Skip to content

Tweak your scan

Michael Messner edited this page Feb 16, 2024 · 27 revisions

EMBA includes multiple configuration possibilities to tweak your firmware analysis procedure. In the following article we try to summarize some of them.

Proxy settings

For accessing the Internet via the Quest container (used by the AI modules), EMBA needs Internet connnection. If you usually use your environment variables for configuring the relevant http(s)_proxy environment variables, you can now start EMBA with "sudo -E ./emba ...":

image

EMBA will then automatically detect your proxy settings and configure them in the relevant container.

Update checks

During the dependency check EMBA tries to reach a dedicated github repo for getting the current version details for the following details:

  • current EMBA release version
  • current EMBA github short hash
  • current EMBA NVD database github short hash
  • current EMBA container hash

This is quite cool to get a notice as soon as there are updates available. If EMBA has no internet connection these checks can't be performed and the user of EMBA needs to check his installation manually. It is also possible to disable these checks in the following way:

NO_UPDATE_CHECK=1 sudo -E ./emba <further EMBA parameters>

Blacklist modules

Some modules are running quite long and/or produce so much data that someone probably does not want to run them. EMBA has the possibilities to blacklist some module in the file ./config/module_blacklist.txt. To blacklist a module just add the basename of the module (without the fileending .sh) to the configuration file. This could result in the following settings:

┌──(m1k3㉿emba)-[~/github-repos/emba_forked]
└─$ cat config/module_blacklist.txt
S110_yara_check
S99_grepit

To verify the new settings you can start a new EMBA scan. In the main log file (emba.log) the following entries are shown:

image

Note: Blacklisting of pre-checker modules is currently not supported and will result in unexpected behavior.

Blacklist modules via profile

The EMBA profile scan-profiles/example-disable-module.emba shows a quick and easy possibility to disable modules with scan profiles. The main idea is to just build the MODULE_BLACKLIST array in the scan profile:

export MODULE_BLACKLIST=( "S99_grepit" "S110_yara_check" )

Blacklist and whitelist CVEs

See config/cve-blacklist.txt and config/cve-whitelist.txt

Override thread settings

EMBA tries to automatically identify how many cores your host has and calculates the maximum modules in parallel and maximum threads (within a module) in parallel. The identified settings are shown in the beginning of a firmware test:

image

Especially if your system is running into resource issues you are able to tweak these settings with the following command line options:

-P                Overwrite auto MAX_MODS (maximum modules in parallel) configuration
-T                Overwrite auto MAX_MOD_THREADS (maximum threads per module) configuration

Password cracking wordlists

The module s109 uses the well known John the ripper password cracker in default mode. If you wish to use your own wordlist for attacking the identified password hashes you can place your list in config/jtr_wordlist.txt. The next time John is using your password list for cracking attacks.

Skipping an entire test phase

Sometimes you need to skip an entire scan phase like the s-phase or the f-phase. You can do this quite easy with specifying a module that does not exist.

The following EMBA call will skip all s-modules but executes the pre-checkers and the finishing modules:

sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m s199

The following EMBA call will skip all finishing modules:

sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m f199

Get rid of the dots

EMBA usually shows you that she is thinking with a huge amount of dots printed to the screen. To disable this method of showing you the love of EMBA you can set the following option in your scan-profile:

export DISABLE_DOTS=1

An example scan-profile is available here