12 Emulation & Debugging

12.1 Learning Objectives

By the end of this chapter, you will be able to:

Configure QEMU for Raspberry Pi OS emulation without physical hardware
Configure Renode for multi-architecture embedded system simulation
Apply debugging techniques including breakpoints and variable inspection
Interpret serial monitor and plotter output for firmware debugging
Leverage logic analyzers and GDB for advanced debugging scenarios

In 60 Seconds

Platform emulation (QEMU, Renode) runs actual compiled firmware binaries on software models of target hardware, enabling high-fidelity testing of complete firmware images including bootloaders, RTOS schedulers, and device drivers. Unlike simplified online simulators, platform emulators model CPU instruction sets and peripheral registers faithfully, allowing debug sessions with GDB and automated test scripts. Renode specifically targets embedded IoT platforms with models for Cortex-M, RISC-V, and major peripheral IPs.

12.2 For Beginners: Emulation & Debugging

Testing and validation ensure your IoT device works correctly and reliably in the real world, not just on your workbench. Think of it like test-driving a car in rain, snow, and heavy traffic before buying it. Thorough testing catches problems before your devices are deployed to thousands of locations where fixing them becomes expensive and disruptive.

Sensor Squad: The Full Machine Simulator

“What if you need to simulate an entire Raspberry Pi – operating system and all – without owning one?” asked Max the Microcontroller. “That is where emulators like QEMU come in! QEMU creates a virtual ARM processor on your PC and runs the real Raspberry Pi OS on it. You can develop and test without any physical hardware.”

Sammy the Sensor was impressed. “So I could test my Python sensor scripts on a virtual Raspberry Pi?” Max nodded. “Exactly! And Renode goes even further – it can simulate multiple microcontrollers communicating with each other. You can test an entire IoT network in software.”

Lila the LED described the debugging tools. “The real power is in debugging. You can set breakpoints – pause points where the code stops and you can inspect every variable. Step through line by line to see exactly what happens. It is like watching the code in slow motion with a magnifying glass.” Bella the Battery concluded, “And logic analyzers show you the exact timing of signals between components. If your I2C communication is failing, you can see the exact moment where the clock and data signals get out of sync. These tools turn mysterious hardware bugs into solvable puzzles!”

12.3 Prerequisites

Before diving into this chapter, you should be familiar with:

Online Hardware Simulators: Experience with browser-based simulators like Wokwi
Programming Paradigms and Tools: Basic programming and debugging concepts

12.4 QEMU for Raspberry Pi

Estimated time: ~15 min | Advanced | P13.C03.U03

Description: QEMU emulates complete computer systems, including ARM processors used in Raspberry Pi.

Installation:

# Install QEMU
sudo apt install qemu-system-arm

# Download Raspberry Pi kernel and dtb
wget https://github.com/dhruvvyas90/qemu-rpi-kernel/raw/master/kernel-qemu-4.19.50-buster
wget https://github.com/dhruvvyas90/qemu-rpi-kernel/raw/master/versatile-pb-buster.dtb

# Download Raspberry Pi OS image
wget https://downloads.raspberrypi.org/raspios_lite_armhf/images/...

Running Raspberry Pi in QEMU:

qemu-system-arm \
  -kernel kernel-qemu-4.19.50-buster \
  -dtb versatile-pb-buster.dtb \
  -m 256 \
  -M versatilepb \
  -cpu arm1176 \
  -append "root=/dev/sda2 rootfstype=ext4 rw" \
  -hda raspios.img \
  -net nic -net user,hostfwd=tcp::5022-:22 \
  -no-reboot

Try It: QEMU Configuration Explorer

Show code

viewof qemuMemory = Inputs.range([128, 1024], {value: 256, step: 128, label: "RAM allocation (MB)"})
viewof qemuCpu = Inputs.select(["arm1176", "cortex-a7", "cortex-a53", "cortex-a72"], {value: "arm1176", label: "CPU model"})
viewof qemuNetwork = Inputs.checkbox(["Enable SSH forwarding", "Enable HTTP forwarding", "Enable MQTT forwarding"], {value: ["Enable SSH forwarding"], label: "Network options"})
viewof qemuDisplay = Inputs.radio(["none (headless)", "sdl (GUI window)", "vnc (remote)"], {value: "none (headless)", label: "Display mode"})

Show code

qemuPiModel = ({
  "arm1176": {name: "Raspberry Pi 1/Zero", maxRam: 512, machine: "versatilepb"},
  "cortex-a7": {name: "Raspberry Pi 2", maxRam: 1024, machine: "raspi2b"},
  "cortex-a53": {name: "Raspberry Pi 3", maxRam: 1024, machine: "raspi3b"},
  "cortex-a72": {name: "Raspberry Pi 4", maxRam: 4096, machine: "raspi4b"}
})[qemuCpu]

qemuRamWarning = qemuMemory > qemuPiModel.maxRam

qemuNetArgs = {
  const ports = [];
  if (qemuNetwork.includes("Enable SSH forwarding")) ports.push("hostfwd=tcp::5022-:22");
  if (qemuNetwork.includes("Enable HTTP forwarding")) ports.push("hostfwd=tcp::8080-:80");
  if (qemuNetwork.includes("Enable MQTT forwarding")) ports.push("hostfwd=tcp::1883-:1883");
  return ports.length > 0 ? `-net nic -net user,${ports.join(",")}` : "-net none";
}

qemuDisplayArg = ({
  "none (headless)": "-nographic",
  "sdl (GUI window)": "-display sdl",
  "vnc (remote)": "-display vnc=:0"
})[qemuDisplay]

