Marcin Bukat | 8f4202d | 2011-05-30 21:10:43 +0000

This is a collection of small utilities needed to hack Rockchip rk27xx
series based DAPs. These tools were tested on Linux only.

rk27load
This directory contains a tool which can send arbitrary image(s) to the device
in Rockchip recovery mode (VID:PID 0x071B:0x3201).

The first image cannot exceed 510 bytes (+2 bytes checksum) and its entry
point is 0x18020e00. Usually this code is used to configure the SDRAM controller.
One can use the first stage image extracted from the Rock27Boot.bin file (a bit
more sophisticated) or the one provided in the rk27load/stage1 directory.

The second image is loaded at the beginning of the DRAM (0x60000000)
and executed. For some reason (which is still unclear) the size of the
2nd stage image is limited to about 3-4 kB.

You can find an example of a custom 2nd stage image in the rk27load/stage2
directory. The purpose of this image is to configure bulk transfer and allow
loading usercode without the size restriction mentioned above (the max size
is 8MB actually). The entry point of usercode is 0x60000000.

You need libusb 1.0 + header files in order to compile this utility.
You need a working arm-eabi cross-compiler in order to compile the stage1/stage2
bootloader binaries (but you should have one already if you tinker with this).

rkboottool
This directory contains a tool which allows extracting (and decrypting) images
stored in the Rock27Boot.bin recovery file.


rkusbtool
This directory contains a tool which sends custom SCSI commands to the
Rockchip player.

You need libusb-1.0 + header files in order to compile this utility.

Marcin Bukat | f182a11 | 2013-09-02 12:35:47 +0200

nandextract
This directory contains a quick and dirty tool which allows extracting the
NAND bootloader from a raw dump of the first NAND block. The main reason
I post this tool is to somewhat document the error correction scheme used by
the rk27xx chip. The tool implements BCH error correction processing with the
help of the BCH library taken from the Linux kernel (and slightly modified to
compile standalone). Error correction is SUPER important as the NANDs used
in cheap rk27 players have quite high error rates.

The NAND controller in the rk27xx chip implements a hardware BCH error
correction engine. The documentation is lacking, so this info was obtained
from RE and various other sources.
The data on the NAND is stored in 528 bytes long chunks - 512 bytes
of actual data followed by 3 bytes of metadata (used by the FTL layer to mark
special sectors) followed by 13 bytes of BCH ECC. The BCH algorithm
uses m=13, t=8 and primitive polynomial 0x25af. Special masking
is used so that an empty sector (all 0xff) gives all 0xff ECC bytes.
Quoting an e-mail from Ivan Djelic (the author of the BCH lib in Linux):
To summarize, the steps needed to compute the rk27xx ecc are the following:
1. Reverse bits in each input byte
2. Call encode_bch()
3. Reverse output bits in each computed ecc byte
4. Add a polynomial in order to get only 0xff ecc bytes for a blank page
For more details you need to read the code.

Another quirk is that the ROM loader assumes that there are 4 sectors in each
NAND page. This is actually not true for newer NAND chips with a page size
bigger than 2k. That means that on newer 4k page chips only the first half of
every page is used in the NAND bootloader area. This is most probably for
compatibility reasons.

Finally, every 512-byte block of data is encoded with the RC4 algorithm.
The key and routine were recovered from the rk27xx ROM dump by AleMaxx.
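
The chunk layout and the 4-sectors-per-page quirk described above, as an added example (not code from nandextract): it locates a boot-area sector in a raw dump, splits it into data, metadata and ECC, and flags blank sectors before any ECC check or RC4 decoding. The function names, and the assumptions that the dump keeps the spare bytes and that the four chunks sit back to back at the start of each page, are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Chunk layout from the README: 512 data + 3 metadata + 13 ECC = 528 bytes. */
#define RK_DATA 512u
#define RK_META 3u
#define RK_ECC  13u
#define RK_CHUNK (RK_DATA + RK_META + RK_ECC)
#define RK_SECT_PER_PAGE 4u   /* what the ROM loader assumes for every page */

struct rk_chunk {
    const uint8_t *data;  /* 512 bytes, still RC4-encoded */
    const uint8_t *meta;  /* 3 bytes of FTL metadata */
    const uint8_t *ecc;   /* 13 bytes of masked BCH ECC */
};

/* Steps 1 and 3 of the quoted recipe: reverse the bit order of one byte. */
uint8_t rk_bitrev8(uint8_t b)
{
    b = (uint8_t)((b >> 4) | (b << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    return (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
}

/* Locate boot-area sector n. page_stride is the raw page size in the dump,
 * spare bytes included (assumption: supplied by the caller). Returns 0, or -1
 * when the stride cannot hold four chunks or the sector lies past the dump. */
int rk_locate_sector(const uint8_t *dump, size_t len, size_t page_stride,
                     size_t n, struct rk_chunk *out)
{
    size_t page = n / RK_SECT_PER_PAGE, off;

    if (page_stride < RK_SECT_PER_PAGE * RK_CHUNK) return -1;
    if (page > len / page_stride) return -1;      /* also rules out overflow */
    off = page * page_stride + (n % RK_SECT_PER_PAGE) * RK_CHUNK;
    if (off > len || len - off < RK_CHUNK) return -1;
    out->data = dump + off;
    out->meta = out->data + RK_DATA;
    out->ecc  = out->meta + RK_META;
    return 0;
}

/* Blank (erased) sector: data, metadata and, thanks to the masking, the ECC
 * are all 0xff. Returns 1 if blank, 0 otherwise. */
int rk_chunk_is_blank(const struct rk_chunk *c)
{
    for (size_t i = 0; i < RK_CHUNK; i++)  /* the three fields are contiguous */
        if (c->data[i] != 0xff) return 0;
    return 1;
}
```

On a 4k-page chip the stride is larger than 4 * 528 bytes, so the bytes after the fourth chunk of each page are skipped, which is the "only first half of every page" behaviour.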