Emba | An Analyzer For Linux-based Firmware Of Embedded Devices

Prometheus · January 28, 2021, 1:06pm

emba is being developed as a firmware scanner that analyses already-extracted Linux-based firmware images. It should help you to identify and focus on the interesting areas of a huge firmware image. Although emba is optimized for offline firmware images, it can test both, live systems and extracted images. Additionally, it can also analyze kernel configurations. emba is designed to assist a penetration tester. It is not designed as a standalone tool without human interaction. emba is designed to give as much information as possible about the firmware. The tester can decide on the areas to focus on and is always responsible for verifying and interpreting the results.

How to use it?

Before starting, check that all dependencies are met and use the installer.sh script: ./emba.sh -d or ./emba.sh -d -F

Arguments:

Test firmware / live system
-a [MIPS]         Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC]
-A [MIPS]         Force Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (disable architecture check)
-l [./path]       Log path
-f [./path]       Firmware path
-e [./path]       Exclude paths from testing (multiple usage possible)
-m [MODULE_NO.]   Test only with set modules [e.g. -m p05 -m s10 ... ]]
                  (multiple usage possible, case insensitive, final modules aren't selectable, if firmware isn't a binary, the p modules won't run)
-c                Enable cwe-checker
-g                Create grep-able log file in [log_path]/fw_grep.log
                  Schematic: MESSAGE_TYPE;MODULE_NUMBER;SUB_MODULE_NUMBER;MESSAGE
-E                Enable automated qemu emulation tests (WARNING this module could harm your host!)
-D                Run emba in docker container
-i                Ignore log path check

Dependency check
-d                Only check dependencies
-F                Check dependencies but ignore errors

Special tests
-k [./config]     Kernel config path

Modify output
-s                Print only relative paths
-z                Add ANSI color codes to log

Firmware details
-X [version]      Firmware version (double quote your input)
-Y [vendor]       Firmware vendor (double quote your input)
-Z [device]       Device (double quote your input)
-N [notes]        Testing notes (double quote your input)

Help
-h                Print this help message

Docker Container

There is a simple docker-compose setup added which allows you to use emba in a docker container - see the wiki for more details

Examples

Static firmware testing:

Extract the firmware from an update file or from flash storage with binwalk or something else
Execute emba with set parameters, e.g.

sudo ./emba.sh -l ./logs/arm_test -f ./firmware/arm_firmware/

Path for logs and firmware path are necessary for testing successfully (WARNING: emba needs some free disk space for logging)
Architecture will be detected automatically; you can overwrite it with -a [ARCH]
Use -A [ARCH] if you don’t want to use auto detection for architecture
emba currently supports the following architectures: MIPS, ARM, PPC, x86 and x64

Live testing:

For testing live system with emba run it as if you were testing static firmware, but with / as firmware path:

sudo ./emba.sh -l ./logs/local_test -f /

Path for logs and firmware path are necessary for testing successfully
Architecture will be detected automatically; you can overwrite it with -a [ARCH]
Use -A [ARCH] if you don’t want to use auto detection for architecture
The paths /proc and /sys will be automatically excluded
It improves output and performance, if you exclude docker
-e /var/lib/docker

Test kernel config:

Test only a kernel configuration with the kernel checker of checksec:

sudo ./emba.sh -l ./logs/kernel_conf -k ./kernel.config

If you add -f ./firmware/x86_firmware/, it will ignore -k and search for a kernel config inside the firmware

Good to know:

sudo is necessary for some modules to run properly
Currently only tested on Kali Linux(2020.4)
emba needs some free disk space for logging
emba uses well known tools like objdump, LinEnum, checksec, linux-exploit-suggester.sh, cwe-checker
emba includes multiple modules of the well known Linux analyser Lynis

Dependencies

emba uses multiple other tools and components - see the wiki for more details

Structure

See the wiki for more details

How to write own modules?

See the wiki for more details

Topic	Replies	Views
Emp3R0R \| Linux Post-Exploitation Framework Made By Linux User Tools & Scripts tool , freebie , development	838	April 3, 2021
FAMA \| Forensic Analysis For Mobile Apps Tools & Scripts forensic-analysis , fama , mobile-apps	1132	November 27, 2020
Binbloom \| Raw Binary Firmware Analysis Software Tools & Scripts tool , tags , code-analysis	705	August 16, 2021
ELFXtract \| An Automated Analysis Tool Used For Enumerating ELF Binaries Tools & Scripts tool , analysis , execution	660	November 27, 2021
Bread \| BIOS Reverse Engineering And Advanced Debugging Tools & Scripts reverse-engineering , debugging , debugger , onehack	487	November 24, 2023

Friendly Websites

Emba | An Analyzer For Linux-based Firmware Of Embedded Devices

How to use it?

Arguments:

Docker Container

Examples

Static firmware testing:

Live testing:

Test kernel config:

Dependencies

Structure

How to write own modules?

GitHub:

Friendly Websites

Emba | An Analyzer For Linux-based Firmware Of Embedded Devices

How to use it?

Arguments:

Docker Container

Examples

Static firmware testing:

Live testing:

Test kernel config:

Dependencies

Structure

How to write own modules?

GitHub:

Related Topics