html`<div style="background: linear-gradient(135deg, #2C3E50 0%, #16A085 100%); padding: 24px; border-radius: 8px; color: white; margin-top: 16px;">
  <h4 style="margin: 0 0 12px 0; color: #E67E22;">Generated QEMU Command</h4>
  <pre style="background: rgba(0,0,0,0.3); padding: 16px; border-radius: 6px; font-size: 13px; overflow-x: auto; white-space: pre-wrap; margin: 0 0 16px 0; color: #ecf0f1;">qemu-system-arm \\
  -kernel kernel-qemu-4.19.50-buster \\
  -dtb versatile-pb-buster.dtb \\
  -m ${qemuMemory} \\
  -M ${qemuPiModel.machine} \\
  -cpu ${qemuCpu} \\
  -append "root=/dev/sda2 rootfstype=ext4 rw" \\
  -hda raspios.img \\
  ${qemuNetArgs} \\
  ${qemuDisplayArg} \\
  -no-reboot</pre>
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 12px;">
    <div style="background: rgba(255,255,255,0.1); padding: 12px; border-radius: 6px; border-left: 4px solid #3498DB;">
      <div style="font-size: 12px; opacity: 0.8;">Target Pi Model</div>
      <div style="font-size: 18px; font-weight: 600;">${qemuPiModel.name}</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 12px; border-radius: 6px; border-left: 4px solid ${qemuRamWarning ? '#E74C3C' : '#16A085'};">
      <div style="font-size: 12px; opacity: 0.8;">RAM Status</div>
      <div style="font-size: 18px; font-weight: 600;">${qemuRamWarning ? `${qemuMemory}MB exceeds ${qemuPiModel.maxRam}MB max` : `${qemuMemory}MB OK`}</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 12px; border-radius: 6px; border-left: 4px solid #9B59B6;">
      <div style="font-size: 12px; opacity: 0.8;">Forwarded Ports</div>
      <div style="font-size: 18px; font-weight: 600;">${qemuNetwork.length} service${qemuNetwork.length !== 1 ? 's' : ''}</div>
    </div>
  </div>
  ${qemuRamWarning ? html`<div style="margin-top: 12px; padding: 10px; background: rgba(231,76,60,0.3); border-radius: 6px; border-left: 4px solid #E74C3C; font-size: 13px;">Warning: ${qemuPiModel.name} only supports up to ${qemuPiModel.maxRam}MB RAM. QEMU may fail or behave unexpectedly with ${qemuMemory}MB.</div>` : ''}
</div>`

Strengths:

Full OS emulation
Test software before deploying to Pi
No hardware required

Limitations:

No GPIO simulation
Slower than native
Different architecture (some programs may not work identically)

Typical Use Cases:

Raspberry Pi software development without hardware
Testing OS configurations
CI/CD pipelines

12.5 Renode

Description: Open-source simulation framework for embedded systems with support for multiple architectures.

Key Features:

Multi-node networks
Deterministic execution
GDB debugging
Scripting support (Python)
Peripheral simulation
Time-travel debugging

Supported Platforms:

ARM Cortex-M
RISC-V
ESP32
STM32
Nordic nRF52
Many others

Putting Numbers to It

Emulation Speed vs Real Hardware: Firmware CI/CD testing on 5 target platforms (ESP32, nRF52, STM32, RISC-V, Cortex-M4):

Physical hardware testing (sequential on device farms): \[T_{\text{hardware}} = 5 \text{ platforms} \times (3\text{min flash} + 8\text{min test suite}) = 55\text{min}\]

Renode emulation (parallel on CI servers): \[T_{\text{emulation}} = \max(5\text{min}, 5\text{min}, 5\text{min}, 5\text{min}, 5\text{min}) = 5\text{min}\]

Speedup: $\frac{55}{5} = 11\times$ faster testing

CI cost (GitHub Actions pricing):

Hardware runners: $5 \times \$0.008/\text{min} \times 55 = \$2.20$ per test run
Emulation: $5 \times \$0.008/\text{min} \times 5 = \$0.20$ per test run

For 100 daily commits: emulation saves $\$200/\text{day}$ ($\$6,000/\text{month}$) while providing deterministic testing (no flaky RF issues). Physical testing still needed for final validation.

12.5.1 Interactive CI Cost Calculator

Show code

viewof numPlatforms = Inputs.range([1, 10], {
  value: 5,
  step: 1,
  label: "Number of platforms"
})

viewof flashTime = Inputs.range([1, 10], {
  value: 3,
  step: 0.5,
  label: "Flash time per platform (minutes)"
})

viewof testTime = Inputs.range([1, 30], {
  value: 8,
  step: 1,
  label: "Test suite time per platform (minutes)"
})

viewof emulationTime = Inputs.range([1, 15], {
  value: 5,
  step: 0.5,
  label: "Emulation time (parallel, minutes)"
})

viewof costPerMinute = Inputs.range([0.001, 0.02], {
  value: 0.008,
  step: 0.001,
  label: "CI cost per minute ($)"
})

viewof dailyCommits = Inputs.range([10, 500], {
  value: 100,
  step: 10,
  label: "Daily commits"
})

hardwareTime = numPlatforms * (flashTime + testTime)
speedup = hardwareTime / emulationTime
hardwareCost = numPlatforms * costPerMinute * hardwareTime
emulationCost = numPlatforms * costPerMinute * emulationTime
dailySavings = (hardwareCost - emulationCost) * dailyCommits
monthlySavings = dailySavings * 30

