In some cases there is no other way to create a device driver than to reverse engineer it from a binary "blob" (a closed-source driver). For some open-source drivers (like the driver for ATi R300+ based cards) some of these techniques were used to produce a working driver. Getting information from memory dumps or binary streams is difficult to master and in many cases takes lots of work. To make the necessary work a little easier, here is a list of several tools that could be used to gather information.

Warning: only use the tools below when you know what you are doing!

The idea here is to set the environment variable SF_ADDR to your MMIO address. You find this address by using lspci. For example, if lspci -v gives you:

01:00.0 VGA compatible controller: ATI Technologies Inc RV380 [Radeon
X600 (PCIE)] (prog-if 00 [VGA])
        Subsystem: ATI Technologies Inc Unknown device 0f02
        Flags: bus master, fast devsel, latency 0, IRQ 169
        Memory at f0000000 (64-bit, prefetchable) [size=128M]
        Memory at ''fe9e0000'' (64-bit, non-prefetchable) [size=64K]
        I/O ports at dc00 [size=256]
        Expansion ROM at fea00000 [disabled] [size=128K]
        Capabilities: <access denied>

Then you do

export SF_ADDR='0xfe9e0000'
$LD_PRELOAD=/pathto/ Xorg >dump 2>&1

while xorg.conf is configured to use the fglrx driver. Note that this has a high impact on performance when running the X-server.

Currently this version is exactly the same as iba-2, execpt that you get some better error messages to see what is going on without looking into the source. Also this version features logging and analyzing without recompilation. It also features automatic detection of the correct address of the graphics card.

Note: None of the iba's works with current fglrx anymore, because fglrx no longer uses user space to do mmio writes. You need "kmmio tracer" (see below)

_Note: Also consider Revenge (described below) as a possible replacement for iba. Revenge supports superiour auto-detection and works with the latest fglrx blob.

Get it at:;a=summary

  • Oliver's Valgrind-MMT Extended version of Daniels' Valgrind-MMT (described above) supporting libc 2.5.

_Note: This version of Valgrind-MMT is based on the Valgrind SVN repository as of r7063, or 2007-10-31.

Get it at: (Unfortunately this was lost due to home directory failure.)

This traces all of the MMIO operations of a kernel module. This is useful for tracing the MMIO of a binary kernel blob. (As a side note: the fgrlx driver does most of its work in user space, so libsegfault should work just fine.)

This can translate registers/bitfields into their numeric values. However, we need to generate config files appropriate for each card type/family.

These tools have been used to dump the command line that is sent to the CP (command processor) during R300 development.

Get it by: git clone git://

Revenge is a reverse engineering tool developed for reverse engineering and debugging the 3D commands sent to ATI GPU's. Revenge supports AGP, PCI, and PCI-E interfaces, as well as the IGP and RS690 chipsets. Currently you must specify the interface type as an option.

Revenge runs a series of simple OpenGL tests and dumps the results into several files, which may be examined by pretty_print_command_stream.tcl from the glxtest package, alternatively you could write your own analysis tools. Adding tests for new OpenGL features is a very simple task.

See the included README for more details.