
User mode Emulator

Michael Messner edited this page Jul 20, 2022 · 3 revisions

Warning: As this module executes unknown binaries, it is recommended to only use this module in the default (Docker) mode. Since it can be dangerous for your system, you need to enable it manually with the -E parameter.

Warning: EMBA needs root privileges for running in emulation mode.

The idea behind the emulator is to run the identified binaries with different command line options like -V, -v, --version, --help in a simple chroot environment. After the binary architecture has been identified, it is possible to choose the right qemu emulator. The binary is then run using the statically compiled qemu user-mode emulator in tracing mode (--strace). If the trace shows missing files, EMBA searches through the firmware filesystem and copies them to the missing location. If nothing is found, corresponding empty files are created. Finally, the binary gets executed in the chroot environment with the right emulator and the generated output is stored in a log file for further processing.
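The missing-file step described above, as an added example that is not EMBA's own code: a small POSIX shell function that takes the paths a qemu-user strace run reported as ENOENT, copies a same-named file from elsewhere in the firmware tree into the expected location, and otherwise creates an empty placeholder. The strace line format and the emulation root directory are assumptions.

```sh
#!/bin/sh
# Added example (not EMBA's own code). Resolve files reported missing by a
# qemu-user strace run inside an emulation root, the way the page describes.
#
# Usage: fix_missing_files <strace_log> <emulation_root>
# Prints one line per resolved path: "copied <path>" or "created <path>".

# Extract absolute paths from lines such as (assumed strace format):
#   open("/etc/nvram.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
#   openat(AT_FDCWD, "/var/run/x.pid", O_RDONLY) = -1 ENOENT (...)
missing_paths() {
  sed -n 's/^[^"]*"\([^"]*\)".*ENOENT.*$/\1/p' "$1" | grep '^/' | sort -u
}

fix_missing_files() {
  log="$1"
  root="$2"
  missing_paths "$log" | while IFS= read -r rel; do
    target="$root$rel"
    # Already present (e.g. created by an earlier run): nothing to do.
    [ -e "$target" ] && continue
    mkdir -p "$(dirname "$target")"
    # Look for a file with the same name anywhere else in the firmware tree.
    candidate=$(find "$root" -type f -name "$(basename "$rel")" | head -n 1)
    if [ -n "$candidate" ]; then
      cp "$candidate" "$target"
      echo "copied $rel"
    else
      # No source found: create an empty file so the next run gets further.
      : > "$target"
      echo "created $rel"
    fi
  done
}

if [ "$#" -eq 2 ]; then
  fix_missing_files "$1" "$2"
fi
```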

For example, the output of the binary busybox looks like the following:

With the version detection strings from config/bin_version_strings.cfg, it is possible to identify different binary versions from the generated log files:

Hint: If some version identification strings are missing, just add them to the config/bin_version_strings.cfg configuration file. The next time you run EMBA they will be identified correctly. Don't forget to then open a pull request with the new version identifier.

Typical problems:

  • Versions are not identified:
    Check the version configuration file (config/bin_version_strings.cfg) and include the needed version identifier.
  • Host reboots during emulation:
    Check the log file s115_usermode_emulator.txt for the last emulated process:
    [*] Initial strace run on the command XYZ to identify missing areas

    If the last line is something like the one shown above, then this binary probably reboots or crashes your host. Include this binary in the blacklist (config/emulation_blacklist.cfg). As an additional reminder, DO NOT run EMBA in developer mode (-D) if the user mode emulator (-E) is enabled.
  • A wrong emulation root directory is identified:
    On every emulation process, the identified root directory is shown with the following output:
    [*] Detected root path: /LOG_PATH/wrong-root-directory-identified
    [*] Running emulation processes in /LOG_PATH/wrong-root-directory-identified root path (1/1).
    
    If EMBA fails in the detection of the correct root directory, open an issue here.

Run EMBA with emulation mode activated:

sudo ./emba.sh -l ./logs_mips_router -f ../testimages/MIPS_router -E

To get even better results, just use one of the provided scan-profiles.

sudo ./emba.sh -l ./logs_mips_router -f ../testimages/MIPS_router -p ./scan-profiles/default-scan.emba