html`<div style="background: linear-gradient(135deg, #2C3E50 0%, #16A085 100%); padding: 24px; border-radius: 8px; color: white; margin-top: 20px;">
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 16px;">
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #E67E22;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Hardware Test Time</div>
      <div style="font-size: 28px; font-weight: 600;">${hardwareTime.toFixed(1)} min</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #3498DB;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Emulation Time</div>
      <div style="font-size: 28px; font-weight: 600;">${emulationTime.toFixed(1)} min</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #9B59B6;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Speedup Factor</div>
      <div style="font-size: 28px; font-weight: 600;">${speedup.toFixed(1)}×</div>
    </div>
  </div>
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 16px; margin-top: 16px;">
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #E74C3C;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Cost per Hardware Test</div>
      <div style="font-size: 28px; font-weight: 600;">$${hardwareCost.toFixed(2)}</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #16A085;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Cost per Emulation Test</div>
      <div style="font-size: 28px; font-weight: 600;">$${emulationCost.toFixed(2)}</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #E67E22;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Daily Savings</div>
      <div style="font-size: 28px; font-weight: 600;">$${dailySavings.toFixed(0)}</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px; border-left: 4px solid #3498DB;">
      <div style="font-size: 13px; opacity: 0.9; margin-bottom: 4px;">Monthly Savings</div>
      <div style="font-size: 28px; font-weight: 600;">$${monthlySavings.toFixed(0)}</div>
    </div>
  </div>
</div>`

Key Insight: With daily commits across platforms, emulation provides × faster testing while saving $/month in CI costs. Adjust the sliders above to model your own CI/CD pipeline.

Example: Simulating nRF52 BLE

# Start Renode
renode

# In Renode console
(monitor) mach create "nrf52"
(monitor) machine LoadPlatformDescription @platforms/cpus/nrf52840.repl
(monitor) sysbus LoadELF @path/to/firmware.elf
(monitor) showAnalyzer sysbus.uart0
(monitor) start

Strengths:

Deterministic (reproducible)
Multi-device simulation
Time-travel debugging
Free and open source

Limitations:

Command-line focused
Steep learning curve
Requires detailed platform knowledge

Typical Use Cases:

Multi-device IoT system testing
Wireless network simulation
Regression testing
Complex debugging

12.6 Debugging in Simulation

Estimated time: ~12 min | Intermediate | P13.C03.U04

12.6.1 Breakpoints and Variable Inspection

Most simulators support debugging similar to traditional software:

Setting Breakpoints:

void loop() {
  int sensorValue = analogRead(A0);  // Set breakpoint here
  Serial.println(sensorValue);
  delay(1000);
}

In Wokwi:

Click line number to set breakpoint
Run simulation
Execution pauses at breakpoint
Inspect variables in debugger panel

Variable Watching: Monitor variables in real-time:

Add variable to watch list
See value change as simulation runs
Useful for tracking sensor readings, state machines

12.6.2 Serial Monitor

Essential for debugging embedded systems:

void setup() {
  Serial.begin(115200);
  Serial.println("Starting...");
}

void loop() {
  Serial.print("Temperature: ");
  Serial.println(readTemperature());
  delay(1000);
}

Simulators provide virtual serial monitors showing output in real-time.

Advanced: Serial Plotter

Visualize numeric data:

void loop() {
  int value1 = analogRead(A0);
  int value2 = analogRead(A1);

  Serial.print(value1);
  Serial.print(",");
  Serial.println(value2);

  delay(100);
}

Serial plotter graphs values over time, useful for sensor data analysis.

Try It: Serial Data Visualizer

Show code

viewof sensorType = Inputs.select(["Temperature (DHT22)", "Light (LDR)", "Accelerometer (MPU6050)", "Distance (HC-SR04)"], {value: "Temperature (DHT22)", label: "Sensor type"})
viewof noiseLevel = Inputs.range([0, 50], {value: 10, step: 1, label: "Noise level (%)"})
viewof sampleRate = Inputs.range([10, 1000], {value: 100, step: 10, label: "Sample interval (ms)"})
viewof numSamples = Inputs.range([20, 200], {value: 80, step: 10, label: "Number of samples"})

Show code

sensorConfig = ({
  "Temperature (DHT22)": {base: 22.5, range: 5, unit: "C", label: "Temperature", color: "#E74C3C", secondBase: 55, secondRange: 10, secondUnit: "%", secondLabel: "Humidity", secondColor: "#3498DB"},
  "Light (LDR)": {base: 512, range: 300, unit: "", label: "Light Level", color: "#E67E22", secondBase: 3.3 * 512 / 1024, secondRange: 1.0, secondUnit: "V", secondLabel: "Voltage", secondColor: "#16A085"},
  "Accelerometer (MPU6050)": {base: 0, range: 2, unit: "g", label: "Accel X", color: "#9B59B6", secondBase: 0, secondRange: 2, secondUnit: "g", secondLabel: "Accel Y", secondColor: "#E67E22"},
  "Distance (HC-SR04)": {base: 50, range: 30, unit: "cm", label: "Distance", color: "#16A085", secondBase: 0, secondRange: 0, secondUnit: "", secondLabel: "", secondColor: "#7F8C8D"}
})[sensorType]

serialData = {
  const data = [];
  const noiseFactor = noiseLevel / 100;
  for (let i = 0; i < numSamples; i++) {
    const t = i * sampleRate / 1000;
    const wave = Math.sin(i * 0.08) * sensorConfig.range * 0.5;
    const noise1 = (Math.random() - 0.5) * sensorConfig.range * noiseFactor;
    const v1 = sensorConfig.base + wave + noise1;
    const noise2 = (Math.random() - 0.5) * sensorConfig.secondRange * noiseFactor;
    const wave2 = Math.cos(i * 0.06) * sensorConfig.secondRange * 0.5;
    const v2 = sensorConfig.secondBase + wave2 + noise2;
    data.push({index: i, time: t, value1: v1, value2: v2});
  }
  return data;
}

