Firmware Reverse Engineering; policy?
ziggurat29 wrote 07/21/2017 at 02:58
What is the policy, if any, on projects principally about reverse-engineering firmware?
I had recently started commenting the disassembly of a printer firmware I had extracted, and thought folks might be interested, but wasn't sure if there was an explicit policy in place regarding that sort of stuff, so I thought I'd ask before I created it.
TIA!
Discussions
Ahem....
In the United States of America, use of copyrighted material for teaching, scholarship, or research, on a non-profit basis, is considered "fair use", and is permitted under US Code Title 17 section 107. HAD "Services" are governed by US law, and the entire concept of HAD is sharing for educational and research purposes, thus pretty much anything you post is exempt.
[[ Disclaimer: I am not a lawyer, but ... oh, wait, no, what I mean to say is f*c# all the corrupt politicians AND all the greedy corporate as$h*les AND all their sellout lawyers, AND all the shoot-first cops, AND the massively corrupt police state that is the current USA. Any and all laws that infringe on or contravene our unalienable rights as sovereign citizens of the Earth, which are granted without limit, implicitly by our Creator, are invalid, null, and void. Feel free to hack and publish anything you want, my brothers and sisters. Let the chips (and code) fall where they may. ]]
That said, here's the relevant excerpt.
https://goo.gl/RtyDiJ
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include—
(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
(2) the nature of the copyrighted work;
(3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
(4) the effect of the use upon the potential market for or value of the copyrighted work.
The fact that a work is unpublished shall not itself bar a finding of fair use if such finding is made upon consideration of all the above factors.
Thanks so much for digging up the dirt!
In my particular instance, I am planning to release details of a piece of hardware I am reverse engineering. There is firmware on it, but I am not interested in that part since my intent is to create new firmware for the platform, anyway.
[EDIT] whoops, I blended two stories. There is one project that /is/ firmware related, that I originally created this post about, and also another that is hardware related, that the rest of this message is about. But at any rate.... [end edit]
I am aware of the move in the 80s to making the purchase of software a 'license', as opposed to ownership, precisely to circumvent copyright law, but I'm not aware of a similar thing for hardware. I /think/ that for hardware my purchased item is now my chattel, and I can reverse engineer it to my heart's content /and/ publish details, except where restricted by patent law (which is definitely not in play here).
Anyway, the vendor of this particular product has expressed some displeasure in my reverse engineering efforts (though anyone with a continuity tester can replicate my work), and out of courtesy I am delaying reporting my findings until after they go GA. After that, I intend to disclose those findings either explicitly or implicitly via my open source alternative firmware. It's really short-sighted that they would be irritated by my work, since it only extends the relevancy of their platform, and ostensibly improves sales. But I've seen this before with hardware vendors. Hard-headed old-think.
So, my reason for asking the question is to make sure that HaD doesn't get pissed if I eventually publish a project 'Hacking the XXnn for Fun and Profit'.
[EDIT] the firmware reverse-engineering is for a printer module I bought from China off eBay. The hardware reverse-engineering is for a handheld device that is not GA yet, so I won't disclose the name yet out of courtesy to the vendor. (though I don't think I am at all obligated to extend such courtesies)[end edit]
As far as HAD ToU, fair use *is* within the law. I can't imagine how HAD would possibly have a beef.
The patent/copyright holder can jump up and down and b1tch all they want, including sending you scaaary letters from their lawyer, but in order to have a legit infringement claim, they have to show actual real damages, of which there won't be any because you're not selling anything [edit: and you're not causing them any lost sales...right?].
State the fair use clause clearly at the top of your project, and post whatever you got.
It's easier to ask forgiveness than to get permission.
-Rear Admiral Grace Hopper
https://en.wikiquote.org/wiki/Grace_Hopper
Maybe this will help clarify. Or maybe not, due to being (probably) written by lawyers.
https://www.eff.org/issues/coders/reverse-engineering-faq
Once again, thanks for the research! I guess I'll be reading the eff stuff today, instead of disassembling.
I somewhat disagree with the patent statement, though. It is forbidden to even produce a patented invention, even if you don't use it, much less sell it. (I have been on the defendant side of patent a couple times -- annoying!) I do agree that without damages their case is weaker, and just devolves into cease-and-desist. However, since the essence of patent is disclosure, I don't see how reporting on a patented invention violates anything. Anyway, no patents here.
Usually software has a license with a 'no de-compilation' clause. However, I've not seen an instance where the firmware of a hardware device has a similar license. And the printer module I got from China, of course, has no documentation at all, much less any license statement.
OK, as fate would have it, I will be in Longmont CO next weekend to visit friends. If you want some free beers for all your research effort, direct message me.
Cheers!
I'm facing the same interrogations as well. I've done some reverse engineering on a 30-year-old game and I'd like to share my work without infringing any copyrights. To solve this I was thinking about making a map available, with all the function addresses. The name of a function by itself is already an interesting source of information.
I will also look at radare2, it can save RE projects, I don't know if it is possible to save them without the binary itself.
I would refer to point 3.3 of the Terms of Use, linked at the bottom of each page. As long as you stay within the limits of the law, you should be fine.
thx! so THAT's where the ToU is tucked away. Well, I'm not really sure what the law would be on a printer I got off eBay from China that didn't have any explicit 'license' that I can detect, but I'll do some further research elsewhere.
I'm not an expert, but documenting the hardware and publishing a home-made firmware based on what you've learned from the ROM contents should be OK. Writing a patch for the original firmware also appears to be a common practice.