Group: Hardware/Strategies/ReverseEngineering
Contents
- 1 Introduction
- 1.1 How useful is the hardware for its users? (0 not really, 9 very)
- 1.2 How critical is the operation for its users? (0 not really, 9 very)
- 1.3 How often does the average user interact with the hardware? (0 rarely, 9 always)
- 1.4 How many freedom respecting devices are there that perform a similar function? (0 none, 9 many)
- 1.5 Is it a widely distributed hardware?
- 1.6 Is it the last step in completing the liberation of whole device(s)?
- 1.7 How long will it take? (0 fast, 9 long)
- 1.8 Is reverse engineering really needed?
- 1.9 Is it crucial?
- 2 Hardware and work list
- 3 Tools
- 4 Less important
Introduction
Hardware usually requires accompanying software to function, typically in the form of drivers or firmware. However, when this software is proprietary, the hardware becomes useless to the free world.
Occasionally, hardware documentation is available from the vendor. In these cases, it is a matter of writing the missing software according to the documentation. Sometimes the documentation is not available but has been leaked; whether or not this can be used as the base for free software drivers and firmware is a legal question outside the scope of this article.
On the other hand, when vendors refuse to provide documentation, the hardware must be reverse-engineered in order to be liberated, a mammoth task that should only be undertaken after careful consideration of different options.
Which hardware should be prioritized? This article proposes criteria and examples.
How useful is the hardware for its users? (0 not really, 9 very)
For instance, in Samsung mobile phones, the WiFi, GPS and Bluetooth drivers cannot operate without proprietary software. The WiFi driver is more useful than the Bluetooth driver, therefore it is preferable to direct effort towards having a freedom respecting firmware for the WiFi.
How critical is the operation for its users? (0 not really, 9 very)
All chips that could control personally identifiable information (wifi, bluetooth, bootloaders...) have higher priority than, for example, graphics acceleration chips, as long as the device can be used with that graphics chip disabled.
How often does the average user interact with the hardware? (0 rarely, 9 always)
For instance, Raspberry Pi is a development platform, not something that users carry around and interact with every day. High interaction devices include smartphones, e-readers, laptops, tablets, etc.
How many freedom respecting devices are there that perform a similar function? (0 none, 9 many)
For instance, we can run fully freedom respecting software stacks on some laptops. If users want to have a freedom respecting laptop, they should simply choose one of those. Therefore there is limited value in liberating new laptops. Of course, this could change if those already liberated become very expensive or hard to find. Also, one could choose to buy a Beaglebone Black instead of a Raspberry Pi. In contrast, there is no completely liberated e-reader.
Is it a widely distributed hardware?
For instance, millions of Raspberry Pi boards have been sold. A functional free software firmware for the VideoCore IV GPU they use would be beneficial to all existing users. Another example is the Samsung Galaxy SIII, which sold over 70 million units and can easily be bought second hand worldwide. A free software driver for the BCM4334 WiFi chip could enable new Replicant users.
Is it the last step in completing the liberation of whole device(s)?
For instance, consider the Allwinner A20 System on a Chip in the Olimex Lime2. If we can make it work with free software, all the hardware of that chip will become functional in the free world. All of the hardware in that single board computer will likewise become functional in the free world.
How long will it take? (0 fast, 9 long)
How much time such work can take depends on:
- How well the tasks at hand fit the skills of the people working on them. The various tasks can require very different skill sets.
- How much documentation there is and how much work there is to do.
- Whether making such software usable usually takes time. For instance, a GPU driver often needs quite some time to get down to a low enough number of bugs.
- In some cases, having access to debug hardware such as oscilloscopes and logic analyzers can speed things up by several orders of magnitude. That was the case with the port of a free software bootloader to the LG Optimus Black (P970).
Is reverse engineering really needed?
Sometimes reverse engineering might not be needed, as documentation might already exist, published either by the hardware manufacturer or by people who did some reverse engineering on the hardware. Thanks to that, it's often possible to help fix some of the freedom issues mentioned on this page without needing to do any reverse engineering.
Examples:
- The etna-viv project states: Nearly all of the reverse engineering work has been done, [...] However I don't have time nor will to do everything myself. This project needs developers that help with the Mesa driver for [...] I did my thing, now do yours. There is no point in waiting because whatever you want just won't happen out of itself.
Is it crucial?
This applies to hardware that does a job that is crucial for us to support. A job can be crucial even if only a few people need to do it.
For instance, making it possible to use a certain kind of hardware with free software, when no hardware of that kind works with free software, would apply here. Examples:
- Having very fast/powerful RYF certified computers would allow certain kinds of work to be done with free software, such as compiling huge quantities of software, like complete GNU/Linux distributions.
- Having the ability to use big FPGAs with free software would allow building SDRs, oscilloscopes and many other tools that would work with free software, enabling free software in new areas.
Hardware and work list
Hardware | Units | Last step |
---|---|---|
BCM4334 Wifi | >70M | No |
BCM4334 Bluetooth | >70M | No |
BCM43438 Wifi | >10M | No |
Vivante GPU | ? | No |
AMD/ATI GPU 2D support in linux-libre | ? | No |
WiFi/Bluetooth chips
Importance of WiFi chips for smartphones and tablets
We don't have WiFi chips for smartphones or tablets that work without nonfree firmwares.
Both the Openmoko Freerunner and the Purism Librem5 smartphones work without the need to load a firmware into the WiFi chip, as in both cases the firmware is provided on a separate flash chip that is directly connected to the WiFi chip.
Besides these two smartphones, we are not aware of other smartphones or tablets that don't require the distribution to load a nonfree firmware to make the WiFi work.
This is important because the most problematic issue on smartphones and tablets is the WiFi.
Even if a device manufacturer wants to design a device made to run 100% free software, the WiFi firmware will be the most problematic issue, as the other issues can be solved by picking the right chips:
- Systems on a chip compatible with a free software bootloader (such as many I.MX and AllWinner SOCs) do exist and can be bought for a long time in low quantity.
- Having the GPU work isn't strictly required: on most systems on a chip, it is not connected to the display and is only used to do 3D acceleration. Some systems on a chip even have separate 2D acceleration. Replicant and GNU/Linux don't require 3D acceleration to be usable. For some systems on a chip, the GPU works with only free software. Other systems on a chip lack either free firmware, or both a free driver and free firmware.
Once common devices capable of running a free software bootloader become usable, they would also have the exact same issue and also not require a working GPU as explained above.
Note that smartphones or tablets that are able to connect to GSM/CDMA networks have many privacy issues. Some are described by Replicant.
There are several approaches to fix the WiFi/Bluetooth issues:
- Write a free WiFi firmware for a WiFi chip used by some widely available smartphone(s) that are used by free software smartphone distributions such as Replicant. This probably also requires some reverse engineering work to understand how the chip works.
- Write a free WiFi firmware for a WiFi chip that can be bought by device manufacturers wanting to have no non-free software required to use their device. Extra care must be taken to choose WiFi chips that can be bought in low quantity and have a long lifetime, so that potential device manufacturers are actually able to buy and use such chips in the products they make.
- Make it easier to use external (USB) WiFi dongles that are known to work with free software (such as the ones compatible with the ath9k_htc driver) with smartphones that fit into one of the two categories above.
Importance of WiFi chips for laptops
Many laptops have restrictions in their boot software (BIOS, UEFI) that prevent users from changing the internal WiFi card. See Group:Hardware/Mini_PCIe_slot_restrictions_on_wireless_cards for more details and for workarounds.
Broadcom WiFi and Bluetooth
Broadcom WiFi chips can be found in laptops, smartphones, WiFi access points, etc.
Unfortunately very few are usable in freedom. So far OpenFWWF only supports the following chips:
- 4306
- 4311(rev1)
- 4318
- 4320
These chips are old and are usually available through:
- PC card / PCMCIA cards
- (m)PCI(e) cards
- Inside some Broadcom SOCs used in WiFi access points
More recent chips are not known to work with free software yet.
Some recent chips have ROMs inside, and the firmware is usually a patch to that ROM. So a way to make these chips work could be to check whether nexmon is fully free software and whether it can produce firmwares that don't depend on the nonfree firmware files and that can work with the free drivers. If that works, we could then package these firmwares in FSDG compliant distributions.
There are also some chips that don't even have free software drivers yet. In laptops (for example in the Macbook 6,2) the WiFi card isn't supported yet by the b43 and b43legacy drivers.
BCM4334 Wifi
The BCM4334 Single Chip IEEE 802.11 a/b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.0 + HS and FM Receiver is used in the Samsung Galaxy SIII, which sold over 70 million units. It can easily be purchased second hand worldwide. Reverse engineering would be very difficult. It would be very useful because it would enable Replicant. There are no ongoing reverse engineering projects for this chip.
BCM4334 Bluetooth
It is a part of the BCM4334 chip which also includes wifi, only it is less useful and the difficulty is unknown.
BCM43438 Wifi
The BCM43438 Single-Chip IEEE 802.11ac b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.1 and FM Receiver is used in the Raspberry Pi, which sold over 10 million units. The user base is large and could upgrade to a free software driver. Reverse engineering would be very difficult. Although the bootloader is free software, other hardware parts do not work without nonfree software. Since there is also an ethernet port, the availability of the wifi is not a blocker to operate the Raspberry Pi.
Intel WiFi
Intel WiFi cards are very popular in laptops, and have free software drivers. Unfortunately they are not usable in freedom as they lack a free software firmware.
Depending on the generation, they use different drivers:
System on Chip GPUs
Vivante
The Vivante GPU is used in the i.MX 6 SoC, in turn used by the Novena laptop. The Etnaviv project, which is reverse-engineering this chipset and implementing support in free software, is quite mature, likely ready for daily end-user use cases! There does not appear to be any non-free firmware associated with the GPU, unlike other GPUs such as Adreno.
The only other component of the i.MX6 that is unusable without proprietary software is the video processing unit (VPU), which requires proprietary firmware to function. This firmware can be avoided by instead decoding video in software, unfortunately with a performance and power cost.
Desktops and laptops GPUs
ATI/AMD GPUs are integrated in many laptop and desktop computers. Nvidia GPUs are also integrated in many laptops. Both are also available as separate GPU cards that can be plugged into a desktop computer.
AMD/ATI radeon GPU 2D support in linux-libre
When a given ATI/AMD GPU isn't supported by linux-libre, the computer is very close to unusable with FSDG compatible GNU/Linux distributions, as the Linux kernel will refuse to load the radeon driver and instead fall back on drivers such as the VESA driver, which has these drawbacks:
- It might not support the display native resolution (on netbooks, you might only have a 800x600 resolution instead of the native 1024x600, and several other choices)
- It won't support multiple monitors setups
- It will be really slow
It is however not the last step for this hardware as such GPUs require:
- non-free video-bios to initialize the display in libreboot or similar boot software
- non-free bytecode (called AtomBIOS) which is loaded from the video-bios to have the Linux driver initialize the card
- non-free firmware to get 3D acceleration and other functions working
Requirements:
- An AMD/ATI GPU supported by radeon but not by linux-libre
- The ability to compile and to run linux(-libre) kernel
Difficulty: It should be easy and fast, and there is even a tutorial on how to do it
AMD/ATI amdgpu GPU 2D support in linux-libre
This is more difficult than adding support for a radeon GPU in linux-libre, as it requires finding which functions to patch. Doing that requires some trial and error and the ability to read C code.
This doesn't require a good understanding of what the code does, but it requires understanding C well enough to see which function calls which function, or to modify the driver to add prints that reveal it.
Nvidia GPUs 3D acceleration firmware/microcode
Most Nvidia GPUs fall into one of these two categories:
- The GPU is too recent and the firmware is signed (and non-free), and because of that it cannot be replaced unless a bug is found in the hardware signature check
- The GPU firmware is unsigned and free software
However, there are still some GPUs with unsigned firmwares for which only non-free firmwares exist, such as the one in the Tegra K1 ARM SOC.
AMD/ATI 3D acceleration firmware/microcode
It is possible to use the radeon driver without nonfree firmwares for some GPUs. To do that, linux-libre is patched to no longer depend on the nonfree firmware, so some basic features work, like multi-display, and so on.
But without the (non-free) firmwares, 3D acceleration (and some other features like video decoding offload, OpenCL, etc.) doesn't work.
According to the Console Hacking 2016 talk, there is some documentation on archive.org on the PS4 Radeon GPU, and that documentation also applies to other radeon GPUs.
Fail0verflow also wrote a tool (radeon-tools) to use that information but that tool doesn't have a free license, so it might be best to start by finding the xml files the talk is talking about, and using that information to code another reverse engineering tool with similar features without ever looking at the radeon-tools code.
It might also be possible to implement the GPU ISA in some well known utilities like binutils, radare2, etc. In turn that could help people wanting to write free firmwares for AMD GPUs. But that won't help people if there is no documentation (in the form of a reverse engineering tool, web page, etc) on what the instructions really do.
AMD/ATI or Nvidia video BIOS and video BIOS bytecode
This would enable libreboot to support many desktop GPUs.
Devices with system on a chip and bootloaders freedom
Smartphones
Very few smartphones have unsigned bootloaders. It would be useful to make them usable with free software smartphones distributions such as Replicant.
LG Optimus Black (P970)
The LG Optimus Black has very basic support in upstream Linux and u-boot, but it is not enough to be usable under free software smartphone distributions such as Replicant.
To be usable it would require:
- To add better support in Linux (and optionally u-boot), and make more hardware peripherals work, such as the display.
- To add proper support for devices using an upstream Linux kernel in Replicant. That part of the work can also be shared with the GTA04 smartphone.
GTA04
Very few units were produced, and the production stopped due to manufacturing issues. It has a free software bootloader and a near-mainline Linux kernel.
It needs to be integrated in free software smartphone distributions such as Replicant, though the work can be shared with the LG Optimus Black.
Tablets
Many tablets have unsigned bootloaders. It would also be useful to make them usable with free software tablets distributions such as Replicant or GNU/Linux.
ARM computers
Some ARM computers can be used with only free software as they have a free software bootloader, usually U-Boot or coreboot.
To be useful, such computers also need to be able to run a free operating system. Unfortunately, choices are limited among fully-free software distributions.
Beside specialized distributions like LibreCMC or ProteanOS, for a general use case we have the following available:
- for 32-bit ARM (armhf), Parabola GNU/Linux-libre and GuixSD are the only options.
- for 64-bit ARM (arm64/aarch64), only GuixSD is available.
The issue is that Parabola and GuixSD are targeted towards users with a thorough understanding of system administration and a desire to configure their system manually. There is currently no fully free GNU/Linux distribution for ARM suitable for desktop use by non-technical users, which prevents non-technical users from being able to use ARM computers in freedom.
Porting user friendly distributions, like Trisquel or PureOS, would alleviate this issue.
Single board computers
Raspberry Pi bootloader
Background information
Millions of Raspberry Pi boards have been sold. Unfortunately, these boards contain a VideoCore system-on-chip, requiring a non-free boot firmware to so much as start up.
More background information on the topic can also be found in part of this article: The fact that the boot is nonfree enabled them to hide the fact that most of the system was controlled by the GPU which is running a nonfree OS and nonfree code.
History and status
A proof-of-concept free software bootloader existed at christinaa/rpi-open-firmware on Github, but at the time it was neither complete nor stable enough to make the device useful in freedom.
After that, the project was put on hold by its main developer.
Then new developers picked it up again, and that project now lives at librerpi/rpi-open-firmware on Github. As of December 2021, this can boot Linux on a Raspberry PI 2 or Raspberry PI 3, but the display controllers don't work, so it's not possible to get graphics on it.
To make it easier to work with, that project was redesigned into an overlay for the lk bootloader, and that new version is now at librerpi/lk-overlay on Github. With it, as of December 2021, it is possible to boot a Raspberry PI 2 to a full GUI desktop, but it's limited to a single core, and none of the hardware acceleration works.
Making it easy to reuse
The Raspberry PI 1 is ARMv6, so its CPU architecture is not compatible with any FSDG compliant distribution at the time of writing. See Group:Hardware/FSDG_distributions for more details.
The subsequent Raspberry PIs could work with one or more FSDG compliant distributions.
So to make all that hard work really useful, it would be worth packaging librerpi/lk-overlay in FSDG compliant distributions that support 32bit ARM (armv7h or armhf) or 64bit ARM (for the more recent Raspberry PIs).
CPU Microcode
Manufactured hardware often has flaws, which can sometimes be fixed by software or configuration data.
This also applies to CPUs, and flaws can remain undetected for a very long time, as with the Spectre and Meltdown issues. If unfixed, such bugs can potentially enable an attacker to remotely take control of computers through JavaScript.
Some CPU flaws are also often publicly documented in errata documents like this one for Core duo processors. Such flaws can usually be fixed either by:
- Having software workarounds, which is not always possible
- Microcode patches when the CPU supports microcode updates
Unfortunately microcode updates are non-free and often encrypted. It's also very problematic if the open source community relies on non-free microcode to fix the issues, so it's better either not to have the ability to do microcode updates, or to have free software microcode and microcode updates.
Some of the security issues like Spectre and Meltdown are mostly problematic when running software that is not under the user's control, as explained in the "Who's afraid of Spectre & Meltdown?" article, or presentation. However, not all issues are related to security.
Recently there was a breakthrough in this area: some people succeeded in documenting the AMD K8 and K10 microcode and the microcode update hardware mechanism, paving the road for free software microcode on such processors.
In addition, there is microcode without source code under a free license in older versions of Coreboot, so while technically this is not free software, the source code can probably be reconstructed from the binary and released under the same license.
Having free software microcode would not only make it possible to fix very serious security issues, but also to do things that weren't possible before, such as tracing instructions with very little performance impact.
The following mainboards are already supported by Libreboot and do support AMD K10 CPUs:
- ASUS KCMA-D8 motherboard
- ASUS KFSN4-DRE motherboard
- ASUS KGPE-D16 motherboard
So having free software microcode on such CPUs would make it possible to use computers with libreboot, while still having the latest security fixes.
Sound cards / chips
Some distributions ship nonfree firmwares for sound cards / chips: while the source code used to make these firmwares is free, the firmwares are signed and users cannot modify them because the sound chip enforces the signatures.
A way around this would be to have distributions build the firmwares for older hardware that doesn't enforce signatures. See the Group:Hardware/Components/Sound article for more details.
Fixing that would enable sound to work in FSDG compliant distributions. However most of the computers having these sound chips will probably also have nonfree boot software. Though it's possible that it will enable sound to work on some ARM computers that can boot with free software.
FPGAs
FPGAs are chips with reconfigurable gate patterns, allowing them to do anything a chip would do such as a WiFi or Ethernet chip, a GPU, a CPU, etc.
They are also often used in fields where no chip is available to do a given task, or where reconfigurability is really important, such as:
- Free software GSM towers
- Free software SSDs
- SDRs
- HDMI video overlay devices such as the NeTV or the NeTV2
It is also widely used in:
To do such things, one needs to write source code in one of the HDLs (hardware description languages) and use tools (synthesizers, routers), in a process resembling binary compilation, to produce a binary bitstream that the FPGA loads to reconfigure itself.
As of December 2018, only the following FPGA families are usable with free software:
- Lattice iCE40 FPGAs (through symbiflow and nextpnr): The chips in this family are tiny FPGAs (small number of gates). They can for instance be used to implement microcontrollers.
- Lattice ECP5 (through symbiflow and nextpnr): The chips in this family are normal/big FPGAs. They may for instance be used to implement a system on a chip capable of running GNU/Linux.
There is also some work in progress for the following FPGA families:
- Xilinx 7 series (through symbiflow and verilog to routing)
There is ongoing work to document and support and bitstreams within Symbiflow project which supersedes and includes all finished work from iCEStorm project.
The free software toolchain has also been packaged in Parabola.
See also:
- The ongoing work can be tracked at the project GitHub and in the "Current status" section on the symbiflow website (the ticks don't show up without Javascript, but they can be deduced by reading the html)
- A presentation on symbiflow at the 35c3 which summarises the status of software freedom for FPGAs in December 2018, along with gui
- The "Other FPGA reverse engineering projects" section at http://www.clifford.at/icestorm/
More recent x86 computers
- See the Group:Hardware/research/anti-freedom/Intel_Management_Engine article for more background on it.
- AMD has similar issues with the PSP. See also the Group:Hardware/research/anti-freedom/AMD_PSP page about PSP for more background on it.
Home servers
There are a lot of low power single board computers that can be used to make home servers. While most of them can be used with fully free software, there are still issues on that area.
Raspberry pi
See the section on the Raspberry Pi bootloader on this page.
WiFi
More and more Single Board Computers come with onboard WiFi chips. These are the same chips that are used in smartphones and tablets.
See the section about WiFi/Bluetooth chips for smartphones and tablets on this page for more details.
WiFi access point feature on Single Board Computers
There are several ways to connect a WiFi chip/card to a Single Board Computer:
- Through mini-PCI(e)
- Through USB
- Through other busses such as sdio, SPI, etc
While PCI-(express)/PC-card cards/chips that can work with only free software drivers do exist, such as:
- The ones compatible with the ath9k or ath5k driver
- Some chips compatible with the OpenFWWF firmware (which is compatible with the b43 driver)
mini-PCIe is rare among Single Board Computers because of:
- The lack of PCIe support from most system on a chip
- The increased complexity in designing a board with PCIe
On the other hand, USB is very widely available, but the drivers that can make USB chips/cards work with 100% free software suffer from some limitations that make some project(s) choose cards working with other WiFi drivers (which require non-free firmware to work). Quoting the Internet cube project:
Free Software version (limited to 7 simultaneous connections, multissid up to 2 AP): MOD-WIFI-AR9271-ANT Non Free Software version (multissid up to 8 AP) : MOD-WIFI-R5370-ANT
Some associations reselling such hardware, such as FDN, only sell it with the "non-free software version".
More details on the issue are available here. To fix it, some of the things done in the free software firmware have to be moved into the free software driver.
Tools
Hardware manufacturing
- Hardware manufacturing has become more and more accessible over the years. Some communities are even able to design projects over the Internet.
- It's now possible to easily design single board computers (for instance by using system on a chips that require minimal additional components to work).
- Being able to manufacture hardware gives us more leverage in component choices. This can enable us to make hardware that works with free software.
3D printers and CAD software
- CAD software is needed for the manufacture of several kinds of physical objects, such as plastic cases, which are often required when designing hardware.
- It may be strategic to make sure that hardware and software keep being fully free in 3D printers, in order to spread free software ideals outside of the software community. See the talk about Free software in the 3D-printing community at Libreplanet 2019 for more details about that.
PCB manufacturing and related software
- Free software tools like Kicad exist and it's possible to design complex PCBs with them.
FPGAs and chip design tools
FPGAs can be used to design chips, such as CPUs for instance. See FPGAs for more details.
Less important
Storage devices proprietary firmwares
Most storage devices have proprietary firmwares, this includes:
- Hard disk drives
- SSDs
- SD and microSD cards
- eMMC
Some don't have firmwares such as:
- NAND
- SPI flash
Several attempts to have free software firmwares exist:
- The OpenSSD Project, however their most recent platform uses an FPGA that depends on a non-free "compiler" to use, whereas their older platform doesn't. I didn't check if the older platform could be used with fully free software.
- A port of the Linux kernel to a hard disk
- There is also information on microSD firmwares from Andrew 'bunnie' Huang and an SSD firmware update procedure from Samsung
- For eMMC there is a presentation on the Galaxy SIII eMMC which includes information on how to reprogram its firmware.
- Some Single Board Computers that can run fully free software (with u-boot and Parabola) and that also have NAND chips, such as the A20-OLinuXIno-LIME2-n8GB, can with some software configuration be used as a USB mass storage device (for instance by loading the g_storage driver module).
Storage devices with non-free firmwares are a security concern because:
- They could hide data from the user
- The operating systems expect them to behave correctly: If they don't, they can attack the operating system by changing the programs (either before they are loaded, or right after their integrity has been checked, to have the operating system load a modified version).
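The second point is a time-of-check/time-of-use problem: an integrity check only protects the bytes that were actually hashed. The Python sketch below is an added example, not part of the original page; the device classes, the sample images and the function names are constructed for illustration and model the storage firmware as an object whose read() may answer differently each time.

```python
import hashlib

# Constructed sample data: the program the user installed, and what a
# misbehaving storage firmware would like the system to run instead.
GENUINE = b"program v1: print hello\n"
MODIFIED = b"program v1: print hello; extra step\n"
EXPECTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


class HonestDevice:
    """Storage that always returns the bytes that were written to it."""

    def __init__(self, image: bytes):
        self._image = image

    def read(self) -> bytes:
        return self._image


class InconsistentDevice:
    """Constructed model of storage firmware that serves one image on the
    first read (while it is being checked) and another on later reads."""

    def __init__(self, first: bytes, later: bytes):
        self._first = first
        self._later = later
        self.reads = 0

    def read(self) -> bytes:
        self.reads += 1
        return self._first if self.reads == 1 else self._later


def _check(data: bytes, expected_sha256: str) -> None:
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("integrity check failed")


def load_check_then_reread(device, expected_sha256: str) -> bytes:
    """Fragile pattern: hash one read, then fetch the bytes again to run them.
    The second read is never verified, so the check says nothing about it."""
    _check(device.read(), expected_sha256)
    return device.read()


def load_read_once(device, expected_sha256: str) -> bytes:
    """Robust pattern: read once into memory, verify that buffer, and hand the
    very same buffer to the loader. The device gets no second chance."""
    buf = device.read()
    _check(buf, expected_sha256)
    return buf


if __name__ == "__main__":
    dev = InconsistentDevice(GENUINE, MODIFIED)
    print("check-then-reread ran:", load_check_then_reread(dev, EXPECTED_SHA256))
    dev = InconsistentDevice(GENUINE, MODIFIED)
    print("read-once ran:        ", load_read_once(dev, EXPECTED_SHA256))
    try:
        load_read_once(InconsistentDevice(MODIFIED, MODIFIED), EXPECTED_SHA256)
    except ValueError as err:
        print("modified on first read:", err)
```

Reading once only helps if the expected hash comes from somewhere the storage device cannot rewrite, for example a signed manifest checked against a key kept elsewhere.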
However, there is a lot of more crucial work to do before having to care about peripherals that can't be differentiated from hardware.
This page was a featured resource in December 2018.
This page was a featured resource in April 2021.