protoXE
EU-Sovereign · ARM64 EL0–EL3 · RISC-V S-mode · #![no_std]

Find the bug before the chip exists.

A sovereign, deterministic full-system emulator for ARM64 and RISC-V. Boot real Linux, RTOSes, Type-1 hypervisors and bare-metal firmware on a digital twin — instruction-for-instruction reproducible, with a time-travel trace into every bug.

  • Dual_ISA: ARM64 + RV64 Linux
  • 2M+ RV64IM insns · 0 divergences
  • --rewind_N: Time-travel debug
protoxe-cli · bootel2

$ protoxe-cli bootel2 \
  --board boards/r1-el2.board \
  --load linux-guest/Image@0x40800000 \
  --rewind 1M --exc-trace=128@EL2 \
  --mmio-trace=512 --break-on-bug \
  hypervisor_rk3588.elf

// stop · icount 41_120_004
[exc] EL2 IRQ #30 ×142 <el2_vector_irq+0x14>
[mmio] w gicd+0x100 0xdeadbeef !FAULT
[bug] kernel BRK #0x800 <__warn+0x40>
> rewound to icount 40_120_004

// High Assurance Design

Traditional Emulation Wasn't Built for High-Assurance Systems

Legacy virtualizers and monolithic dynamic translation layers introduce risks that modern critical software cannot accept.

Host Dependency

QEMU and legacy VMMs rely on a standard libc, POSIX threads, and complex dynamic allocations from the host OS, which blocks deployment on bare metal or inside microkernels.

The Determinism Gap

Dynamic JIT translation introduces runtime performance jitter. protoXE enforces absolute execution predictability through cycle-accurate structures.

Memory Safety

By eliminating runtime heap allocations entirely and utilizing Rust's compile-time guarantees, the simulator is mathematically protected from guest-driven exploits.

// Determinism & Diagnostics

A trace into every bug. The same one, every time.

Same inputs → same execution, instruction-for-instruction. That powers reproducers (--to <icount> replays to the exact point of a bug), snapshots (--save/--resume) you can share, and a diagnostic suite built for pre-silicon bring-up.

--rewind <N>
Time-travel

Trail into the fault

A rolling whole-machine snapshot refreshes every N instructions. On any stop the machine restores to that point and prints the last ~48 EL/PC steps into the bug — or hands GDB a stub you can single-step forward from.

--mmio-trace
Device ring

Which poke broke the device

An ordered ring of the last N MMIO accesses — direction, address annotated <device+0xoff>, value. Address-window filter pins capture to one peripheral. Rejected accesses tagged !FAULT.

--exc-trace
Ordered stream

Catch the storm, not its echo

The ordered ring of exceptions/interrupts taken: target EL, decoded class (EC=0x.., IRQ/FIQ + INTID), symbolized ELR/FAR. The tool for exception-nesting overflows — telemetry gives counts; this gives order.

--audit
ISA coverage

Which opcodes did this boot exercise?

Instruction-coverage audit: counts per ISA category and a triage list of unhandled encodings observed during the run. Turns bring-up into a guided walk of which ARM64 or RISC-V surface your firmware actually exercises.

--break-on-bug
Pre-panic

Stop before the log floods

Halt at the kernel BRK #0x800 (BUG/WARN entry) before the byte-by-byte panic print buries the trace. Pair with --exc-trace / --rewind to see what led to the panic.

--gdb · monitor record
Reverse-debug

Reverse-step a stall

A full GDB remote stub: breakpoints, single step, MMU-translated memory, and snapshot-backed reverse stepping. Snapshot replay is the sound form of reverse — undo-logs can't un-tx a UART or un-ack a GIC IRQ.
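
The snapshot-replay form of reverse stepping described in the --rewind and --gdb cards, as an added example that is not protoXE code. The toy `Machine` and `Rewinder` types are hypothetical; the only property borrowed from the page is that execution is deterministic, so restoring a snapshot and replaying forward reproduces any earlier state exactly.

```rust
// Added example: a toy deterministic machine, not protoXE code.
#[derive(Clone, Copy, Debug, PartialEq)]
struct Machine { icount: u64, pc: u64, acc: u64 }

impl Machine {
    // The next state depends only on the current state: no clocks, no host input.
    fn step(&mut self) {
        self.acc = self.acc.wrapping_mul(6364136223846793005).wrapping_add(self.pc);
        self.pc = 0x4080_0000 + (self.acc >> 60) * 4;
        self.icount += 1;
    }
}

// `interval` must be greater than zero.
struct Rewinder { interval: u64, snap: Machine, live: Machine }

impl Rewinder {
    fn new(interval: u64, start: Machine) -> Self {
        Rewinder { interval, snap: start, live: start }
    }

    // Run forward, refreshing the single rolling snapshot every `interval` instructions.
    fn run_to(&mut self, icount: u64) {
        while self.live.icount < icount {
            if self.live.icount % self.interval == 0 { self.snap = self.live; }
            self.live.step();
        }
    }

    // Reverse-step by restoring the snapshot and replaying forward to icount - 1.
    // Returns None past the rewind horizon: one rolling snapshot cannot go back further.
    fn reverse_step(&mut self) -> Option<Machine> {
        let target = self.live.icount.checked_sub(1)?;
        if target < self.snap.icount { return None; }
        let mut m = self.snap;
        while m.icount < target { m.step(); }
        self.live = m;
        Some(m)
    }
}

fn main() {
    let mut r = Rewinder::new(1000, Machine { icount: 0, pc: 0x4080_0000, acc: 1 });
    r.run_to(2500);
    println!("{:?}", r.reverse_step());
}
```

Nothing is undone in place: every reverse step is a restore plus a forward replay, which is why side effects such as a transmitted UART byte need no special handling.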

// ARM64 EL2 hypervisor bring-up, one command
protoxe-cli bootel2 --board boards/r1-el2.board \
  --load linux-guest/Image@0x40800000 \
  --load guest.dtb@0x46800000 \
  --load initramfs.cpio@0x47000000 \
  --steps 10G --rewind 1M \
  --exc-trace=128@EL2 --mmio-trace=512 \
  --break-on-bug hypervisor_rk3588.elf

A Type-1 EL2 hypervisor hosting a Linux guest, with GICv3 vGIC + stage-1/2 MMU. The same diagnostic runner powers bootriscv: symbolized faults, register dumps, MMIO/exception traces, snapshot rewind, GDB stub. Add a new ISA, get the tooling for free.

// Zero Runtime Overhead

Composed Static Architecture

System topology is locked at compile-time. Thanks to our zero-cost trait system and $O(\log n)$ static bus routing, hardware modules like core architectures and peripherals interlock safely without dynamic pointer dispatch.

  • Hot-swap CPU topologies via native Rust Generics
  • Isolated MMU memory maps determined statically
src/main.rs
// Static topology locked at compile time
static mut SYSTEM_BUS: SystemBus = SystemBus::new();

fn main() {
    // SAFETY: main runs once on a single thread, so this is the only
    // reference ever taken to the static bus.
    let bus = unsafe { &mut *core::ptr::addr_of_mut!(SYSTEM_BUS) };
    let mut board = Board::new(bus);

    // Plug modules with deterministic memory map
    board.plug(CpuArm64::new(0x4000_0000));
    board.plug(Ram::new(0x4000_0000, 0x8000_0000));
    board.plug(DwUart::new(0xFEB5_0000));

    protoxe_core::boot(&mut board).expect("Boot err");
}
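
How a compile-time memory map with O(log n) routing and the --mmio-trace device ring described earlier can fit together without heap allocation, as an added example that is not protoXE code. The region names, bases and sizes, the read-only rule and the `MmioRing` type are constructed assumptions; only the output line format follows the page.

```rust
// Added example, not protoXE code. Constructed map: sorted by base, non-overlapping.
#[derive(Clone, Copy)]
struct Region { base: u64, size: u64, name: &'static str, read_only: bool }
static MAP: [Region; 3] = [
    Region { base: 0x0000_0000, size: 0x1_0000, name: "bootrom", read_only: true },
    Region { base: 0x4000_0000, size: 0x4000_0000, name: "ram", read_only: false },
    Region { base: 0xFEB5_0000, size: 0x1000, name: "uart", read_only: false },
];

// O(log n) routing: binary-search the last region with base <= addr, then bounds-check.
fn route(addr: u64) -> Option<(&'static Region, u64)> {
    let idx = MAP.partition_point(|r| r.base <= addr).checked_sub(1)?;
    let off = addr - MAP[idx].base;
    if off < MAP[idx].size { Some((&MAP[idx], off)) } else { None }
}

#[derive(Clone, Copy)]
struct Access { write: bool, addr: u64, value: u64, fault: bool }
// Fixed-capacity ring (N > 0) of the last N accesses inside [lo, hi); no heap.
struct MmioRing<const N: usize> { buf: [Option<Access>; N], seen: usize, lo: u64, hi: u64 }
impl<const N: usize> MmioRing<N> {
    const fn new(lo: u64, hi: u64) -> Self { Self { buf: [None; N], seen: 0, lo, hi } }
    // Route one access, log it if it is inside the window, return whether it was accepted.
    fn access(&mut self, write: bool, addr: u64, value: u64) -> bool {
        let ok = matches!(route(addr), Some((r, _)) if !(write && r.read_only));
        if (self.lo..self.hi).contains(&addr) {
            self.buf[self.seen % N] = Some(Access { write, addr, value, fault: !ok });
            self.seen += 1;
        }
        ok
    }

    // Oldest to newest; String formatting is for host-side display only.
    fn lines(&self) -> Vec<String> {
        (self.seen.saturating_sub(N)..self.seen).filter_map(|i| self.buf[i % N]).map(|a| {
            let place = match route(a.addr) {
                Some((r, off)) => format!("{}+{:#x}", r.name, off),
                None => format!("{:#x}", a.addr), // unmapped: raw address
            };
            let tag = if a.fault { " !FAULT" } else { "" };
            format!("[mmio] {} {place} {:#x}{tag}", if a.write { 'w' } else { 'r' }, a.value)
        }).collect()
    }
}

fn main() {
    let mut ring = MmioRing::<4>::new(0, 0x4000_0000);
    ring.access(true, 0x100, 0xdeadbeef); // constructed: write to the read-only ROM
    println!("{:?}", ring.lines());
}
```

A guest access that matches no region, or that the region rejects, is refused and logged rather than turned into a host memory access.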

Built for Mission-Critical Engineering

Silicon Prototyping

Validate firmware, drivers, and custom RTOS abstractions on a digital twin months before tape-out.

High-Assurance Fuzzing

Instantiate a massive matrix of parallel validation nodes in sub-millisecond time, without VM overhead or memory-safety leakage.

Defense & Aerospace

Certify verification tooling smoothly under stringent guidelines (ISO 26262 / DO-178C) thanks to pure predictability.

// Behind protoXE

Built by an enterprise architect, for engineers who can't ship a bug.

Claudio Corbetta
Founder · Engineering

EU enterprise architect with 25 years in identity and critical systems infrastructure. protoXE was built to give silicon and firmware teams the diagnostic tooling I never had at the boundary between high-assurance software and the hardware it runs on.

Brussels, Belgium | Identity · Critical Infrastructure | Rust · ARM64 · RISC-V
// Design Partner Program

Accelerate Your Silicon Verification Loop

We are selecting a limited cohort of hardware startups and high-assurance engineering teams. Enter your work email and we'll send you our collaboration brief with contact details and next steps.