
The GPL Compliance Engineering Guide

v3.5 20100402

Armijn Hemel <armijn@loohuisconsulting.nl>

Copyright 2009-2010 Loohuis Consulting. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.

Table of Contents
Introduction
The consumer electronics business
  How a product is developed
  Violations
Technical analysis of a device
  Initial network scan
    How to perform a network scan
    Results of a network scan
    Value of using network scans
    Other network tricks
  Firmware analysis
    Embedded design 101
      Boot sequence and boot loaders
      Compression techniques
      File systems
        squashfs
        ext2/ext3/ext4
        cramfs
        jffs2
        yaffs2
      Executable files
        Compilation 101
        Executable formats
    Tools
      File analysis tools
        hexdump
        file
        strings
        grep
        md5sum/sha1sum/sha256sum/sha512sum
      Tools for unpacking files and archives
        bzip2/bzcat
        gzip/zcat
        unzip
        lzma
        unrar
        cabextract
        unshield
        rpmdevtools/rpm2cpio
      Other tools
        binutils
        ldd
        editor
  Physical access
    Serial console
      Attaching a serial cable to a router
      Accessing the serial port
    JTAG
  What violations to look for
    Linux kernel modules
    busybox
    C libraries
    Toolchain
    Bootloaders
Physical compliance
Compliance engineering on Microsoft Windows
  Common violations
  Tools
    Zipped executables
    Cabinet files
    MSI files
    Wine
    Other tools
  Cygwin compliance engineering
Experiences
Appendix A: GPL checklist
Appendix B: Reporting and fixing license violations
  Reporting a violation
  Handling a violation report
  Preventing a violation
  Copyright note
Appendix C: Commercial compliance engineering

Introduction
This is a guide explaining how to find license violations in embedded devices. This guide shows how to discover problems by analysis of network scans, extracting information from a firmware and physically altering hardware.

Before we can dive into the technical details, it is worth taking a look at the business processes of the consumer electronics industry, where most violations are found.

WARNING: Some things described in this guide might not be allowed in your jurisdiction due to local legislation. Please consult a lawyer to see what is permitted. This is not legal advice.

The consumer electronics business


The consumer electronics business is challenging. The business itself is very high volume and has very low margin. Competition in this market is very fierce. The shelf life of a typical device is short: 1 to 1.5 years. Most of the sales of a new product happen during the first 3 months the device is on the market. The consumers mostly look at functionality and price. Time to market, marketing, price and emotional attachment to a particular brand are what drive the market.

Making it to the shops a few days later than a competitor's product (which ironically often comes from the same factories) could mean the difference between having a profit or turning a loss. Raising the price, even by small amounts like 10 cents per device, could mean the same.

Compliance engineering and checking for licensing issues tend to endanger profit. First of all, it delays the release. Proper compliance engineering could take a few days (depending on the device), any questions regarding sources have to go back to the factory, sources have to be shipped, and so on. Often the factory won't or can't release all sources (because they bought it too) and it could take many months before the device is compliant. Arriving a few months later than the competition will mean you lost the race. Companies often also don't get more than one or two test samples, which they cannot afford to lend out to a compliance engineer when they need to test functionality.

The second reason is that compliance engineering in general is not cheap and the costs of it have to be split per device. A price of EUR 1200 for checking a device is reasonable, given the hourly rates for a commercial embedded Linux systems engineer. Still, for companies in this market this is a lot of money, especially if you keep in mind that many companies have so-called test runs of hardware to test demand in the market. A test run is done with as few as 200 devices. If a product is selling, additional shipments are ordered at the factory. For GPL compliance the number of devices does not matter, since distribution is distribution, but EUR 1200 divided by 200 means a sharp rise in the price of a device.

Companies often have to make a choice: ship non-compliant software and risk a court case or face a huge loss resulting from missed sales. Some people have hinted that a court case is unlikely to happen and is probably a lot cheaper than the alternative. Various organisations, like the gpl-violations.org project and SFLC, have started pushing for compliance a lot more in the past years, so this argument is likely to become invalid soon.

How a product is developed


Products are often not developed by the company that has its name on the box. There are few Western companies selling devices in large quantities to end consumers that do their own development. Even the companies that do are unlikely to do all the work themselves.

There are often quite a few companies involved in the development of a product. The Western companies buy their devices in Asia, most often from a Taiwanese, Chinese or sometimes a Korean company. In some cases a custom casing is developed for the product, but more often a generic casing is adapted with the company logo printed on the casing. The manual and packaging are also adapted to taste (company logos, contact information, etcetera) and everything is shipped to the West. The Western companies do distribution, marketing, end user support, rebates, and so on.

The company where the devices are produced uses a board design with an SDK, which it gets from another upstream vendor, often the chip vendor. There can be additional layers in between. The engineers at the Taiwanese company, or any of the other layers, sometimes add some extra code, or make other changes using the SDK. The extra code might contain kernel drivers for various hardware components in the device, such as wireless network cards, or software firewalling modules.

These changes may be fully, partially or not at all integrated into the source archive from the SDK. If the sources are not or only partially integrated, the result is that the sources distributed as the "GPL sources" are not complete.

Violations
License violations come in all kinds of forms, ranging from forgetting to add a copy of the license text to no source, no license text and no policy of handling source code requests. License violations are not limited to just GPL and LGPL. Nearly every device that runs Linux also has a whole range of other subtle violations of MIT, BSD and other licenses.

There are also plenty of GPL license violations on devices that don't run Linux. There are for example devices that run a very basic proprietary operating system, but also include some GPL licensed code, which is linked into one big binary blob along with the rest of the operating system.

This document will mainly focus on GPL and LGPL license compliance engineering on Linux systems, with a small section dedicated to analysing common data formats on Microsoft Windows.

Technical analysis of a device


A technical analysis is the technical part of the GPL compliance engineering process. The goal of a technical analysis is to determine if there is GPL or LGPL licensed software on a device. A technical analysis can be performed in several ways. Often there is a device, firmware, source tarball (or any combination thereof) that you are asked to check for compliance. Depending on the situation, a lot of work could be required to discover whether GPL violations exist, or to make sure there are none. This can range from dissecting a firmware to going as far as physical modification of a device to log in via a serial port onto the device, or beyond.

This section summarizes my tools of choice to do this. It is far from complete and I am very certain I do not find all violations. Still, it is more than what most people at companies are able (or willing) to find. The more violations you catch, the more pressure we can put on a company to adopt better internal processes to prevent violations from happening at all in the future.

Initial network scan


If the device is networked, it is a good idea to start a scan from the network. Many operating systems have slight differences in the networking stack in how they respond to certain packets. Using heuristics, where a lot of specially crafted packets are sent to the device, it is possible to determine what a device runs. Scanning tools like nmap have a fingerprinting option, which is fairly accurate, though not foolproof.

How to perform a network scan


The most feature-rich network scanning tool on Linux and other Unix-like operating systems is nmap. A typical command line invocation for fingerprinting a device would look like this:
# nmap -P0 -O <ip address> -p 1-65535

This command does not first try to ping the device on the network (-P0), which is a considerable speedup, since many devices do not respond to pings. The fingerprinting option (-O) needs root privileges to work.

Results of a network scan


The output of an invocation of the nmap command could look like this:

# nmap -P0 -O 10.0.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-16 01:16 CEST
Interesting ports on gateway.local (10.0.1.1):
Not shown: 1692 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:00:00:00:00:00
Device type: general purpose
Running: FreeBSD 6.X
OS details: FreeBSD 6.1-RELEASE through 6.2-BETA3 (x86)
Uptime: 36.216 days (since Fri Aug 10 20:06:29 2007)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 21.304 seconds

The result is a list of open TCP ports on the device with an indication which service these ports are normally assigned to and the name and version of the operating system that nmap thinks the device is running (in this case it correctly identified a FreeBSD machine).

Scanning for open TCP ports can reveal important information. Sometimes there is a debug port, or telnet port which you can connect to to gain shell access to the device itself and inspect it while it is running. Banner strings for programs (web server, UPnP server, FTP server, etcetera) can also help in determining what is running on a particular device.

Value of using network scans


While a network scan is powerful it should not be regarded as proof. There are software packages, so-called scrubbers, which will hide a lot of these details and make fingerprinting relatively useless. Not many devices deploy such techniques, so for now it can be regarded as a good indication what is running, until all devices use scrubbers. There are sometimes also false positives, where a device seems to run Linux. If you are not sure you should always perform the scan with a different scan order (with the -r option of nmap) too.

The output from nmap should be regarded as an indication of how likely it is a device is interesting for compliance engineering. It depends on what you are looking for. Just keep in mind that nmap is not always correct (though very often it is).

Other network tricks


There are some other tricks you can use to get some more information. In the web interface of a device you might see version strings of programs hidden in log files. Sometimes the web interfaces on devices have security bugs which can lead to access to the file system. This way you can quickly obtain the data on the device.

Firmware analysis
A reliable method of finding GPL licensed code in a device is by grabbing the firmware of the device from the download site or CD and dissecting it to reveal all bits and pieces of what is in the firmware. There is no standard recipe for dissecting firmware, since there are many ways the firmware of a device can be structured. However, the underlying methodologies as outlined in this document can be used for many devices. Before these methodologies are explained there is a short explanation of how devices work and why the design influences the layout of the firmware.

Embedded design 101


There are a few basic design steps you will need to know for proper reverse engineering. These are:

- boot sequence and boot loaders
- file systems
- compression techniques
- executable formats

A good book to read to get some general understanding about embedded Linux is "Building Embedded Linux Systems", published by O'Reilly. http://www.oreilly.com/catalog/belinuxsys/


Boot sequence and boot loaders

When a device starts the CPU executes certain commands to initialize the whole device. One of the things that is hardcoded in the CPU is the memory location of an instruction that should be loaded first. This instruction is often the first instruction of the bootloader. The bootloader is a program which sets up the rest of the system.

The bootloader itself resides on flash memory at a fixed offset. This offset varies greatly between CPUs, boards and vendors.

As an example, a fairly typical layout for the flash chip of a device with the AR7 chipset could look like this:


mtd0 0x900a0000,0x903f0000
mtd1 0x90010000,0x900a0000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000

These regions are used by the bootloader. In this particular case the bootloader itself resides on "mtd2" and this is the location that the CPU uses to find the bootloader. The bootloader reads the other locations from nvram to find the kernel and the root file system and loads and starts them accordingly.

The offsets between the file systems can often be seen in the firmware. To create the right offsets between different parts of the firmware something called padding is used. This often consists of zeroes, or other padding characters (0xff seems to be popular too). This makes it easy to recognize the different parts, since there will be a lot of these padding characters together (up to several thousand in some cases).


Compression techniques

Sometimes file systems (squashfs, ext2) or a kernel image can be found directly, but they are often in compressed form in the firmware and have to be decompressed first. During startup of the device the bootloader decompresses the kernel and/or file systems in memory, before actually launching the OS.

Commonly used compression methods are gzip and bzip2, with LZMA and 7z rapidly rising in popularity.
File systems

There are a couple of file systems in use on embedded Linux devices. They can be divided into two categories. The file systems in the first category load the file system from flash and uncompress it into normal memory. The file systems in the second category don't load into memory, but use more flash to reduce wear levelling on the flash memory. Both approaches have their advantages and disadvantages.

Commonly used file systems are:


- squashfs, increasingly with LZMA compression instead of zlib compression
- ext2fs/ext3fs
- cramfs (Compressed ROM File System), both big endian/little endian
- romfs
- jffs2
- yaffs2

Most of these file systems can be unpacked or mounted over loopback on a recent Linux system (like Fedora 11).

The following table summarizes the methods you should use for the most commonly used file systems:

Filesystem                  | Unpacking method                              | Alternative unpacking method                                                              | Remarks
----------------------------|-----------------------------------------------|-------------------------------------------------------------------------------------------|--------
SquashFS (zlib compression) | unsquashfs                                    | mount over loopback                                                                       |
SquashFS (LZMA compression) | custom unsquashfs (for example from OpenWrt)  | mount over loopback, might require an extra kernel module, depending on the flavour used  | various combinations of SquashFS and LZMA are in use
ext2/ext3                   | mount over loopback                           | e2tools package                                                                           |
cramfs                      | mount over loopback                           |                                                                                           | might require byteswapping with cramfsswap first, depending on the endianness of your machine
romfs                       | mount over loopback                           |                                                                                           |
jffs2                       | jffs2dump                                     | copy content to mtd device first, then mount over loopback                                |
yaffs2                      | unyaffs                                       |                                                                                           |

squashfs

Squashfs is a read-only file system for Linux. It is a popular choice in embedded devices. Standard versions of squashfs can be found in a firmware file by looking for the string 'sqsh' (big endian format) or 'hsqs' (little endian format). Other variants of squashfs might have different magic strings and can't be unpacked with the standard tools.

The squashfs file system (with zlib compression) can also be unpacked as a normal user, using "unsquashfs" from the squashfs-tools package:


$ unsquashfs -d rootdir -i /path/to/squashfs-image

This command unpacks the squashfs image in the directory "rootdir". This method is actually preferable to mounting over loopback, since it won't create device files if you run it as a normal user and prevents you from making mistakes later on, such as trying to grep through tty files (which has rather unpleasant side effects).

Unpacking a squashfs file system with LZMA compression is possible in some cases, but not in all cases. The reason for this is that there are quite a few versions of LZMA in use, which are not always compatible. The Squashfs LZMA version at http://www.squashfs-lzma.org/ for example uses different magic and it can't work with many Squashfs file systems that are actually used on embedded devices.

It is not possible to detect LZMA compression using the command "file", since the signature is usually not different from an uncompressed squashfs file system. When you try to mount it and it fails, you might see this in dmesg, which is a clear indication another compression technique than zlib has been used:

SQUASHFS: Mounting a different endian SQUASHFS filesystem on loop0
SQUASHFS error: zlib_inflate returned unexpected result 0xfffffffd, srclength 8192, avail_in 160, avail_out 8192
SQUASHFS error: sb_bread failed reading block 0x4b0
SQUASHFS error: Unable to read cache block [12bf5c:3d6]
SQUASHFS error: Unable to read inode [12bf5c:3d6]

The OpenWrt project builds a version of "unsquashfs" with LZMA support by default (called "unsquashfs-lzma"), since June 2008. With this tool it is possible to extract Squashfs 3.0 file systems that use LZMA compression. Older versions of Squashfs can't be uncompressed with it. It is expected that this will be possible in newer versions, as soon as Squashfs with LZMA compression is accepted in the mainline kernel.

ext2/ext3/ext4

The default file systems on most Linux systems are the ext2, ext3 and ext4 file systems. These can simply be mounted on the majority of systems over loopback. Some kernels don't have support for this file system built in (rarely), or sometimes you have no root access to mount an ext2 file system over loopback. In such cases the e2tools package provides a bare-bones way to access an ext2 file system from user space:


$ e2ls ramdisk_el
bin boot image.cfs lib sbin sys default lost+found tmp dev mnt usr ftpaccess hotplug samba etc proc var home root web ftpaccess.default inittab

$ e2ls ramdisk_el:etc
TZ fstab ftpconversions ftpmaxnumber nsswitch.conf rc.d

cramfs

Another popular file system is the cramfs file system. It can be fairly easily recognized by searching for the string "Compressed ROMFS". There are two versions: one for big endian systems (PowerPC, SPARC, big endian MIPS) and one for little endian systems (x86, little endian MIPS).

Depending on which system you work on these file systems might need to be byteswapped from big endian to little endian, or vice versa, if you want to mount them over loopback on a Linux system. The cramfsswap utility is a tool that can change the endianness of a cramfs file system.

Byteswapping will not always work, since some devices (notably with the bcm63xx chipset) have a patched cramfs implementation, but it is often enough to extract at least the directory hierarchy and names of the files on the device, which will often give you more information about what is actually on the device.
jffs2

The jffs2 file system is special, since it can't be mounted directly over loopback. It first needs to be written to a special device in memory, which can then be mounted as a normal file system. For this some dark kernel voodoo magic is needed.

The jffs2 file system comes in two flavours: little endian and big endian. Big endian file systems can't be mounted on little endian systems and vice versa. It might be necessary to convert the endianness of the file system with a program such as jffs2dump before you can access its contents.

The mtd-utils package contains all tools necessary to work with flash memory devices. One of the most useful tools is jffs2dump. With jffs2dump you can inspect the structure of file systems and change endianness, or dump the contents of the file system.

A rule of thumb is that if you dump the contents of the jffs2 file (using -c) and you get a lot of warnings, but no real data, you should supply one of the options -b (big endian) or -l (little endian), depending on the endianness of your own system.

Mounting over loopback is possible by first writing the contents of the file to an mtd device and then mounting it.

modprobe mtdcore
modprobe jffs2
modprobe mtdram
modprobe mtdblock
modprobe mtdchar
dd if=/path-to-jffs2-file of=/dev/mtd0
mount -t jffs2 /dev/mtdblock0 /tmp/mnt/

This should be enough to mount the file system. The default size that the mtd device can hold is 4 MB. Sometimes there are bigger jffs2 file systems than that and you have to supply a size parameter when loading the mtdram module:


modprobe mtdram total_size=8192

This will create a ramdisk sized 8 megabytes.
yaffs2

A recent file system is yaffs2. While it has so far been spotted on just a few devices, it is expected to be used a lot more in the near future on embedded devices. There is a unyaffs tool, but it will require some fiddling to actually unpack the data.


Executable files

Executable files are usually the "real" programs on a device. There are two types of executable files:

- scripts
- compiled programs

Scripts can be GPL licensed too, but since they tend to be human readable anyway this is often regarded as not having the highest priority.

The focus of GPL compliance engineering is mostly on compiled programs, which have been transformed from a human readable format into a machine readable format by a process called "compilation".


Compilation 101

Compilation is the process of turning a piece of human readable code into a machine executable program. It starts with someone writing a program in a programming language like C or C++. The compiler analyses the program (this is called "parsing") and translates it into object files. The object files are then linked into an executable, or into general purpose libraries, so they can be used by multiple programs.

There are two types of linking. The first one is static linking, where all functionality that is needed is compiled into one standalone binary file. This includes (parts of) the system C library and all other libraries that are needed to make the program run. Static linking is done at compile time.

Dynamic linking works differently. The linking phase is postponed until the program is actually executed. A program called the "dynamic linker" combines the program with the libraries that need to be loaded to make the program run.

License-wise there are no differences between the two (an often made mistake), but the reverse engineering process might differ.


Executable formats

There are a few types of executable formats you can find on an embedded device:

- ELF with/without gzip compression, stripped and not stripped
- Binary Flat format (bFLT) with/without gzip compression

The ELF format is the most common format. Most of the time the binaries will be "stripped", which means that all the debugging information has been removed from the file. If you are lucky the binary has not been stripped and all this information will still be there. This gives more clues about what is actually in the file.

A rare form of the ELF format is where the programs are compressed with gzip, after the ELF header. To get to the contents of the file you first have to extract the contents from the file. This is done in the same way as you would extract a file system which has been compressed with gzip.

The ELF format is an industry standard. There are a lot of tools which can be used to inspect ELF binaries from all kinds of platforms. The GNU binutils collection contains a few tools for doing exactly this: readelf and objdump.

One of the interesting sections in the ELF format is the so-called 'dynamic section'. In this section the dynamically linked libraries are listed:
$ objdump -x <file> | grep NEEDED

There is a lot more functionality that readelf and objdump offer, but the bulk of violations are not discovered that way.

Another format is the Binary Flat Format, or bFLT. It is the default on uClinux based systems and not used on normal Linux systems. This format is more space efficient than ELF, but also contains less information which can be used to identify strings inside programs. There are also fewer tools available with which you can inspect the binaries (other than just dumping the strings). As with the ELF format, there is a special variant which uses gzip compression that has to be unpacked first.
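What "objdump -x <file> | grep NEEDED" reads, as an added Python example that is not part of the original guide: it follows the ELF program headers to the dynamic section and resolves each NEEDED entry, for 32-bit and 64-bit files in either byte order, without relying on section headers. The function names and the constructed sample binary (which is not a runnable program) are assumptions for illustration.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def needed_libraries(data):
    """Return the DT_NEEDED library names of an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", data, 0x1c)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2a)

    loads, dynamic = [], None
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:   # 64-bit layout: type, flags, offset, vaddr, paddr, filesz
            p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
                end + "IIQQQQ", data, base)
        else:      # 32-bit layout: type, offset, vaddr, paddr, filesz
            p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
                end + "IIIII", data, base)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                          # statically linked: nothing to list

    fmt = end + ("qQ" if is64 else "iI")   # one dynamic entry: tag, value
    name_offsets, strtab_vaddr = [], None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(fmt)):
        tag, value = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name_offsets.append(value)     # offset into the string table
        elif tag == DT_STRTAB:
            strtab_vaddr = value           # virtual address, not a file offset
    if not name_offsets:
        return []

    # Translate the string table address to a file offset via PT_LOAD.
    strtab = None
    for vaddr, offset, filesz in loads:
        if strtab_vaddr is not None and vaddr <= strtab_vaddr < vaddr + filesz:
            strtab = strtab_vaddr - vaddr + offset
    if strtab is None:
        raise ValueError("DT_STRTAB is not inside a loadable segment")
    names = []
    for off in name_offsets:
        start = strtab + off
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def build_sample_elf():
    """Constructed 32-bit big endian ELF image with two NEEDED entries."""
    base = 0x400000
    strtab = b"\0libc.so.0\0libgcc_s.so.1\0"
    dyn_off = 52 + 2 * 32                  # ELF header plus two program headers
    str_off = dyn_off + 4 * 8              # four 8-byte dynamic entries
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x01\x02\x01" + b"\0" * 9 + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, base, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdrs = struct.pack(">IIIIIIII", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    phdrs += struct.pack(">IIIIIIII", PT_DYNAMIC, dyn_off, base + dyn_off,
                         base + dyn_off, 32, 32, 6, 4)
    dyn = struct.pack(">iIiIiIiI", DT_NEEDED, 1, DT_NEEDED, 11,
                      DT_STRTAB, base + str_off, DT_NULL, 0)
    return ehdr + phdrs + dyn + strtab


if __name__ == "__main__":
    print(needed_libraries(build_sample_elf()))
```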

Tools
The toolbox of a reverse engineer contains a lot of tools. The tool set can be divided in a few categories:

- file analysis tools
- tools for unpacking files and archives
- other tools

File analysis tools

hexdump

The hexdump utility is a very valuable tool for reverse engineering. It displays the contents of a file, with offsets and ASCII translations, if the '-C' option is used. It outputs via standard output, so you will need a pager, such as 'more' or 'less' to catch its output. Example output would look like this:


00012da0  20 64 6f 6e 65 2c 20 62  6f 6f 74 69 6e 67 20 74  | done, booting t|
00012db0  68 65 20 6b 65 72 6e 65  6c 2e 0a 00 1f 8b 08 00  |he kernel.......|
00012dc0  3b b2 2a 44 02 03 ec bd  7d 7c 54 57 b9 36 bc f6  |;.*D....}|TW.6..|

With this you can quickly spot interesting text ("kernel") and the gzip header ("1f 8b 08") immediately following it. Padding can easily be spotted because hexdump "compresses" this information for you by using '*':


00007ee0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00010000  27 05 19 56 af a1 29 38  44 2a b2 3f 00 0b 11 b8  |'..V..)8D*.?....|

file

The "file" tool quickly lets you determine what a file might contain. It does so by looking at the first so many bytes and comparing that with known signatures from the so-called "magic" file, which on a Linux system can usually be found in /usr/share/magic.


$ file main-fs main-fs: Squashfs filesystem, big endian, version 3.0, 9319589 bytes, 1498 inodes, blocksize: 65536 bytes, created: Fri Aug 10 14:33:39 2007

Oftenfirmwarewilljustshowupas"data":
$ file zImage zImage: data

Thisisbecauseafilesystemoftenhasaheaderorotherbytes(padding)putinfrontofit. Using"file"isnota100%foolproofmethod.Sometimesamatchforafilesystemor compressedfileisfound,whileinrealitythereisnofilesystemorcompressedfilethere.Also filewon'tdetecteveryfilesystem.Beforeyouuseit,alwaystrytohavethelatestversionof themagicdatabaseinstalledonyoursystem.


strings

The "strings" tool comes in handy when you want to extract readable strings from a binary file. The strings you extract from binaries are often gibberish, but the readable parts you can get out of a binary are often very helpful and contain function names, literal output written by programs (for example kprintf() statements), and so on. These strings, combined with a search engine or knowledge base of known strings, can reveal a lot.
grep

The "grep" tool is great for quickly finding strings in files (even binaries) that can be important. "Copyright" (with and without capitalization), "Free Software", "License", "GPL" and "General Public License" are good strings to search for. If you specify the command line option "-i" your searches will be case insensitive and quite a bit slower. I usually search for "icense", or "opyright", omitting the first character, which may or may not be capitalized. It often saves me a few minutes waiting.

Be warned, many filesystems contain special device files or symbolic links to /tmp or other parts of your own filesystem. If you're not careful you might be grepping on your whole computer, or 'grep' might be stuck on a special device file. A good idea is to first filter out the right files with for example "find" and then grep through them.
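The filtering step described above, as an added Python example that is not part of the original guide: it walks an unpacked filesystem, opens only regular files (so symbolic links and special files are never followed or read), and reports the printable strings that contain one of the guide's search terms. The function names and the sample tree are constructed for illustration; a FIFO stands in for a special device file because creating device nodes needs root.

```python
import os
import re
import stat
import tempfile

# Needles from the guide. "icense" and "opyright" drop the first letter so a
# single case-sensitive pass matches both capitalizations.
NEEDLES = (b"icense", b"opyright", b"GPL", b"Free Software")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # 4+ printable ASCII bytes


def regular_files(root):
    """Yield regular files below root without following symbolic links."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # lstat() inspects the entry itself, so symlinks, FIFOs and
            # device nodes are skipped without ever being opened.
            if stat.S_ISREG(os.lstat(path).st_mode):
                yield path


def license_strings(path):
    """Return the printable runs in one file that contain a needle."""
    with open(path, "rb") as handle:
        data = handle.read()
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(data)
            if any(needle in run for needle in NEEDLES)]


def scan_tree(root):
    """Map each relative path with hits to its list of matching strings."""
    report = {}
    for path in sorted(regular_files(root)):
        found = license_strings(path)
        if found:
            report[os.path.relpath(path, root)] = found
    return report


def build_sample_rootfs(root):
    """Constructed sample: two binaries, a symlink to /tmp and a FIFO."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "dev"))
    with open(os.path.join(root, "bin", "busybox"), "wb") as handle:
        handle.write(b"\x7fELF\x01\x02\x00Licensed under GPLv2.\x00\xff\xfe"
                     b"Copyright (C) sample authors\x00\x01xy\x00")
    with open(os.path.join(root, "bin", "blob"), "wb") as handle:
        handle.write(b"\x00\x01no match in this file\x00")
    os.symlink("/tmp", os.path.join(root, "tmp"))    # points out of the tree
    os.mkfifo(os.path.join(root, "dev", "console"))  # would block a reader


def run_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, strings in run_sample().items():
        print(path, strings)
```

Each file is read into memory in one go, which is fine for unpacked firmware but should be chunked for very large images.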
md5sum/sha1sum/sha256sum/sha512sum

Fingerprinting tools, like md5sum and other tools from the SHA family, come in handy for identifying files. They work by taking the contents of a file and creating a cryptographic checksum. Two files that are identical will have the same checksum.

Since the MD5 and SHA1 algorithms are known to have collisions (two files can have the same fingerprint) it is advised to use sha256sum or sha512sum instead.


Tools for unpacking files and archives

Compression/file format   Unpacking tool   Alternative                  Remarks
gzip                      gunzip           zcat                         zcat unpacks to stdout by default and needs to be redirected to a file
bzip2                     bunzip2          bzcat                        bzcat unpacks to stdout by default and needs to be redirected to a file
ZIP                       unzip
lzma                      lzcat            unlzma                       lzcat unpacks to stdout by default and needs to be redirected to a file
tar                       tar
cpio                      cpio
Windows executable        7z               cabextract, unshield, WINE   often the quickest way to extract files is by using WINE
RAR                       unrar
7zip                      7z
rpm                       rpmdevtools      rpm2cpio

bzip2/bzcat

Data compressed with bzip2 can be easily found by searching for the string "BZh" inside the firmware image.
gzip/zcat

A gzip header as used in most devices starts with the header "1f 8b 08" (hexadecimal). Using "hexdump -C" these can be easily found. If you look with vi or vim, then these three characters are formatted as "^_<8b>" by vim. Files can be easily unpacked by using zcat and redirecting output to a file:


$ zcat infile > outfile

unzip

Normal ZIP files can be unpacked using the unzip program. In firmwares ZIP compressed parts normally start with PK. Some Windows executables can also be unpacked with unzip.

lzma

A technique that is becoming increasingly popular is LZMA compression. Its claim is that it offers better compression than other compression techniques. There is support for LZMA decompression in various bootloaders and it is fairly popular for Squashfs filesystems as a replacement for zlib compression.

An example from a file that uses LZMA compression:

00000020  4c 69 6e 75 78 20 4b 65  72 6e 65 6c 20 49 6d 61  |Linux Kernel Ima|
00000030  67 65 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |ge..............|
00000040  5d 00 00 00 02 00 b0 2a  00 00 00 00 00 00 00 6f  |]......*.......o|

The LZMA compressed file can be recognized by the sequence '5d 00 00', at hex offset 0x040. Unpacking can be done by the 'lzcat' or 'lzma' tools. It does not support offsets, so in this case the first 64 bytes should be removed, after which it can be unpacked:


$ lzma -cd infile > outfile

Another tool that is convenient is 'lzmainfo', which gives a lot of information about a file compressed with LZMA:
$ lzmainfo lzma-file

lzma-file
Uncompressed size:             3 MB (2797568 bytes)
Dictionary size:               32 MB (2^25 bytes)
Literal context bits (lc):     3
Literal pos bits (lp):         0
Number of pos bits (pb):       2
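The signature search and offset handling from the bzip2, gzip, unzip and lzma sections, as an added Python example that is not part of the original guide: it scans an image for the magic values named above, decodes the 13-byte .lzma header (the same fields lzmainfo prints) and decompresses from an offset without cutting off the leading 64 bytes first. The function names and the sample image are constructed for illustration; only GUIDE_ROW_0X40 is copied from the hexdump above.

```python
import gzip
import lzma
import struct

# Signatures named in the guide. ZIP uses the full local-file-header magic
# "PK\x03\x04" instead of bare "PK" to reduce false hits.
SIGNATURES = {"gzip": b"\x1f\x8b\x08", "bzip2": b"BZh", "zip": b"PK\x03\x04"}
LZMA_HINT = b"\x5d\x00\x00"  # the '5d 00 00' sequence from the hexdump

# Row 0x40 of the guide's LZMA hexdump, copied byte for byte.
GUIDE_ROW_0X40 = bytes.fromhex("5d 00 00 00 02 00 b0 2a 00 00 00 00 00 00 00 6f")


def parse_lzma_header(data, offset=0):
    """Decode the 13-byte header of a legacy .lzma stream, or return None."""
    raw = data[offset:offset + 13]
    if len(raw) < 13:
        return None
    props, dict_size, size = struct.unpack("<BIQ", raw)
    if props >= 9 * 5 * 5 or dict_size == 0:
        return None  # not a valid lc/lp/pb encoding
    return {
        "lc": props % 9,
        "lp": (props // 9) % 5,
        "pb": props // 45,
        "dict_size": dict_size,
        "uncompressed_size": size,  # 2**64 - 1 means "unknown"
    }


def find_all(data, needle):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan_signatures(data):
    """Return sorted (offset, kind) candidates; hits are hints, not proof."""
    hits = [(off, kind) for kind, magic in SIGNATURES.items()
            for off in find_all(data, magic)]
    hits += [(off, "lzma") for off in find_all(data, LZMA_HINT)
             if parse_lzma_header(data, off)]
    return sorted(hits)


def carve_lzma(data, offset):
    """Decompress the .lzma stream at offset, ignoring bytes that follow it."""
    decoder = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    return decoder.decompress(data[offset:])


def build_sample_image():
    """Constructed sample: 64-byte header, LZMA kernel, 0xff padding, gzip."""
    header = b"Linux Kernel Image".ljust(64, b"\x00")
    kernel = b"done, booting the kernel.\n" * 40
    packed = lzma.compress(kernel, format=lzma.FORMAT_ALONE)
    image = header + packed + b"\xff" * 32 + gzip.compress(b"rootfs")
    return image, kernel


if __name__ == "__main__":
    print(parse_lzma_header(GUIDE_ROW_0X40))
    image, kernel = build_sample_image()
    for off, kind in scan_signatures(image):
        print(f"0x{off:08x} {kind}")
    print(carve_lzma(image, 64) == kernel)
```

As with "file", short signatures can match by accident inside compressed data, so every reported offset still has to be confirmed by actually unpacking from it.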

unrar

The RAR archiving format is very popular on Windows, because of its (claimed) superior compression rates. A lot of source archives are distributed in this format. To unpack these files on Linux/Unix you should use the "unrar" program. This program is distributed as freeware and there is currently no free software alternative.


cabextract

The "cabextract" utility is a program to extract cabinet (.cab) archives. This is an archive format which is commonly used on Microsoft Windows. Since GPL license violations are not limited to just Unix(-like) platforms, but also can occur on Microsoft Windows this is a useful tool to have. Some ActiveX components, for example to make an IP camera work with Internet Explorer, are distributed as a cabinet archive. Sometimes firmware updates for Linux-based devices are also shipped inside a Microsoft Windows executable.


unshield

The "unshield" utility is used to extract InstallShield cabinet files. These files are a variant of the .cab archives that "cabextract" cannot extract. As of the time of writing the officially released version of unshield cannot extract all types of InstallShield files. There are patches available in the source code repository for unshield that add this type of functionality.


rpmdevtools/rpm2cpio

Sometimes source code archives contain files in the RPM format. RPM is the native format for the installer on various Linux distributions. In some source archives for devices the sources are distributed as RPM files. With rpm2cpio the RPM file can be converted to a cpio archive, which can be extracted using cpio. A recent development is rpmdevtools, which allows easy unpacking of RPMs. Since RPM will move to a new internal format (using 7z) this is the preferred way.


Other tools

binutils
ldd (part of a C library, like GNU libc)
any editor that can read in binary files, such as vi or emacs
base64

binutils

The binutils package contains several useful tools to inspect binaries, such as readelf and nm.

ldd

The ldd tool prints shared libraries for a dynamically linked executable.

editor

A proper editor is used if you want to edit files and extract parts. Alternatively, a tool such as dd can be used.

Physical access
The final part of compliance engineering work is getting physical access to a device. Sometimes the bootloader is not shipped in a firmware update and can only be accessed through a serial console or JTAG. Often a GPL licensed bootloader is used on a device. If you don't perform a check using a serial port, it can easily be missed.

Serial console
Many devices have a serial port, or a serial port can be attached to it without too much effort. A serial port is used during development of the device. The firmware of the device often lets you log in on the device via the serial port when you connect to it through a serial cable, or gives you a root shell on the device directly. This is not always guaranteed to work. In some devices no output is sent to the serial port during booting, or once the device has booted.
Attaching a serial cable to a router

You can log on to the serial port by using a cable, attaching one side to the serial port on the router and the other side to the PC, either a serial port on the motherboard, or a serial-USB converter.

WARNING: Many routers work on 3.3 Volts, while a serial port on a PC works on 12 Volts. You need a special cable which can shift between the two voltages or you risk blowing up the device.

There are special kits (MAX232) to make so-called "level shifters", that take care of the voltage difference. Old Siemens phone cables also work. Some online shops sell RS232 shifters:

http://www.sparkfun.com/commerce/product_info.php?products_id=449

Illustration 1: Pre-made level shifter.

Before you can connect the onboard serial port to a PC you often have to solder header pins onto the solder pads for the serial port. Often there are four or more solder pads next to each other on a device, sometimes even labeled as "serial", "COM1", or equivalent. These header pins can be obtained at any decent electronics store, for a few cents per pin.

Illustration 2: A row of 36 header pins.

Illustration 3: Solder pads for a serial port on a device, without header pins

Some vendors try to hide these solder pads to make physical access to the device harder. Luckily most vendors simply don't care and in some of the devices you can already find pin headers soldered onto the solder pads.

Illustration 4: Serial port with header pins pre-soldered.

Of the solder pads usually only four are needed:

GND (ground)
Tx (transmit)
Rx (receive)
VCC

These can be mapped to equivalent ports on a serial port on the PC. Different boards have different layouts, often varying between models and revisions.

A serial port can be discovered by using a multimeter to measure the voltage on the pins or solder pads.

GND: 0 volts
VCC: 3.3 volts
Tx/Rx: variable

Many boards use a default layout and people have already made the effort of finding out where the ports on a wide variety of boards are located. The OpenWrt wiki is a great (though somewhat chaotic) resource for this. It is advised to always verify with a multimeter if the information is correct.

The next step is having a proper cable. A cheap solution is to use CD-ROM audio cables. Some of these have connectors that can easily be reused. The connectors look like this:

Illustration 5: CD-ROM audio cable.

The black clips that are holding the connectors can easily be lifted, so the cable, plus connector, can be removed by simply pulling the cable. The connectors can then be attached to the pins on the serial port.

Illustration 6: Modified CD-ROM audio cable attached to header pins.

Accessing the serial port

When the serial cable has been properly attached to the router it can be accessed using a serial communication program. The most popular one on Linux is called 'minicom'. Not all serial ports use the same speed (or 'baud rate'). Popular baud rates are 9600, 38400, 57600 and 115200.

JTAG
Some devices can only be accessed through JTAG.

What violations to look for


A lot of packages are common on most devices. Depending on the package concerned, different techniques will have to be employed to find violations. A few common ones are described below.

Linux kernel modules


One of the grey areas of Linux kernel licensing has been kernel modules. There are a lot of kernel modules which are not licensed as GPL. In the past there have been ongoing discussions whether or not the modules should be GPL licensed.

One of the first measures to clarify the status is the use of a "license" macro in kernel modules:

# strings rt2500.o | grep license
license=GPL

Modules that have set this macro will have access to more internals of the kernel. Licensing of modules that have this macro set should never be an issue.

With regard to other modules opinions differ. Greg Kroah-Hartman, one of the leading Linux kernel developers, told me in a personal email on 14 October 2007:

[I]t's quite simple, me, and my lawyers feel that there is NO way to have a Linux kernel module that is not under the GPLv2. To do so otherwise violates the license of the kernel, and my copyrights. But it's not only me that says this, Novell and IBM have publicly stated this in the past, as well as HP (well, they kind of murmured it, but have said so in person.) Red Hat also states this, as well as a number of key Linux kernel contributors and holders of copyright on the kernel.

The Linux Foundation also issued a statement on closed source drivers and modules on June 23 2008:

http://www.linuxfoundation.org/en/Device_driver_statement

Appendix C of the book "Building Embedded Linux Systems" (1st edition), published by O'Reilly, also has 11 pages dedicated to how kernel developers see the legal status of binary kernel modules. Although the mails are dated (in the time period 1999-2002) and the authors of the mails are not legal professionals, they do provide an insight into the subject.

busybox
Busybox is a program that combines a lot of functionality of programs into one, while leaving out the more advanced features of many of the GNU tools. It is the Swiss army knife of embedded Linux and nearly default on embedded Linux devices. It works by making a symlink from a program to the busybox binary. Depending on the name under which it is invoked it will behave differently.

By default not all functionality is built into busybox. At compilation time a configuration (much like the configuration for the Linux kernel, using a curses-based interface) is read to determine which functionality should be built into busybox. The configuration commonly resides in a file called ".config". The configuration file is written after the configuration utility is run.

Options that are enabled are set like this in the configuration file:


CONFIG_CAT=y

Options that are disabled are set as:
# CONFIG_CHGRP is not set

Inside the busybox binary you can find hints about which configuration is used, depending on things like the version of busybox that is used. Sometimes the string "Currently defined functions" is followed by a list of functions, which maps more or less directly to the configuration of busybox. In other cases a shell command like the following might be more useful (note: this only works for busybox executables linked with uClibc):


$ strings busybox | grep _main | sort

This should give you a list with various function names, like:

vi_main
wc_main
wget_main
which_main
yes_main

The part before '_main' matches with the name of the applet (executable), which can easily be matched with the busybox configuration. Vice versa this is not always true, since some configuration options are just options to tweak applets, not to build new ones.

In general, the symlinks to the busybox binary and the functions defined in the binary should match the busybox configuration, or else it is a violation of the license.
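The cross-check described above, as an added Python example that is not part of the original guide or of busybox: it collects the '_main' names from a binary, reads a shipped ".config", and lists every applet or symlink whose option is not enabled there. Mapping an applet name to CONFIG_ plus the upper-case name is an assumption that follows the CONFIG_CAT example; the binary blob, configuration and symlink list are constructed samples.

```python
import re

# An applet entry point as it appears in `strings busybox | grep _main`.
MAIN_SYMBOL = re.compile(
    rb"(?<![A-Za-z0-9_])([a-z][a-z0-9_]*)_main(?![A-Za-z0-9_])")
ENABLED = re.compile(r"^(CONFIG_[A-Z0-9_]+)=y$")
DISABLED = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")

# Constructed sample inputs (not taken from a real device).
SAMPLE_BINARY = b"\x7fELF\x00" + b"\x00".join(
    name + b"_main" for name in
    (b"cat", b"ftpget", b"vi", b"wc", b"wget", b"which", b"yes")
) + b"\x00__uClibc_main\x00Currently defined functions:\x00"

SAMPLE_CONFIG = """\
CONFIG_CAT=y
# CONFIG_CHGRP is not set
CONFIG_VI=y
CONFIG_FEATURE_VI_COLON=y
CONFIG_WC=y
# CONFIG_WGET is not set
CONFIG_WHICH=y
CONFIG_YES=y
"""

SAMPLE_SYMLINKS = {"cat", "vi", "wc", "wget", "which", "yes"}


def applets_in_binary(data):
    """Return the sorted applet names found as <name>_main in the binary."""
    return sorted({m.group(1).decode("ascii")
                   for m in MAIN_SYMBOL.finditer(data)})


def parse_config(text):
    """Split a busybox .config into enabled and explicitly disabled options."""
    enabled, disabled = set(), set()
    for line in text.splitlines():
        line = line.strip()
        on, off = ENABLED.match(line), DISABLED.match(line)
        if on:
            enabled.add(on.group(1))
        elif off:
            disabled.add(off.group(1))
    return enabled, disabled


def check_busybox(binary, config_text, symlink_names):
    """List (source, applet, option, state) for applets the config lacks."""
    enabled, disabled = parse_config(config_text)
    findings = []
    for source, names in (("binary", applets_in_binary(binary)),
                          ("symlink", sorted(symlink_names))):
        for name in names:
            option = "CONFIG_" + name.upper()  # assumed applet-to-option naming
            if option not in enabled:
                state = "disabled" if option in disabled else "absent"
                findings.append((source, name, option, state))
    return findings


if __name__ == "__main__":
    for finding in check_busybox(SAMPLE_BINARY, SAMPLE_CONFIG, SAMPLE_SYMLINKS):
        print(*finding)
```

Only the applet-to-option direction is checked, so options that merely tweak an applet (CONFIG_FEATURE_VI_COLON in the sample) never produce a finding.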

C libraries
A Linux system is not complete without the so-called C library, which contains functionality every program on the system, apart from the Linux kernel itself, is using one way or another. There are two C libraries on Linux that are popular on embedded Linux systems (except Android phones): glibc and uClibc. Another C library that is sometimes (but not often) used is dietlibc. Both glibc and uClibc are LGPL licensed, while dietlibc is GPLv2 licensed. For many embedded devices sources for these libraries are missing, because the C library is often part of the so-called toolchain.

Toolchain
An often overlooked part in the compliance process is the toolchain. A toolchain is the combination of a compiler, C library, header files and binutils that can translate programs written by a programmer to something a computer understands.

The compiler parses, checks and translates the source code and generates machine-readable code for the platform it was told to generate code for. In most cases, that is the same platform it is running on. So, for example, on my PC I compile a program with the standard compiler that Fedora 11 ships. The output of the compilation process will be a program that can run on my PC. If I would be developing for another platform, based on the MIPS or ARM architecture (or another platform, or another operating system) I would have to instruct my compiler to generate code that will run on that platform, because programs for my Intel x86-based PC will not run on a box that uses a MIPS CPU and runs NetBSD. For this you need a special setup of compiler, plus assembler and linker (found in GNU binutils) that can generate code for a specific platform and a C library to turn it into a working executable. This is not something the standard compilers on standard Linux distributions do by default (note: toolchains are not specific for embedded devices. The combination of compiler, binutils, C library and header files on my normal PC is also a toolchain).

The task of building a cross-compiler is not trivial and quite tricky to get right (it even gets a lot more fun when you try to cross-compile a cross-compiler). There are a lot of build environments that make it easy to build a complete development environment for a certain platform, including a proper toolchain. OpenWrt and buildroot are two popular ones, but a lot of vendors have their own build environment, which is shipped as part of a Software Development Kit (SDK). These SDKs, while containing a lot of GPL and LGPL licensed code, are often (partially) included in source distributions in binary form, or not shipped (many vendors have proprietary tools inside the toolchain and don't allow their customers to redistribute the SDK), often resulting in missing sources for the (LGPL/GPL licensed) C library.

Some vendors, such as Broadcom, have adapted the GNU Compiler Collection (GCC) and GNU binutils to take advantage of/use specific characteristics of their CPU. Without these extensions to the compiler you will never be able to create a new program and run it on a machine with code generated with that compiler (the situation might not be as black and white as I put it here, but it makes things definitely a lot harder).

It is an ongoing debate whether or not the toolchain itself should be shipped with a source tarball as part of the obligations described in the GPL. Some people say it should be, since without it it is very difficult and sometimes even impossible to build a new executable for a device without having access to the exact cross-compiler that was used for building the software. Other people say that because only the result of the toolchain is distributed, the toolchain does not need to be distributed.

It is beyond any doubt that if a toolchain is available in binary form in the GPL sources for a device and it contains GPL or LGPL code (gcc, binutils, glibc, uClibc or dietlibc) the licenses should be adhered to.

Bootloaders
There are a few GPL licensed bootloaders that are popular in current embedded products. In compliance engineering these are often overlooked.

Bootloader platforms comments

PPCBoot ARMboot u-boot RedBoot

PowerPC ARM various various

discontinued, but still used occasionally

originally from eCos, modified GPL license

To find out if these bootloaders are used it is often necessary to access the device through the serial port.

Physical compliance
The physical compliance requirements various licenses have are often overlooked. Compliance engineering is not complete without an inspection of the documentation that is shipped with a device.

The GPL and LGPL licenses require that a copy of the license is shipped with the device, either physically (for example, as part of the manual) or on a documentation CD-ROM. Quite often a device is not shipped with either of them, or just the GPL, even if LGPL licensed code is in use, which is the case in nearly all Linux-based devices (a notable exception is Android-based phones).

Compliance engineering on Microsoft Windows
Most GPL violations we know of are on embedded systems running Linux. There appear to be plenty of violations in programs that run on Microsoft Windows too. The reason that these violations are fairly unknown is that they have never been a focal point for compliance engineering, mostly due to lack of research into this area.

Common violations
A common report is of shareware programs, like CD/DVD burning programs, or music players, that are being distributed in a GPL-incompliant way. The 'creators' of those programs tend to be rather immune to requests for the source code and keep happily violating the GPL and LGPL licenses.

Other reported violations are programs using parts of Cygwin, for example in management software for various expensive access points. Other common violations are using the GPL licensed versions of the Qt toolkit or XviD.

An interesting area of research for violations is in ActiveX components that are shipped with for example IP cameras or routers. The ActiveX components are on the device itself and are downloaded by the web browser from the device to get some extra functionality, such as viewing data, or controlling a camera. This is software too and it should also be checked for violations.

Tools
There are a few common archive formats for Windows executables and shared libraries. Which one is used depends on which packaging program was used.

Zipped executables
Quite often files with the '.exe' extension are in fact self-extracting executables which have been compressed using ZIP. These can easily be extracted with the 'unzip' program. After unpacking other methods can be used to further investigate the contents.

Cabinet files
A common archiving format for Windows executables is the 'cabinet archive'. A cabinet archive often has the .cab file extension. On Unix systems the "cabextract" and "unshield" tools can be used to extract these files.

MSI files
Another file format that is used a lot is the Microsoft Installer Format, which can be recognized by the .msi file extension. Often you can extract the data from the MSI using the '7z' program. Sometimes this will not work and you will have to try other methods (like the one described next). Extracting a .msi file directly with cabextract will usually get you the file names, but not the content of those files.

After unpacking with 7z you will usually see a lot of files that were inside the MSI file, such as resources (pictures, help files) but also shared libraries (DLL) and cabinet archives, which can be extracted as described above.

Wine
A very useful tool to extract data from Windows installers is Wine. During installation data such as archives are written to temporary locations in the filesystem (C:\windows\temp\). During or after installation these archives or the binaries on the system can be easily copied to another place and analysed using one of the methods described above.

Other tools
On Windows different file formats are used than on Linux and most tools described earlier in this document to inspect binaries won't work. For example, on Linux the ELF executable format is primarily used, but on Windows the PE executable format is used. Binaries in PE format keep their data in a different form, in such a way that tools like "strings" are often not successful for extracting interesting data. A PE decompiler or disassembler would be needed to extract this information. Right now there is no free software PE disassembler that is mature and easy to use.

Cygwin compliance engineering


Cygwin is a program which provides a real POSIX-compliant system for Microsoft Windows. Cygwin is dual licensed under GPL. Red Hat also sells Cygwin under a proprietary license. A lot of GNU packages have been ported to Cygwin. Packages that need Cygwin to run have included a DLL (dynamic link library) with POSIX compatibility code in it.

A Windows program can be easily detected using the 'file' command:

$ file a_program.exe
a_program.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

The contents of a file can be checked with the 'strings' program:

$ strings a_program.exe | grep cygwin
cygwin_internal
cygwin1.dll
_cygwin_crt0
__cygwin_crt0_common@8
_cygwin_premain3
_cygwin_premain2
_cygwin_premain1
_cygwin_premain0
___cygwin_crt0_bp
_cygwin_internal
_cygwin1_dll_iname
__head_cygwin1_dll
__imp__cygwin_internal

This is a clear indication that Cygwin is used.

Experiences
Experience from several years of looking through several hundreds of source archives has shown that there are a few easy targets to look for in GPL compliance. These targets can serve as a very simple litmus test for GPL compliance. One easy target is the toolchain. Often a binary-only toolchain is shipped in a GPL archive, without sources. For other tools, like the ones to create an actual filesystem (mksquashfs with or without LZMA compression, mkfs.jffs2, genromfs, mkcramfs) the sources are missing quite often too.

Another common violation is lack of bootloader sources (if a GPL licensed bootloader is used on the device) and add-on packages which were not part of the original SDK the vendor got from upstream.

A tricky source of violations, which is hard to explain to vendors, is when "extra software" is shipped in the GPL sources that is not present on the device. It often happens that a certain software stack for a particular board is used for developing various types of devices for various vendors. Traces of different devices, with different software, can show up in the GPL sources for a device, for example in the form of a filesystem with precompiled binaries, that was accidentally left in. While technically not interesting if you only want to tweak the software, this is a source for license violations. It is hard to explain to vendors, because in their eyes all the software that is on the device is in the GPL tarball, in a GPL compliant way.

Appendix A: GPL checklist


This is a small checklist for making sure a device is GPL compliant:

1. Check the bootloader for GPL compliance. Use the list from the 'bootloader' section. If one of the bootloaders mentioned there is used, hunt down the sources.
2. Check if the device is GPL and LGPL compliant.
3. Check if the sources that are shipped are GPL and LGPL compliant (complete and not shipping more than necessary).
4. Check the documentation shipped with the device if it complies with GPLv2 section 1 and LGPLv2 section 1.

Appendix B: Reporting and fixing license violations
This guide presents some practical tips for solving common Free Software license compliance issues. It is not legal advice, and if in doubt, you should contact a qualified lawyer.

Reporting a violation
Be careful when reporting a violation. Accusations and suspicions voiced on public mailing lists create uncertainty and do little to solve violations. By checking your facts you can help experts resolve violations quickly.

Useful violation reports to companies about a potentially infringing product should contain:

The name of the product affected
The reason why a violation is believed to exist
The name of the project code that may have been violated
A statement regarding what licence this code is under
A link to the project site

Useful violation reports to organisations like gpl-violations.org or the FTF should contain:

The name of the project code that may have been violated
A statement regarding what licence this code is under
A link to the project site
The name and website of the party who may be violating the code
The reason why a violation is believed to exist

Additional tips:

Please do not forward long email threads. They make it difficult to assess the situation.
If you have clear evidence of a violation it is a good idea to tell the copyright holders. They can take legal action if necessary.

You can send violation reports to:

gpl-violations.org: license-violation@gpl-violations.org
FSFE's Freedom Task Force: ftf@fsfeurope.org

Handling a violation report
It is important to handle violation reports carefully. Free Software development focuses on community engagement and clear communication. That means it is important to respond to issues reported, even if your reply is initially brief. This helps prevent escalation.

Here are some useful steps:

Confirm you have received any reports sent in and inform the reporter you are looking into the case
If the report was made on a public forum try to move the discussion to a non-public space as soon as possible
Isolate the precise problem. If you don't already have the information, ask the reporter for:
    The name of the product affected or the exact code causing a problem
    The reason why a violation is believed to exist
    The name of the project code that may have been violated
    A statement regarding what licence this code is under
    A link to the project site
Send updates to the reporter when they are available

Please bear in mind:

Not every reporter understands licences fully and there may be mistakes in their submissions
Compliance with the terms of the licences is not optional and lack of compliance can have serious consequences
You can hire compliance engineers or purchase compliance services from third parties if necessary

You can get more information about best practice in this field by contacting:

FSFE's Freedom Task Force: ftf@fsfeurope.org

You can obtain compliance engineering support by contacting:

Loohuis Consulting: http://www.loohuisconsulting.nl/GPL/

Preventing a violation
The best way to fix violations is to prevent them occurring.

Useful tips:

Read the licences you will use
Check out the websites explaining these licences
Get advice from experts

Useful tips for supply chain management:

If third parties supply you with code, ensure you have licence compliance stipulated in your contracts
Ask suppliers to bear the cost of resolving violations

For more information you can contact:

gpl-violations.org: legal@lists.gpl-violations.org
FSFE's Freedom Task Force: ftf@fsfeurope.org

Copyright note
This appendix: copyright (c) 2008 Armijn Hemel, Shane Coughlan

This work is available under the Creative Commons Attribution-No Derivative Works 3.0 Unported licence.

Appendix C: Commercial compliance engineering
This documentation was made by Armijn Hemel at Loohuis Consulting, while doing research for gpl-violations.org.

Loohuis Consulting is specialized in tailor-made hosting, development, training and consultancy.

Loohuis Consulting is one of the few companies in the world to offer GPL compliance engineering as a service. The increased use of Free Software requires an understanding of the licenses in use as well as best practice in deployment, deployment processes and compliance. Loohuis Consulting employees have practical experience in this field, especially with regards to embedded devices.

Loohuis Consulting is also one of the leading experts on Universal Plug and Play security. Our employees are pioneers in undertaking security audits on devices using Universal Plug and Play and have written award-winning papers and given numerous presentations on the subject.

For more information please visit the Loohuis Consulting website: http://www.loohuisconsulting.nl/
