
Tweak your scan

Michael Messner edited this page Oct 2, 2023 · 27 revisions

EMBA includes multiple configuration possibilities to tweak your firmware analysis procedure. In the following article we try to summarize some of them.

Proxy settings

The Quest container (used by the AI modules) needs Internet access, so EMBA needs an Internet connection for it. If you already configure your proxy through the usual http(s)_proxy environment variables, you can start EMBA with "sudo -E ./emba ..." so that these variables are passed through:


EMBA will then automatically detect your proxy settings and configure them in the relevant container.

Blacklist modules

Some modules run for a long time and/or produce so much data that you may not want to run them at all. EMBA lets you blacklist modules in the file ./config/module_blacklist.txt. To blacklist a module, add the basename of the module (without the .sh file ending) to the configuration file. This could result in the following settings:

┌──(m1k3㉿emba)-[~/github-repos/emba_forked]
└─$ cat config/module_blacklist.txt
S110_yara_check
S99_grepit

To verify the new settings, start a new EMBA scan. The main log file (emba.log) then contains entries showing that these modules were blacklisted.


Blacklist modules via profile

The EMBA profile scan-profiles/example-disable-module.emba shows a quick and easy way to disable modules via scan profiles. The main idea is simply to build the MODULE_BLACKLIST array in the scan profile:

export MODULE_BLACKLIST=( "S99_grepit" "S110_yara_check" )
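A misspelled entry in either the blacklist file or the MODULE_BLACKLIST array cannot match any module and therefore disables nothing, so it is worth checking the names before a long scan. The following added example (not EMBA's own code) merges both blacklist sources and reports entries that do not correspond to a module file; it assumes EMBA's modules/<basename>.sh layout and uses a constructed sample tree for the offline demonstration:

```shell
#!/usr/bin/env bash
# Added example, not EMBA's own code: validate blacklist entries against
# the module files that actually exist, so a typo (e.g. "S110_yara_chek")
# does not silently leave that module enabled.
# Assumption: modules live as "$emba_dir/modules/<basename>.sh" and the
# blacklist names them by basename without ".sh", as described above.

# check_blacklist EMBA_DIR BLACKLIST_FILE [PROFILE_ENTRY...]
# Profile entries (the MODULE_BLACKLIST array) are passed as extra arguments.
# Prints each unknown entry; returns 1 if any was found, 0 otherwise.
check_blacklist() {
  local emba_dir="$1" blacklist_file="$2"
  shift 2
  local entry status=0
  # Strip "#" comments and blank lines from the file, then append the
  # profile entries given on the command line.
  for entry in $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$blacklist_file") "$@"; do
    entry="${entry%.sh}"   # tolerate an accidental ".sh" suffix
    if [ ! -f "$emba_dir/modules/$entry.sh" ]; then
      echo "unknown module in blacklist: $entry"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample tree (empty module files and a blacklist like the one
# shown above) so the check can be exercised offline; prints its path.
make_sample_tree() {
  local dir
  dir="$(mktemp -d)"
  mkdir -p "$dir/modules" "$dir/config"
  : > "$dir/modules/S99_grepit.sh"
  : > "$dir/modules/S110_yara_check.sh"
  printf '%s\n' '# skip the slow ones' 'S110_yara_check' 'S99_grepit' \
    > "$dir/config/module_blacklist.txt"
  echo "$dir"
}

# Usage against a real checkout, after sourcing your scan profile:
#   check_blacklist . ./config/module_blacklist.txt "${MODULE_BLACKLIST[@]}"
```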

Blacklist and whitelist CVEs

Override thread settings

EMBA tries to automatically identify how many cores your host has and from that calculates the maximum number of modules to run in parallel and the maximum number of threads (within a module) to run in parallel. The detected settings are printed at the beginning of a firmware test.


If your system runs into resource issues, you can tweak these settings with the following command line options:

-P                Overwrite auto MAX_MODS (maximum modules in parallel) configuration
-T                Overwrite auto MAX_MOD_THREADS (maximum threads per module) configuration

Skip cve-search check during the firmware testing process

EMBA regularly tests that the CVE-search environment is available and fully working. Sometimes this is not needed, and it can be disabled with the following command line option:

-j                No check for cve-search

This setting also speeds up the initial startup process. WARNING: If the cve-search environment is not fully working, EMBA will not detect it. This could result in incomplete scanning results.

Password cracking wordlists

The module s109 uses the well-known John the Ripper password cracker in default mode. If you wish to use your own wordlist for attacking the identified password hashes, place your list in config/jtr_wordlist.txt. On the next run, John will use your wordlist for its cracking attempts.

Skipping an entire test phase

Sometimes you need to skip an entire scan phase, such as the s-phase or the f-phase. You can do this quite easily by specifying a module that does not exist.

The following EMBA call will skip all s-modules but executes the pre-checkers and the finishing modules:

sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m s199

The following EMBA call will skip all finishing modules:

sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m f199