diff options
| author | Marcin Bukat <marcin.bukat@gmail.com> | 2013-09-02 12:35:47 +0200 |
|---|---|---|
| committer | Marcin Bukat <marcin.bukat@gmail.com> | 2013-09-02 12:35:47 +0200 |
| commit | f182a11f3362017a6c669871414a9bb448ee050d (patch) | |
| tree | 5afc1ba1713af14aea513ca9b53d00369e083447 /utils/rk27utils/README | |
| parent | b97cdc8f5efa8b447e1e1398d86eb87c80ed4b22 (diff) | |
| download | rockbox-f182a11f3362017a6c669871414a9bb448ee050d.tar.gz rockbox-f182a11f3362017a6c669871414a9bb448ee050d.zip | |
rk27utils: Add nandextract utility
This quick and dirty utility allows to extract nand bootloader
from raw 1st nand block dump. I post it mainly to somewhat
document how BCH error correction engine of the rk27xx works.
Change-Id: I37ca91add7d372e3576d2722afc946d0f08971a9
Diffstat (limited to 'utils/rk27utils/README')
| -rw-r--r-- | utils/rk27utils/README | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/utils/rk27utils/README b/utils/rk27utils/README index a43d69a88f..d0343580b8 100644 --- a/utils/rk27utils/README +++ b/utils/rk27utils/README @@ -35,3 +35,37 @@ This directory contains tool which sends custom scsi commands to the rockchip player. You need libusb-1.0 + header files in order to compile this utility. + +nandextract +This directory contains quick and dirty tool which allows to extract +nand bootloader from raw dump of the first nand block. The main reason +I post this tool is to somewhat document error correction scheme used by +rk27xx chip. The tool implements BCH error correction processing with +help of bch library taken from linux kernel (and slightly modified to +compile standalone). Error correction is SUPER important as the nands used +in cheap rk27 players have quite high error rates. + +Nand controler in rk27xx chip implements hw BCH error correction engine. +The documentation is lacking so this info was obtained from RE and +various other sources. +The data on the nand is stored in 528 bytes long chunks - 512 bytes +of actual data followed by 3 bytes of metadata (used by FTL layer to mark +special sectors) followed by 13 bytes of BCH ECC. BCH algorithm +uses m=13, t=8 and primitive polynomial 0x25af. Special masking +is used such as empty sector (with all 0xff) gives all 0xff ECC bytes. +Quoting e-mail from Ivan Djelic (the author of bch lib in linux): +To summarize, the steps needed to compute the rk27xx ecc are the following: +1. Reverse bits in each input byte +2. Call encode_bch() +3. Reverse output bits in each computed ecc byte +4. Add a polynomial in order to get only 0xff ecc bytes for a blank page +For more details you need to read the code. + +Another quirk is that rom loader assumes that there are 4 sectors in each +nand page. This is actually not true for newer nand chips with page size +bigger then 2k. That means that on newer 4k page chips only first half of +every page is used in nand bootloader area. This is for compatibility reasons +most probably. + +Finally, every 512 bytes block of data is encoded with rc4 algorithm. +The key and routine were recovered from rk27xx rom dump by AleMaxx. |