html`<div style="background: #1a1a2e; padding: 20px; border-radius: 8px; font-family: monospace; margin-top: 16px;">
  <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 12px;">
    <span style="color: #16A085; font-size: 14px; font-weight: bold;">Serial Plotter</span>
    <span style="color: #7F8C8D; font-size: 12px;">@ ${(1000 / sampleRate).toFixed(0)} Hz | ${numSamples} samples</span>
  </div>
  <div style="position: relative; height: 200px; background: #0d0d1a; border: 1px solid #2C3E50; border-radius: 4px; overflow: hidden;">
    <svg viewBox="0 0 ${numSamples} 200" preserveAspectRatio="none" style="width: 100%; height: 100%;">
      <polyline
        points="${serialData.map((d, i) => {
          const minV1 = sensorConfig.base - sensorConfig.range;
          const maxV1 = sensorConfig.base + sensorConfig.range;
          const y = 190 - ((d.value1 - minV1) / (maxV1 - minV1)) * 180;
          return `${i},${y}`;
        }).join(' ')}"
        fill="none" stroke="${sensorConfig.color}" stroke-width="1.5" />
      ${sensorConfig.secondLabel ? html`<polyline
        points="${serialData.map((d, i) => {
          const minV2 = sensorConfig.secondBase - sensorConfig.secondRange;
          const maxV2 = sensorConfig.secondBase + sensorConfig.secondRange;
          const y = 190 - ((d.value2 - minV2) / (maxV2 - minV2)) * 180;
          return `${i},${y}`;
        }).join(' ')}"
        fill="none" stroke="${sensorConfig.secondColor}" stroke-width="1.5" />` : ''}
    </svg>
  </div>
  <div style="display: flex; gap: 20px; margin-top: 10px; color: #ecf0f1; font-size: 12px;">
    <span><span style="color: ${sensorConfig.color};">&#9632;</span> ${sensorConfig.label}: ${serialData[serialData.length - 1].value1.toFixed(1)}${sensorConfig.unit}</span>
    ${sensorConfig.secondLabel ? html`<span><span style="color: ${sensorConfig.secondColor};">&#9632;</span> ${sensorConfig.secondLabel}: ${serialData[serialData.length - 1].value2.toFixed(1)}${sensorConfig.secondUnit}</span>` : ''}
    <span style="margin-left: auto; color: #7F8C8D;">Noise: ${noiseLevel}%</span>
  </div>
  <div style="margin-top: 12px; padding: 8px; background: rgba(44,62,80,0.5); border-radius: 4px; color: #7F8C8D; font-size: 11px;">
    Serial output: ${serialData.slice(-3).map(d => `${d.value1.toFixed(1)}${sensorConfig.secondLabel ? ',' + d.value2.toFixed(1) : ''}`).join(' | ')}
  </div>
</div>`

12.6.3 Logic Analyzer

Some simulators (Wokwi, SimulIDE) include virtual logic analyzers to visualize digital signals:

Monitor pin states over time
Decode protocols (I2C, SPI, UART)
Measure timing (pulse width, frequency)
Debug communication issues

12.6.4 GDB Debugging

Advanced simulators (Renode, QEMU) support GDB debugging:

# Start simulator with GDB server
renode --debug

# In another terminal, connect GDB
arm-none-eabi-gdb firmware.elf
(gdb) target remote :3333
(gdb) break main
(gdb) continue
(gdb) step
(gdb) print variable

Full debugging capabilities:

Single-step execution
Breakpoints (conditional, hardware)
Memory inspection
Register viewing
Stack traces

Try It: GDB Debug Session Simulator

Show code

viewof gdbCommand = Inputs.select([
  "break main",
  "break loop",
  "break mqtt_reconnect if count > 45",
  "watch sensorValue",
  "info registers",
  "backtrace",
  "print sensorValue",
  "x/16xw 0x20000000",
  "step",
  "next",
  "continue",
  "info breakpoints"
], {value: "break main", label: "GDB command"})
viewof gdbTarget = Inputs.select(["ESP32 (Xtensa)", "STM32F4 (Cortex-M4)", "nRF52840 (Cortex-M4)", "RISC-V (SiFive)"], {value: "ESP32 (Xtensa)", label: "Target MCU"})

