Notes on Mali T700 series GPUs

Alyssa Rosenzweig 86256334a5 Updates 6 years ago
notes 3c3f392fad Update notes about attribute metadata 7 years ago
replays d9526851b8 Add a replay sample 6 years ago
src 332b0b16f4 Decode one uniform as a half-float vec4 7 years ago
.gitignore d0cfa6da24 Initial commit 7 years ago
LICENSE d0cfa6da24 Initial commit 7 years ago
PROOF 39a68140b2 Not markdown 6 years ago
README.md 86256334a5 Updates 6 years ago

README.md

Chai

Chai is a project to reverse engineer the Mali T-series of GPUs. It focuses on the T760 which is found in the RK3288 SoC. This SoC is notably used in the Veyron design for Chromebooks, which are supported in Libreboot.

Chai has its roots in lima by Luc Verhaegen et al. Lima targets the older Mali cores; chai is for the newer cores like its unreleased successor Tamil. At the time of writing, no code is shared with lima, although limare was useful for illustrative purposes. One of lima's authors, Connor Abbott, did release reverse-engineered documentation for the T6xx ISA, which will be used in chai, along with his disassembler.

Documentation about the GPU is in notes/. Supporting source code is in src/. Source code is under the GPLv2.

2018 update: After a hiatus, the chai project is once again active, working in close collaboration with Panfrost. Some current work is in the panloader repository. The work-in-progress NIR shader compiler is hosted on my personal git, as is the current version of Connor's disassembler.

We currently have replay of some basic programs working, like cube renders, including multi-frame programs. We are debugging and decoding these replays on the way to a proper driver; see the roadmap below for more details.

For some sample replay goodness, see replays/clear.c, which clears the screen based on test-clear from freedreno. More interesting samples coming soon :)

Join us at #biopenly on Freenode!

Roadmap

  • Basic understanding of the ecosystem
  • Fork of the kernel module
  • Basic userspace code to interact with the kernel module
  • Basic fuzzing from userspace
  • Ioctl tracer
  • Screen clear
  • Polygon drawing
  • ...dump memory
  • ...decode memory
  • ...edit memory
  • ...replay
  • ...replay reliably
  • Textures
  • ...dump memory
  • ...decode memory *
  • ...edit memory
  • ...replay
  • Primitive shaders
  • ...dump memory
  • ...reverse ISA (thanks cwabbott!)
  • ...disassemble memory (ditto!)
  • ...reassemble
  • Complex shaders
  • ...reverse entire ISA
  • ...prototype compiler
  • ...functional compiler
  • ...optimising compiler
  • Kernel interface
  • ...port to mainline (thanks phh!)
  • ...basic cleanup
  • ...use native kernel interfaces
  • ...upstreamed
  • Mesa driver
  • ...with toy programs and toy shaders
  • ...with shader compiler
  • ...with all commands supported
  • ...upstreamed

* Partially working

This list is in flux as project requirements change.

Legal aspects

The shim is free (GPLv2) and is modified for chai. No other ARM code is used in chai.

Initial reverse engineering used a combination of fuzzing and reading through the shim source code. Later notes observe communication between the shim and the blob. A tracer was written that hooks into the shim function kbase_ioctl, called for each message. It decodes the message and dumps it to the console for inspection and replay.

The Mali Offline Shader Compiler may be useful for ISA reverse engineering. See the Lima wiki which discusses legal aspects here.

None of chai's authors are or were affiliated with ARM Limited.

Name

Chai, oolong, and black are for T GPUs. It's a joke. Get it?