protoXE
Validated instruction-by-instruction against real ARM64 silicon

Find the bug before the chip exists.

protoXE is a silicon-accurate ARM64 emulator that boots real firmware — Linux, OP-TEE, bare-metal — and surfaces integration bugs that QEMU misses. Every instruction validated against real hardware.

1 ISA gap in 3.1M OP-TEE instructions
Linux 6.6 → shell: real kernel, interactive
OP-TEE TEE_SUCCESS: real TA lifecycle
protoxe-cli bootoptee tee.bin

entry: 0xE100000 at Secure-EL1 · running…

I/TC: Embedded DTB found

I/TC: OP-TEE version: bfe86e3 … aarch64

I/TC: Primary CPU initializing

I/TC: Primary CPU switching to normal world boot

── OP-TEE boot complete: 2,676,630 insns ──

CALLS_UID → 384fb3e0 ✅ canonical OP-TEE UID

OPEN_SESSION → TEE_SUCCESS session 0x1

INVOKE_COMMAND → TEE_SUCCESS

CLOSE_SESSION → TEE_SUCCESS

// Oracle-Driven Validation

Your emulator is not your chip.

QEMU does not model your SoC's interrupt routing, your secure-world memory layout, or the edge cases in your custom IP. Bugs that live in that gap only surface after tapeout — the most expensive place to find them.

// Case Study — OP-TEE Integration

How protoXE found a real ISA gap at instruction 187,000

A team integrating OP-TEE into an ARM64 SoC ran the real tee.bin binary on protoXE. At instruction 187,000, the simulator stopped with a precise diagnosis:

── OP-TEE entered __do_panic at 187,100 insns ──

x0 → "core/mm/core_mmu.c"

x2 → "check_pa_matches_va"

ESR_EL1=0x96000045 ELR_EL1=0xE118C04

The AT s1e1r instruction (address translation, CRn=7 CRm=8) was silently decoded as a DC cache no-op — leaving PAR_EL1 always zero. OP-TEE's own self-check caught it. QEMU did not surface it.

After the one-line fix, OP-TEE booted to completion in 3.1 million instructions — zero undecoded instructions, three TEE_SUCCESS, one ISA gap closed before tapeout.
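
The decode gap in the case study, as an added example that is not protoXE's code: a classifier for the AArch64 SYS encoding space with CRn=7, where AT (CRm=8) sits next to the DC and IC operations, returning an explicit error class for anything it does not list instead of a no-op. `SysOp`, `classify_sys` and `may_retire_as_nop` are hypothetical names, and the sample instruction words are constructed.

```rust
/// SYS-space operation classes that share CRn=7 (hypothetical names, not protoXE's).
#[derive(Debug, PartialEq, Eq)]
pub enum SysOp {
    /// Address translation: the walk must run and the result be written to PAR_EL1.
    At { op1: u32, crm: u32, op2: u32, rt: u32 },
    /// Data-cache maintenance: commonly a no-op when caches are not modelled.
    Dc { rt: u32 },
    /// Instruction-cache maintenance.
    Ic { rt: u32 },
    /// SYS encoding this table does not list: report it, never swallow it.
    Unhandled(u32),
    NotSys,
}

pub fn classify_sys(insn: u32) -> SysOp {
    // SYS #op1, Cn, Cm, #op2, Xt: bits [31:19] are 1101_0101_0000_1.
    if (insn & 0xFFF8_0000) != 0xD508_0000 {
        return SysOp::NotSys;
    }
    let (op1, crn) = ((insn >> 16) & 0x7, (insn >> 12) & 0xF);
    let (crm, op2, rt) = ((insn >> 8) & 0xF, (insn >> 5) & 0x7, insn & 0x1F);
    if crn != 7 {
        return SysOp::Unhandled(insn); // TLBI and others are outside this sketch
    }
    match (op1, crm, op2) {
        // AT S1E1R/W, S1E0R/W; S1E2R/W, S12E1R/W, S12E0R/W; S1E3R/W; S1E1RP/WP
        (0, 8, 0..=3) | (4, 8, 0 | 1 | 4..=7) | (6, 8, 0 | 1) | (0, 9, 0 | 1) => {
            SysOp::At { op1, crm, op2, rt }
        }
        // DC IVAC, ISW, CSW, CISW, CVAC, CVAU, CIVAC. DC ZVA (3, 4, 1) writes
        // memory, so it is deliberately left out of this no-op class.
        (0, 6, 1 | 2) | (0, 10 | 14, 2) | (3, 10 | 11 | 14, 1) => SysOp::Dc { rt },
        // IC IALLUIS, IALLU, IVAU
        (0, 1 | 5, 0) | (3, 5, 1) => SysOp::Ic { rt },
        _ => SysOp::Unhandled(insn),
    }
}

/// Only cache maintenance may be modelled as a no-op in this sketch.
pub fn may_retire_as_nop(op: &SysOp) -> bool {
    matches!(op, SysOp::Dc { .. } | SysOp::Ic { .. })
}

fn main() {
    // Constructed words: AT S1E1R, X0; DC CIVAC, X1; DC ZVA, X0
    for insn in [0xD508_7800u32, 0xD50B_7E21, 0xD50B_7420] {
        let op = classify_sys(insn);
        println!("{insn:#010x} -> {op:?} nop_ok={}", may_retire_as_nop(&op));
    }
}
```

A decoder that keys only on CRn=7 would put the first word in the cache-maintenance class; matching on op1, CRm and op2 together is what keeps AT out of the no-op path.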

"Not a faster emulator, but an emulator you can blame."
// The oracle

Three properties that make the platform trustworthy

01

Differential Testing

Every instruction stream is compared register-by-register against QEMU and real silicon (Youyeetoo R1, RK3588S). A divergence is a protoXE bug — tracked, fixed, and closed. The current gap count on a full Linux 6.6 + OP-TEE boot: zero undecoded encodings.

02

Oracle-Driven Bring-Up

When software fails, protoXE names the instruction, the PC, the ESR, the FAR, and the failing assert's source file and line — before the UART is even initialised. The debug loop is: run → read the fault → fix. No guessing.

03

Composable Platform

Drop your RTL IP (Verilog, Verilated) into a silicon-proven ARM64 SoC via the co-simulation bridge. A divergence at the component boundary is provably yours, not the simulator's — because the surrounding platform is oracle-validated.

3.1M OP-TEE boot instructions
0 undecoded ISA encodings
1 real ISA gap found & fixed
TEE_SUCCESS in TA lifecycle
// Proven on real software
Linux 6.6

Boots to an interactive userspace shell. SMP (8 cores), virtio-blk, networking, console input. Same kernel as production.

OP-TEE OS

Real tee.bin from source. EL3 monitor, EL1t thread dispatch, OPTEE_SMC ABI. OPEN_SESSION → INVOKE → CLOSE, all TEE_SUCCESS.

TrustZone Stack

EL3, world switch, TZASC memory isolation — each layer lock-step validated against QEMU secure=on.

Custom RTL IP

Drop your Verilog block via the co-simulation bridge (APB / AXI4-Lite). Substitution testing isolates integration bugs at the boundary.

// Who uses protoXE

Built for mission-critical integration

A

Chip Designers & IP Vendors

Validate your custom SoC firmware and driver stack before tapeout. Drop your RTL IP into a proven ARM64 board via the co-simulation bridge. A test failure means a real bug — not a simulator artefact.

B

Secure World Teams

Develop and test OP-TEE, TrustZone, and sovereign-security software against a faithful platform — not a general-purpose proxy. EL3, TZASC carve-outs, and the real OPTEE_SMC ABI, all validated.

C

Defense & Aerospace

A deterministic, fully auditable simulation host with no dynamic allocation, no POSIX dependency, and a Rust memory safety foundation aligned with ISO 26262 and DO-178C.

// Design Partner Program

Work with us on your integration problem.

We work with a small number of teams. Enter your work email and we'll send you our collaboration brief with contact details and next steps.
