Skip to content
Pascal Eckmann edited this page Feb 22, 2021 · 31 revisions

Classic

Before running emba make sure that you have installed all dependencies.

Static firmware testing

  • Execute emba with set parameters, e.g.
    sudo ./emba.sh -l ./log -f ./firmware
  • Path for logs and firmware path are necessary for testing successfully.
  • You can specify some arguments.

Test kernel config

  • Test only a kernel configuration with the kernel checker of checksec:
    sudo ./emba.sh -l ./logs/kernel_conf -k ./kernel.config
  • If you add -f ./firmware, it will ignore -k and search for a kernel config inside the firmware
  • You can specify some arguments.

Good to know:

  • sudo is necessary for some modules to run properly, e.g. S115_usermode_emulator.sh
  • Currently only tested on Kali Linux (2020.4)
  • emba needs some free disk space for logging
  • emba currently supports the following architectures: MIPS, ARM, PPC, x86 and x64

Docker

There is a simple docker-compose setup added, which allows you to run emba in a docker container.

Run interactive docker container:

FIRMWARE=/absolute/path/to/firmware LOG=/home/n/firmware_log/ docker-compose run emba

This will drop you a shell in the folder where emba has been added. The firmware is located at /firmware and the log directory at /log.

./emba.sh -l /log -f /firmware -i

Let emba do the work for you, use the -D switch to start emba in Docker mode:

sudo ./emba.sh -l ./log -f /firmware -D

Limitations:

  • CWE-Checker and FACT-extractor are currently not included in the docker container
  • CVE-Search needs the database exposed by the host

Arguments

Print these arguments with

./emba.sh -h
Test firmware / live system
-a [MIPS]         Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC]
-A [MIPS]         Force Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (disable architecture check)
-l [./path]       Log path
-f [./path]       Firmware path
-e [./path]       Exclude paths from testing (multiple usage possible)
-m [MODULE_NO.]   Test only with set modules [e.g. -m p05 -m s10 ... ]]
                  (multiple usage possible, case insensitive, final modules aren't selectable, if firmware isn't a binary, the p modules won't run)
-c                Enable cwe-checker
-g                Create grep-able log file in [log_path]/fw_grep.log
                  Schematic: MESSAGE_TYPE;MODULE_NUMBER;SUB_MODULE_NUMBER;MESSAGE
-E                Enable automated qemu emulation tests (WARNING this module could harm your host!)
-D                Run emba in docker container
-i                Ignore log path check

Dependency check
-d                Only check dependencies
-F                Check dependencies but ignore errors

Special tests
-k [./config]     Kernel config path

Modify output
-s                Print only relative paths
-z                Add ANSI color codes to log

Firmware details
-X [version]      Firmware version (double quote your input)
-Y [vendor]       Firmware vendor (double quote your input)
-Z [device]       Device (double quote your input)
-N [notes]        Testing notes (double quote your input)

Help
-h                Print this help message

Live systems

For testing a live system with emba, run it as if you were testing static firmware, but with / as firmware path:

./emba.sh -l ./log -f /
  • Path for logs and firmware path are necessary for emba.
  • It improves output and performance, if you exclude docker with the -e switch:
    ./emba.sh -l ./log -f / -e /var/lib/docker