e-m-b-a / emba

EMBA - The firmware security analyzer
https://www.securefirmware.de
GNU General Public License v3.0
2.7k stars 234 forks source link

Improve our interesting firmware collection #897

Closed m-1-k-3 closed 3 weeks ago

m-1-k-3 commented 12 months ago

Is your feature request related to a problem? Please describe.

We are always looking for interesting firmware for testing and improving EMBA. This could be:

brainstorm commented 12 months ago

What about VxWorks on SuperH4? How much does EMBA unfold vs manual analysis?:

https://blogs.nopcode.org/brainstorm/anritsu-ms2721b-spectrum-analyzer/

;)

m-1-k-3 commented 12 months ago

@brainstorm do you have already some experience and results of binaryanalysis-ng

brainstorm commented 12 months ago

@m-1-k-3 Back then BANG did not find much, so I resorted to manual analysis in the second part of that article:

https://blogs.nopcode.org/brainstorm/anritsu-ms2721b-spectrum-analyzer-repair-part-2/

I doubt binaryanalysis-ng would find much nowadays either... VxHunter on the other hand found a boatload of very useful stuff (resolving functions and offsets) and nowadays it is integrated in Ghidra as "VxWorks" plugin, which I assume is based on VxHunter.

github-actions[bot] commented 11 months ago

This issue is stale because it has been open for 28 days with no activity.

floyd-fuh commented 9 months ago

It would be very nice if EMBA would support so-called bare-metal firmware, see https://www.youtube.com/watch?v=q4CxE5P6RUE for an explanation. At least in a first iteration it would be nice if the code detects bare-metal firmware and then activates/deactivates certain modules, informs the user, etc.

E.g. hardware running https://www.zephyrproject.org/

m-1-k-3 commented 9 months ago

Could you give me some more details on what you would expect from this identfication. Probably S03 is already doing parts of your needs.

See https://github.com/e-m-b-a/emba/blob/7d00a3763d5376a6dc6a9693509f33e8cb1b3ab8/modules/S03_firmware_bin_base_analyzer.sh#L80

and https://github.com/e-m-b-a/emba/blob/7d00a3763d5376a6dc6a9693509f33e8cb1b3ab8/modules/S03_firmware_bin_base_analyzer.sh#L49

Is this already the identification you are expecting. Additionally, EMBA tries to identify UEFI firmware in module P35 which gets further analysed in module s02

Further details are also available in the wiki https://github.com/e-m-b-a/emba/wiki/OS-support#vxworks-based-firmware / https://github.com/e-m-b-a/emba/wiki/OS-support#uefi-firmware

floyd-fuh commented 9 months ago

Maybe it's just that Zephyr (strings like "Booting Zephyr OS build v3.2.99") is not in that list?

I just think that it very much depends on the chip on those systems on how the firmware would need to be analysed but I also understand that emulating and supporting all the chips out here is a hard task (but maybe worth a try)

m-1-k-3 commented 9 months ago

If you have already automated some tasks that we can start including into EMBA it would be great.

The Zephyr strings can be introduced into the S03 module and in the version detection configuration file here. Could you provided a testing firmware and a PR with the updates on the basic Zephyr integration?

floyd-fuh commented 9 months ago

While EMBA detects that a large VMDK file is scanned, it would be nice if it could also do some optimisations to make the scan end. At least for my configuration the scan of the following VMDK image lead to 2 OOM-kill (killing the entire Kali VM) after ~ 10 hours each when it had only 8GB of RAM, and a complete Kali VM freeze when it had 16GB memory (and more CPU) after ~15 hours:

https://www.infoblox.com/product-evaluation-portal-ddi/

Maybe something to add to your list of interesting firmwares, would be interesting to know if you were able to scan it successfully with a more powerful machine.

m-1-k-3 commented 9 months ago

Big images could cause issues if your host does not have enough power. What you could do is

m-1-k-3 commented 9 months ago

@floyd-fuh 16cores and 32gig of RAM finished the infoblox in 5h 35mins with the default profile.

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 28 days with no activity.

lalit97-98 commented 5 months ago

Hi Team, I've been using EMBA for couple of days it's been good experience till. Just a request can you add something where I can continue scanning from failed firmware test. the issue is sometimes it takes lot of time to complete the test and if it fails to complete then i have to restart the same process again...

m-1-k-3 commented 5 months ago

Hi @lalit97-98,

good to have you here. Could you please check this discussion. I think we fixed the main restart issues a while ago. Nevertheless, please keep in mind that this feature is in a very early state and not tested in detail. Feedback is always welcome.

lalit97-98 commented 5 months ago

Hi michael , my question is yesterday I started firmware Analysis using emba , and due to an issue it failed to complete after 6 hours. So can i continue from where it failed ?

On Fri, 31 May, 2024, 7:30 pm Michael Messner, @.***> wrote:

Hi @lalit97-98 https://github.com/lalit97-98,

good to have you here. Could you please check this discussion https://github.com/e-m-b-a/emba/discussions/1073#discussioncomment-8676998. I think we fixed the main restart issues a while ago. Nevertheless, please keep in mind that this feature is in a very early state and not tested in detail. Feedback is always welcome.

— Reply to this email directly, view it on GitHub https://github.com/e-m-b-a/emba/issues/897#issuecomment-2142250980, or unsubscribe https://github.com/notifications/unsubscribe-auth/ARQH2QRKW3MIM3KPO4FAPBLZFB7BLAVCNFSM6AAAAAA7SVO4MKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBSGI2TAOJYGA . You are receiving this because you were mentioned.Message ID: @.***>

m-1-k-3 commented 5 months ago

sure ... it should be possible to restart a scan and only execute the modules that were not already finished

lalit97-98 commented 5 months ago

Ok, thanks.

On Fri, 31 May, 2024, 11:52 pm Michael Messner, @.***> wrote:

sure ... it should be possible to restart a scan and only execute the modules that were not already finished

— Reply to this email directly, view it on GitHub https://github.com/e-m-b-a/emba/issues/897#issuecomment-2142771752, or unsubscribe https://github.com/notifications/unsubscribe-auth/ARQH2QUBLV4W5TWMLKAJXADZFC5WBAVCNFSM6AAAAAA7SVO4MKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBSG43TCNZVGI . You are receiving this because you were mentioned.Message ID: @.***>

github-actions[bot] commented 4 months ago

This issue is stale because it has been open for 28 days with no activity.