Is Linksys Violating The GPL?

jap writes "According to this post on LKML, Linksys is shipping firmware for (at least their) 802.11g access-points based on Linux - without any sourcecode available or mentioning of it on their site. This could be interesting: it might provide the possibility of building an ueber-cool accesspoint firmware with IPsec and native ipv6 support etc etc, using this information!"

GPL

[krisp]

Tivo uses linux and has not released source code either. However, the GPL is in the appendix of the manual. Linksys can do something similar and be in compliance.

Re:GPL

[psychosis]

Sorry - not true.
http://www.tivo.com/linux/index.html [tivo.com]

Re:GPL

[FattMattP]

Tivo uses linux and has not released source code either.

Yes they have. [tivo.com]

However, the GPL is in the appendix of the manual.

With the source code notice and URL on the page right before it.

In case gets /.ed

[Anonymous Coward]

Hi,

Sorry for the very lengthly posting, but I want to be as precise as possible in describing this problem.

Awhile ago, I mentioned that the Linksys WRT54G wireless access point used several GPL projects in its firmware, but did not seem to have any of the
source available, or acknowledge the use of the GPLed software. Four weeks ago, I spoke with an employee at Linksys who confirmed that the system did use Linux, and also mentioned that he would work with his management to ensure that the source was released. Unfortunately, my e-mails to this
individual over the past three weeks have gone unanswered. Of course, I also tried contacting Linksys through their common public e-mail accounts (, ) to no avail.

However, it is hard for me to know if my contact in the company has just gone on a three week vacation (and not set an auto-responder), or has been asked to not answer anymore mail on this subject. Also, I should note that I don't own this product, so I can't determine if the source is shipped with it.

However, I have gone through all the available information on the Linksys website, and can find no reference to the GPL, Linux (as it relates to this product), or the firmware source code. Also, the firmware binary (see below) is freely available from their website. There is no link from the download page to the source, or any mention of Linux or the GPL. Finally, it would be
strange if the source was included in the physical package, as my contact at Linksys was initially unaware Linux was used in this product.

The following steps can be used to determine the exact nature of the possible GPL violation.

1. Go to the following URL:
http://www.linksys.com/download/firmware.asp?fwid= 178

2. Download the "firmware upgrade files":
ftp://ftp.linksys.com/pub/network/WRT54G_ 1.02.1_US _code.bin
(MD5SUM: b54475a81bc18462d3754f96c9c7cc0f)

3. While it is downloading, confirm that there is nothing on the webpage to indicate that this binary contains GPLed software.

4. Once the download is complete, copy the contents of the file from offset 0xC0020 onward into a new file.
dd if=WRT54G_1.02.1_US_code.bin of=test.dump skip=24577c bs=32c

5. Notice that this file is an image of a CramFS filesystem. Mount it.

6. Explore the filesystem. You will notice that the system appears to be based on Linux 2.4.5. Incidentally, there is at least one other GPLed project in the firmware: the BusyBox userland component: (http://www.busybox.net/)

7. The Linux kernel (I think) is mixed up with a bunch of other stuff in: bin/boot.bin

You might want to know why I am interested in getting the code for the kernel used in this device.

There's been some discussion here about Linux's lack of wireless support for a few of the newer 802.11b and (nearly?) all 802.11g chips. Incidentally, Linux has excellent support for at least one manufacturer's wireless family.
The following Broadcom chips all appear to be supported under Linux -- if you happen to be running Linux on a MIPS processor in a Linksys router:

Broadcom BCM4301 Wireless 802.11b Controller
Broadcom BCM4307 Wireless 802.11b Controller
Broadcom BCM4309 Wireless 802.11a Controller
Broadcom BCM4309 Wireless 802.11b Controller
Broadcom BCM4309 Wireless 802.11 Multiband Controller
Broadcom BCM4310 Wireless 802.11b Controller
Broadcom BCM4306 Wireless 802.11b/g Controller
Broadcom BCM4306 Wireless 802.11a Controller
Broadcom BCM4306 Wireless 802.11 Multiband Controller

This list was produced by running strings on:
lib/modules/2.4.5/kernel/drivers/net/wl/wl.o

I am trying to determine exactly how tightly coupled these drivers are to the kernel.

