This talk will begin with a presentation of the state of free boot software for the MT8173, as developed by Google within the ChromiumOS project for CrOS devices (which will also be briefly presented). It will then focus on the only remaining proprietary part of that boot chain: the MT8173 PCM firmwares. A brief description of the PCM processor and of the critical role it plays in the chip's power management, through dedicated firmwares, will then be given. This will explain why these firmwares are critical and can hardly be avoided for proper operation of the chip and of the devices that use it. The introduction will thus have highlighted the need to liberate these firmwares, one way or another, in order to achieve a functional, fully free boot chain.
The different approaches to liberating the MT8173 PCM firmwares will subsequently be presented, along with the various show-stoppers encountered. A sudden realization regarding the firmwares' licenses, which turned out to be a game-changer, will then be highlighted. The new path to liberation it opened will be detailed through all the technical aspects it involved. These consist of discovering an unknown and undocumented ISA (Instruction Set Architecture) from the binary firmwares alone, and will be presented in depth through the series of steps that were carried out. Most of these steps will be presented in chronological order, from discovering the first instruction to refining the understanding of the instructions' binary structure. The tools that were developed to ease this work will also be mentioned, as well as the test setup required for discovering new instructions.
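As an added illustration of the kind of first step such ISA discovery involves (this is not the speaker's tooling and says nothing about the actual PCM encoding), the script below profiles an opaque blob as a stream of fixed-width instruction words: it finds bits that never change (reserved or padding candidates) and slides a window across the word looking for a field that varies but only ever takes a small repertoire of values, which is what an opcode field looks like, while immediates and register numbers spread over nearly all their possible values. The blob it analyses is constructed with a made-up encoding so the result can be checked; the 32-bit little-endian word size is an assumption, to be tried against 16-bit and big-endian on a real firmware.

```python
"""Bit-field profiling of fixed-width instruction words in an opaque blob.

Added illustration, not the speaker's or the ChromiumOS project's tooling.
Assumption: the firmware is a stream of fixed 32-bit little-endian words.
The blob analysed below is constructed with a made-up encoding so that the
result of the analysis can be checked against a known answer.
"""
import random
import struct

WORD_BITS = 32


def build_sample_blob(n_words=512, seed=1):
    """Construct a synthetic blob (made-up encoding, for illustration only):
    bits 31..26 opcode drawn from 8 values, bits 25..21 register number,
    bits 20..16 reserved (always zero), bits 15..0 immediate."""
    rng = random.Random(seed)
    opcodes = [0x00, 0x04, 0x08, 0x09, 0x10, 0x11, 0x20, 0x3F]
    words = []
    for _ in range(n_words):
        op = rng.choice(opcodes)
        reg = rng.randrange(32)
        imm = rng.randrange(1 << 16)
        words.append((op << 26) | (reg << 21) | imm)
    return b"".join(struct.pack("<I", w) for w in words)


def split_words(blob, word_bits=WORD_BITS, endian="<"):
    """Cut the blob into fixed-width words; a trailing partial word is dropped."""
    fmt = {16: "H", 32: "I"}[word_bits]
    size = word_bits // 8
    usable = len(blob) - len(blob) % size
    return [struct.unpack_from(endian + fmt, blob, off)[0]
            for off in range(0, usable, size)]


def bit_profile(words, word_bits=WORD_BITS):
    """profile[b] = fraction of words in which bit b is set."""
    n = len(words)
    return [sum((w >> b) & 1 for w in words) / n for b in range(word_bits)]


def constant_bits(profile):
    """Bits that never change across the blob: reserved/padding candidates."""
    return [b for b, p in enumerate(profile) if p in (0.0, 1.0)]


def field_cardinality(words, lo, width):
    """Number of distinct values taken by the bit field [lo, lo + width)."""
    mask = (1 << width) - 1
    return len({(w >> lo) & mask for w in words})


def opcode_candidate(words, field_width=6, word_bits=WORD_BITS):
    """Slide a field_width window over the word and return (lo, cardinality)
    of the window that contains no constant bit yet takes the fewest distinct
    values.  Windows overlapping reserved bits are skipped: their low
    cardinality comes from the padding, not from an instruction repertoire."""
    fixed = set(constant_bits(bit_profile(words, word_bits)))
    best = None
    for lo in range(0, word_bits - field_width + 1):
        if any(b in fixed for b in range(lo, lo + field_width)):
            continue
        card = field_cardinality(words, lo, field_width)
        if best is None or card < best[1]:
            best = (lo, card)
    return best


def analyze(blob, word_bits=WORD_BITS, field_width=6):
    """Summarise the blob: word count, constant bits, best opcode-field guess."""
    words = split_words(blob, word_bits)
    profile = bit_profile(words, word_bits)
    lo, card = opcode_candidate(words, field_width, word_bits)
    return {
        "words": len(words),
        "constant_bits": constant_bits(profile),
        "opcode_lo": lo,
        "opcode_values": card,
    }


if __name__ == "__main__":
    # On the constructed blob this reports the reserved bits 16..20 and an
    # opcode field at bit 26 with 8 distinct values, matching the encoding used.
    print(analyze(build_sample_blob()))
```

On a real blob the word width, endianness and field width are all unknowns; the practical use of such a script is to run it over every combination and look for the one where constant bits line up at field boundaries and a low-cardinality window appears, then confirm the guess on the hardware with the test setup the talk describes.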
Finally, an overview of the work accomplished, as well as the current state of the MT8173 PCM firmware liberation effort, will be presented. As a conclusion, the lessons learned from this experience and recommendations for undertaking similar work will be given.