Show code

gdbResponses = ({
  "break main": {
    output: `Breakpoint 1 at 0x400d1234: file main.cpp, line 12.`,
    explanation: "Sets a breakpoint at the entry of main(). Execution will pause here when the program starts, letting you inspect initialization state.",
    category: "Breakpoint"
  },
  "break loop": {
    output: `Breakpoint 2 at 0x400d1280: file main.cpp, line 28.`,
    explanation: "Sets a breakpoint at loop(). On embedded systems, this fires every iteration, so use 'continue' to advance one cycle at a time.",
    category: "Breakpoint"
  },
  "break mqtt_reconnect if count > 45": {
    output: `Breakpoint 3 at 0x400d2100: file mqtt.cpp, line 87.\n  stop only if count > 45`,
    explanation: "Conditional breakpoint: only triggers when the reconnect counter exceeds 45. Essential for catching bugs that manifest after many iterations without manually stepping through each one.",
    category: "Breakpoint"
  },
  "watch sensorValue": {
    output: `Hardware watchpoint 4: sensorValue`,
    explanation: "Watchpoint: halts execution whenever sensorValue changes. Uses hardware debug registers (limited to 2-4 on most MCUs). Ideal for tracking unexpected variable modifications.",
    category: "Watchpoint"
  },
  "info registers": {
    output: `r0   0x00000042   66\nr1   0x200018a0   536877216\nr2   0x00000003   3\nsp   0x20003ff0   0x20003ff0\npc   0x400d1234   0x400d1234 <main+12>\nlr   0x400d0f80   0x400d0f80 <_start+32>`,
    explanation: "Shows all CPU registers. Key registers: PC (program counter, current instruction), SP (stack pointer), LR (link register, return address). Register values reveal exact CPU state at breakpoint.",
    category: "Inspection"
  },
  "backtrace": {
    output: `#0  readSensor () at sensor.cpp:45\n#1  0x400d12a0 in processSensorData () at main.cpp:33\n#2  0x400d1284 in loop () at main.cpp:29\n#3  0x400d0f90 in main () at main.cpp:15`,
    explanation: "Shows the call stack (function call chain). Read bottom-up: main() called loop(), which called processSensorData(), which called readSensor(). Essential for understanding how you reached the current point.",
    category: "Inspection"
  },
  "print sensorValue": {
    output: `$1 = 742`,
    explanation: "Prints the current value of a variable. Works with expressions too: 'print sensorValue * 3.3 / 1024' converts ADC reading to voltage. Use 'print/x' for hex, 'print/t' for binary.",
    category: "Inspection"
  },
  "x/16xw 0x20000000": {
    output: `0x20000000: 0x00000042 0x000001a0 0xdeadbeef 0x00000000\n0x20000010: 0x20003ff0 0x400d1234 0x00000003 0xffffffff\n0x20000020: 0x00000001 0x00000000 0x200018a0 0x00000042\n0x20000030: 0x00000000 0x00000000 0x00000000 0x00000000`,
    explanation: "Examines raw memory: 16 words (x=hex, w=word) starting at RAM base address 0x20000000. Useful for inspecting buffers, DMA regions, or stack contents. Look for 0xDEADBEEF (common uninitialized memory marker).",
    category: "Memory"
  },
  "step": {
    output: `45    int raw = analogRead(A0);\n(gdb)`,
    explanation: "Single-step: executes one source line, stepping INTO function calls. Use when you want to trace execution inside a called function. Slow but thorough.",
    category: "Execution"
  },
  "next": {
    output: `46    float voltage = raw * 3.3 / 1024.0;\n(gdb)`,
    explanation: "Step over: executes one source line, stepping OVER function calls (treats them as one step). Use when you trust the called function and want to see its result without entering it.",
    category: "Execution"
  },
  "continue": {
    output: `Continuing.\n\nBreakpoint 1, main () at main.cpp:12\n12    setup();`,
    explanation: "Resumes execution until the next breakpoint, watchpoint trigger, or program exit. The most common flow: set breakpoints, continue, inspect, continue.",
    category: "Execution"
  },
  "info breakpoints": {
    output: `Num  Type           Disp Enb  Address    What\n1    breakpoint     keep y    0x400d1234 main.cpp:12\n2    breakpoint     keep y    0x400d1280 main.cpp:28\n3    breakpoint     keep y    0x400d2100 mqtt.cpp:87\n       stop only if count > 45\n4    hw watchpoint  keep y               sensorValue`,
    explanation: "Lists all breakpoints and watchpoints with their status. 'Enb' column shows if enabled (y/n). Use 'delete N' to remove, 'disable N' to temporarily skip without removing.",
    category: "Info"
  }
})

gdbResult = gdbResponses[gdbCommand]

gdbCategoryColor = ({
  "Breakpoint": "#E67E22",
  "Watchpoint": "#9B59B6",
  "Inspection": "#3498DB",
  "Memory": "#E74C3C",
  "Execution": "#16A085",
  "Info": "#7F8C8D"
})[gdbResult.category]

html`<div style="background: #1a1a2e; padding: 20px; border-radius: 8px; font-family: monospace; margin-top: 16px;">
  <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 12px;">
    <span style="color: #16A085; font-size: 14px; font-weight: bold;">GDB Remote Debug Session</span>
    <span style="color: #7F8C8D; font-size: 12px;">Target: ${gdbTarget}</span>
  </div>
  <div style="background: #0d0d1a; border: 1px solid #2C3E50; border-radius: 4px; padding: 14px; margin-bottom: 12px;">
    <div style="color: #7F8C8D; font-size: 12px; margin-bottom: 6px;">(gdb) <span style="color: #ecf0f1;">${gdbCommand}</span></div>
    <pre style="color: #16A085; font-size: 12px; margin: 0; white-space: pre-wrap;">${gdbResult.output}</pre>
  </div>
  <div style="display: flex; gap: 8px; align-items: center; margin-bottom: 10px;">
    <span style="background: ${gdbCategoryColor}; color: white; padding: 3px 10px; border-radius: 12px; font-size: 11px; font-family: Arial, sans-serif;">${gdbResult.category}</span>
  </div>
  <div style="background: rgba(44,62,80,0.6); padding: 14px; border-radius: 6px; border-left: 4px solid ${gdbCategoryColor}; color: #ecf0f1; font-size: 13px; font-family: Arial, sans-serif; line-height: 1.5;">
    ${gdbResult.explanation}
  </div>
</div>`

12.7 Testing Strategies

Estimated time: ~12 min | Intermediate | P13.C03.U05

12.7.1 Unit Testing Firmware

Separate business logic from hardware interactions for easier testing:

// Testable: logic separated
float convertToFahrenheit(float celsius) {
  return (celsius * 9.0 / 5.0) + 32.0;
}

// In Arduino code
void loop() {
  float tempC = readSensor();
  float tempF = convertToFahrenheit(tempC);  // Testable function
  display.print(tempF);
}

Test the conversion function in simulation or on PC with unit tests:

// Unit test (can run on PC or simulator)
assert(convertToFahrenheit(0) == 32.0);
assert(convertToFahrenheit(100) == 212.0);

12.7.2 Integration Testing

Test complete system in simulation:

Test Scenarios:

Boot sequence
Sensor reading
Wi-Fi connection
Data transmission
Error handling
State machine transitions

Automated Testing with Renode:

# Renode test script
Execute "runMacro $reset"
Start

WaitForString "System ready" timeout=10

SendKey "Key_A"
WaitForString "Button A pressed"

SendKey "Key_B"
WaitForString "Button B pressed"

# Test passes if all WaitForString succeed

12.7.3 Fuzz Testing

Simulate random inputs to find edge cases:

void loop() {
  // In simulator, randomize sensor input
  int sensor = random(0, 1024);

  // Ensure code doesn't crash on any input
  processValue(sensor);
}

Simulators allow rapid iteration through thousands of random scenarios.

