Group: Hardware/Strategies/ReverseEngineering
Contents
Introduction
Hardware usually requires accompanying software to function, typically in the form of drivers or firmware. However, when this software is proprietary, the hardware becomes useless to the free world.
Occasionally, hardware documentation is available from the vendor. In these cases, it is a matter of writing the missing software according to the documentation. Sometimes the documentation is not available but has been leaked; whether or not this can be used as the base for free software drivers and firmware is a legal question outside the scope of this article.
On the other hand, when vendors refuse to provide documentation, the hardware must be reverse-engineered in order to be liberated, a mammoth task.
Which hardware should be prioritized? This article proposes criteria and examples.
Is it a widely distributed hardware?
For instance, millions of Raspberry PI have been sold. A functional free software firmware for the VideoCore IV GPU it uses would be beneficial to all existing users. Another example is the Samsung Galaxy SIII which sold over 70 million units and can easily be bought second hand world wide. A free software driver for the BCM4334 wifi chip could enable new Replicant users.
Is it the last step in completing the liberation of whole device(s)?
For instance, consider the Allwinner A20 System on a Chip in the Olimex Lime2. If we can make it work with free software, all the hardware of that chip will become functional in the free world. All of the hardware in that single board computer will likewise become functional in the free world.
How long will it take? (0 fast, 9 long)
How much time such work can take depends on:
- how much the tasks at hand fits the skills of the people working on it. The various tasks can require very different skillets.
- How much documentation there is and how much work there is to do
- If making such software usable usually takes times. For instance a GPU driver often needs quite some time to get a low enough number of bugs.
- In some case having access to debug hardware such as osciloscopes and logic analyzer can speed things up in several order of magnitude. It was the case with the port of a free software bootloader on the LG Optimus Black (P970)
Is reverse engineering needed?
Reverse engineering might not be needed as documentation might already exist, either published by the hardware manufacturer, or by people that did some reverse engineering on the hardware.
Examples:
- The etna-viv project states: Nearly all of the reverse engineering work has been done, [...] However I don't have time nor will to do everything myself. This project needs developers that help with the Mesa driver for [...] I did my thing, now do yours. There is no point in waiting because whatever you want just won't happen out of itself.
How useful is the hardware for its users? (0 not really, 9 very)
For instance, in the Samsung mobile phones, the Wifi, GPS and bluetooth drivers need reverse engineering. The wifi driver is more useful than the bluetooth driver.
Is it crucial?
It is in hardware that does a job that is crucial for us to support. A job can be crucial even if only few people need to do it.
For instance making possible to use certain kind of hardware with free software, when none work with free software would apply here such as:
- Having very fast/powerful RYF certified computers would allow to do certain kind of work with free software, such as compiling huge quantity of software, like complete GNU/Linux distributions.
- Having the ability to use big FPGAs with free software would allow to build SDR, osciloscope and many other tools that would work with free software, enabling free software in new areas.
Hardware and work list
Units | Last step | |
---|---|---|
#Mali GPU | >1B | Yes |
BCM4334 Wifi | >70M | No |
BCM4334 Bluetooth | >70M | No |
BCM43438 Wifi | >10M | No |
#Vivante GPU | ? | No |
#AMD/ATI GPU 2D support in linux-libre | ? | No |
WiFi/Bluetooth chips for Smartphones and Tablets
The Openmoko Freerunner is the only smartphone that works without the need to load a firmware in the WiFi chip, as the firmware is provided on a separate flash chip.
On Most/All other (recent?) smartphones, a non-free firmware is required to make the integrated WiFi work.
The most problematic issues on smartphones and tablets is the WiFi: If a device manufacturer wants to design a device made to run 100% free software, the WiFi firmware will be the most problematic issue as the other issues can be solved by picking the right chips:
- System on a chip compatible with free software bootloader (Such as many I.MX and AllWinner SOCs) a do exist and can be bought for a long time in low quantity.
- Having the GPU work isn't strictly required as on most system on a chip, it is not connected to the display and is only used to do 3D acceleration. Some system on a chip even have separate 2D acceleration. Replicant and GNU/Linux don't require 3D acceleration to be usable.
Once common devices capable of running a free software bootloader become usable, they would also have the exact same issue and also not require a working GPU as explained above.
