Tweak your scan

EMBA includes multiple configuration possibilities to tweak your firmware analysis procedure. In the following article we try to summarize some of them.

Blacklist modules

Some modules are running quite long and/or produce so much data that someone probably does not want to run them. EMBA has the possibilities to blacklist some module in the file ./config/module_blacklist.txt. To blacklist a module just add the basename of the module (without the fileending .sh) to the configuration file. This could result in the following settings:

┌──(m1k3㉿emba)-[~/github-repos/emba_forked]
└─$ cat config/module_blacklist.txt
S110_yara_check
S99_grepit

To verify the new settings you can start a new EMBA scan. In the main log file (emba.log) the following entries are shown:

Blacklist modules via profile

The EMBA profile scan-profiles/example-disable-module.emba shows a quick and easy possibility to disable modules with scan profiles. The main idea is to just build the MODULE_BLACKLIST array in the scan profile:

export MODULE_BLACKLIST=( "S99_grepit" "S110_yara_check" )

Blacklist and whitelist CVEs

Override thread and module in parallel settings

EMBA tries to automatically identify how many cores your host has and calculates the maximum modules in parallel and maximum threads (within a module) in parallel. The identified settings are shown in the beginning of a firmware test:

Especially if your system is running into resource issues you are able to tweak these settings with the following command line options:

-P                Overwrite auto MAX_MODS (maximum modules in parallel) configuration
-T                Overwrite auto MAX_MOD_THREADS (maximum threads per module) configuration

Skip cve-search check during the firmware testing process

EMBA performs regular tests that the CVE-search environment is available and fully working. Sometimes this is not needed and can be disabled with the following command line options:

-j                No check for cve-search

This setting also speeds up the initial startup process. WARNING: If the cve-search environment is not fully working EMBA is not able to detect it. This could result in incomplete scanning results.

Password cracking wordlists

The module s109 uses the well known John the ripper password cracker in default mode. If you wish to use your own wordlist for attacking the identified password hashes you can place your list in config/jtr_wordlist.txt. The next time John is using your password list for cracking attacks.

Skipping an entire test phase

Sometimes you need to skip an entire scan phase like the s-phase or the f-phase. You can do this quite easy with specifying a module that does not exist.

The following EMBA call will skip all s-modules but executes the pre-checkers and the finishing modules:

sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m s199

The following EMBA call will skip all finishing modules:

sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m f199