Try It: Fuzz Testing Simulator

Show code

viewof fuzzIterations = Inputs.range([100, 10000], {value: 1000, step: 100, label: "Test iterations"})
viewof fuzzInputRange = Inputs.select(["0-1023 (10-bit ADC)", "0-4095 (12-bit ADC)", "0-65535 (16-bit ADC)", "-32768 to 32767 (signed 16-bit)"], {value: "0-1023 (10-bit ADC)", label: "Input range"})
viewof fuzzBoundaryWeight = Inputs.range([0, 100], {value: 30, step: 5, label: "Boundary test weight (%)"})

Show code

fuzzConfig = ({
  "0-1023 (10-bit ADC)": {min: 0, max: 1023, bits: 10, signed: false},
  "0-4095 (12-bit ADC)": {min: 0, max: 4095, bits: 12, signed: false},
  "0-65535 (16-bit ADC)": {min: 0, max: 65535, bits: 16, signed: false},
  "-32768 to 32767 (signed 16-bit)": {min: -32768, max: 32767, bits: 16, signed: true}
})[fuzzInputRange]

fuzzResults = {
  const boundaryValues = [fuzzConfig.min, fuzzConfig.min + 1, fuzzConfig.max, fuzzConfig.max - 1, Math.floor((fuzzConfig.min + fuzzConfig.max) / 2), 0];
  const results = {pass: 0, fail: 0, crash: 0, timeout: 0, edgeCases: [], distribution: new Array(10).fill(0)};
  const boundaryTests = Math.floor(fuzzIterations * fuzzBoundaryWeight / 100);
  const randomTests = fuzzIterations - boundaryTests;

  for (let i = 0; i < fuzzIterations; i++) {
    let value;
    if (i < boundaryTests) {
      value = boundaryValues[i % boundaryValues.length] + Math.floor(Math.random() * 3) - 1;
      value = Math.max(fuzzConfig.min, Math.min(fuzzConfig.max, value));
    } else {
      value = Math.floor(Math.random() * (fuzzConfig.max - fuzzConfig.min + 1)) + fuzzConfig.min;
    }

    const bucket = Math.min(9, Math.floor(((value - fuzzConfig.min) / (fuzzConfig.max - fuzzConfig.min + 1)) * 10));
    results.distribution[bucket]++;

    const r = Math.random();
    if (value === fuzzConfig.max && r < 0.08) {
      results.crash++;
      results.edgeCases.push({value, issue: "Buffer overflow at max value"});
    } else if (value === fuzzConfig.min && r < 0.05) {
      results.fail++;
      results.edgeCases.push({value, issue: "Underflow handling error"});
    } else if (value === 0 && fuzzConfig.signed && r < 0.06) {
      results.fail++;
      results.edgeCases.push({value, issue: "Zero-crossing sign error"});
    } else if (r < 0.002) {
      results.timeout++;
      results.edgeCases.push({value, issue: "Processing timeout"});
    } else if (r < 0.005) {
      results.fail++;
    } else {
      results.pass++;
    }
  }
  results.edgeCases = results.edgeCases.slice(0, 6);
  return results;
}

fuzzPassRate = (fuzzResults.pass / fuzzIterations * 100)
fuzzMaxDist = Math.max(...fuzzResults.distribution)

html`<div style="background: linear-gradient(135deg, #2C3E50 0%, #1a1a2e 100%); padding: 24px; border-radius: 8px; color: white; margin-top: 16px;">
  <h4 style="margin: 0 0 16px 0; color: #E67E22;">Fuzz Test Results: ${fuzzIterations} Iterations</h4>
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr)); gap: 12px; margin-bottom: 16px;">
    <div style="background: rgba(22,160,133,0.2); padding: 12px; border-radius: 6px; border-left: 4px solid #16A085; text-align: center;">
      <div style="font-size: 24px; font-weight: 700; color: #16A085;">${fuzzResults.pass}</div>
      <div style="font-size: 11px; opacity: 0.8;">PASS</div>
    </div>
    <div style="background: rgba(231,76,60,0.2); padding: 12px; border-radius: 6px; border-left: 4px solid #E74C3C; text-align: center;">
      <div style="font-size: 24px; font-weight: 700; color: #E74C3C;">${fuzzResults.crash}</div>
      <div style="font-size: 11px; opacity: 0.8;">CRASH</div>
    </div>
    <div style="background: rgba(230,126,34,0.2); padding: 12px; border-radius: 6px; border-left: 4px solid #E67E22; text-align: center;">
      <div style="font-size: 24px; font-weight: 700; color: #E67E22;">${fuzzResults.fail}</div>
      <div style="font-size: 11px; opacity: 0.8;">FAIL</div>
    </div>
    <div style="background: rgba(127,140,141,0.2); padding: 12px; border-radius: 6px; border-left: 4px solid #7F8C8D; text-align: center;">
      <div style="font-size: 24px; font-weight: 700; color: #7F8C8D;">${fuzzResults.timeout}</div>
      <div style="font-size: 11px; opacity: 0.8;">TIMEOUT</div>
    </div>
  </div>
  <div style="margin-bottom: 16px;">
    <div style="font-size: 12px; color: #7F8C8D; margin-bottom: 6px;">Input Distribution (${fuzzConfig.bits}-bit range)</div>
    <div style="display: flex; gap: 2px; height: 60px; align-items: flex-end;">
      ${fuzzResults.distribution.map((count, i) => {
        const height = Math.max(4, (count / fuzzMaxDist) * 56);
        const pct = i / 10;
        const color = pct < 0.1 || pct >= 0.9 ? '#E74C3C' : '#3498DB';
        return html`<div style="flex: 1; height: ${height}px; background: ${color}; border-radius: 2px 2px 0 0; opacity: 0.8;" title="Bucket ${i}: ${count} tests"></div>`;
      })}
    </div>
    <div style="display: flex; justify-content: space-between; font-size: 10px; color: #7F8C8D; margin-top: 2px;">
      <span>${fuzzConfig.min}</span>
      <span style="color: #E74C3C;">Red = boundary regions</span>
      <span>${fuzzConfig.max}</span>
    </div>
  </div>
  ${fuzzResults.edgeCases.length > 0 ? html`<div style="background: rgba(231,76,60,0.15); padding: 12px; border-radius: 6px; border-left: 4px solid #E74C3C;">
    <div style="font-size: 12px; font-weight: 600; margin-bottom: 8px; color: #E74C3C;">Edge Cases Found:</div>
    ${fuzzResults.edgeCases.map(e => html`<div style="font-size: 12px; font-family: monospace; padding: 2px 0; color: #ecf0f1;">Input=${e.value}: ${e.issue}</div>`)}
  </div>` : html`<div style="background: rgba(22,160,133,0.15); padding: 12px; border-radius: 6px; border-left: 4px solid #16A085; font-size: 13px;">No edge case failures detected in ${fuzzIterations} iterations. Increase iterations or boundary weight to find more.</div>`}
  <div style="margin-top: 12px; padding: 10px; background: rgba(44,62,80,0.5); border-radius: 4px; font-size: 12px; color: #7F8C8D; font-family: Arial, sans-serif;">
    Pass rate: ${fuzzPassRate.toFixed(2)}% | Boundary tests: ${Math.floor(fuzzIterations * fuzzBoundaryWeight / 100)} (${fuzzBoundaryWeight}%) | Random tests: ${fuzzIterations - Math.floor(fuzzIterations * fuzzBoundaryWeight / 100)}
  </div>
</div>`

