Group: Hardware/Strategies/ReverseEngineering

From LibrePlanet
Revision as of 07:08, 8 March 2017 by Dachary (SSD firmware blobs)

Introduction

Drivers, firmware, and hardware are integral parts of the computers we use and the devices that interact with them -- and when these things are proprietary, they are incompatible with free software. When the hardware manufacturer does not publish key technical specifications sufficient to write free drivers for their hardware, we'll have to reverse engineer the needed support. Which hardware should be prioritized? We propose criteria and a few examples.

Is it widely distributed hardware?

For instance, millions of Raspberry Pi units have been sold. A free software driver for the VideoCore IV GPU it uses would be beneficial to all existing users. Another example is the Samsung Galaxy SIII, which sold over 70 million units and can easily be bought second hand worldwide. A free software driver for the BCM4334 wifi chip could enable new Replicant users.

Is it the last step in completing the liberation of a whole device?

For instance, consider the i.MX 6 System on a Chip in the Novena laptop. If we can reverse engineer the two coprocessors VDU & GPU, all the hardware of that chip will become functional in the free world. All of the hardware in the laptop will likewise become functional in the free world.

Is it difficult to reverse engineer? (0 easy, 9 hard)

Low-hanging fruit is motivating, creates awareness of the problem and helps new developers learn so they can work on more difficult tasks later on.

How useful is the hardware? (0 not really, 9 very)

For instance, in the Samsung mobile phones, the wifi, GPS and Bluetooth drivers need reverse engineering. The wifi driver is more useful than the Bluetooth driver.

Is it crucial?

It is crucial if the hardware does a job that is crucial for us to support. A job can be crucial even if only a few people need to do it.

Hardware list

Hardware            Units   Last step   Difficult   Useful   Crucial
Mali GPU            >100M   No          5/9         9/9      No
BCM4334 Wifi        >70M    No          9/9         9/9      No
BCM4334 Bluetooth   >70M    No          ?/9         2/9      No
BCM43438 Wifi       >10M    No          9/9         2/9      No
Vivante GPU         ??      No          5/9         2/9      No

Mali GPU

The Mali is used in most Samsung phones (12) from the S2 to the S7, which sold over 100 million units combined (1, 2, 3). They can easily be purchased second hand worldwide. Reverse engineering is made easier because the driver is in user space and all communication with the hardware goes through a kernel driver published as free software. It is very useful because the device cannot be used without a display. The Lima project exists and is usable in some cases, but it is incomplete and has not seen much activity since 2016.

BCM4334 Wifi

The BCM4334 Single Chip IEEE 802.11 a/b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.0 + HS and FM Receiver is used in the Samsung Galaxy SIII, which sold over 70 million units. It can easily be purchased second hand worldwide. Reverse engineering would be very difficult. It would be very useful because it would enable Replicant. There are no ongoing reverse engineering projects for this chip.

BCM4334 Bluetooth

It is a part of the BCM4334 chip which also includes wifi, only it is less useful and the difficulty is unknown.

BCM43438 Wifi

The BCM43438 Single-Chip IEEE 802.11ac b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.1 and FM Receiver is used in the Raspberry Pi, which sold over 10 million units. The user base is large and could upgrade to a free software driver. Reverse engineering would be very difficult. Although the bootloader is free software, other hardware parts do not work without nonfree software. Since there is also an ethernet port, the availability of the wifi is not a blocker to operating the Raspberry Pi.

Vivante GPU

The Vivante GPU is used in the i.MX 6 SoC, which is used in the Novena laptop, which sold ??? units. Reverse engineering is made easier because the driver is in user space and all communication with the hardware goes through a kernel driver published as free software. The Etnaviv project exists and is usable but it needs completion.

The only other part in the SoC requiring reverse engineering is the VDU.

TODO

SSD firmware blobs

It's pretty easy to hide data in an SSD or mount an attack on a machine when those blobs are totally unknown. You don't have to load the SSD firmware as part of boot, of course, but it is typically updateable. There have been a few demonstrations of attacks on USB and hard drive firmware in the past. An exploit was found in an SD card firmware but was not weaponized. It is relatively trivial to hide data and do TOCTOU (time-of-check/time-of-use) attacks on unsuspecting hosts from mass storage firmware.
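
What the TOCTOU point above means for host software, as an added example that is not part of the original page: a loader that hashes a file from storage and then reads it again has verified bytes it never uses, while a loader that reads once and verifies the in-memory buffer does not depend on the drive answering consistently. `UntrustedDisk`, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

class UntrustedDisk:
    """Constructed model of a block device whose firmware the host cannot
    inspect: successive reads of the same range need not agree."""
    def __init__(self, *responses):
        self._responses = list(responses)
        self.reads = 0

    def read(self):
        # Return the next scripted response; repeat the last one afterwards.
        data = self._responses[min(self.reads, len(self._responses) - 1)]
        self.reads += 1
        return data

def _digest_ok(data, expected_sha256):
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)

def load_check_then_reread(disk, expected_sha256):
    """Fragile pattern: the bytes that were hashed are not the bytes used."""
    if not _digest_ok(disk.read(), expected_sha256):
        raise ValueError("digest mismatch")
    return disk.read()  # second read: time of use differs from time of check

def load_read_once(disk, expected_sha256):
    """Hardened pattern: read once into host memory, verify that buffer,
    and hand out only that same buffer."""
    buf = bytes(disk.read())
    if not _digest_ok(buf, expected_sha256):
        raise ValueError("digest mismatch")
    return buf

# Constructed sample data; EXPECTED stands for a digest obtained out of band.
GOOD = b"constructed sample: image the host expects"
OTHER = b"constructed sample: different bytes"
EXPECTED = hashlib.sha256(GOOD).hexdigest()

def demo():
    """Return (fragile result still matches digest, hardened result matches)."""
    fragile = load_check_then_reread(UntrustedDisk(GOOD, OTHER), EXPECTED)
    hardened = load_read_once(UntrustedDisk(GOOD, OTHER), EXPECTED)
    return _digest_ok(fragile, EXPECTED), _digest_ok(hardened, EXPECTED)

if __name__ == "__main__":
    print(demo())
```
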

Updating the firmware of an SSD / HDD

VDU used in the Novena

TBD

Raspberry hardware setup and bootloader

The Raspberry Pi needs nonfree software to start up. I think it initializes the hardware. This is a big problem; it means we have to call that machine "fatally flawed". I suspect that "bootloader" refers to just _part_ of the software that runs at startup time. It must run _after_ initializing the hardware.

Startup software consists of:

  • Proprietary hardware setup.
  • Free bootloader.

Freedom box

A number of hardware devices are referenced at http://www.freedomboxfoundation.org/. Which ones would benefit from reverse engineering, and on which hardware part?