Emba – An Analyzer For Linux-based Firmware Of Embedded Devices

emba is being developed as a firmware scanner that analyses already-extracted Linux-based firmware images. It should help you to identify and focus on the interesting areas of a huge firmware image. Although emba is optimized for offline firmware images, it can test both, live systems and extracted images. Additionally, it can also analyze kernel configurations. emba is designed to assist a penetration tester. It is not designed as a standalone tool without human interaction. emba is designed to give as much information as possible about the firmware. The tester can decide on the areas to focus on and is always responsible for verifying and interpreting the results.

How to use it?

Before starting, check that all dependencies are met and use the installer.sh script: ./emba.sh -d or ./emba.sh -d -F

Arguments:

Test firmware / live system
-a [MIPS] Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC]-A [MIPS] Force Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (disable architecture check)
-l [./path] Log path
-f [./path] Firmware path
-e [./path] Exclude paths from testing (multiple usage possible)
-m [MODULE_NO.] Test only with set modules [e.g. -m p05 -m s10 ... ]](multiple usage possible, case insensitive, final modules aren't selectable, if firmware isn't a binary, the p modules won't run)
-c Enable cwe-checker
-g Create grep-able log file in [log_path]/fw_grep.log
Schematic: MESSAGE_TYPE;MODULE_NUMBER;SUB_MODULE_NUMBER;MESSAGE
-E Enable automated qemu emulation tests (WARNING this module could harm your host!)

Dependency check
-d Only check dependencies
-F Check dependencies but ignore errors

Special tests
-k [./config] Kernel config path

Modify output
-s Print only relative paths
-z Add ANSI color codes to log

Help
-h Print this help message

Docker Container

There is a simple docker-compose setup added which allows you to do everything outside use the cwe-checker

To run it simply do the following:

Build it:

docker-compose build emba

Run it:

FIRMWARE=/absolute/path/to/firmware LOG=/home/n/firmware_log/ docker-compose run emba

This will drop you a shell in the folder where emba has been added. The firmware is located at /firmware/ and the log directory at /log/

./emba.sh -l /log/ -f /firmware/

Examples

Static firmware testing:

  • Extract the firmware from an update file or from flash storage with binwalk or something else
  • Execute emba with set parameters, e.g.

sudo ./emba.sh -l ./logs/arm_test -f ./firmware/arm_firmware/

  • Path for logs and firmware path are necessary for testing successfully (WARNING: emba needs some free disk space for logging)
  • Architecture will be detected automatically; you can overwrite it with -a [ARCH]
  • Use -A [ARCH] if you don’t want to use auto detection for architecture
  • emba currently supports the following architectures: MIPS, ARM, PPC, x86 and x64

Live testing:

For testing live system with emba run it as if you were testing static firmware, but with / as firmware path:

sudo ./emba.sh -l ./logs/local_test -f /

  • Path for logs and firmware path are necessary for testing successfully
  • Architecture will be detected automatically; you can overwrite it with -a [ARCH]
  • Use -A [ARCH] if you don’t want to use auto detection for architecture
  • The paths /proc and /sys will be automatically excluded
  • It improves output and performance, if you exclude docker
    -e /var/lib/docker

Test kernel config:

Test only a kernel configuration with the kernel checker of checksec:

sudo ./emba.sh -l ./logs/kernel_conf -k ./kernel.config

  • If you add -f ./firmware/x86_firmware/, it will ignore -k and search for a kernel config inside the firmware

Good to know:

Dependencies

emba uses multiple other tools and components.

For using emba with all features, you will need following tools on your Kali Linux:

  • readelf
  • find
  • grep
  • modinfo
  • realpath
  • sed
  • cut
  • sort
  • basename
  • strings
  • Option: tree
  • Option: shellcheck
  • Option: docker
  • Option: yara
  • Option: qemu static user mode emulators
  • Option: binwalk

To check these dependencies, only run sudo ./emba.sh -d

For installation of all needed dependencies, run sudo ./installer.sh

Structure

├── installer.sh

-> Tries to install all needed dependencies. Internet access for downloading is required.

  • Afterwards no Internet access is needed
├── check_project.sh

-> Check full project with all subdirectories with shellchecker

  • Install it on your system (Kali) with apt-get install shellcheck
├── emba.sh

-> Main script of this project

├── config

-> Configuration files for different modules with file names, regular expressions or paths. These files are very handy, easy to use and they also keep the modules clean.

├── external

-> All tools and files which are from other projects and necessary for emba

├── helpers

-> Some scripts for stuff like pretty formatting on your terminal or path handling

└── modules

-> The stars of the project – every module is an own file and will be called by emba.

External tools in directory ‘external’

  • ./yara
    • yara rule files – add your own rules here
  • ./checksec
  • ./linux-exploit-suggester.sh
  • ./objdump with all architectures enabled
  • ./allitems.csv

How to write own modules?

Look here – read this file, copy and modify it. Add your main function, where module_log_init and module_title are been called to the emba script. That’s it. Or if you only want to run a single command: Add your command to user_check and uncomment user_check in the emba script.


Source: KitPloit

Leave a Reply