Author Topic: Adventures in reverse engineering broadcom nic firmware  (Read 1377 times)


  • Jr. Member
  • **
  • Posts: 81
  • Karma: +13/-0
    • View Profile
Adventures in reverse engineering broadcom nic firmware
« on: December 28, 2023, 12:11:59 pm »
Unlocking a system with 100% open source firmware

In an era where vendors increasingly seek to use proprietary software in the devices around us to exert control over their users, the desire for open source software has expanded to the firmware that allows our machines to function, and platforms which individuals can trust and control have never been more important. However, changes to hardware platforms in recent years such as the Intel ME, vendor-supplied binary blobs and vendor-signed firmware images have repeatedly set back efforts to create open source firmware for the computers we use. The release of Power servers with 99% open source firmware excited many who had been searching for a computer they could trust, but one proprietary firmware blob remained: that of the Ethernet controller. This is the story of how that blob was reverse engineered and replaced with an open source replacement, delivering the first machine with desktop-class performance and 100% open source firmware in many years.

This talk is about how I reverse engineered the final remaining firmware blob on the Talos II/Blackbird POWER9 systems, enabling it to be replaced with an open source replacement, in an intensive reverse engineering effort that spanned several years.

The talk will begin by introducing the open source firmware movement and its practical and ethical motivations, and note the obstacles to delivering fully open source firmware for contemporary x86 and other platforms and explaining the motive behind the project, before moving onto a more technical discussion of the adventure of firmware reverse engineering and the obstacles encountered.

Subjects I intend to cover include: how the original proprietary firmware was reverse engineered from scratch with only limited knowledge of device internals; the long history of Broadcom NIC architecture and its evolution over time; the tools that had to be developed to enable the device probing, testing and reversing process; the story of a horrifying but necessary detour into reversing x86 real mode code and the novel methodology used to aid reversing; how modern NICs allow BMCs in servers to share network ports with the host, and the security hazards this creates; and how fully open source firmware was created legally using a clean room process.

This talk will be accessible to audiences unfamiliar with POWER9 or the open source firmware community, but is also intended to cover some new ground and be of interest to those familiar with the project. The talk will mainly be of interest to those interested in open source firmware and issues such as owner control and the security and auditability issues caused by proprietary firmware, and to those interested in reverse engineering.
Desktop: Talos II T2P9S01 REV 1.01 | IBM Power 9/18c DD2.3, 02CY646 | AMD Radeon Pro WX7100 | 64GB RAM | SSD 1TB


  • Sr. Member
  • ****
  • Posts: 452
  • Karma: +34/-0
  • Talospace Earth Orbit
    • View Profile
    • Floodgap
Re: Adventures in reverse engineering broadcom nic firmware
« Reply #1 on: December 29, 2023, 12:47:33 pm »
It's more good work by Hugo. Well done.


  • Newbie
  • *
  • Posts: 44
  • Karma: +3/-0
    • View Profile
Re: Adventures in reverse engineering broadcom nic firmware
« Reply #2 on: January 03, 2024, 04:32:58 pm »
Wow, quite an entertaining talk, and nice contribution to increasing openness of the platform...well done Hugo.

It would be quite interesting to hear from any Broadcom engineers on the hilarity of The Great Broadcom BitBang.  I would not be suprised if that was a hack invented to solve some early problem with thye design that nobody bothered to go back and fix.


  • Full Member
  • ***
  • Posts: 168
  • Karma: +14/-0
    • View Profile
Re: Adventures in reverse engineering broadcom nic firmware
« Reply #3 on: January 03, 2024, 07:22:04 pm »
The presence of an RSA signature, I venture a guess may be present as there might be other Broadcom products which do check the signature. And Broadcom's internal policy may simply be to sign everything just so that there is uniformity across development.
Blackbird C1P9S01, CPU 02CY650, 2x 8GB 2666 RAM, 1024GB M.2 SSD, AMD RX 560X, 2U heatsink, 500W SFX PSU, Debian 11