12.8 Limitations of Simulation

Estimated time: ~10 min | Intermediate | P13.C03.U06

12.8.1 Timing Differences

Simulators may not perfectly match real-time behavior:

Interrupt timing
Clock accuracy
RTOS scheduling
Hardware delays

Impact: Real-time critical applications (motor control, audio) may behave differently on physical hardware.

Mitigation: Validate timing-critical code on physical hardware.

12.8.2 Missing Peripherals

Not all hardware features are simulated:

Specific sensor models
Proprietary communication protocols
Custom hardware

Impact: Cannot fully test systems with unsupported components.

Mitigation: Use closest available component or mock behavior.

12.8.3 Analog Behavior

Digital simulation of analog circuits has limitations:

Component tolerances
Temperature effects
Noise and interference
Power supply variations

Impact: Analog sensor readings may differ from simulation.

Mitigation: Plan for calibration and testing with physical sensors.

12.8.4 Physical Interactions

Simulation cannot capture:

Mechanical vibrations
Environmental factors (temperature, humidity)
EMI/RFI interference
Real-world network conditions

Impact: Deployed devices may encounter issues not seen in simulation.

Mitigation: Field testing with pilot deployments.

12.8.5 Performance Differences

Simulator performance is not equal to real hardware:

May be faster (ideal execution)
May be slower (overhead of simulation)
Different memory characteristics

Impact: Performance-critical code needs hardware validation.

Mitigation: Profile on real hardware.

12.8.6 Worked Example: Choosing the Right Debug Approach for a Fleet Tracker

Scenario: Your startup is building a GPS/cellular fleet tracker (ESP32 + u-blox NEO-M9N GPS + SIM7600 LTE modem). During field testing, 3 out of 50 prototype units lose GPS fix after exactly 72 hours of continuous operation, requiring a power cycle to recover. The bug does not appear in your simulation environment.

Step 1: Assess which tools can reproduce the bug

Debug Approach	Can Reproduce?	Why / Why Not	Cost
Wokwi simulation	No	No real GPS/LTE hardware, no 72-hour timing effects	$0
QEMU emulation	No	Emulates CPU but not GPS module’s internal state machine	$0
Renode simulation	Unlikely	Could model GPS timeout but missing NEO-M9N peripheral model	$0
JTAG debugger on bench	Unlikely	Bug needs 72 hours to trigger; JTAG connection prevents sleep modes	$45 (ESP-Prog)
Serial logging to SD card	Yes	Log GPS state machine transitions for 72+ hours, review after failure	$12 (SD card module)
Logic analyzer on I2C/UART	Partial	Shows GPS-to-ESP32 communication breakdown but not root cause	$150 (Saleae Logic 8)
Field unit with crash dump	Yes	ESP32 core dump to flash partition, retrieve after failure	$0 (firmware change)

Step 2: Design a staged debug strategy

Stage 1 (0 cost, 1 day): Enable ESP32 core dump to flash. Redeploy to 3 affected units. Wait for crash and retrieve dump via OTA.

Stage 2 (if core dump shows no crash): Add SD card logging of GPS NMEA sentences, ESP32 heap usage, and LTE modem AT command responses. Sample every 60 seconds. 72 hours at 1 sample/min = 4,320 entries, ~2 MB on SD card.

Stage 3 (if still unclear): Connect Saleae logic analyzer to GPS UART lines on one bench unit and run for 72+ hours with continuous capture at 9600 baud.

Step 3: What the investigation revealed

The SD card logs showed the root cause: the u-blox NEO-M9N GPS module enters a “periodic power-saving mode” after 72 hours when the host does not poll PMTK messages. The ESP32 firmware was using only NMEA passthrough and never sent the keep-alive UBX-CFG-PM2 command. In simulation, GPS data was mocked as always-available, so this power management behavior was invisible.