Note that smartphones or tablets that are able to connect to GSM/CDMA networks have many privacy issues. Some are described by Replicant
There are several approaches to fix the WiFi/Bluetooth issues:
- Write a free WiFi firmware for a WiFi chip used by some widely available smartphone(s) that are used by free software smartphone distributions such as Replicant. This probably also require some reverse engineering work to understand how the chip work.
- Write a free WiFi firmware for a WiFi chip that can be bought by device manufacturers wanting to have no non-free software required to use their device. Extra care must be taken to chose WiFi chips that can be bought in low quantity, and have a long lifetime, to enable potential device manufacturer to be able to actually buy and use such chips in the product they make.
- Make it easier to use external (USB) WiFi dongles that are known to work with free software (such as the ones compatible with the ath9k_htc driver) with smartphones that fits into one of the two category above.
BCM4334 Wifi
The BCM4334 Single Chip IEEE 802.11 a/b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.0 + HS and FM Receiver is used in the Samsung Galaxy SIII which sold over 70 million units. It can easily be purchased second hand world wide. Reverse engineering would is very difficult. It would be very useful because it would enable Replicant. There are no ongoing reverse engineering projects for this chip.
BCM4334 Bluetooth
It is a part of the BCM4334 chip which also includes [[#BCM4334 Wifi|wifi], only it is less useful and the difficulty is unknown.
BCM43438 Wifi
The BCM43438 Single-Chip IEEE 802.11ac b/g/n MAC/Baseband/ Radio with Integrated Blue tooth 4.1 and FM Receiver is used in Raspberry Pi which sold over 10 million units. The user base is large and could upgrade to a free software driver. Reverse engineering would is very difficult. Although the bootloader is free software other hardware parts do not work wihout nonfree software. Since there also is an ethernet port, the availability of the wifi is not a blocker to operate the Raspberry PI.
Desktops and laptops WiFi
Intel WiFi
Intel WiFi cards are very popular in laptops, and have free software drivers. Unfortunately they are not usable in freedom as they lack a free software firmware.
Depending on the generation, they use different drivers:
Broadcom WiFi
Broadcom WiFi cards are also popular in laptops, unfortunately very few are usable in freedom. So far OpenWWF only support the following chips:
- 4306
- 4311(rev1)
- 4318
- 4320
Adding more recent chips would be useful.
Moreover chips cards are not even supported by free software drivers:
- The b43 and b43legacy drivers don't support some chips, some of which are used in Macbooks like the Macbook 6,2
System on Chip GPUs
Mali
The Mali GPU can be found in many Allwinner SoCs. Hardware video acceleration has been freed through the Cedrus project. Thus, on many Allwinner boards, the Mali GPU is the only obstacle to a full free software stack. Allwinner SoCs are found in many popular boards and devices.
Similarly, Mali GPUs are used in a number of Rockchip SoCs. These SoCs use free software from the vendor for video acceleration; on chipsets like the RK3288 found in some recent Chromebooks, the GPU is the only obstacle to using exclusively free software.
Mali GPUs are divided into three versions: Utgard, Midgard, and Bifrost. The Lima project is creating a free software driver for the Utgard series. Conversely, the Panfrost project is freeing Midgard and Bifrost. However, neither is ready for daily use at the moment. You can help!
The Mali is also used in many Exynos chips, including most Samsung phones (12) from the S2 to the S7, selling over 100 million units combined (1, 2, 3).
Some of these Android devices are compatibles with Replicant; they are widely available for purchase with or without Replicant pre-installed.
Vivante
The Vivante GPU is used in the i.MX_6 SoC, in turn used by the Novena laptop. The Etnaviv project reverse-engineering this chipset and implementing support in free software is quite mature, likely ready for daily end-user use cases! There does not appear to be any non-free firmware associated with the GPU, unlike other GPUs such as Adreno.
The only other component of the i.MX6 that is unusable without proprietary software is the video processing unit (VPU), which requires proprietary firmware to function. This firmware can be avoided by instead decoding video in software, unfortunately with a performance and power cost.
Desktops and laptops GPUs
ATI/AMD GPUs are integrated in many laptops and desktops computers. Nvida GPUs are also integrated in many laptops. Both are also available as separate GPU cards that can be plugged in desktop computer.