As an aside, I know that some wireless companies have been hesitant of releasing open source drivers because they are worried their radios might be pushed out of spec. However, if the drivers are alre

Requirements

[TWX]

If they're not rewriting the source code, using it in a form that they themselves obtained it in (pre-compiling), they might not have to provide source if they disclose their source location. Also, if they were smart enough to create independent kernel modules for the rest of the device, they wouldn't have to release those anyway.

It would be nice if they included at least a copy of the GPL and a linux installation CD in the back of their manual though, since that would be a way of distributing the code, if not more than the code, and would probably make them in compliance.

Hell, TurboLinux install CDs came with hardware that Linux couldn't even use, for a while...

Re:Cisco IOS ?

[Anonymous Coward]

Nah, Free/OpenBSD can have commercial license where you don't need to publish the source e.g. MacOSX

It might be available

[FattMattP]

The source might be available but only mentioned in the documentation. He states in his message that he doesn't own one of these units so he doesn't have access to all the information that an owner of the unit would. The GPL doesn't require that the source be distributed with the binaries only that it be available. That doesn't mean downloadable. It's possible that people who have purchased the unit have instructions contained within on how to download or order a CD with the source code.

Re:GPL

[PhuCknuT]

And I'm sure you know this, but they are not required to release all of their source code, only the code for gpl parts of tivo. Just because the OS is linux doesn't mean they have to release code for everything running on it.

Re:How did this work for the Tivo?

[dsgrntlxmply]

Tivo have made source code available since approximately day one of their product.

Even before they had an FTP site, they would ship promptly and for a very reasonable fee, source on CD-R.

The real guts of the product, including all substantial video-related drivers, are in loadable modules. The kernel and provided source have just enough hardware-specific code to calm the hardware down enough to allow the kernel to get started.

As far as I can tell, Tivo have done everything they need to under GPL.

[Disclosure of interests: I own a small amount of Tivo stock. When I ordered the source code way back when, they included a nice Tivo hat along with the CD.]

Re:Does it matter ?

[jonabbey]

That's silly, and wrong. The GPL is an affirmative grant of rights, providing you comply with its terms. If you don't want to comply with its terms, no problem, you just don't have any rights to copy someone else's stuff. That prohibition on copying someone else's stuff isn't a consequence of the GPL, it's a consequence of copyright law in this country.

The only way for the GPL to lose all effectiveness in the way that you imply would be if a court someplace were to rule that the GPL's terms were ridiculously onerous, and that by handing it out to everyone for public download without requiring a click-through license, the stuff had effectively been placed in the public domain.

This is about as likely as a court someplace declaring that Microsoft's software was licensed with unduly onerous terms, and that their stuff was therefore public domain as well.

I.e., not likely at all. I don't think copyright is like trademark law, where if you don't take steps to protect your mark, you can lose it.

IANAL, but the guy who drafted the GPL [columbia.edu] is.

hotmail also requires IE or NS

[SHEENmaster]

but setting konqueror or mozilla to send MSIE identification HTTP directives did the trick.

Is it actually required, or do they just say it is? Have you tried a different browser?

Agreed.

[mindstrm]

However, the GPL still requires that they provide source, even if they have not modified it. If you redistribute, you must provide source, or at least a written offer for the source.

You can (section c) simply pass along the written offer YOU received, if you are simply redistributing, and not modifying, but only if it's NON-COMMERCIAL, and only if you yourself received the written offer. IF they are using stock linux kernels, there is no written offer, so .. they are obligated to provide a copy of the source (sans their changes, if they are not within the scope of the gpl)

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

* a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

* b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

* c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

Re:über

[CableModemSniper]

writing ${vowel}e is an alternative way of expressing a character with an umlaut over it. Its perfectly valid German.

Required??

[FreeLinux]

Just yesterday, I updated the firmware and reconfigured one of these with Konqueror running from a Knoppix CD. The only issue that I had was that Wine was not able to run their firmware update tool, which is just a GUI tftp.exe and the firware.bin. With Knoppix, I just did a tftp put firmware.bin and all was well.

Belkin 54g WAP/Router

[Anonymous Coward]

Just been hacking around a Belkin 54k WAP/Router box I bought a few weeks back. NMap identifies it as Linux 2.4.0-2.4.5.

The Belkin Networking downloads page gives an updated firmware for this. Sure enough, at offset 790393 there's a CRAM Filesystem. Mounting that shows a stock 2.4.5 kernel with three custom modules (one for the wireless card, one for the ethernet card, one for the front panel LEDs). These three modules aside it looks like non-modified GPL stuff.

