
Snoop out GPL violations like a hacker

Oct 22, 2008 — by Eric Brown — from the LinuxDevices Archive

Germany-based GPL-Violations.org has published a guide describing how to identify GPL- or LGPL-licensed open source software in embedded devices. Written by Armijn Hemel, the “GPL compliance engineering guide” offers tips and tricks for tracking down GPL code in firmware ranging from bootloaders to… executables.

[Photo: the SMC Networks WSKP100 VoIP phone at the center of GPL-Violations.org's successful suit against Skype]

Founded by open source expert Harald Welte, GPL-Violations.org has prevailed in several lawsuits over violations of the GNU GPL (GNU General Public License), the most popular open-source software license in the world. The organization says its new compliance guide can be used by hackers to identify code violations more easily. The guide may also come in handy for vendors who want to analyze third-party components for license compliance. The typical violation occurs when embedded device firms or their distributors fail to supply copies of both the source code and the GPL license text, as the GPL requires.

The Guide

Hemel starts out by explaining why there are so many GPL violations in embedded devices that incorporate GPL code (typically Linux-based devices). First, he says, the process of compliance-checking takes several days if all goes well, and can take weeks or months if additional manufacturers contributing to the product drag their feet. In a hot consumer electronics market, where devices see their best sales in the first few months, such delays can spell trouble, writes Hemel.

According to Hemel, compliance checking costs about 1,200 Euros (~$1,500). While this is not a great deal of money for a product company, product development budgets are notoriously tight. And, organizations like GPL-Violations and the SFLC typically request compliance multiple times before actually suing, which may lead some companies to take the risk.


[Photo: Actiontec's MI424WR wireless router, which broke the rules]

Yet, with hacker projects and non-profit legal support groups getting more rigorous about “outing” companies and filing lawsuits against GPL violators, such a gamble looks less compelling every day. After GPL-Violations.org won several cases, including a successful suit against Skype over distributing SMC Networks's WSKP100 VoIP phone (pictured at top), a similar (and similarly successful) U.S. group called the Software Freedom Law Center (SFLC) has racked up one settlement after another on behalf of the developers of BusyBox. Even mighty Verizon settled with the SFLC when it was discovered that Actiontec's MI424WR wireless router (pictured at right), used by Verizon's FiOS customers, violated the GPL.

The compliance guide explores the tools and techniques for dissecting firmware for code violations, and in some cases physically modifying a device to log in via a serial port to discover hidden violations. Discussed tools can be used to analyze:

  • Boot sequence and bootloaders
  • Compression techniques
  • File systems, including Squashfs, Ext2/ext3, Cramfs, and Jffs2
  • Executables

The guide then goes on to explain the tools that GPL-Violations.org uses to analyze these components, including:

  • hexdump
  • strings
  • grep
  • bzip2/bzcat
  • gzip/zcat
  • lzma
  • cramfsswap
  • mtd-utils
  • unrar
  • md5sum/sha1sum/sha256sum/sha512sum
  • cabextract
  • unshield
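The first pass those tools perform by hand (hexdump for magic bytes, strings and grep for telltale banners, sha256sum for comparing carved regions against known builds) can be scripted. The following is an added illustration written for this article, not code from Hemel's guide; the firmware image it scans is constructed inline and the marker list is an assumption.

```python
"""Quick firmware-image triage: locate embedded container/file-system magic,
list GPL-indicative strings, and hash each carved region for comparison."""
import hashlib
import re

# Well-known magic values for formats the guide discusses.  LZMA "alone"
# streams carry no magic and are therefore not detected by this table.
SIGNATURES = {
    "uimage":   [b"\x27\x05\x19\x56"],                      # U-Boot legacy header
    "gzip":     [b"\x1f\x8b\x08"],
    "bzip2":    [b"BZh"],
    "xz":       [b"\xfd7zXZ\x00"],
    "squashfs": [b"hsqs", b"sqsh"],                         # LE / BE superblock
    "cramfs":   [b"\x45\x3d\xcd\x28", b"\x28\xcd\x3d\x45"], # LE / BE 0x28cd3d45
    "jffs2":    [b"\x85\x19\x01\xe0", b"\x85\x19\x02\xe0"], # LE dirent / inode node
    "elf":      [b"\x7fELF"],
}
# Strings that usually mean GPL/LGPL code is present (assumed marker list).
MARKERS = [r"Linux version \d", r"BusyBox v\d", r"GNU General Public License",
           r"GNU Lesser General Public", r"uClibc", r"GNU C Library"]

def scan_magic(data):
    """Return (offset, format) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, magics in SIGNATURES.items():
        for magic in magics:
            off = data.find(magic)
            while off != -1:
                hits.append((off, name))
                off = data.find(magic, off + 1)
    return sorted(hits)

def gpl_indicators(data, min_len=8):
    """Mimic `strings -n 8 | grep <markers>`; return (offset, string) pairs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        text = m.group().decode("ascii")
        if any(re.search(p, text) for p in MARKERS):
            found.append((m.start(), text))
    return found

def carve_and_hash(data, hits):
    """Split the image at each magic hit and sha256 the pieces (cf. sha256sum),
    so a region can be compared against hashes of known package builds."""
    bounds = [off for off, _ in hits] + [len(data)]
    return [(name, off, bounds[i + 1] - off,
             hashlib.sha256(data[off:bounds[i + 1]]).hexdigest())
            for i, (off, name) in enumerate(hits)]

# Constructed sample image (not a real firmware): uImage header, gzip member
# header, kernel banner, squashfs magic, ELF header, BusyBox and GPL banners.
SAMPLE = (b"\x27\x05\x19\x56" + b"\x00" * 60 + b"\x1f\x8b\x08" + b"\x00" * 29
          + b"Linux version 2.6.21 (builder@host) #1\x00" + b"\x00" * 8
          + b"hsqs" + b"\x00" * 28 + b"\x7fELF\x01\x01\x01" + b"\x00" * 9
          + b"BusyBox v1.4.2 (2007-06-10) multi-call binary\x00"
          + b"This program is free software under the GNU General Public License\x00")

if __name__ == "__main__":
    for name, off, size, digest in carve_and_hash(SAMPLE, scan_magic(SAMPLE)):
        print(f"{off:#08x} {name:9s} {size:6d} bytes sha256={digest[:16]}...")
    for off, text in gpl_indicators(SAMPLE):
        print(f"{off:#08x} {text}")
```

Each reported region would then be handed to the matching unpacker (zcat, unsquashfs, cramfsswap, and so on) for the real inspection the guide describes.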

Hemel next offers an explanation of physical access methods, including using the serial console or JTAG connectors, complete with close-up photographs of connections. He also discusses Linux kernel modules, BusyBox, and other relevant software packages, and concludes with the best techniques for approaching a company if a violation is encountered.

Availability

GPL-Violations.org's freely available, 26-page “GPL compliance engineering guide” should be available as a PDF file, here.

In August, meanwhile, the SFLC published a more legalistic guide on how to identify GPL code violations and what to do when one is discovered. Written by Bradley Kuhn, Aaron Williamson, and Karen Sandler, the SFLC's “A practical guide to GPL compliance” should be available here.


 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.


