arm qemu firmware afl-fuzz

Problems when using QEMU user mode with -L parameter to run an ARM binary from IoT firmware


I tried to run an ARM binary, httpd, taken from a webcam firmware, on Ubuntu 18.04. My computer is x86_64, so I decided to run it with the QEMU virtual machine. As far as I know, QEMU provides two different emulation modes, System Mode and User Mode. First I tried System Mode, and the binary ran successfully, so I can confirm the binary itself is fine.

Then I tried User Mode, which is more concise and fast. The binary is dynamically linked, so there are still two ways suggested by the related blogs. The first is to copy the qemu-arm binary and the shared libraries it depends on into the root directory of the firmware, squashfs-root, and then use chroot, e.g. chroot . ./qemu-arm ./usr/sbin/httpd. That turned out to work fine too.

Finally, I tried qemu-arm with the -L parameter, which gives the prefix for the dependent shared libraries. But this time it did not work and did not report any error; it was just killed after a few minutes. I also tried export LD_LIBRARY_PATH=. and that did not work either. The information I can provide is as follows.

apple@ubuntu:squashfs-root$ ls
bin  dev  drivers  etc  fuzz_in  fuzz_out  home  ldd_cp.sh  lib  lib64  linuxrc  mnt  proc  qemu-arm  qemu-arm-static  root  sbin  start_debug.sh  start.sh  sys  tmp  tmpfs  usr  var  www
apple@ubuntu:squashfs-root$ qemu-arm -L . ./usr/sbin/httpd
Killed
apple@ubuntu:squashfs-root$ file ./usr/sbin/httpd
./usr/sbin/httpd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

One more thing I should mention is that I do not have the source code of the binary. I tried to debug the binary with the -g parameter and gdb-multiarch, but I got the situation shown below.

apple@ubuntu:squashfs-root$ qemu-arm -L . -g 2222 ./usr/sbin/httpd
Killed
apple@ubuntu:squashfs-root$ gdb-multiarch
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set architecture arm
The target architecture is assumed to be arm
(gdb) file ./usr/sbin/httpd
Reading symbols from ./usr/sbin/httpd...(no debugging symbols found)...done.
(gdb) target remote: 2222
: 2222: Connection timed out.
(gdb) 

The qemu-arm-static + chroot approach works fine, as already tested. The reason I insist on using QEMU user mode with -L is that the final goal of this work is to fuzz the httpd binary with afl-qemu, and it is a prerequisite that the binary can run under QEMU user mode. I must be missing something other than the dependent shared library files. Could anybody help me out or even just give me some ideas? Thanks a lot!

Added:

apple@ubuntu:~$ qemu-arm --version
qemu-arm version 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.34)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

Solution

  • You can try updating to a newer version of QEMU so that the -L option works. After testing, qemu-4.1.0 works with the -L option.
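Before upgrading QEMU it is worth ruling out the sysroot itself: qemu-arm -L only helps if the interpreter named in the binary's PT_INTERP (here /lib/ld-uClibc.so.0) actually resolves underneath the prefix. The script below is an added example written for this page, not code from the original post or from the QEMU project. It parses the ELF program headers of a 32-bit little-endian binary, checks the interpreter path under the -L prefix (flagging a dangling symlink separately, since an absolute symlink target inside a firmware image resolves against the host when host tools follow it), and assembles the qemu-arm and gdb-multiarch command lines that belong together; the function names (elf_interp, check_sysroot, qemu_cmd, gdb_cmd, demo) and the constructed ELF fixture built by build_fake_arm_elf are my own and exist only for illustration. The -L, -g and -strace options are real qemu-arm options; nothing here needs qemu-arm installed to run the checks.

```python
"""Preflight checks before running a firmware binary under `qemu-arm -L <prefix>`.

Added example (not from the original post). Parses PT_INTERP out of a 32-bit
little-endian ELF, verifies the interpreter exists under the -L prefix, and
builds matching qemu-arm / gdb-multiarch command lines.
"""
import os
import struct
import tempfile
from typing import Optional

PT_INTERP = 3
EM_ARM = 40
ELFCLASS32 = 1
ELFDATA2LSB = 1


def elf_interp(data: bytes) -> Optional[str]:
    """Return the PT_INTERP string of an ELF32 LSB binary, or None if static."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF32 little-endian binaries are handled here")
    # Elf32_Ehdr: e_phoff at 0x1c, e_phentsize at 0x2a, e_phnum at 0x2c
    (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIIII", data, off)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            return raw.split(b"\0", 1)[0].decode()
    return None


def check_sysroot(binary: str, prefix: str) -> list:
    """Findings that would stop `qemu-arm -L <prefix> <binary>` before main()."""
    findings = []
    with open(binary, "rb") as f:
        data = f.read()
    (machine,) = struct.unpack_from("<H", data, 0x12)
    if machine != EM_ARM:
        findings.append(f"e_machine is {machine}, not EM_ARM ({EM_ARM}); wrong qemu-<arch>?")
    interp = elf_interp(data)
    if interp is None:
        return findings  # statically linked: -L is irrelevant
    # The guest's absolute interpreter path is looked up below the -L prefix.
    candidate = os.path.join(prefix, interp.lstrip("/"))
    if os.path.lexists(candidate) and not os.path.exists(candidate):
        findings.append(f"{candidate} is a dangling symlink (absolute link target?)")
    elif not os.path.exists(candidate):
        findings.append(f"interpreter {interp} not found under prefix: {candidate}")
    return findings


def qemu_cmd(prefix: str, binary: str, gdb_port: Optional[int] = None, strace: bool = False) -> list:
    """qemu-arm argv: -L sets the sysroot prefix, -g waits for gdb, -strace logs guest syscalls."""
    cmd = ["qemu-arm", "-L", prefix]
    if strace:
        cmd.append("-strace")
    if gdb_port is not None:
        cmd += ["-g", str(gdb_port)]
    cmd.append(binary)
    return cmd


def gdb_cmd(binary: str, gdb_port: int) -> list:
    """gdb-multiarch argv matching the -g port (`:port`, no space after the colon)."""
    return ["gdb-multiarch", "-q", binary,
            "-ex", "set architecture arm",
            "-ex", f"target remote :{gdb_port}"]


def build_fake_arm_elf(interp: str) -> bytes:
    """Constructed fixture: an ELF32 LSB ARM header plus one PT_INTERP program
    header and the interpreter string. Not a runnable binary; headers only."""
    interp_b = interp.encode() + b"\0"
    ehsize, phentsize = 52, 32
    phoff = ehsize
    interp_off = phoff + phentsize
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, EM_ARM, 1, 0x8000, phoff, 0, 0x5000000,
                               ehsize, phentsize, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_INTERP, interp_off, 0, 0,
                       len(interp_b), len(interp_b), 4, 1)
    return ehdr + phdr + interp_b


def demo() -> dict:
    """Run the checks against the constructed binary in a temporary squashfs-root."""
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "httpd")
        with open(binary, "wb") as f:
            f.write(build_fake_arm_elf("/lib/ld-uClibc.so.0"))
        missing = check_sysroot(binary, root)  # lib/ does not exist yet
        os.makedirs(os.path.join(root, "lib"))
        open(os.path.join(root, "lib", "ld-uClibc.so.0"), "wb").close()
        ok = check_sysroot(binary, root)
        with open(binary, "rb") as f:
            interp = elf_interp(f.read())
        return {"interp": interp, "missing": missing, "ok": ok,
                "qemu": qemu_cmd(root, binary, gdb_port=2222, strace=True),
                "gdb": gdb_cmd(binary, 2222)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real tree as check_sysroot("./usr/sbin/httpd", "."). In the session quoted in the question, the shell printed Killed and returned to the prompt before gdb-multiarch was even started, so nothing was listening on port 2222 and the later "Connection timed out" is a symptom of that, not a separate problem; running qemu-arm with -strace (or watching dmesg for the kill) shows how far the guest got before it was killed.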