// the find
e-m-b-a/emba
EMBA - The firmware security analyzer
EMBA is a full-pipeline firmware security scanner for embedded Linux devices, covering extraction, static analysis, dynamic emulation, SBOM generation, and HTML report output. It's aimed at pentesters and product security teams who need to audit router, IoT, or ICS firmware images without building their own toolchain. Backed by Siemens Energy, it has genuine production use behind it.
The binary version identifier database is the real asset here — hundreds of JSON fingerprint files covering everything from busybox to log4j-core to MikroTik RouterOS. That's years of accumulated IoT-specific knowledge you'd otherwise build by hand. The CI/CD setup is unusually disciplined for a Shell project: automated Metasploit, Routersploit, and CISA known-exploited-vulns data pulls via GitHub Actions keep the detection data fresh without manual intervention. System emulation for dynamic analysis is rare in open-source firmware tooling — most tools stop at static analysis. The SBOM output as a first-class feature (separate scan profile, dedicated wiki) matters now that regulators are starting to require it.
It's Bash all the way down — the FLOSS Weekly episode title 'Layers Upon Layers Of Bash' is not ironic. That means poor testability, no type safety, subtle quoting bugs in edge-case firmware paths, and performance ceilings that will hurt on large firmware images. Every quick-start command requires `sudo`, which is an odd posture for a security tool running on analyst workstations — the attack surface of the installer script alone deserves scrutiny. The dependency footprint is large and Linux-only; you're essentially installing a Kali environment or running Docker, which limits CI integration. There's no library or programmatic API — it generates HTML reports for humans, not structured output for downstream tooling, so plugging it into an automated build pipeline requires screen-scraping your own security scanner.