AMD/ATI GPU 2D support in linux-libre
When a given ATI/AMD GPU isn't supported by linux-libre, the computer is very close to unusable with FSDG compatible GNU/Linux distributions as the Linux kenrel will refuse to load the radeon driver and instead fallback on drivers such as the VESA driver which:
- It might not support the display native resolution (on netbooks, you might only have a 800x600 resolution instead of the native 1024x600, and several other choices)
- It won't support multiple monitors setups
- It will be really slow
It is however not the last step for this hardware as such GPUs require:
- non-free video-bios to initialize the display in libreboot or similar boot software
- non-free bytecode (which is loaded from the video-bios) to get the Linux driver initialize the card
- non-free firmware to get 3D acceleration and other function working
Requirements:
- An unsupported ATI GPU
- The ability to compile and to run linux(-libre) kernel
Difficulty: It should be easy and fast, and there is even a tutorial on how to do it
Nvidia GPUs 3D acceleration firmware/microcode
Most of the Nvidia GPUs falls into either category:
- The GPU is too recent and the firmware is signed (and non-free), and because of that it cannot be replaced unless a bug is found in the hardware signature check
- The GPU firmware is unsigned and free software
However there is still some GPUs with unsigned firmwares where only non-free firmwares exists, such as the one in the Tegra K1 ARM SOC.
AMD/ATI 3D acceleration firmware/microcode
AMD/ATI or Nvidia video BIOS and video BIOS bytecode
This would enable libreboot to support many desktop GPUs.
Devices with system on a chip and bootloaders freedom
Smartphones
Very few smartphones have unsigned bootloaders. It would be useful to make them usable with free software smartphones distributions such as Replicant.
LG Optimus Black (P970)
The LG Optimus black has very basic support in upstream Linux and u-boot, it is not enough to be usable under free software smartphone distributions such as Replicant.
To be usable it would require:
- To add better support in Linux (and optionally u-boot), and make more hardware peripherals work, such as the display.
- To add proper support for devices using an upstream Linux kernel in Replicant. That part of the work can also be shared with the GTA04 smartphone.
GTA04
Very few units were produced, and the production stopped due to manufacturing issues It has a free software bootloader and a near-mainline Linux kernel.
It needs to be integrated in free software smartphone distributions such as Replicant, though the work can be shared with the LG Optimus Black.
Tablets
Many tablets have unsigned bootloaders. It would also be useful to make them usable with free software tablets distributions such as Replicant or GNU/Linux.
ARM computers
Some ARM computers can be used with only free software as they have a free software bootloader, usually U-Boot or coreboot.
To be useful, such computers also need to be able to run a free operating system. Unfortunately, choices are limited among fully-free software distributions. For 32-bit ARM (armhf), Parabola GNU/Linux-libre is the only option. For 64-bit ARM (arm64/aarch64), there are not yet FSDG-compliant distributions available.
Even on 32-bit systems, Parabola is targeted towards users with a thorough understanding of system adminstration and a desire to configure their system manually. There is not currently a fully free GNU/Linux distribution suitable for desktop use by non-technical users, effectively prohibiting this user segment from using ARM computers in freedom.
Porting user friendly distributions, like Trisquel or PureOS, would alleviate this issue.
Single board computers
Raspberry Pi bootloader
Millions of Raspberry Pi boards have been sold. Unfortunately, these boards contain a VideoCore system-on-chip, requiring a non-free boot firmware to so much as start up.
- A proof-of-concept free software bootloader exists, but it is neither complete nor stable enough to make the device useful in freedom. The project also have been put on hold by its main developer until someone else picks it up and continue its development
- More information on the topic can also be found in this blog post and in this git repository
CPU Microcode
Manufactured hardware often have flaws, which sometimes can be fixed by software or configuration data.
This also applies to CPUs, and flaws can remain undetected for a very long time like with the spectre and meltdown issues. If unfixed, such bugs can potentially enable an attacker to remotely take control of computers trough JavaScript.
Some CPU flaws are also often publically documented in errata documents like this one for Core duo processors. Such flaws can usually be fixed either by:
- Having software workarounds, which is not always possible
- Microcode patches when the CPU supports microcode updates
Unfortunately microcode updates are non-free and often encrypted.
Recently there was some breaktrough in this area, some people succedded in documenting AMD K8 and K10 Microcode and microcode updates hardware mechanism, paving the road for free software microcode on such processors.
