blob: 802f5a559bfa5597f9c76efc337f0a3815b78bad (plain
This is the collection of small utilities needed to hack Rockchip rk27xx
series based DAPs. This tools were tested on linux only.
This directory contains tool which can send arbitrary image(s) to the device
in rockchip recovery mode (VID:PID 0x071B:0x3201).
The first image can not exceed 510 bytes (+2 bytes checksum) and entry
point is 0x18020e00. Usually this code is used to configure SDRAM controller.
One can use first stage image extracted from Rock27Boot.bin file (a bit
more sofisticated) or the one provided in rk27load/stage1 directory.
The second image is loaded at the begining of the dram (0x60000000)
and executed. For some reason (which is still unclear) the size of
2nd stage image is limited to about 3-4 kB.
You can find example of custom 2nd stage image in rk27load/stage2 directory.
The purpose of this image is to configure bulk transfer and allow to
load usercode without size restriction mentioned above (the max size
is 8MB actually). The entry point of usercode is 0x60000000.
You need libusb 1.0 + header files in order to compile this utility.
You need working arm-eabi crosscompiler in order to compile stage1/stage2
bootloader binaries (but You should have one already if You tinker whith this)
This directory contains tool which allows to extract (and decrypt) images
stored in Rock27Boot.bin recovery file.
This directory contains tool which sends custom scsi commands to the
You need libusb-1.0 + header files in order to compile this utility.
This directory contains tool to inspect and extract content of
'full' update RKW file.
The RKW file contains specific section which instruct update
routine of the DAP what to do, custom archive with firmware files,
images of stage1 and stage2 nand bootloader and Rock27Boot.bin file
image. Nand bootloader images are stored in scrambled form but
the tool deciphers it to plain binary during extraction.
More complete descritpion of file format can be found on wiki:
This directory contains quick and dirty tool which allows to extract
nand bootloader from raw dump of the first nand block. The main reason
I post this tool is to somewhat document error correction scheme used by
rk27xx chip. The tool implements BCH error correction processing with
help of bch library taken from linux kernel (and slightly modified to
compile standalone). Error correction is SUPER important as the nands used
in cheap rk27 players have quite high error rates.
Nand controler in rk27xx chip implements hw BCH error correction engine.
The documentation is lacking so this info was obtained from RE and
various other sources.
The data on the nand is stored in 528 bytes long chunks - 512 bytes
of actual data followed by 3 bytes of metadata (used by FTL layer to mark
special sectors) followed by 13 bytes of BCH ECC. BCH algorithm
uses m=13, t=8 and primitive polynomial 0x25af. Special masking
is used such as empty sector (with all 0xff) gives all 0xff ECC bytes.
Quoting e-mail from Ivan Djelic (the author of bch lib in linux):
To summarize, the steps needed to compute the rk27xx ecc are the following:
1. Reverse bits in each input byte
2. Call encode_bch()
3. Reverse output bits in each computed ecc byte
4. Add a polynomial in order to get only 0xff ecc bytes for a blank page
For more details you need to read the code.
Another quirk is that rom loader assumes that there are 4 sectors in each
nand page. This is actually not true for newer nand chips with page size
bigger then 2k. That means that on newer 4k page chips only first half of
every page is used in nand bootloader area. This is for compatibility reasons
Finally, every 512 bytes block of data is encoded with rc4 algorithm.
The key and routine were recovered from rk27xx rom dump by AleMaxx.