Notes on Mali T700 series GPUs

Cafe 332b0b16f4 Decode one uniform as a half-float vec4 6 years ago
notes 3c3f392fad Update notes about attribute metadata 6 years ago
src 332b0b16f4 Decode one uniform as a half-float vec4 6 years ago
.gitignore d0cfa6da24 Initial commit 6 years ago
LICENSE d0cfa6da24 Initial commit 6 years ago
README.md 2e61ab4e6c Fix dead links in README 6 years ago

README.md

Chai

Chai is a project to reverse engineer the Mali T-series of GPUs. It focuses on the T760 which is found in the RK3288 SoC. This SoC is notably used in the Veyron design for Chromebooks, which are supported in Libreboot.

Chai has its roots in lima by Luc Verhaegen et al. Lima targets the older Mali cores; chai is for the newer cores like its unreleased successor Tamil. At the time of writing, no code is shared with lima, although limare was useful for illustrative purposes. One of lima's authors, Connor Abbott, did release reverse-engineered documentation for the T6xx ISA, which will be used in chai, along with his disassembler.

Documentation about the GPU is in notes/. Supporting source code is in src/. Source code is under the GPLv2.

Roadmap

  • Basic understanding of the ecosystem
  • Fork of the kernel module
  • Basic userspace code to interact with the kernel module
  • Basic fuzzing from userspace
  • Ioctl tracer
  • Polygon drawing
  • ...dump memory
  • ...decode memory
  • ...edit memory
  • ...replay
  • Textures
  • ...dump memory
  • ...decode memory
  • ...edit memory
  • ...replay
  • Primitive shaders
  • ...dump memory
  • ...reverse ISA (thanks cwabbott!)
  • ...disassemble memory (ditto!)
  • ...reassemble
  • Complex shaders
  • ...reverse entire ISA
  • ...functional compiler
  • ...optimising compiling
  • Kernel interface
  • ...port to mainline (thanks phh!)
  • ...basic cleanup
  • ...use native kernel interfaces
  • ...upstreamed
  • Mesa driver
  • ...with toy programs and toy shaders
  • ...with shader compiler
  • ...with all commands supported
  • ...upstreamed

This list is in flux as project requirements change.

Legal aspects

The shim is free (GPLv2) and is modified for chai. No other ARM code is used in chai.

Initial reverse engineering used a combination of fuzzing and reading through the shim source code. Later notes observe communication between the shim and the blob. A tracer was written that hooks into the shim function kbase_ioctl, called for each message. It decodes the message and dumps it to the console for inspection and replay.

The Mali Offline Shader Compiler may be useful for ISA reverse engineering. See the Lima wiki which discusses legal aspects here.

None of chai's authors are or were affiliated with ARM Limited.

Name

Chai, oolong, and black are for T GPUs. It's a joke. Get it?