|author||Marcin Bukat <firstname.lastname@example.org>||2013-09-02 12:35:47 +0200|
|committer||Marcin Bukat <email@example.com>||2013-09-02 12:35:47 +0200|
rk27utils: Add nandextract utility
This quick and dirty utility allows to extract nand bootloader from raw 1st nand block dump. I post it mainly to somewhat document how BCH error correction engine of the rk27xx works. Change-Id: I37ca91add7d372e3576d2722afc946d0f08971a9
Diffstat (limited to 'utils/rk27utils/README')
1 files changed, 34 insertions, 0 deletions
diff --git a/utils/rk27utils/README b/utils/rk27utils/README
index a43d69a88f..d0343580b8 100644
@@ -35,3 +35,37 @@ This directory contains tool which sends custom scsi commands to the
You need libusb-1.0 + header files in order to compile this utility.
+This directory contains quick and dirty tool which allows to extract
+nand bootloader from raw dump of the first nand block. The main reason
+I post this tool is to somewhat document error correction scheme used by
+rk27xx chip. The tool implements BCH error correction processing with
+help of bch library taken from linux kernel (and slightly modified to
+compile standalone). Error correction is SUPER important as the nands used
+in cheap rk27 players have quite high error rates.
+Nand controler in rk27xx chip implements hw BCH error correction engine.
+The documentation is lacking so this info was obtained from RE and
+various other sources.
+The data on the nand is stored in 528 bytes long chunks - 512 bytes
+of actual data followed by 3 bytes of metadata (used by FTL layer to mark
+special sectors) followed by 13 bytes of BCH ECC. BCH algorithm
+uses m=13, t=8 and primitive polynomial 0x25af. Special masking
+is used such as empty sector (with all 0xff) gives all 0xff ECC bytes.
+Quoting e-mail from Ivan Djelic (the author of bch lib in linux):
+To summarize, the steps needed to compute the rk27xx ecc are the following:
+1. Reverse bits in each input byte
+2. Call encode_bch()
+3. Reverse output bits in each computed ecc byte
+4. Add a polynomial in order to get only 0xff ecc bytes for a blank page
+For more details you need to read the code.
+Another quirk is that rom loader assumes that there are 4 sectors in each
+nand page. This is actually not true for newer nand chips with page size
+bigger then 2k. That means that on newer 4k page chips only first half of
+every page is used in nand bootloader area. This is for compatibility reasons
+Finally, every 512 bytes block of data is encoded with rc4 algorithm.
+The key and routine were recovered from rk27xx rom dump by AleMaxx.