Reverse Engineering an MPEG Driver

An anonymous reader writes "Following on from the recent spate of reverse engineering articles, there is an interesting summary of the reverse engineering of a binary only Linux driver. The driver is for the integrated MPEG decoder on VIA's popular EPIA-M boards. At the moment VIA has not publicly released the source code for the MPEG chipset on these boards and will only make the code available under NDA saying that "Typically, only requests from companies developing product for sale will be approved." As a result this is holding back development of open source tools (e.g. xine, mplayer, vdr) that would be able to make use of the interesting hardware on these boards."

Is this reverse engineering?

[bromoseltzer]

He took the binary code and inferred a C language program that would produce the same code. Very clever, but I thought reverse engineering worked on a functional level.

IANAL, but I don't think the source code is legally safe if VIA wants to go after it.

-mse

Re:Is this reverse engineering?

[diamondc]

This guy lives in Italy, safe from terrible US IP laws.

Re:Is this reverse engineering?

[dmayle]

Unfortunately, to be safe, you have to load the library in a debugger, and are only allowed to look at the data being sent to the chip, or returning from the chip. That would be reverse engineering the driver. However, unless there was a licensing agreement prohibiting it, dissasembling the driver to learn how it works is a legal way to learn how to use the chip, so long as your end goal is not writing a drop-in replacement for the library. Think of it like this: Reading from a book on programming is learning, and legal. Copying from a book on programming (whether word for word, or paraphrasing) in order to write your own book on programming is illegal.

Re:Is this reverse engineering?

[Anonvmous+Coward]

"You honestly think that simply living in Italy is enough to protect him? Have we learned nothing from reading Slashdot?"

I've learned that paranoia is an epidemic.

Re:Is this reverse engineering?

[yellowstone]

He took the binary code and inferred a C language program that would produce the same code. Very clever, but I thought reverse engineering worked on a functional level.

Well, this is definitely not a 'clean room' reverse engineering.

To do a clean room implementation, you need to have two teams:

1. The first team digs into the implementation, and produces a document specifying the interface.
2. The second team uses the specification produced by the first team to create an implementation.

This is a clean-room implementation when the only communication between the two teams is via the specification: A) No one who sees the original implementation works on the new implementation and B) No one who works on the new implementation looks at the original implementation

Does it work yet?

[FryGuy1013]

To me, it just seemed like a general description of the RE process that people able to RE already know. EPIA M boxes are already good for small PVR boxes using mythtv when a Hauppauge PVR card is added (and a larger power supply). If the MPEG decoder can be used, I'm sure that even the lesser models of EPIA will be able to be used.

Free, but not Free

[Dancin_Santa]

Driver code is the biggest liability that a device maker has. It earns no money, it costs quite a bit to make, and it must be written multiple times for multiple platforms and operating systems.

Via's reluctance to free the driver software is pure evil. They sit like slavemasters on the code and hold it hostage as if it were a servant or slave.

Even if the reverse engineering works out and the code runs equally well as the enslaved code, what will become of the original unfree code? Will that unfortunate code be relegated to living out the rest of its days in slavery? Sadly, I think the answer is affirmative.

Who will fight for the rights of software? I only wish the FSF was more vocal about the Freedom of Software that they purportedly base their ideology upon.

Re:Free, but not Free

[rbullo]

Driver code is the biggest liability that a device maker has. It earns no money, it costs quite a bit to make, and it must be written multiple times for multiple platforms and operating systems.

So release the hardware specs, and let the Open Source community write the drivers for them. This lets the manufacturer cut prices, and frees them to focus on other things.

Am I right? Or would companies not go for this?

Re:Free, but not Free

[Svartalf]

In actuality, they released everything BUT the driver info for the MPEG stuff. They handed the 2D and 3D over to the DRI and XFree86 people- Alan Cox was working on making the drivers all nice and clean up until recently.

From what I got from my contacts at SiS and VIA when I was working on set-top box designs using their chipsets was that the stuff was being held to an NDA because of contractual reasons. My ignorant guess would be that there's something with regards to the MPEG patent licensing that prevents the details being released for piracy prevention reasons because the use of these accelerators would enable real-time/near real-time transcoding of DVDs, etc.

This is not to say that I'm right, or if I am, that it's a good reason.

Re:Free, but not Free

[afidel]

More likely is they bought the MPEG core from some other company and so they don't own it's design. I know this is not at all uncommon in the consumer electronics space, for instance companies often buy a MIPS core with various accelerator subcores.

