “rehosting” approach to the emulation of embedded Linux systems. While most existing embedded Linux emulation frameworks work in userspace, we try not to touch userspace or modify a firmware image at all. Instead, we take a higher-level and somewhat “hybrid” approach, which involves building patched Linux kernels and using modified or custom QEMU machines. We do this to model the terrain of a system as closely as possible to that which a userspace firmware image expects, allowing userspace to run essentially unimpeded. This approach involves a considerable amount of reverse-engineering of userspace binaries and libraries, alongside poring over whatever GPL code we can find, in order to write kernel patches, dummy drivers and make QEMU changes “reactively”. Our goal is to end up with a rehosting environment which, from the perspective of userspace, looks almost exactly like the real system. References: All the following provided inspiration, although our methodology is different: - [Firmguide](https://github.com/cyruscyliu/firmguide) - [Firmadyne](https://github.com/firmadyne/firmadyne) - [EMUX](https://github.com/therealsaumil/emux) - [Jetset](https://github.com/aerosec/jetset)

Presenters:

• Sigusr Polke
  Sigusr Polke is the single-use pseudonym of a security researcher, who's spent a lot of time poking at embedded systems over the years.

Similar Presentations:

• DEF CON 29 (2021) / Offensive Golang Bonanza: Writing Golang Malware
• DEF CON 31 (2023) / Spooky authentication at a distance
• CanSecWest 2022 / Launching EMUX - A framework for emulating ARM and MIPS IoT Devices