Debug Tool	Time to Find Bug	Total Cost
Simulation only	Never (can’t reproduce)	$0
SD card logging (actual approach)	4 days (72h wait + 1 day analysis)	$12
Logic analyzer	~5 days (72h wait + 2 days decode)	$150
Replacing GPS module (trial and error)	Unpredictable, wastes money	$35/unit

Lesson: Simulation excels for functional testing and rapid iteration (catching 80% of bugs in minutes), but timing-dependent hardware interactions require real hardware debugging. The optimal strategy is simulation for development speed, with targeted real-hardware debugging for bugs that only manifest over extended operation. Budget $200-500 per developer for basic hardware debug tools (logic analyzer + JTAG probe + SD card logger) – this investment pays for itself the first time a simulation-invisible bug appears.

12.9 Visual Reference Gallery

Wokwi Simulation Environment

Figure 12.1: Wokwi Simulator

Wokwi provides a comprehensive browser-based simulation environment for ESP32, Arduino, and other microcontrollers with extensive component libraries.

ESP32 Development Kit

Figure 12.2: ESP32 DevKit

ESP32 development kits provide convenient access to all chip features with integrated USB programming, making them ideal for both simulation and physical prototyping.

Matching Exercise: Key Concepts

Order the Steps

Label the Diagram

💻 Code Challenge

12.10 Summary

QEMU enables full Raspberry Pi OS emulation for software development and CI/CD integration without physical hardware
Renode provides deterministic multi-architecture simulation with time-travel debugging for complex embedded systems
Debugging techniques include breakpoints, variable watching, serial monitors, logic analyzers, and GDB integration
Testing strategies span unit testing (separated logic), integration testing (full system), and fuzz testing (random inputs)
Simulation limitations include timing differences, missing peripherals, idealized analog behavior, and absence of physical environmental factors

12.11 Knowledge Check

Quiz: Emulation and Debugging

12.12 Concept Relationships

How This Connects

Builds on: Online Hardware Simulators provides entry-level simulation; Programming Paradigms covers development tools.

Relates to: Network Simulation Tools for system-level validation; Testing Automation for CI/CD integration.

Leads to: HIL Testing bridges emulation and real hardware; Field Testing validates in production environments.

Part of: The complete simulation stack from hardware (Wokwi) → OS (QEMU) → network (NS-3) → field trials.

12.13 See Also

Documentation:

QEMU Raspberry Pi Guide: qemu.org/docs/raspberry-pi
Renode Documentation: renode.readthedocs.io
GDB Embedded Debugging: sourceware.org/gdb/embedded

Related Tools:

Docker for reproducible test environments
OpenOCD for JTAG debugging
Valgrind for memory leak detection

Advanced Topics:

Time-travel debugging with RR: rr-project.org
Deterministic replay for bug reproduction

12.14 Try It Yourself

Challenge: Debug ESP32 Firmware Crash Using GDB in Renode

Scenario: Your ESP32 firmware crashes after exactly 47 minutes. Serial prints don’t help (they change timing, bug disappears). Use Renode + GDB to catch the crash.

Steps (90 minutes): 1. Setup Renode with ESP32 platform 2. Load firmware ELF file with debug symbols 3. Set watchpoint on hard fault handler 4. Run at 10× speed (Renode determinism) to trigger crash in 4.7 minutes 5. Examine backtrace when watchpoint hits 6. Inspect variables to find null pointer

What to Observe:

Deterministic replay: crash happens at exact same instruction every time
GDB shows full call stack and register state at crash point
No Heisenbug effect (unlike serial debugging)

Expected Outcome: Find the bug (buffer overflow in 47th MQTT reconnect attempt) that serial debugging couldn’t catch.

Bonus: Set conditional breakpoint: break mqtt_reconnect if reconnect_count > 45

Common Pitfalls

1. Assuming QEMU Models All Target Peripherals Accurately

QEMU’s STM32 or nRF52 models vary in completeness: some peripherals (timers, UART) are well-modeled; others (USB, crypto accelerators, radio peripherals) may be absent or incomplete. Firmware that uses unsupported peripherals in QEMU silently skips or crashes without hardware-equivalent behavior. Before adopting QEMU for a target MCU, audit which peripherals your firmware uses against the QEMU model’s documented peripheral support list.

2. Not Using Emulation for Automated Regression Testing

The most valuable use of platform emulation is automated regression testing: run the full firmware test suite against a Renode emulation model for every CI commit in <5 minutes, without hardware. This requires: creating Renode platform scripts for the target hardware, writing test scripts using Robot Framework or pytest-robot, and integrating with the CI pipeline. Teams that use emulation only for occasional manual debugging miss its primary value as a continuous quality gate.

3. Skipping Emulation for Memory Corruption Analysis

Emulators like QEMU with AddressSanitizer (for user-space emulation) or Renode with memory access tracing can detect stack overflows, heap corruption, and NULL pointer dereferences that are impossible to detect on real hardware without JTAG debugging. For IoT firmware with dynamic memory allocation (RTOS heaps, ring buffers), run emulation-based memory corruption analysis. Enable memory access watchpoints at known-bad addresses and run the firmware through its full operational sequence.

4. Not Automating Emulation Test Execution in CI

Emulation tests run manually once per week provide much weaker quality assurance than running automatically on every commit. Renode provides a CI-friendly headless mode: renode-test –headless –include regression_suite.robot; configure this as a required CI check before merge. Teams that run emulation tests manually “when we remember to” will have inconsistent coverage and miss regressions introduced between manual test runs.

12.15 What’s Next

Continue to Simulation-Driven Development to learn about comprehensive development workflows, testing pyramids, hardware-in-the-loop testing, best practices, and CI/CD integration for simulation-based IoT development.

Previous	Current	Next
Online Hardware Simulators	Emulation & Debugging	Network Simulation Tools