-
-
Notifications
You must be signed in to change notification settings - Fork 242
Usage
Before running EMBA make sure that you have installed all dependencies.
- Execute EMBA with set parameters, e.g.
sudo ./emba -l ./log -f ./firmware
- Path for logs and firmware path are necessary for testing a firmware image.
- You can specify multiple arguments.
- We are recommending to use the
-p
parameter and select one of the provided scan profiles:Instead of looking for the right parameters for an optimized EMBA run, we've selected an mostly ideal combination of options for your quick start ... so you don't have to.sudo ./emba -l ./log -f ./firmware -p ./scan-profiles/default-scan.emba
- Test only a kernel configuration with the kernel checker of checksec:
sudo ./emba -l ./logs/kernel_conf -k ./kernel.config
- If you add
-f ./firmware
, it will ignore-k
- You can specify some arguments.
-
sudo
is necessary for some modules to run properly, e.g.S115_usermode_emulator.sh
- Currently only tested on Kali Linux (2023.04). We try to always update EMBA to the newest Kali Linux version and won't check if it stays compatible with older versions.
- EMBA needs quite a lot of free disk space for logging
- EMBA currently supports the following architectures: MIPS, ARM, PPC, x86 and x64
- As EMBA supports a lot of parameters we have introduced scan profiles. You can start EMBA for example with the following command line:
This template sets multiple useful options for running EMBA
sudo ./emba -l ~/emba_log -f ~/firmware -p ./scan-profiles/default-scan.emba
There is a simple docker-compose setup added, which allows you to run EMBA in a docker container. If you are using EMBA in the classic mode, you already are using our docker-compose setup. This chapter is now just for developing purposes.
Run interactive docker container:
EMBA="." FIRMWARE=/absolute/path/to/firmware LOG=/home/n/firmware_log/ docker-compose run emba
This will drop you a shell in the folder where EMBA has been added. The firmware is located at /firmware
and the log directory at /log
.
./emba -l /log -f /firmware -i
EMBA will do the work for you fully automatically:
If you don't use the developer mode -D
then it will start the EMBA docker container automatically.
sudo ./emba -l ./log -f /firmware
- You can specify some arguments.
Print the possible command line options with
./emba -h
USAGE
Test firmware
-l [~/path] Log path
-f [~/path] Firmware path
-m [MODULE_NO.] Test only with set modules [e.g. -m p05 -m s10 ... or -m p to run all p modules]
(multiple usage possible, case insensitive)
-p [PROFILE] EMBA starts with a pre-defined profile (stored in ./scan-profiles)
-t Activate multi threading (destroys regular console output)
-P Overwrite auto MAX_MODS (maximum modules in parallel) configuration
-T Overwrite auto MAX_MOD_THREADS (maximum threads per module) configuration
Developer options
-D Developer mode - EMBA runs on the host without container protection
-S STRICT mode - developer option to improve code quality (not enabled by default)
-y Overwrite log directory automaticially, even if it is not empty
System check
-d [1/2] Only checks dependencies (1 - on host and in container, 2 - only container)
-F Checks dependencies but ignore errors
-U Check and apply available updates and exit
-V Show EMBA version
Special tests
-k [~/config] Kernel config path
-C [container id] Extract and analyze a local docker container via container id
-r Remove temporary firmware directory after testing
-b Just print a random banner and exit
-o [~/path] 2nd Firmware path to diff against the main firmware file - diff mode only (no other firmware analysis)
-c Enable extended binary analysis
-E Enables automated qemu user emulation tests (WARNING this module could harm your host!)
-Q Enables automated qemu system emulation tests (WARNING this module could harm your host!)
-a [MIPS] Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (usually not needed)
-A [MIPS] Force Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (disable architecture check - usually not needed)
-e [./path] Exclude paths from testing (multiple usage possible - usually not needed)
Reporter options
-W Activates web report creation in log path (overwrites -z)
-g Create grep-able log file in [log_path]/fw_grep.log
-s Prints only relative paths
-z Adds ANSI color codes to log
Firmware details
-X [version] Firmware version (versions aka 1.2.3-a:b only)
-Y [vendor] Firmware vendor (alphanummerical values only)
-Z [device] Device (alphanummerical values only)
-N [notes] Testing notes (alphanummerical values only)
Help
-h Prints this help message
For testing a live system with EMBA, run it as if you were testing static firmware, but with /
as firmware path:
./emba -l ./log -f /
- Path for logs and firmware path are necessary for EMBA.
- It improves output and performance, if you exclude docker with the
-e
switch:./emba -l ./log -f / -e /var/lib/docker
EMBA - firmware security scanning at its best
Sponsor EMBA and EMBArk:
The EMBA environment is free and open source!
We put a lot of time and energy into these tools and related research to make this happen. It's now possible for you to contribute as a sponsor!
If you like EMBA you have the chance to support future development by becoming a Sponsor
Thank You ❤️ Get a Sponsor
You can also buy us some beer here ❤️ Buy me a coffee
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop
EMBA - firmware security scanning at its best