CoreXight

Introduction

CoreXight is a cutting-edge feature implemented in Corellium's virtual hardware lab, designed to enhance the capabilities of CoreSight tracing. This document provides comprehensive support and guidance on using CoreXight, specifically tailored for virtualized devices.

CoreXight from Corellium extends the debugging and trace functionality of the Arm CoreSight architecture.

See an example of CoreXight in action in our CoreSight Tracing Demo.

What is CoreXight?

CoreXight is an in-house trace stream parser that extends the functionalities of CoreSight. It offers a stream of code flow trace off the CPU core and includes several advanced features to make tracing more effective and insightful. It is primarily used with the ARM architecture and is integral in analyzing and debugging applications running on virtualized devices.

Key Features

  1. Enhanced Tracing: Unlike regular CoreSight, CoreXight can collect data for the whole virtual machine (VM) into a single trace. This is achieved by either interleaving multiple per-CPU traces or splitting a single system-wide trace.
  2. Process Attribution: CoreXight can attribute code flow to specific processes running in the VM, allowing users to identify which program is executing any given code.
  3. Filtering: Users can filter the trace by process or thread, focusing only on relevant data and excluding traces from other programs.
  4. Interleaving CoreTrace Syscall Data: CoreXight can interleave CoreTrace syscall data in the code flow trace, providing deeper insights into the system's operations.
  5. No Special Setup Required: CoreXight does not require any specific setup on the executable code, making it suitable for tracing both user land and kernel code.
  6. Output Format: CoreXight produces a basic-block trace in a simple text format, with process names, PIDs, TIDs, and interleaved comments for enhanced readability and analysis.

Using CoreXight

Setting Up

  1. Connect to charmd: Use the control socket to send commands to the hypervisor about the target VM.
  2. Enable Tracing: Issue commands to enable CoreSight tracing and, optionally, system call tracing for enriched data.
  3. Start CoreXight Tracing: Use the armtrace command with the VMID, output path, maximum trace size, and a filter based on process name or PID; leave the filter unset for full-system tracing.
  4. Interact with the Application: Perform desired actions within the application to generate trace data.
  5. Stop Tracing: Reissue the armtrace command with the VMID to stop tracing.

Processing Trace

  1. Gather Necessary Files: Obtain the application binary, bundled libraries, and the dyld shared cache matching the VM.
  2. Run CoreXight Tool: Use Corellium’s custom tool to process the trace, inputting the necessary file paths.
  3. Output Analysis: Redirect the output data to a file for analysis, noting that the processing time and output size may vary depending on the system and trace length.

Analyzing the Trace

  1. Examine Trace Files: Check the trace files' sizes and details.
  2. Edit and Analyze the Trace: Use an appropriate editor to handle the large text file. It may be necessary to split the file into smaller chunks for easier handling.
  3. Trace Analysis: Analyze the full program flow information and enriched syscall data for comprehensive insights.

Performance Considerations

CoreXight is designed to minimize the impact on VM performance while maximizing the analysis capabilities. It is ideal for scenarios where detailed, in-depth analysis is required without a significant performance trade-off during the application's runtime.


CoreXight offers an advanced and efficient method for tracing code execution in virtual environments, providing detailed insights into application behavior. It is a powerful tool for developers and analysts working with virtualized device environments in Corellium's virtual hardware lab. For further assistance or specific queries, please contact our technical support team.