EMBA is designed as the central firmware analysis tool for penetration testers.
It supports the complete security analysis process, starting with firmware extraction, continuing with static analysis and dynamic analysis via emulation, and finally generating a web report. EMBA automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts, and hard-coded passwords. EMBA is a command line tool with the option to generate an easy-to-use web report for further analysis.
EMBA combines multiple established analysis tools and can be started with one simple command. It then tests the firmware for possible security risks and interesting areas for further investigation. No manual installation of the helper tools is needed: once the integrated installation script has been executed, you are ready to test your firmware.
EMBA is designed to assist penetration testers and not as a standalone tool without human interaction. EMBA should provide as much information as possible about the firmware so that the tester can decide on focus areas; the tester is responsible for verifying and interpreting the results.
Before running emba, make sure that you have installed all dependencies.
We strongly recommend that you run emba inside a virtual machine, because this software is in an alpha state and we cannot guarantee that emba will not be responsible for data loss or other malfunctions on your system. If you use emba with the Docker (-D) switch, you should be able to forgo the VM (but no guarantee!).
Emba can be executed in two ways: the classic way and with Docker. In the classic variant, emba and all its modules run on the host, and emba's dependencies must be installed there. In the Docker variant, only Docker needs to be installed on the host, and emba installs everything necessary inside the Docker container itself during the first run.
To install all necessary applications on the host for emba, you only have to run the install script with root permissions:
You can use the -F switch with the installer to force the installation of all needed applications. We recommend using this for the initial installation.
To get the full emba experience, you have to install the database for CVE-Search manually.
Emba can also be used with Docker, which makes it very easy to maintain. You only have to install Docker together with some external images. To get these, run the installer with the -d switch; it installs only the dependencies needed to run emba inside Docker:
sudo ./installer.sh -d
Afterwards you can run emba with the -D switch. During the first run, emba builds the Docker container and installs all the necessary applications in it. Please be patient here, it may take a while.
To build the emba container manually:
docker-compose build emba
(you can skip this step; emba will then build the container on its first run)
To get the full emba experience, you have to install the database for CVE-Search manually. The container accesses the host's database in this case.
Classic:
./emba.sh -l ./log -f ./firmware
Docker:
sudo ./emba.sh -l ./log -f /firmware -D
Test firmware / live system
-a [MIPS] Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC]
-A [MIPS] Force Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (disable architecture check)
-l [./path] Log path
-f [./path] Firmware path
-e [./path] Excludes paths from testing (multiple usage possible)
-m [MODULE_NO.] Tests only with the given modules [e.g. -m p05 -m s10 …] (multiple usage possible, case insensitive; final modules aren't selectable; if the firmware isn't a binary, the p modules won't run)
-c Enables cwe-checker
-g Create grep-able log file in [log_path]/fw_grep.log
-E Enables automated qemu emulation tests (WARNING this module could harm your host!)
-D Runs emba in docker container
-i Ignores log path check
-W Activates web report creation in log path (overwrites -z)
-d Only checks dependencies
-F Checks dependencies but ignore errors
-k [./config] Kernel config path
-x Enable deep extraction: try to extract every file two times with binwalk (WARNING: uses a lot of disk space)
-s Prints only relative paths
-z Adds ANSI color codes to log
-X [version] Firmware version (double quote your input)
-Y [vendor] Firmware vendor (double quote your input)
-Z [device] Device (double quote your input)
-N [notes] Testing notes (double quote your input)
-h Prints this help message
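Putting the switches above together, here is an added example (not one of EMBA's own scripts) of a small shell wrapper that validates the architecture against the documented list and refuses a log path that already exists (which emba would also reject unless -i is given) before assembling the emba.sh command line with the -W, -g, -Y, -Z and -X switches. The function name emba_build_cmd and the sample vendor/device/version values are assumptions.

```shell
# emba_build_cmd FIRMWARE LOGDIR ARCH VENDOR DEVICE VERSION [classic|docker]
# Prints the emba.sh invocation on stdout; returns 1 on a bad argument.
# (Added example; the function name and argument layout are assumptions.)
emba_build_cmd() {
    fw=$1; log=$2; arch=$3; vendor=$4; device=$5; version=$6; mode=${7:-classic}

    # -a only accepts the architectures listed in the help text
    case "$arch" in
        MIPS|ARM|x86|x64|PPC) ;;
        *) echo "unsupported architecture: $arch" >&2; return 1 ;;
    esac

    # the firmware image must exist before we hand it to -f
    [ -e "$fw" ] || { echo "firmware not found: $fw" >&2; return 1; }

    # emba checks that the log path is fresh (only -i skips that check),
    # so fail early here instead of mixing results with an old run
    [ -e "$log" ] && { echo "log path already exists: $log" >&2; return 1; }

    # -Y/-Z/-X values must be double-quoted as the help text says;
    # -W writes the web report, -g the grep-able fw_grep.log
    cmd="./emba.sh -l $log -f $fw -a $arch -W -g"
    cmd="$cmd -Y \"$vendor\" -Z \"$device\" -X \"$version\""

    # the Docker variant is started with sudo and the -D switch
    if [ "$mode" = docker ]; then
        cmd="sudo $cmd -D"
    fi

    printf '%s\n' "$cmd"
}

# example call with constructed metadata; pipe to sh to actually run it
emba_build_cmd ./firmware.bin ./log MIPS "ExampleVendor" "ExampleRouter" "1.0.3" docker
```

The printed command can be reviewed and then executed with `sh -c "$(emba_build_cmd ...)"`; the -A switch is deliberately not used, so emba's own architecture check stays active.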