Group: Hardware/Strategies/ReverseEngineering

From LibrePlanet
Revision as of 11:29, 15 October 2017 by GNUtoo2 (talk | contribs) (ATI GPU 2D support in linux-libre)

Introduction

A lot of hardware requires software to work (often drivers and/or firmware). However, when the only software that makes a given piece of hardware work is proprietary, there is no way to use that hardware in freedom.

When hardware documentation is available, it is a matter of writing the missing software. When it is not, the hardware has to be reverse engineered in order to write such documentation and/or such software.

Which hardware should be prioritized? We propose criteria and a few examples.

Is it widely distributed hardware?

For instance, millions of Raspberry Pi boards have been sold. A functional free software firmware for the VideoCore IV GPU they use would be beneficial to all existing users. Another example is the Samsung Galaxy SIII, which sold over 70 million units and can easily be bought second hand worldwide. A free software driver for the BCM4334 wifi chip could enable new Replicant users.

Is it the last step in completing the liberation of whole device(s)?

For instance, consider the Allwinner A20 System on a Chip in the Olimex Lime2. If we can make it work with free software, all the hardware of that chip will become functional in the free world. All of the hardware in that single board computer will likewise become functional in the free world.

How long will it take? (0 fast, 9 long)

How much time such work can take depends on:

  • How well the tasks at hand fit the skills of the people working on them. The various tasks can require very different skill sets.
  • How much documentation there is and how much work there is to do.
  • Whether making such software usable usually takes time. For instance, a GPU driver often needs quite some time to reach a low enough number of bugs.
  • In some cases, having access to debug hardware such as oscilloscopes and logic analyzers can speed things up by several orders of magnitude. That was the case with the port of a free software bootloader to the LG Optimus Black (P970).

Is reverse engineering needed?

Reverse engineering might not be needed as documentation might already exist, either published by the hardware manufacturer, or by people that did some reverse engineering on the hardware.

Examples:

  • The etna-viv project states: Nearly all of the reverse engineering work has been done, [...] However I don't have time nor will to do everything myself. This project needs developers that help with the Mesa driver for [...] I did my thing, now do yours. There is no point in waiting because whatever you want just won't happen out of itself.

How useful is the hardware for its users? (0 not really, 9 very)

For instance, in Samsung mobile phones, the wifi, GPS and Bluetooth drivers need reverse engineering. The wifi driver is more useful than the Bluetooth driver.

Is it crucial?

Hardware is crucial when it does a job that is crucial for us to support. A job can be crucial even if only a few people need to do it.

Hardware and work list

Hardware                          | Units | Last step | Difficult | Long | Useful | Crucial
Mali GPU                          | >100M | Yes       | 5/9       | Yes  | 9/9    | No
BCM4334 Wifi                      | >70M  | No        | 9/9       |      | 9/9    | No
BCM4334 Bluetooth                 | >70M  | No        | ?/9       |      | 2/9    | No
BCM43438 Wifi                     | >10M  | No        | 9/9       |      | 2/9    | No
Vivante GPU                       | ??    | No        | 5/9       |      | 2/9    | No
ATI GPU 2D support in linux-libre | ?     | No        | Easy      | No   | Very   | No

Mali GPU

The Mali GPU can be found in many Allwinner systems on a chip. Since the Cedrus project took care of video decoding offloading, only the Mali GPU isn't usable with free software. Such systems on a chip can be found in many boards and devices which can easily be bought.

The Lima project produced some free software demo code that is able to use the hardware, but it has to be converted to a proper driver to be useful. The project has not seen much activity since 2016.

The Mali is also used in many Exynos systems on a chip found in most Samsung phones (12) from the S2 to the S7, which sold over 100 million units combined (1, 2, 3).

Many of these devices are compatible with Replicant, and can also be bought second hand worldwide, with or without Replicant already installed on them.

BCM4334 Wifi

The BCM4334 Single Chip IEEE 802.11 a/b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.0 + HS and FM Receiver is used in the Samsung Galaxy SIII, which sold over 70 million units. It can easily be purchased second hand worldwide. Reverse engineering would be very difficult. It would be very useful because it would enable Replicant. There are no ongoing reverse engineering projects for this chip.

BCM4334 Bluetooth

It is a part of the BCM4334 chip, which also includes wifi; only it is less useful and the difficulty is unknown.

BCM43438 Wifi

The BCM43438 Single-Chip IEEE 802.11ac b/g/n MAC/Baseband/Radio with Integrated Bluetooth 4.1 and FM Receiver is used in the Raspberry Pi, which sold over 10 million units. The user base is large and could upgrade to a free software driver. Reverse engineering would be very difficult. Although the bootloader is free software, other hardware parts do not work without nonfree software. Since there also is an Ethernet port, the availability of the wifi is not a blocker to operate the Raspberry Pi.

Vivante GPU

The Vivante GPU is used in the i.MX 6 SoC, which is used in the Novena laptop, which sold ??? units. Reverse engineering is made easier because the driver is in user space and all communication with the hardware goes through a kernel driver published as free software. The Etnaviv project exists and is usable, but it needs completion.

The only other part in the SoC requiring reverse engineering is the VDU.

ATI GPU 2D support in linux-libre

ATI/AMD GPUs are present in many laptop and desktop computers. When a given ATI/AMD GPU isn't supported by linux-libre, the computer is very close to unusable with FSDG-compatible GNU/Linux distributions, as the Linux kernel will refuse to load the radeon driver and instead fall back on drivers such as the VESA driver, which:

  • Might not support the display's native resolution (on netbooks, you might only have a 800x600 resolution instead of the native 1024x600, and several other choices)
  • Won't support multi-monitor setups
  • Will be really slow

It is however not the last step for this hardware as such GPUs require:

  • non-free video-bios to initialize the display in libreboot or similar boot software
  • non-free bytecode (which is loaded from the video-bios) to get the Linux driver to initialize the card
  • non-free firmware to get 3D acceleration and other functions working

Requirements:

  • An unsupported ATI GPU
  • The ability to compile and run a linux(-libre) kernel

Difficulty: It should be easy and fast, and there is even a tutorial on how to do it.

TODO

SSD firmware blobs

It's pretty easy to hide data in an SSD or mount an attack on a machine when those blobs are totally unknown. You don't have to load the SSD firmware as part of boot, of course, but it is typically updatable. There have been a few demonstrations of attacks on USB and hard drive firmware in the past. An exploit was found in an SD card firmware but was not weaponized. It is relatively trivial to hide data and mount TOC/TOU (time-of-check/time-of-use) attacks on unsuspecting hosts from mass storage firmware.
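Why TOC/TOU matters on the host side, as an added example that is not part of the original page: a host that checks one read and then consumes a second read trusts the drive firmware to return the same bytes twice, while reading once into host memory and verifying that same buffer does not. ConstructedDrive, the function names and the sample images are hypothetical, and the expected digest is assumed to come from a trusted source outside the drive.

```python
import hashlib


class ConstructedDrive:
    """Constructed stand-in for a storage device whose firmware decides what
    each read returns: `first` on the first read, `later` on every read after."""

    def __init__(self, first: bytes, later: bytes):
        self._first, self._later = first, later
        self.reads = 0

    def read(self) -> bytes:
        self.reads += 1
        return self._first if self.reads == 1 else self._later


def verify_then_reread(drive, expected_sha256: str) -> bytes:
    """Weak pattern: the check and the use are two separate device reads."""
    if hashlib.sha256(drive.read()).hexdigest() != expected_sha256:
        raise ValueError("digest mismatch")
    return drive.read()  # time of use: not the bytes that were checked


def read_once_then_verify(drive, expected_sha256: str) -> bytes:
    """Hardened pattern: one read into host memory; verify and use that buffer."""
    buf = drive.read()
    if hashlib.sha256(buf).hexdigest() != expected_sha256:
        raise ValueError("digest mismatch")
    return buf


# Constructed sample data; the digest stands for one obtained out of band.
GOOD = b"constructed-known-good-image"
OTHER = b"constructed-substituted-image"
GOOD_DIGEST = hashlib.sha256(GOOD).hexdigest()


def demo():
    weak = verify_then_reread(ConstructedDrive(GOOD, OTHER), GOOD_DIGEST)
    strong = read_once_then_verify(ConstructedDrive(GOOD, OTHER), GOOD_DIGEST)
    try:  # a drive that serves other data from the first read is rejected
        read_once_then_verify(ConstructedDrive(OTHER, OTHER), GOOD_DIGEST)
        rejected = False
    except ValueError:
        rejected = True
    return weak, strong, rejected


if __name__ == "__main__":
    print(demo())
```

The hardened path only helps for data the host can verify against a digest or signature it did not obtain from the same drive.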

Updating the firmware of an SSD / HDD

VDU used in the Novena

TBD

Raspberry hardware setup and bootloader

The Raspberry Pi needs nonfree software to start up. I think it initializes the hardware. This is a big problem; it means we have to call that machine "fatally flawed". I suspect that "bootloader" refers to just _part_ of the software that runs at startup time. It must run _after_ initializing the hardware.

Startup software consists of:

  • Proprietary hardware setup.
  • Free bootloader.

Freedom box

A number of hardware devices are referenced at http://www.freedomboxfoundation.org/. Which ones would benefit from reverse engineering, and on which hardware part?