In some cases there is no other way to create a device driver than to reverse engineer it from a binary "blob" (a closed-source driver). For some open-source drivers (like the driver for ATi R300+ based cards) some of these techniques were used to produce a working driver. Getting information from memory dumps or binary streams is difficult to master and in many cases takes lots of work. To make the necessary work a little easier, here is a list of several tools that could be used to gather information. **Warning**: _only use the tools below when you know what you are doing!_ * **libsegfault** - blob memory access tracer Get it at: [[http://people.freedesktop.org/~glisse/|http://people.freedesktop.org/~glisse/]] The idea here is to set the environment variable SF_ADDR to your MMIO address. You find this address by using `lspci`. For example, if `lspci -v` gives you: 01:00.0 VGA compatible controller: ATI Technologies Inc RV380 [Radeon X600 (PCIE)] (prog-if 00 [VGA]) Subsystem: ATI Technologies Inc Unknown device 0f02 Flags: bus master, fast devsel, latency 0, IRQ 169 Memory at f0000000 (64-bit, prefetchable) [size=128M] Memory at ''fe9e0000'' (64-bit, non-prefetchable) [size=64K] I/O ports at dc00 [size=256] Expansion ROM at fea00000 [disabled] [size=128K] Capabilities: Then you do export SF_ADDR='0xfe9e0000' $LD_PRELOAD=/pathto/libsegfault.so Xorg >dump 2>&1 while xorg.conf is configured to use the fglrx driver. Note that this has a high impact on performance when running the X-server. * **iba** - a tool to spy indirect buffers used during R300 development Get it at: [[http://rasterburn.org/~aet/iba.tar.bz2|http://rasterburn.org/~aet/iba.tar.bz2]] * **iba2** - successor of iba Get it at: [[http://rasterburn.org/~aet/iba-2.tar.bz2|http://rasterburn.org/~aet/iba-2.tar.bz2]] * **iba4** - successor of iba-2 for usability features Get it at: [[http://people.freedesktop.org/~cbrill/iba-4.tar.bz2|http://people.freedesktop.org/~cbrill/iba-4.tar.bz2]] Currently this version is exactly the same as iba-2, execpt that you get some better error messages to see what is going on without looking into the source. Also this version features logging and analyzing without recompilation. It also features automatic detection of the correct address of the graphics card. _Note: None of the iba's works with current fglrx anymore, because fglrx no longer uses user space to do mmio writes. You need "kmmio tracer" (see below)_ _Note: Also consider Revenge (described below) as a possible replacement for iba. Revenge supports superiour auto-detection and works with the latest fglrx blob. * **libsegfault-iba** - a fork of libsegfault coupled with iba Get it at: [[http://www.rasterburn.org/~aet/libsegfault-iba.tar.bz2|http://www.rasterburn.org/~aet/libsegfault-iba.tar.bz2]] * **vbetest hack** - video BIOS spying tools Get it at: [[http://people.freedesktop.org/~airlied/xresprobe-mjg59-0.4.21.tar.gz|http://people.freedesktop.org/~airlied/xresprobe-mjg59-0.4.21.tar.gz]] * **vbetool** - run code from the video BIOS Get it at: [[http://www.srcf.ucam.org/~mjg59/vbetool/|http://www.srcf.ucam.org/~mjg59/vbetool/]] * **valgrind-mmt** - tracks MMIO register writes Get it at: [[http://www.skynet.ie/~airlied/patches/valgrind/|http://www.skynet.ie/~airlied/patches/valgrind/]] * **valgrind-mmt-extend** - extended version of valgrind-mmt for WR-only registers Get it at: [[http://code-monkey.de/articles/2007/01/08/hacking-up-valgrind-mmt|http://code-monkey.de/articles/2007/01/08/hacking-up-valgrind-mmt]] * **valgrind-mmt-extend-extend** - extended version of valgrind-mmt-extend Handles I/O port accesses on amd64, and takes a hex offset instead of decimal, e.g.: sudo valgrind --tool=mmt --offset=c1000000 /usr/bin/Xorg :0 -ac > x.log 2>&1 Get it at: [[http://gitweb.freedesktop.org/?p=users/daniels/valgrind.git;a=summary|http://gitweb.freedesktop.org/?p=users/daniels/valgrind.git;a=summary]] * **Oliver's Valgrind-MMT** Extended version of Daniels' Valgrind-MMT (described above) supporting libc 2.5. _Note: This version of Valgrind-MMT is based on the Valgrind SVN repository as of r7063, or 2007-10-31. Get it at: [[http://cgit.freedesktop.org/~z3ro/valgrind-mmt/|http://cgit.freedesktop.org/~z3ro/valgrind-mmt/]] (Unfortunately this was lost due to people.freedesktop.org home directory failure.) * **kmmio tracer** Get it at: [[http://nouveau.freedesktop.org/wiki/MmioTrace|http://nouveau.freedesktop.org/wiki/MmioTrace]] This traces all of the MMIO operations of a kernel module. This is useful for tracing the MMIO of a binary kernel blob. (As a side note: the fgrlx driver does most of its work in user space, so libsegfault should work just fine.) * ** bitfield ** Get it at: [[http://ozlabs.org/~jk/code/bitfield/|http://ozlabs.org/~jk/code/bitfield/]] This can translate registers/bitfields into their numeric values. However, we need to generate config files appropriate for each card type/family. * ** glxtest ** Get it at: [[http://r300.cvs.sourceforge.net/r300/glxtest/|http://r300.cvs.sourceforge.net/r300/glxtest/]] These tools have been used to dump the command line that is sent to the CP (command processor) during R300 development. * ** Revenge ** Read about it at: [[http://omcfadde.blogspot.com/2011/02/new-home-for-revenge-radeon-reverse.html|http://omcfadde.blogspot.com/2011/02/new-home-for-revenge-radeon-reverse.html]] Get it by: _**git clone git://gitorious.org/omcfadde/revenge.git**_ Revenge is a reverse engineering tool developed for reverse engineering and debugging the 3D commands sent to ATI GPU's. Revenge supports AGP, PCI, and PCI-E interfaces, as well as the IGP and RS690 chipsets. Currently you must specify the interface type as an option. Revenge runs a series of simple OpenGL tests and dumps the results into several files, which may be examined by pretty_print_command_stream.tcl from the [[glxtest|http://r300.cvs.sourceforge.net/r300/glxtest/]] package, alternatively you could write your own analysis tools. Adding tests for new OpenGL features is a very simple task. See the included README for more details.