Notes on Mali T700 series GPUs
Alyssa Rosenzweig 86256334a5 Updates | %!s(int64=6) %!d(string=hai) anos | |
---|---|---|
notes | %!s(int64=7) %!d(string=hai) anos | |
replays | %!s(int64=6) %!d(string=hai) anos | |
src | %!s(int64=7) %!d(string=hai) anos | |
.gitignore | %!s(int64=7) %!d(string=hai) anos | |
LICENSE | %!s(int64=7) %!d(string=hai) anos | |
PROOF | %!s(int64=7) %!d(string=hai) anos | |
README.md | %!s(int64=6) %!d(string=hai) anos |
Chai is a project to reverse engineer the Mali T-series of GPUs. It focuses on the T760 which is found in the RK3288 SoC. This SoC is notably used in the Veyron design for Chromebooks, which are supported in Libreboot.
Chai has its roots in lima by Luc Verhaegen et al. Lima targets the older Mali cores; chai is for the newer cores like its unreleased successor Tamil. At the time of writing, no code is shared with lima, although limare was useful for illustrative purposes. One of lima's authors, Connor Abbott, did release reverse-engineered documentation for the T6xx ISA, which will be used in chai, along with his disassembler.
Documentation about the GPU is in notes/. Supporting source code is in src/. Source code is under the GPLv2.
2018 update: After a hiatus, the chai project is once again active, working in close collaboation with Panfrost. Some current work is in the panloader repository. The work-in-progress NIR shader compiler is hosted on my personal git, as is the current version of Connor's disassembler.
We currently have replay of some basic programs working, like cube renders, including multi-frame programs. We are in the process of debugging and decoding these replays in order to become a proper driver; see the below roadmap for more details.
For some sample replay goodness, see replays/clear.c, which clears the screen based on test-clear from freedreno. More interesting samples coming soon :)
Join us at #biopenly
on Freenode!
* Partially working
This list is in flux as project requirements change.
The shim is free (GPLv2) and is modified for chai. No other ARM code is used in chai.
Initial reverse engineering used a combination of fuzzing and reading
through the shim source code. Later notes observe communication between
the shim and the blob. A tracer was written that hooks into the shim
function kbase_ioctl
, called for each message. It decodes the message
and dumps it to the console for inspection and replay.
The Mali Offline Shader Compiler may be useful for ISA reverse engineering. See the Lima wiki which discusses legal aspects here.
None of chai's authors are or were affiliated with ARM Limited.
Chai, oolong, and black are for T GPUs. It's a joke. Get it?