Having free software microcode would not only enable to fix very serious security issues, but also to do things that weren't possible before, such as having ways to trace instructions with very few performance impact.
The following mainboard are already supported by Libreboot and do support AMD K10 CPUs:
- ASUS KCMA-D8 motherboard
- ASUS KFSN4-DRE motherboard
- ASUS KGPE-D16 motherboard
So having free software microcode on such CPU would make it possible to use computers with libreboot, while still having the latest security fixes.
FPGAs
FPGAs are chips with reconfigurable gate patterns, allowing them to do anything a chip would do such as a WiFi or Ethernet chip, a GPU, a CPU, etc.
They are also often used in fields where no chip are available to do a given task, or where reconfigurability is really important such as:
- Free software GSM towers
- Free software SSDs
- SDRs
- HDMI video overlay devices such as the NeTV or the NeTV2
It is also widely used in:
To do such thing, one needs to write some source code in any of HDLs (hardware description languages), and use tools (synthesizers, routers) basically resembling a binary compilation to produce a binary bitstream the FPGA will load to reconfigure itself.
So far the only Lattice iCE40 FPGAs had been usable with free software. These chips are of small FPGAs class (with a small number of gates).
Apart from the well-supported iCE40 there is ongoing work to document and support Xilinx 7 series and Lattice ECP5 bitstreams within Symbiflow project which supersedes and includes all finished work from iCEStorm project. The ongoing work can be tracked at project GitHub.
See also the "Other FPGA reverse engineering projects" section at http://www.clifford.at/icestorm/
Home servers
There are a lot of low power single board computers that can be used to make home servers. While most of them can be used with fully free software, there are still issues on that area.
Raspberry pi
WiFi
More and more Single Board Computers come with onboard WiFi chips. Theses are the same chips that are used in smartphones and tablets.
See [#WiFi.2FBluetooth_chips_for_Smartphones_and_Tablets] for more details
WiFi access point
There are several ways to connect a WiFi chip/card to a Single Board Computer:
- Through mini-PCI(e)
- Through USB
- Through other busses such as sdio, SPI, etc
While PCI-(express)/PC-card cards/chips that can work with only free software driver do exists, such as:
- The ones compatible with the ath9k or ath5k driver
- Some chips compatible with the OpenFWWF firmware (which is compatible with the b43 driver)
mini-PCIe is rare among single Board Computers because of:
- The lack of PCIe support from most system on a chip
- The increased complexity in designing a board with PCIe
In another hand USB is very widely available, but the drivers that can make USB chips/card work with 100% free software suffer from some limitations that makes some project(s) chose cards working with other WiFi drivers (which require non-free firmware to work). Quoting the Internet cube project:
Free Software version (limited to 7 simultaneous connections, multissid up to 2 AP): MOD-WIFI-AR9271-ANT Non Free Software version (multissid up to 8 AP) : MOD-WIFI-R5370-ANT
Some associations such as FDN reselling such hardware only sells it with the "non-free software version".
More details on the issue is available here. To fix, some of the things done in the free software firmware have to be moved in the free software driver.
Less important
Storage devices proprietary firmwares
Most storage devices have proprietary firmwares, this includes:
- Hard disk drives
- SSDs
- SD and microSD cards
- eMMC
Some don't have firmwares such as:
- NAND
- SPI flash
Several attempts to have free software firmwares exist:
- The OpenSSD Project, however their most recent platform uses an [[#FPGAs
|FPGA]] that depends on a non-free "compiler" to use, whereas their older platform doesn't. I didn't check if the older platform could be used with fully free software.
- A port of the Linux kernel to a hard disk
- There is also information on microSD firmwares from Andrew 'bunnie' Huang: 1 [1] and SSD firmware update procedure from Samsung
- Some Single Board Computers that can run fully free software(with u-boot and Parabola), and that also have NAND chips such as the A20-OLinuXIno-LIME2-n8GB are able, with some software configuration to be used as USB mass storage device (for instance by loading the g_storage driver module).
Storage devices with non-free firmwares are a security concern because:
- They could hide data from the user
- The operating systems expect them to behave correctly: If they don't, they can attack the operating system by changing the programs (either before they are loaded, or right after their integrity has been checked, to have the operating system load a modified version).
However there are a lot of more crucial work to do before having to care peripherals that can't be differentiated from hardware
This page was a featured resource in December 2018.