Re:Free, but not Free

[captaineo]

Here are two legitimate reasons a hardware company might withhold driver code:

1) They differentiate high-end and low-end versions of the same product in software only. I think Nvidia and some storage vendors do this - they sell the same card for $200 and $400, but the driver disables certain features on the $200 part. If they released the source someone could easily find a way to re-enable the "high-end" features on cheap hardware, thus erasing the product differentiation. (which would force the company to sell only the more expensive part, and everyone loses)

2) Software-based copy prevention, a la DVD CSS, or software-based restrictions, like Macrovision. (I know at least one video card company won't release driver source because it would be obvious how to stop Macrovision from being enabled when a video player requires it)

I'd say 2) is slightly less legitimate, but I have no problem with reason 1). I'd rather be able to buy cheap but limited hardware than not have the option at all.

Re:Free, but not Free

[dasmegabyte]

How are they doing themselves a favor?

Most hardware companies use off the shelf parts. They aren't designing the technology so much as lciensing it and marketting it. The ONLY reason they are able to make money off of their products is that they have something that Generic Q. Solderinggun doesn't -- they have the ability to interface these hardware chips with a computer. And all of that magic happens in the driver.

I've seen lies here that drivers don't make money, and this is simply ludicrous. Let's take a real world example: back in 1997, both Iomega and Miro (later Pinnacle) marketted an MJPEG video input box based off of a Zoran chip. Zoran made a very very nice chip capable of massive resolutions, dozens of colour modes and bus mastering and all kinds of kick ass stuff. However, Iomega skimped on their drivers. The result was a product that was totally unable to operate at spec, because the driver had a fundamental flaw that prevented it from capturing at 29.976. Savvy video users quickly learned to cap at 30.10, drop a frame, and save $100+ over the cost of the similar Miro card. However, no matter how much the Slashdot community would like to think otherwise, you can't make money selling to ONLY savvy users. Iomega promptly dropped support, even though late model drivers were FIXING the issues. Miro, on the other hand, made money off of their superior drivers for years to come. Those drivers made that money.

If Miro opened the source of their drivers, GPL or otherwise, nothing would have stopped Iomega from getting them, modding them slightly to include their hardware, and releasing them back to the community. After all, they're not selling them. Good for everybody, right?

No good for Miro, whose dilligence in driver manufacture has just cost them countless sales. Their hardware is now just the sale as the other guy's but sells for much more.

Why the hell do you want hardware companies to lose money for your hobby? Are you so vain that you really think your 3% of the marketshare is worth that much to the VIAs of the world?

Re:Free, but not Free

[ckaminski]

Remember a year or two ago when turbo-charging your Celerons was all the rage? Intel fixed this with an ondie switch that was lasered shut at the factory to stop this. Nothing, not one thing, is preventing a manufacturer from adding $0.10 to a part for a hard-wired switch that makes a $200 part into a $400 part. If it's in software, you're still taking the chance some enterprising developer is going to figure it all out, and ruin your party.

Most people, especially saavy ones, are not loathe to trying out new drivers. MANY are very afraid of taking soldering irons to their $200 parts.

-Chris

Er...

[slackingme]

But does it ru--
Nevermind, no points to spare :)

CLE266.tgz mirror (original slashdotted)

[ultrapenguin]

I've setup a mirror for the source at http://43.244.87.231/cle266.tgz

Be nice to it, and check the original site after slashdot effect goes away.

Re:Software decoding works fine

[MikeFM]

My lil epia box does better than my parents faster Wintel box at playing dvd's and vob's. Sure a lot of that is because MPlayer and Linux are so much better but you're mistaken if you think the epia systems don't have the muscle for the job. If they could enable the hardware decoding it might even make the playback better. They also run much cooler, more energy effecient, and quieter.. something that IMO is a mark of quality.. not of being 'cheap'. Besides, price compare the CPU's.. you'll find they aren't that cheap. :)

irony

[mo]

The silly thing with all of this is that the drivers and support for this card that result from the reverse engineering will ultimately result in more sales. It seems so counter-intuitive for VIA to resist this.

Cool!

Let's harass them for not releasing the code, reverse engineer it and post it everywhere, until they get mad and discontinue Linux driver development altogether! Then xine and mplayer will work GREAT!

Re:Cool!

[El]

Better yet, lets reverse engineer the Windows drivers instead of the Linux drivers, so then they'll get mad and discontinue Windows driver development altogether! Yeah, right...

why do it by hand?

