
EMBA v2.0.0 - A brave new world of firmware analysis


@m-1-k-3 released this 16 Dec 10:59 · 122 commits to master since this release · a51d0cc

The last few weeks looked a bit quieter from the outside ... but cool things were going on in the background. Now it is time to share all the great things we have been working on ;)


In the early days of the EMBA firmware analysis environment one of our visions was a bit like the following:

EMBA should be an environment for fully automated detection and verification of known and unknown vulnerabilities in the product and firmware sector

The complete environment needs to be available as Open-Source, which allows you to be part of it. Everyone should be able to perform high-quality firmware security analysis, perform better IoT penetration tests, create the best SBOMs, and scale and optimize firmware security research in general. Additionally, everyone should be able to modify, integrate and adopt EMBA easily (btw. this is the reason why we decided to use Bash), improve EMBA and be part of EMBA as user, tester, developer, feedback giver, idea generator, bug hunter ... you get the idea of Open-Source ;)

Vulnerability analysis in the field of firmware is a complex task, but with EMBA we have built some quite solid tooling and strategies over the years. This would not be possible without all the other awesome Open-Source projects out there!

EMBA is standing on the shoulders of giants. EMBA is standing on your shoulders! Thank you!

We were always fascinated by the idea of automatically starting up the device during an EMBA analysis in a controlled emulated environment. This means that we are able to verify the already discovered results directly on the running firmware. We are not at the end of this journey yet, but it looks like this goal is not completely unrealistic anymore! In our opinion this release is a milestone on the way to our ultimate goal of vulnerability detection and verification.

The road to version 2.0.0 was very rough and bumpy. Over the last few months we tested, tested, tested, looked at emulation output and improved every little piece a little bit! The goal we had in mind was ...

Let's bring our system emulation engine to the next level

After months of testing, building kernels (shoutout to @HoxhaEndri), analyzing, fixing, refactoring, testing again and screaming multiple times we are now quite happy with the results! Enjoy the following benchmark results of some of our firmware test sets:

  • FirmAE corpus

The original FirmAE corpus was created somewhere before 2020, so today this corpus is quite outdated. Nevertheless, as the FirmAE project was already optimized to a 79% success rate (at least one network service available) on it, we were interested in whether we could further improve this high success rate. We took this corpus as an initial benchmark indicator to ensure our performance is not too bad. The following overview gives some insight into the results of all three system emulation frameworks: firmadyne, FirmAE and EMBA.

[image: emulation success rate on the FirmAE corpus - firmadyne 16%, FirmAE 79%, EMBA 95%]

firmadyne was the initial framework, and other environments like FirmAE and also EMBA were built around the same approach, but it reached only a 16% success rate. This means that in only 16% of the firmware tests firmadyne was able to bring the firmware automatically to a state where network services were reachable. FirmAE improved this to a 79% success rate. And now EMBA reaches a 95% success rate with at least one network service available. Altogether EMBA was able to identify more than 6000 network services on 1074 systems.


The Fraunhofer FKIE regularly publishes the so-called Home Router Security Report (check this report). We used these reports as inspiration and built several firmware test sets over time:

  • Firmware Testset 2020

A fresh, unoptimized firmware corpus gives a better idea of the real-world results of the different engines: neither firmadyne nor FirmAE was trained on this firmware corpus. This resulted in significantly lower success rates:

[image: emulation success rate on the 2020 test set - firmadyne 5%, FirmAE 30%, EMBA 87%]

The firmadyne success rate dropped to 5% (from 16% on the FirmAE corpus) and the FirmAE rate dropped to 30% (from 79% on the FirmAE corpus). In comparison, EMBA nearly tripled the FirmAE result and fully automatically emulated 87% of the firmware images to a state where at least one network service was available. In total EMBA detected more than 600 network services on 126 analyzed firmware images.

With the integration of the Dependency-Track API it is now also possible to transfer the generated SBOM automatically into your Dependency-Track instance and track all the vulnerabilities in a beautiful vulnerability and SBOM management tool:

[images: Dependency-Track screenshots of the uploaded EMBA SBOM]

This integration enhances your vulnerability handling and pentesting process massively and shows the flexibility of EMBA.
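As an added illustration of what such an upload looks like on the wire (this is example code written for these notes against the public Dependency-Track REST API, not EMBA's own Bash integration), the following script validates a CycloneDX JSON SBOM, sends it with PUT /api/v1/bom and then polls GET /api/v1/bom/token/{uuid} until Dependency-Track has finished processing it. The sample SBOM, the project name "router-firmware", the DT_API_KEY environment variable and the fake transport hooks (send, fetch) are assumptions of this example; the API key needs the BOM_UPLOAD permission, and PROJECT_CREATION_UPLOAD as well when autoCreate is used.

```python
"""Push a CycloneDX SBOM into Dependency-Track and wait until it is processed.

Added example against the public Dependency-Track REST API (PUT /api/v1/bom,
GET /api/v1/bom/token/{uuid}); this is not EMBA's own integration code.
Assumption: the API key comes from the DT_API_KEY environment variable and has
the BOM_UPLOAD permission (plus PROJECT_CREATION_UPLOAD when auto_create is set).
"""
import base64
import json
import os
import sys
import time
import urllib.request

# Constructed sample SBOM in the shape EMBA emits (CycloneDX JSON); the
# components are illustrative and not taken from a real firmware image.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "busybox", "version": "1.31.1",
         "purl": "pkg:generic/busybox@1.31.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
    ],
}).encode()


def validate_cyclonedx(bom_bytes):
    """Reject anything that is not a CycloneDX JSON document before it leaves the host."""
    try:
        bom = json.loads(bom_bytes)
    except ValueError as exc:
        raise ValueError(f"SBOM is not valid JSON: {exc}") from exc
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("bomFormat must be 'CycloneDX'")
    if "specVersion" not in bom:
        raise ValueError("specVersion is missing")
    if not isinstance(bom.get("components"), list):
        raise ValueError("components must be a list")
    return bom


def build_upload_request(base_url, api_key, bom_bytes, project_name, project_version,
                         auto_create=True):
    """Return (url, headers, body) for PUT /api/v1/bom; the BOM travels base64-encoded."""
    validate_cyclonedx(bom_bytes)
    payload = {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    return base_url.rstrip("/") + "/api/v1/bom", headers, json.dumps(payload).encode()


def _http_json(method, url, headers, body=None):
    """Minimal JSON round trip with urllib; the server's reply is parsed as JSON."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def upload_bom(base_url, api_key, bom_bytes, project_name, project_version, send=_http_json):
    """Upload the SBOM and return the processing token Dependency-Track hands back."""
    url, headers, body = build_upload_request(base_url, api_key, bom_bytes,
                                              project_name, project_version)
    reply = send("PUT", url, headers, body)
    token = reply.get("token")
    if not token:
        raise RuntimeError(f"upload accepted but no token returned: {reply}")
    return token


def wait_for_processing(base_url, api_key, token, timeout=120.0, interval=2.0, fetch=None):
    """Poll GET /api/v1/bom/token/{token}; True once processing finished, False on timeout."""
    if fetch is None:
        fetch = lambda url, headers: _http_json("GET", url, headers)
    url = f"{base_url.rstrip('/')}/api/v1/bom/token/{token}"
    headers = {"X-Api-Key": api_key}
    deadline = time.monotonic() + timeout
    while True:
        if not fetch(url, headers).get("processing", False):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # usage: DT_API_KEY=... python3 dt_upload.py https://dt.example.org EMBA_cyclonedx_sbom.json
    # The key is read from the environment so it never shows up in `ps` output.
    base, sbom_path = sys.argv[1], sys.argv[2]
    key = os.environ["DT_API_KEY"]
    with open(sbom_path, "rb") as fh:
        data = fh.read()
    tok = upload_bom(base, key, data, "router-firmware", "1.0")
    print("processed" if wait_for_processing(base, key, tok) else "timed out")
```

Use an https:// base URL; the X-Api-Key header is the only authentication on this endpoint, so over plain HTTP it is readable by anyone on the path. The validation step is deliberate: Dependency-Track accepts the upload before it parses the document, so a malformed SBOM only fails later in the processing job.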


  • Firmware Testset 2022

The test set of the year 2022 looked much like a repeat of the 2020 results. firmadyne got 2% of the tested firmware to a reachable network service, FirmAE improved on that with 16%, and EMBA climbed to 76%, this time with around 400 reachable network services on 121 analyzed firmware images:

[image: emulation success rate on the 2022 test set - firmadyne 2%, FirmAE 16%, EMBA 76%]


  • Firmware Testset 2024

On a more modern test set from 2024 the picture did not change much either. firmadyne now has only a 1% success rate, FirmAE improved its emulation results to 17%, and EMBA stays quite stable at 77%:

[image: emulation success rate on the 2024 test set - firmadyne 1%, FirmAE 17%, EMBA 77%]

These stable emulation results across a huge number of firmware images from different vendors, with different architectures and from different time periods highlight the magic of EMBA and give us a good base for further development.


Additionally, we want to take a look at the following highlights:

  • We have 7 new contributors! This is probably the most amazing thing in our release notes! Thanks for supporting EMBA with your effort!
  • EMBA got a new kernel for the system emulation engine. We moved away from the old 4.1 firmadyne/FirmAE based kernel to a much newer 4.14.336 LTS kernel <- This is a very big thing, and you need to clap now ;) (see #1575 by @HoxhaEndri and the kernel repo here)
  • Rocky Linux support by @jurrejelle <- Clap again
  • EMBA reached another milestone - 3000 GitHub stars and counting (if you like EMBA you should also give us a star!)
  • The EMBA book is available here
  • Copilot code-check results integrated - part 1 of many
  • Improved internal docker base image verification checks
  • We built a whole new testing environment in which we can run a huge number of EMBA tests in parallel <- This is so freaking cool. Good job @BenediktMKuehne
  • Improved SBOM generation with better Java support - see also #1765
  • Added Java decompilation and security analysis capabilities - see also #1828
  • Added integration of the Dependency-Track API to automatically upload and further process the generated SBOM - see also the wiki
  • The launcher is now available - see the Wiki for further details
  • Thanks to the great work of @gluesmith2021 we were able to switch to NVDv2. With this step we are hopefully well prepared for the near future. Check the great work here: ossf/cve-bin-tool#5265
  • We have a new web shop for EMBA merch here. Check it out and show your love for Open-Source firmware analysis with EMBA
  • So many new notes, videos, papers and blog posts deal with EMBA or use EMBA as a helper or benchmark tool somewhere on the Internet (with your ideas, your papers, using it and showing us where we fail, you make EMBA what it is!) - check the Wiki section
  • Finally, we had the joy of being part of the beautiful TROOPERS25 security conference. The recording of our talk "SBOMs the right way" is now available here

Besides your ongoing support with feedback, testing, working on issues and spreading EMBA, you can now also support EMBA as a sponsor.

Check it out here and start being an essential part of the future of EMBA.
Breaking News: Check also our new shop for EMBA merch here.



It is always a pleasure to welcome new contributors to EMBA. This time we welcome:

Besides all our newcomers we also want to thank our other, regular contributors!


We have never before had so many bug reports, contributors and helping hands! Big kudos to all of you!


How can you reach us and stay up to date? Just take one of these channels (or all):


Now, start your fresh Kali Linux (give it enough CPU power and RAM) and install EMBA:

└─$ git clone https://github.com/e-m-b-a/emba.git
└─$ cd emba 
└─$ sudo ./installer.sh -d

This installs all prerequisites, including the docker base image and the CVE database, which needs some bandwidth, hard-drive space and time.

Afterwards, you are ready to analyse your first firmware with EMBA:

└─$ sudo ./emba -l ~/log -f ~/firmware -p ./scan-profiles/quick-scan.emba

For updating your outdated EMBA installation, please check the update section in our wiki.


What's Changed

  • bump version in docker-compose by @m-1-k-3 in #1509
  • trivy workflow exception update by @m-1-k-3 in #1510
  • update sbom scanning profiles by @m-1-k-3 in #1511
  • Linux kernel version database update by @github-actions[bot] in #1513
  • Metasploit database update by @github-actions[bot] in #1514
  • CISA known exploited database update by @github-actions[bot] in #1515
  • Architecture detection improvements by @m-1-k-3 in #1512
  • Snyk database update by @github-actions[bot] in #1516
  • fix max_pid_protection calls by @m-1-k-3 in #1517
  • SBOM module for apk_pkg_mgmt_parser by @m-1-k-3 in #1518
  • Multiple little fixes to improve F17, F50, S18, S25 by @m-1-k-3 in #1520
  • l35 helper fix by @m-1-k-3 in #1522
  • Improve installer warning on missing docker installation by @m-1-k-3 in #1523
  • fix installer by @m-1-k-3 in #1524
  • Snyk database update by @github-actions[bot] in #1529
  • Quick version identifier update by @github-actions[bot] in #1528
  • CISA known exploited database update by @github-actions[bot] in #1527
  • Metasploit database update by @github-actions[bot] in #1526
  • Linux kernel version database update by @github-actions[bot] in #1525
  • fix IL15 for latest Kali installation by @m-1-k-3 in #1533
  • Update dep check to warn if the cve-db from docker container will be used by @m-1-k-3 in #1534
  • Linux kernel version database update by @github-actions[bot] in #1535
  • Metasploit database update by @github-actions[bot] in #1536
  • CISA known exploited database update by @github-actions[bot] in #1537
  • Snyk database update by @github-actions[bot] in #1538
  • optimize I05_emba_docker_image_dl.sh by @waiwai24 in #1532
  • S08 debian package management update by @m-1-k-3 in #1540
  • System emulation updates by @m-1-k-3 in #1530
  • L10: improve service handling by @m-1-k-3 in #1541
  • Exe extraction improvements by @m-1-k-3 in #1542
  • Metasploit database update by @github-actions[bot] in #1543
  • CISA known exploited database update by @github-actions[bot] in #1544
  • Snyk database update by @github-actions[bot] in #1545
  • Speedup pre-checking phase by @m-1-k-3 in #1546
  • find and fix unprintable characters by @m-1-k-3 in #1547
  • Snyk database update by @github-actions[bot] in #1552
  • Metasploit database update by @github-actions[bot] in #1551
  • Linux kernel version database update by @github-actions[bot] in #1550
  • CISA known exploited database update by @github-actions[bot] in #1549
  • P50 p55 emulation switch by @m-1-k-3 in #1548
  • Revert handling of additional ip address by @m-1-k-3 in #1553
  • update uml-utilities.deb by @m-1-k-3 in #1554
  • Snyk database update by @github-actions[bot] in #1559
  • Metasploit database update by @github-actions[bot] in #1558
  • Linux kernel version database update by @github-actions[bot] in #1557
  • CISA known exploited database update by @github-actions[bot] in #1556
  • update CONTRIBUTING.md by @m-1-k-3 in #1560
  • remove hardcoded linux kernel version by @HoxhaEndri in #1561
  • Metasploit database update by @github-actions[bot] in #1567
  • Linux kernel version database update by @github-actions[bot] in #1566
  • GCC version database update by @github-actions[bot] in #1565
  • CISA known exploited database update by @github-actions[bot] in #1564
  • Snyk database update by @github-actions[bot] in #1568
  • JSON bin version identifier migration by @m-1-k-3 in #1562
  • migrate further modules to json config by @m-1-k-3 in #1569
  • Improve CVE detection by @m-1-k-3 in #1570
  • CISA known exploited database update by @github-actions[bot] in #1571
  • Snyk database update by @github-actions[bot] in #1574
  • Linux kernel version database update by @github-actions[bot] in #1572
  • Metasploit database update by @github-actions[bot] in #1573
  • Migration of modules S24 and L15 to improved architecture by @m-1-k-3 in #1576
  • Metasploit database update by @github-actions[bot] in #1581
  • Linux kernel version database update by @github-actions[bot] in #1580
  • CISA known exploited database update by @github-actions[bot] in #1579
  • Snyk database update by @github-actions[bot] in #1582
  • payload dumper installation fix by @HoxhaEndri in #1583
  • Linux Kernel v4.14.336 for system emulation environment by @HoxhaEndri in #1575
  • Update docker-compose.yml by @m-1-k-3 in #1584
  • S25 improvements + fixes by @m-1-k-3 in #1578
  • Deeper extractor update by @m-1-k-3 in #1587
  • Snyk database update by @github-actions[bot] in #1588
  • System emulation updates / Speedup S09 by @m-1-k-3 in #1586
  • Improve sorting of L10 configs by @m-1-k-3 in #1590
  • Snyk database update by @github-actions[bot] in #1596
  • Metasploit database update by @github-actions[bot] in #1595
  • Linux kernel version database update by @github-actions[bot] in #1594
  • GCC version database update by @github-actions[bot] in #1593
  • CISA known exploited database update by @github-actions[bot] in #1592
  • CISA known exploited database update by @github-actions[bot] in #1597
  • Linux kernel version database update by @github-actions[bot] in #1598
  • Metasploit database update by @github-actions[bot] in #1599
  • Snyk database update by @github-actions[bot] in #1600
  • Metasploit database update by @github-actions[bot] in #1604
  • Linux kernel version database update by @github-actions[bot] in #1603
  • GCC version database update by @github-actions[bot] in #1602
  • CISA known exploited database update by @github-actions[bot] in #1601
  • Snyk database update by @github-actions[bot] in #1605
  • System emulation updates by @m-1-k-3 in #1591
  • links, installer updates by @m-1-k-3 in #1606
  • Snyk database update by @github-actions[bot] in #1613
  • Metasploit database update by @github-actions[bot] in #1612
  • Linux kernel version database update by @github-actions[bot] in #1611
  • CISA known exploited database update by @github-actions[bot] in #1610
  • copy_and_link helper function, improve logging, little bug fixes by @m-1-k-3 in #1608
  • improve s24 kernel handling by @m-1-k-3 in #1616
  • Copilot review integration by @m-1-k-3 in #1617
  • make s26 environment work again by @m-1-k-3 in #1618
  • Linux kernel version database update by @github-actions[bot] in #1620
  • Metasploit database update by @github-actions[bot] in #1621
  • CISA known exploited database update by @github-actions[bot] in #1619
  • Snyk database update by @github-actions[bot] in #1622
  • Issue1614/feature request reuse existing SBOM for CVE rechecking without full rescan by @Jeff-Rowell in #1615
  • Copilot cleanup #2 by @m-1-k-3 in #1623
  • Snyk database update by @github-actions[bot] in #1627
  • Metasploit database update by @github-actions[bot] in #1626
  • Linux kernel version database update by @github-actions[bot] in #1625
  • CISA known exploited database update by @github-actions[bot] in #1624
  • another cleanup round with copilot by @m-1-k-3 in #1628
  • Quick updates by @m-1-k-3 in #1630
  • Quick updates by @m-1-k-3 in #1631
  • style by @m-1-k-3 in #1632
  • Quick updates by @m-1-k-3 in #1633
  • reference by @m-1-k-3 in #1634
  • style by @m-1-k-3 in #1635
  • cleanup, migrate wc by @m-1-k-3 in #1636
  • Check_project - fast mode by @m-1-k-3 in #1637
  • Fixes everywhere by @m-1-k-3 in #1639
  • CISA known exploited database update by @github-actions[bot] in #1640
  • Linux kernel version database update by @github-actions[bot] in #1641
  • Metasploit database update by @github-actions[bot] in #1642
  • Snyk database update by @github-actions[bot] in #1643
  • fix ambiguous redirect / Installer updates by @m-1-k-3 in #1644
  • CISA known exploited database update by @github-actions[bot] in #1645
  • GCC version database update by @github-actions[bot] in #1646
  • Linux kernel version database update by @github-actions[bot] in #1647
  • Metasploit database update by @github-actions[bot] in #1648
  • Snyk database update by @github-actions[bot] in #1649
  • Fix L10 init entries by @m-1-k-3 in #1650
  • Cleanup and Community projects by @m-1-k-3 in #1651
  • Snyk database update by @github-actions[bot] in #1656
  • Linux kernel version database update by @github-actions[bot] in #1654
  • CISA known exploited database update by @github-actions[bot] in #1653
  • Metasploit database update by @github-actions[bot] in #1655
  • Improve EMBA version in F50 module by @m-1-k-3 in #1652
  • Fix bug in S21 S23 S27 about csv path extraction by @starrysky1004 in #1659
  • Snyk database update by @github-actions[bot] in #1664
  • Metasploit database update by @github-actions[bot] in #1663
  • Linux kernel version database update by @github-actions[bot] in #1662
  • CISA known exploited database update by @github-actions[bot] in #1661
  • Basic Tricore architecture support by @m-1-k-3 in #1660
  • Fix #1666 / emulation updates by @m-1-k-3 in #1667
  • Objdump fix / s40 perm fix / emulation max restart by @m-1-k-3 in #1668
  • Improve s16, s17 modules by @m-1-k-3 in #1670
  • Introduce the EMBA launcher by @m-1-k-3 in #1669
  • Snyk database update by @github-actions[bot] in #1673
  • Linux kernel version database update by @github-actions[bot] in #1672
  • CISA known exploited database update by @github-actions[bot] in #1671
  • Bandit config / L10 qemu log check by @m-1-k-3 in #1674
  • cleanup by @m-1-k-3 in #1675
  • Fix: release files cfg typo for SuSE by @dennisliuu in #1677
  • Snyk database update by @github-actions[bot] in #1681
  • Metasploit database update by @github-actions[bot] in #1680
  • GCC version database update by @github-actions[bot] in #1679
  • CISA known exploited database update by @github-actions[bot] in #1678
  • Update README.md by @m-1-k-3 in #1683
  • Snyk database update by @github-actions[bot] in #1687
  • Metasploit database update by @github-actions[bot] in #1686
  • Linux kernel version database update by @github-actions[bot] in #1685
  • CISA known exploited database update by @github-actions[bot] in #1684
  • make s23 work again / L10 updates by @m-1-k-3 in #1676
  • Snyk database update by @github-actions[bot] in #1692
  • Metasploit database update by @github-actions[bot] in #1691
  • Linux kernel version database update by @github-actions[bot] in #1690
  • CISA known exploited database update by @github-actions[bot] in #1689
  • Bump lycheeverse/lychee-action from 1.8.0 to 2.0.2 in /.github/workflows by @dependabot[bot] in #1695
  • Snyk database update by @github-actions[bot] in #1700
  • Metasploit database update by @github-actions[bot] in #1699
  • Linux kernel version database update by @github-actions[bot] in #1698
  • CISA known exploited database update by @github-actions[bot] in #1697
  • Add latest news section to README by @m-1-k-3 in #1696
  • l10 - shift around and cleanup by @m-1-k-3 in #1688
  • fix #1694 by @m-1-k-3 in #1701
  • Metasploit database update by @github-actions[bot] in #1704
  • Linux kernel version database update by @github-actions[bot] in #1703
  • Snyk database update by @github-actions[bot] in #1705
  • CISA known exploited database update by @github-actions[bot] in #1702
  • Snyk database update by @github-actions[bot] in #1711
  • Metasploit database update by @github-actions[bot] in #1710
  • Linux kernel version database update by @github-actions[bot] in #1709
  • CISA known exploited database update by @github-actions[bot] in #1708
  • multiple fixes by @m-1-k-3 in #1707
  • Snyk database update by @github-actions[bot] in #1715
  • Metasploit database update by @github-actions[bot] in #1714
  • Linux kernel version database update by @github-actions[bot] in #1713
  • Add Rocky/RHEL/Alma/Redhat Linux support by @jurrejelle in #1712
  • Snyk database update by @github-actions[bot] in #1722
  • Metasploit database update by @github-actions[bot] in #1721
  • CISA known exploited database update by @github-actions[bot] in #1719
  • Linux kernel version database update by @github-actions[bot] in #1720
  • Emulation engine - improve runtime and sevice starter by @m-1-k-3 in #1716
  • Snyk database update by @github-actions[bot] in #1725
  • Linux kernel version database update by @github-actions[bot] in #1724
  • CISA known exploited database update by @github-actions[bot] in #1723
  • Bump docker base image by @m-1-k-3 in #1726
  • Make the default install workflow work again by @m-1-k-3 in #1727
  • Make workflows work again by @m-1-k-3 in #1728
  • L10 config prio adjustments by @m-1-k-3 in #1729
  • CISA known exploited database update by @github-actions[bot] in #1730
  • Linux kernel version database update by @github-actions[bot] in #1731
  • Metasploit database update by @github-actions[bot] in #1732
  • Snyk database update by @github-actions[bot] in #1733
  • Snyk database update by @github-actions[bot] in #1738
  • Linux kernel version database update by @github-actions[bot] in #1737
  • CISA known exploited database update by @github-actions[bot] in #1736
  • s22 fix and cleanup by @m-1-k-3 in #1739
  • fix multi_grep detection mechanism by @m-1-k-3 in #1741
  • Snyk database update by @github-actions[bot] in #1745
  • Metasploit database update by @github-actions[bot] in #1744
  • Linux kernel version database update by @github-actions[bot] in #1743
  • CISA known exploited database update by @github-actions[bot] in #1742
  • bump binutils by @m-1-k-3 in #1746
  • Improve system restarter for HNAP/UPnP module by @m-1-k-3 in #1747
  • improve upnp/hnap/jnap module by @m-1-k-3 in #1749
  • Snyk database update by @github-actions[bot] in #1753
  • Metasploit database update by @github-actions[bot] in #1752
  • Linux kernel version database update by @github-actions[bot] in #1751
  • CISA known exploited database update by @github-actions[bot] in #1750
  • fix nmap result copy by @m-1-k-3 in #1755
  • improve dnsmasq.json by @m-1-k-3 in #1756
  • fix upnp detection by @m-1-k-3 in #1757
  • remove weak file pattern by @m-1-k-3 in #1758
  • Snyk database update by @github-actions[bot] in #1762
  • Metasploit database update by @github-actions[bot] in #1761
  • CISA known exploited database update by @github-actions[bot] in #1760
  • s24 kernel detection improvementen by @m-1-k-3 in #1759
  • Bump docker base image by @m-1-k-3 in #1764
  • fix s16 by @m-1-k-3 in #1766
  • EMBA restart for firmware directories by @m-1-k-3 in #1767
  • fix #1774, #1773, #1772 by @m-1-k-3 in #1775
  • Add missing csv header fields to S12_binary_protection.sh by @jblu42 in #1777
  • Snyk database update by @github-actions[bot] in #1781
  • Metasploit database update by @github-actions[bot] in #1780
  • Linux kernel version database update by @github-actions[bot] in #1779
  • CISA known exploited database update by @github-actions[bot] in #1778
  • Improve package handling, fix #1765, #1771, 1782 by @m-1-k-3 in #1769
  • Axis detection by @m-1-k-3 in #1783
  • Dependency Track integration by @m-1-k-3 in #1784
  • Q20 - little fix by @m-1-k-3 in #1786
  • Snyk database update by @github-actions[bot] in #1790
  • Metasploit database update by @github-actions[bot] in #1789
  • CISA known exploited database update by @github-actions[bot] in #1787
  • GCC version database update by @github-actions[bot] in #1788
  • improve wolfSSL identifier by @m-1-k-3 in #1791
  • F14 - tag module integration by @m-1-k-3 in #1792
  • Update latest news section in README.md by @m-1-k-3 in #1798
  • big cleanup round by @m-1-k-3 in #1793
  • bug report template improvements, little fixes by @m-1-k-3 in #1799
  • Updating CONTRIBUTORS.md by @m-1-k-3 in #1800
  • Linux kernel version database update by @github-actions[bot] in #1802
  • CISA known exploited database update by @github-actions[bot] in #1801
  • Metasploit database update by @github-actions[bot] in #1803
  • Snyk database update by @github-actions[bot] in #1804
  • add VERSION.XML parsing to s08 by @m-1-k-3 in #1806
  • another cleanup round by @m-1-k-3 in #1807
  • fix: wrongly use '||' in L10_system_emulation.sh by @T1z1anXXX in #1810
  • v2.0.0 preparation by @m-1-k-3 in #1809
  • bump docker base image by @m-1-k-3 in #1811
  • Snyk database update by @github-actions[bot] in #1815
  • Metasploit database update by @github-actions[bot] in #1814
  • Linux kernel version database update by @github-actions[bot] in #1813
  • CISA known exploited database update by @github-actions[bot] in #1812
  • S17 log improvements by @m-1-k-3 in #1816
  • Next v2.0.0 cleanup by @m-1-k-3 in #1818
  • Crass update by @m-1-k-3 in #1821
  • Snyk database update by @github-actions[bot] in #1826
  • Metasploit database update by @github-actions[bot] in #1825
  • CISA known exploited database update by @github-actions[bot] in #1823
  • Linux kernel version database update by @github-actions[bot] in #1824
  • S28 module: Java decompiler and analyzer / fix p10, add vineflower by @m-1-k-3 in #1828
  • bump v2.0.0 by @m-1-k-3 in #1830

New Contributors

Full Changelog: v1.5.2-SBOM-next-generation-EMBA...v2.0.0-A-brave-new-world