Tweak your scan
EMBA includes multiple configuration possibilities to tweak your firmware analysis procedure. In the following article we try to summarize some of them.
To access the Internet from the Quest container (used by the AI modules), EMBA needs an Internet connection. If you normally configure the relevant http(s)_proxy environment variables in your own environment, you can now start EMBA with sudo -E ./emba ...: EMBA will then automatically detect your proxy settings and configure them in the relevant container.
During the dependency check EMBA tries to reach a dedicated GitHub repository to get the current version details for the following components:
- Latest EMBA release version
- Latest EMBA GitHub short hash
- Latest EMBA NVD database GitHub short hash
- Latest EMBA container hash
This is quite cool to get an automatic note as soon as there are updates available.
If EMBA has no Internet connection these checks can't be performed and you need to check your installation manually. It is also possible to disable these checks in the following way:
NO_UPDATE_CHECK=1 sudo -E ./emba <further EMBA parameters>
Some modules run for quite a long time and/or produce so much data that you probably do not want to run them. EMBA lets you blacklist modules in the file ./config/module_blacklist.txt. To blacklist a module just add the basename of the module (without the file ending .sh) to the configuration file. This could result in the following settings:
┌──(m1k3㉿emba)-[~/github-repos/emba_forked]
└─$ cat config/module_blacklist.txt
S110_yara_check
S99_grepit
To verify the new settings you can start a new EMBA scan. In the main log file (emba.log) the following entries are shown:
Note: Blacklisting of pre-checker modules is currently not supported and will result in unexpected behavior.
The EMBA profile scan-profiles/example-disable-module.emba shows a quick and easy way to disable modules with scan profiles. The main idea is to just build the MODULE_BLACKLIST array in the scan profile:
export MODULE_BLACKLIST=( "S99_grepit" "S110_yara_check" )
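Since the blacklist file and the MODULE_BLACKLIST array both take bare module basenames, and blacklisting pre-checker modules is unsupported, a small sanity check before starting a scan saves a confusing run. The following is an added example, not part of EMBA: it checks a constructed module_blacklist.txt for entries that still carry the .sh ending and for pre-checker modules. It assumes EMBA module names start with P (pre-checker), S (scan) or F (finishing) followed by digits, as in S110_yara_check; the sample file content is constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not EMBA's own code): sanity-check a module blacklist before a scan.
# Assumption: module basenames look like P02_..., S110_... or F50_... (P = pre-checker,
# S = scan, F = finishing). Entries must be given without the ".sh" file ending.

# Constructed sample blacklist, written to a temp file so the example runs offline.
SAMPLE_BLACKLIST="$(mktemp)"
cat > "$SAMPLE_BLACKLIST" <<'EOF'
S110_yara_check
S99_grepit
# comments and blank lines are ignored by this checker

S108_stacs_password_search.sh
P02_firmware_bin_file_check
EOF

# check_blacklist_entry NAME -> prints "ok", "warn-suffix", "warn-prechecker" or
# "warn-unknown"; returns 0 only for "ok".
check_blacklist_entry() {
  entry="$1"
  case "$entry" in
    *.sh)
      echo "warn-suffix"        # EMBA expects the basename without the .sh ending
      return 1 ;;
    P[0-9]*_*)
      echo "warn-prechecker"    # blacklisting pre-checker modules is unsupported
      return 1 ;;
    [SF][0-9]*_*)
      echo "ok"
      return 0 ;;
    *)
      echo "warn-unknown"       # does not look like an EMBA module basename
      return 1 ;;
  esac
}

# check_blacklist_file FILE -> prints one "STATUS NAME" line per entry and
# returns the number of problematic entries as its exit status.
check_blacklist_file() {
  file="$1"
  problems=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                                  # drop trailing comments
    line="$(printf '%s\n' "$line" | tr -d '[:space:]')" # drop whitespace
    [ -z "$line" ] && continue
    status="$(check_blacklist_entry "$line")" || problems=$((problems + 1))
    printf '%s %s\n' "$status" "$line"
  done < "$file"
  return "$problems"
}

# Demo run over the constructed file; prints the per-entry status and a summary.
check_blacklist_file "$SAMPLE_BLACKLIST" || echo "found $? problematic entries"
```

Run it once before a long scan; the same check can be applied to the names listed in a scan profile's MODULE_BLACKLIST array by passing them one by one to check_blacklist_entry.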
For blacklisting or whitelisting CVEs, see config/cve-blacklist.txt and config/cve-whitelist.txt.
EMBA tries to automatically identify how many cores your host has and calculates the maximum number of modules running in parallel and the maximum number of threads (within a module) running in parallel. The identified settings are shown at the beginning of a firmware test:
Especially if your system is running into resource issues, you can tweak these settings with the following command line options:
-P Overwrite auto MAX_MODS (maximum modules in parallel) configuration
-T Overwrite auto MAX_MOD_THREADS (maximum threads per module) configuration
The module s109 uses the well-known John the Ripper password cracker in default mode. If you wish to use your own wordlist for attacking the identified password hashes, place your list in config/jtr_wordlist.txt. From the next scan on, John uses your wordlist for the cracking attempts.
Sometimes you need to skip an entire scan phase like the s-phase or the f-phase. You can do this quite easily by specifying a module that does not exist.
The following EMBA call will skip all s-modules but executes the pre-checkers and the finishing modules:
sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m s199
The following EMBA call will skip all finishing modules:
sudo ./emba -f ~/firmware.bin -l ~/log_dir -p ./scan-profiles/default-scan.emba -m f199
From EMBA version 1.4.0 onwards the status bar is enabled in most of the pre-shipped scan profiles.
The silent mode and the status bar can be adjusted with the following two variables in your favorite scan profile:
# enable silent mode and status bar
export DISABLE_STATUS_BAR=0
export SILENT=1
Adjust these variables (or remove them from the profile) to configure the silent mode and status bar to your needs.
EMBA usually shows you that she is thinking by printing a huge number of dots to the screen. To disable this way of showing you the love of EMBA, set the following option in your scan profile:
export DISABLE_DOTS=1
An example scan profile is available here.