[MikeFM]

Why not use a program that automaticlly takes the binary and builds a C program from it? You still have to pick through the logic to give things helpful function/variable names and refactor but it'd save the step discribed here. In the past when I've reverse engineered binaries that is the type of tool I used. Any good reason for doing this by hand?

This still begs the question.. why not just release the damn source? If we can reverse engineer the drivers what would keep the competition from doing so? Why harm your customers for a false sense of security?

C vs. assembler

[Atario]

From the article:

Also some of the logic could be detemined by decoding binary flag fields. For example:

push gVIAGraphicInfo
push 805476C3h
push fVideo
call ioctl

Can now be decoded into the rather more readable:-

ioctl(fVideo,
_IOR('v', //118 192+3,
VIAGRAPHICINFO),//0x805476C3, &gVIAGraphicInfo )

Oh yeah. Much more readable.

-1, Wrong

[Jerk+City+Troll]

Hardware decoding allows for much higher resolution video. Furthermore, specialized hardware typically have more accuracy when decoding the stream. There's additional features too: you can allocate, say, more bits for dynamic color range, fractalize regions that have semi-random "noise" distribution (like tree leaves from a distance) and so on that can improve video quality (to help eliminate obvious artifacts). I am not saying all hardware decoders do this, but these are some advantages. It's very analogous to having specialized 3D hardware to handle graphics rather than "letting the CPU do it".

well yes, what else do you want?

[twitter]

He took the binary code and inferred a C language program that would produce the same code.

It won't produce the same code. Different compilers do things different ways. In the end the binary produced will run the hardware the same way and that's the goal.

Very clever, but I thought reverse engineering worked on a functional level.

He did do functional analysis to make it work. He understood what the thing was doing. If he did not, his code would never have worked. He made little doodles and what have you to make it clear to himself. Now it's in C, the diagrams are much easier to make, though we can be sure he's going to share his diagrams as well. That way other people can make nice software too.

IANAL, but I don't think the source code is legally safe if VIA wants to go after it.

I don't know why you think that. He could have had his computer tell him what it was doing instead of using IDC, no? It's not like he dumpster dived code like old Bill Gates did BASIC. He understood what the code did and reimplemented it himself. Even if he did have dumpster dived code, he could use that to make a functional diagram and then use that to write new code and the results would be the same.

If there is a legal problem with this, there should not be. Why should people be afraid to understand what their machines do and then share that information? So someone else can make money of evryone else's ignorance? Shit, no one would be able to get anything done that way.

Not quite done yet

[wowbagger]

Well, he has done the first part of a reverse engineering process - he has worked out, by inspection of the target, what is being done.

However, he now needs to write the specifications for the hardware, and publish THAT, so that somebody else, somebody who has not seen the binary driver, can write a program based upon the specifications.

Should this not be done, then this code, while interesting to individuals, would be pure poison to anybody who has any intention of distributing this code in a commercial way (e.g. a distro).

And writing a specification for the chip, by inspecting the code, is far more difficult than simply reverse compiling the binary.

why hardware decoder?

[RelliK]

With the ever-increasing clock speed of our CPUs, what is the point of having a hardware MPEG decoder? I understand that p2-400 is sufficient to play DVD-quality movies. The amount you spend on the hardware decoder could have been better spent on memory or video card or CPU or whatever. Now, a hardware encoder would certainly be useful as encoding is still very CPU-intensive. I was contemplating a tivo-like box with a hardware encoder. Does anyone know if hardware MPEG encoders are supported on Linux?

A link to just that: Reverse Engineering Compiler

[myst564]

Just to prove it exists:

Reverse Engineering Compiler

Why a hardware decoder? - Because - It's a VIA

[Chordonblue]

Obviously you've never used VIA processors before. They are notorious for their slow FPU's. In fact, before their latest top-of-the line model - the Nehemiah, their FPU's of previous models always ran at HALF CLOCK. Ouchy.

But, even at full speed a similarly clocked Celeron kicks it's ass in every which way. That said, high performance is not the stated purpose of the Centaur/Via CPU. Its low watts, coupled with the decoder make for an excellent all-around box. I've built around 7 or 8 of these myself and they are excellent for what they are designed for (think: mom and dad or net terminals, not Half Life 2).

I have a few of these floating around the school here now as basic net access / workstation terminals and they are hugely popular - especially in light of what they replaced (AMD 300's). There's nothing like tearing apart some ancient computer and putting one of these boards in it. 90% of the time, it's simply cavernous in there (so much space!)