However, reading any of the binary files shows the string : "GCC: (GNU) 3.0 20010422 (prerelease) with bcm4710a0 modifications" - Modifications you say? Oh dear, I don't remember seeing a Broadcom patch submitted to GCC ...

Re:GPL

[Cramer]

To be accurate, TiVo has not (and never will) released the source to the non-GPL'd stuff that makes the Tivo what it is... the kernel modules and "tivoapp". The source to all the GPL components and the entire linux kernel running on the tivo are available.

Re:Alternate browser support

[revmoo]

I have adminned mine from phoenix and w3m in linux, and both worked fine, I don't know what problems you guys are having...

Re:Only if they changed something...

[lmfr]

"There is only a violation if they modified existing GPL code."

No, there's a violation if they distribute GPL programs. If so, they must give the source (for the GPL programs, inc. any modifications), alongside the binaries or when requested. At least, a written offer must accompany the binaries.

Re:Requirements

[David Jao]

If they're not rewriting the source code, using it in a form that they themselves obtained it in (pre-compiling), they might not have to provide source if they disclose their source location.

False.

You're probably thinking of section 2c of the GPL, which says:

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

Note the phrase "only for noncommercial distribution." Linksys is distributing this software commercially, so section 2c does not apply to them.

Under the terms of the GPL, Linksys must either ship the source code with the product or accompany the product with a 3-year written offer to disclose the source on demand at duplication cost.

Finally, Linksys must also of course include the GPL with their product and declare that the software is distributed under the terms of the GPL.

Re:Belkin 54g WAP/Router

[Anonymous Coward]

Replying to my own comment ...

One thing that is HEAVILY modified in the Belkin dist is a copy of micro_httpd. It's located in /usr/sbin/httpd. Reading the binary shows a large number of changes specific to running the router's admin interface. Interestingly enough, it can also administer sharing an Epson USB printer, but sadly no USB port on the box!

Reading the micro_httpd license suggests that they should definetly be at least acknowledging where it came from, if not the actual changes themselves.

Re:umm

[Fluffy the Cat]

And I could sell that computer to someone, with Linux installed, along with my own software, and still not be obligated to release any source.

No, you wouldn't. The GPL would require you to provide either the source code to GPLed code on your computer, or an offer of the source code. You could quibble over section 3c and whether it's commercial distribution if you're selling the computer rather than the software on it, and in that case you could get away with just passing on the offer that you received with your copy of Linux.

Re:Belkin 54g WAP/Router

[geniusj]

If they didn't distribute the compiler they used to compile that code, then they're safe from having to distribute those modifications. You can use modified GPL code with no obligations. It's only when you distribute it that there's a problem.

Re:Cisco IOS ?

[prizog]

Usually, we don't do much investigation -- we rely on reports from users of the products. We never agree to EULAs, technical NDAs, etc. as a matter of principle. And usually, there's no disassembly involved -- simply grepping for a copyright notice is enough. Most violations are inadvertant -- they're still serious, but there's usually no attempt to hide what software is used.

Re:Belkin 54g WAP/Router

[Sancho]

For the GCC modification, they don't have to release the code if they don't distribute it.

Re:More From the Kernel List

[Anonymous Coward]

Go to www.innoplus.com and download there firmware (look under "English", then "Support" and then "Download", or use http://www.innoplus.com/html/eng_after1.htm). You will see that it is Linux based. They mention it runs Linux, but no notice of the GPL, and they don't want to release an SDK or the source code. Maybe we should also put them on the list? Please be gentle, they are veryhelpfull and friendly, and probably just ignorant, not malicious :)

Re:I thought the kernel was LGPLed

[Anonymous Coward]

The Linux kernel is GPL'd, but Linus has specifically said that dynamically loaded kernel modules are not bound by the GPL.

Note that this conflicts with the usual interpretation of the GPL, but is perhaps reasonable considering that in a sense, userland programs link with the kernel, as well.

Chalk one up for American Megatrends as well...

[LiteForce]

American Megatrends use uClinux [uclinux.org] (also GPL licensed) as a core part of their firmware for the AMI MegaRAC G2 Remote Processor (http://www.ami.com/megarac/ [ami.com]).

I only discovered this by running 'strings' on the firmware and found references to uClinux and a variety of other GPL stuff.

There is NO mention of the GPL in the product manual or on the packaging which contains the CD with a backup copy of the firmware.

