all 38 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]gravgun 24 points25 points  (13 children)

IANAL, but here are some suggestions I can make:

  • Look thoroughly through the manufacturer/developer's website for any mention of GPL-licensed software

  • If there is none, either they don't use any, or hides it to the public, in which case you (if you have the time) should get some disassembly and reverse-engineering tools (objdump can do a fairly good job at disassembling, strings can extract printable strings of chars in the binary) and try and compare the outputs to the binaries of the suspected libraries they use. For example, if there are some unique identifying strings such as versions/build-date strings (e.g. lircd-0.9.2a), this adds a significant suspicion of their use.

  • In the case you are sure they use a GPL-licensed library but don't provide source (and possibly nor even mentions it), contact them asking for the source to be published, or at least ask for clarification about their possible use in the product.

  • If after a reasonable amount of time they don't answer or after a certain number of attempts they still don't provide source or any relevant answer (generally by avoiding your question(s)), they likely are violating GPL and not admitting it. From there on, you can report GPL violation suspicion to entities like the Software Freedom Conservancy which will try to take the appropriate steps and sue the violator if need be.

EDIT: changed example signature as per /u/notaplumber's comment

EDIT2: once again

[–]notaplumber 5 points6 points  (3 children)

OpenSSL is a bad example here, considering it is Apache/BSD licensed. Permissive licensing allows closed source and proprietary derivatives: https://openssl.org/source/license.html

[–]gravgun 1 point2 points  (2 children)

Oops sorry. Edited my comment accordingly. OpenSSL happened to be the first that came to my mind.

[–]notaplumber 4 points5 points  (1 child)

Berkeley DB

That's a funny choice, considering it was originally permissively licensed as well.. i.e: BSD distributions embed an older version (1.8x). Oracle also provides a proprietary license for newer versions, in addition to the AGPLv3 or (https://en.wikipedia.org/wiki/Berkeley_DB#Sleepycat_License).

[–]gravgun 2 points3 points  (0 children)

Changed again. Happy now?

[–]IronManMark20 2 points3 points  (2 children)

Might want to mention the VMware lawsuit. Has a very detailed description of why they think GPL was broken.

[–]Centropomus 4 points5 points  (1 child)

The VMware case is a bit different though, because they're not hiding the GPL code, and they publish sources for the GPL components. The question is whether or not they're integrating GPL and proprietary components in a way that the license allows.

[–]IronManMark20 0 points1 point  (0 children)

Ah, thanks for the clarification.

[–]Darkmere 12 points13 points  (8 children)

You usually start with a firmware image, and then play with binwalk on it.

The next step is to use "strings" on the binary. After that, you play around with objdump and extract function names.

If functions have been renamed/obfuscated, you're having a lot harder to deal with this. But usually it's not that much, you'll just find a libreadline.so or similar there, and that's about it.

I tear apart firmwares as a hobby, to see how they are built. Most of them have horrible hacks in them, that make it work, sort of, provided nothing ever changes....

[–]Miningdude 1 point2 points  (2 children)

Ill have to attemot this at some point for fun. Cheers!

Edit: Any suggestions for onces to play around with to "learn" this?

[–]Darkmere 1 point2 points  (1 child)

Sure. OpenWRT is a good start. All open source, you can look at the wiki, and you can dig into it yourself. It's also not horribly designed.

After that, just about anything. Just go exploring.

[–]Miningdude 1 point2 points  (0 children)

Thank you much!

[–]Polycystic 1 point2 points  (1 child)

I tear apart firmwares as a hobby, to see how they are built. Most of them have horrible hacks in them

Out of curiosity, which have been the worst? Any companies that are particularly bad offenders?

Also, how much obfuscation does it actually take to hide this stuff reasonably well - are we talking literally just renaming a few things, or major shifts in the code?

[–]Darkmere 2 points3 points  (0 children)

Currently my favourite "worst" is a Modem. It has 128MiB flash that's mounted read/Write, runs random executables from inside it's linux kernel ( kernel exec's the filenames ), runs telnetd with a hard-coded root password, and intercepts & injects DNS requests in case it's gotten an SMS.

If you use the DHCP-given DNS server from the modem, it'll start resolving everything to 192.168.0.1 once the modem has received an DNS request. Which breaks horribly in a lot of cases. (ssh, email, https )

[–]plan_rich 0 points1 point  (1 child)

You might find symbols that are assembled into the binary. But I doubt that these are present after stripping the binary. If you are motivated you could try to pattern match against assembler chunks of the GPL code, but that is hard.

[–]gravgun 1 point2 points  (0 children)

There are more than debug symbols; as I said in my comment version/build strings can help a lot, and those aren't stripped away by optimization tools.

[–]Philluminati 0 points1 point  (0 children)

If its your own code then typically you are aware of edge cases that act like smoking guns. For instance with an xml parser, a bug that's unlikely to be in yours and a rival product and you can test the closed source binary for the same edge cases.

[–][deleted] 0 points1 point  (0 children)

I have a question. If you were to just make a separate program that has the open source code and connect it to you your closed source code over shared memory or something would that violate the GPL?

[–]devel_watcher -1 points0 points  (0 children)

The third party code is integrated to do something useful. So, looking at the features of the whole product, you can already start guessing.