Last week I put one in an Aptiva and realized that if I was an enterprising person (read: man with a Dremel) I could have fit TWO of them in there as a dual workstation! :O

So to sum up, they're small as hell (you have to see it to believe it), simple, fun, easy to configure, but don't plan of using them at the next Fragfest 2003 (c)

NOT reverse engineering

[Performer+Guy]

This is not reverse engineering, he dissassembled the code and pretty much copied/ported the result to C. I don't think this meets any cleanroom standards and the code is dangerously contaminated. To use this work you would have to get someone else to reimplement the driver without looking at this contaminated code base. That means they need to be passed a description of the hardware interface inferred from observations of how this driver works, and the code produced by dissassebling the driver needs to be tossed in the garbage can.

Who taught anyone that dissassembling someone's proprietary code and doing a line for line port then publishing the result was in any way legitimate?

Re: NOT reverse engineering

[Adam+J.+Richter]

Who taught anyone that dissassembling someone's proprietary code and doing a line for line port then publishing the result was in any way legitimate?

"In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work". United States Code, Title 17, section 102(b).

Re:NOT reverse engineering

[swillden]

Who taught anyone that dissassembling someone's proprietary code and doing a line for line port then publishing the result was in any way legitimate?

The better question is: Who decided that the "clean room" approach is actually necessary? Answer: a bunch of ultra-paranoid lawyers at Compaq who were about to piss off Big Blue (deep pockets, lots of lawyers and extremely protective of IP) in a big way and wanted to make absolutely completely sure that there was no way their project could be called a copy.

I don't think it's at all clear that copyright law makes so-called "clean room" reverse engineering necessary. AFAIK, a court has never stated that source code reconstructed from a binary is considered a copy, or even a derivative work. Copyright law does not prevent you from reading something, learning from it, and creating something else based on what you learned. It may be that a court would rule this a derivative work, rather than an work of independent authorship, but it's highly questionable since courts have already said that only the expressive, not the functional, part of code is copyrightable.

It's very clear that clean room reverse engineering is sufficient. It's far from clear that clean room reverse engineering is necessary.

Re:NOT reverse engineering

[orv]

The copyright statement in the driver from via states:-

* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sub license,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice (including the
* next paragraph) shall be included in all copies or substantial portions
* of the Software.


It's just that they didn't actually release the code for the driver. So the port doesn't need to be a proper clean room reverse engineer.

Why do you say VIA resisted?

[Fefe]

First of all, it's just a small wrapper library that is comparatively easy to reverse engineer.

Second of all, there is a library we can reverse engineer.

Third of all, the guy is using the VIA forums to spread the word, so VIA obviously knows about this, and they haven't sued.

To me this rather looks like they were waiting for someone to reverse engineer this, because they couldn't release the sources themselves for contractual reasons. Don't just assume people are evil, maybe they didn't have a choice and did what was in their power to give you the means to help yourself.

Re:maybe, but not for that reason

[homer_ca]

Another possiblity is that Macrovision copy protection is enabled or diabled in the driver (maybe even by flipping one bit). Macrovision is the analog copy protection mandated by the DMCA. So can't let the open source community break their one bit encryption.

I believe this is the TV encoder chip used by the EPIA-M and the VT1622M is the one that supports Macrovision.

Re:What about DMCA?

[Wumpus]

I believe that distribution of this code would be illegal, since it is a derivative work based on VIA's library. I haven't seen VIA's license, by typically those licenses prohibit redistribution, reverse engineering, and disclosure of any trade secrets.

The reverse engineering itself is probably still legal, arguably, if it is done to enable someone to write software that interoperates with the decoder. To be safe, I would assume that it's probably better to write such software for an operating system that VIA doesn't support - QNX, for example. (One could argue that the BSDs' ability to run Linux binaries voids the interoperability argument if one were to write a BSD driver, but what do I know?).

You should also make sure that the person writing the final open source code hasn't seen VIA's decompiled source. Typically this is done by having one person or team reverse engineer the code, document the hardware, and toss the hardware documentation over the wall to the driver team.

Dxr3

[daserver]

Lets not forget the hardware mpeg2 decoder - dxr3. A lot of people have worked on this and it has resulted in a very decent driver. It has had absolutely zero help from sigma. There is even hacks to make it display rgb directly to your tv, bypassing the crappy composite and svideo.