I asked for copies of any GPL sources (and associated changes) which the MegaRAC G2 used - to their credit, I received a very nice diff which only covered changes to files which already exist in the uClinux distribution.

Unfortunately, those changes include the addition of header files which the modified kernel relies on - header files which I wasn't given and further requests for them have been ignored. So, even with the 'source' which I was given, I can't use it to produce an identical binary as to that contained in the firmware image which was supplied to me.

For those readers who are interested in purchasing one or more MegaRAC G2s, I suggest you ask your AMI dealer why it took them over eight weeks to patch a vulnerability [ami.com] which allowed *any* remote user to gain full access to the system console and also why the product is prone to frequent hangs which are not recoverable unless you unplug all power from the server and card until the onboard battery drains.

The vulnerability is so simple to exploit - start up the GTK+ remote console utility that came on the CD and point it to the IP address of any MegaRAC G2 card.... that's it. No prompt for a username or password. Nothing. Instant console access.

... then again, I suppose it just goes to show the quality of the code which their engineers are kicking out to the end-users :-(

Re:Belkin 54g WAP/Router

[Anonymous Coward]

Those who received the modified GCC have the right to get the source. Since the end user of the routers does not get a copy of GCC, the end user does not have a right to the source modifications.

Re:Cisco IOS ?

[ZorroIII]

In the release notes [cisco.com] for the software on the NM-CE card they say:

GNU General Public License Modules Cisco Cache software, Release 3.0.2 incorporates software licensed under the GNU General Public License. If you would like the source code for any of the modified GPL code in Cisco Cache software, Release 3.0.2, send a request to ce-sw-req@cisco.com

I sent them a mail some time ago asking for the source of GPL programs, but still havent received an answer. The card is rather interesting, one day I'll try to modify the OS to something that can be used for other stuff aswell.

Linksys NAS device also rips off linux

[UncleSocks]

Hi,

A few months ago I was poking around their "network file server in a box" - I forget the model number, but it is shoebox sized and purple.

I can say for a fact that they used Linux and a number of other GPL bits in this box. I almost sounded the alarm, but I was way too busy with other things.

What I found:
1) Open case
2) Remove small compact flash card that contains the software for this product
3) Install compact flash card into my notebook
4) Use cfdisk, notice that there are three ext2 filesystems
5) Mount ext2 filesystem
6) See that they are using a 2.4.x kernel
7) See that they are using GPL print spooling software (I forget which)
8) Try to find _any_ notice about the GPL in the docs or via the debug serial port _NO NOTICE_.
9) Visit linksys website to find GPL required sources, not there.

If anyone wants more details please message me off list.

Re:I'm not sure

[mysidia]

You can use the LGPL commercially and not have to release ANY source. The only source that would ever be required to be released is the ORIGINAL source IF you modified it.

Not true. If you modified the source code to the library and distribute a binary linked against the modified library, then you must distribute the modified source for the library, see the LGPL:

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. ...

Proprietary programs can be distributed that use a library licensed under the LGPL when the appropriate corresponding version of the library source code is included, but only under certain conditions, and a couple of the most important ones are:

• The program object code is provided in a way that the user can link it against versions of the library that they have made changes to (ie: either the binary is not statically linked or copies of the proprietary object files and the library object file are included as separate entities that the user can link)
• The end-user is allowed to modify and reverse-engineer the proprietary program using LGPL code for their own use

These are notable significant, because most ER, most businesses that would distribute proprietary software have a standard sell-your-soul EULA that almost invariably includes a prohibition against altering the program (ie: cracking, cheating) or reverse-engineering it.

On the other hand, if your proprietary program is distributed in a pre-compiled form only (the user has to supply the library and do the compile+linking him or herself [after receiving it] to produce their binary that they aren't allowed to distributed)

Then the GPL probably doesn't even come into the picture at all, as it is the library that is GPL'ed, not your program, so just prohibit binary distribution

... And stick with distributions in a not-compiled-yet-but-ready-to-be-compiled-form for all your proprietary software needs [evilgrin], just be sure to use a proprietary programming language having semantics no human could easily understand and a proprietary, patented compiler system :-)

Re:Requirements

[shaitand]

Only if they didn't modify any of the code... and if they didn't modify it, they aren't required to distribute anything. If they modified the gpl'd code then they can't simply distribute the original code without their changes! They have to distribute their changes.