This is a collection of small utilities needed to hack Rockchip rk27xx
series based DAPs. These tools were tested on linux only.


rk27load
This directory contains a tool which can send arbitrary image(s) to the device
in Rockchip recovery mode (VID:PID 0x071B:0x3201).

The first image can not exceed 510 bytes (+2 bytes checksum) and its entry
point is 0x18020e00. Usually this code is used to configure the SDRAM controller.
One can use the first stage image extracted from the Rock27Boot.bin file (a bit
more sophisticated) or the one provided in the rk27load/stage1 directory.

The second image is loaded at the beginning of DRAM (0x60000000)
and executed. For some reason (which is still unclear) the size of the
2nd stage image is limited to about 3-4 kB.

You can find an example of a custom 2nd stage image in the rk27load/stage2 directory.
The purpose of this image is to configure bulk transfers and allow loading
usercode without the size restriction mentioned above (the maximum size
is actually 8MB). The entry point of usercode is 0x60000000.

You need libusb-1.0 + header files in order to compile this utility.
You need a working arm-eabi cross-compiler in order to compile the stage1/stage2
bootloader binaries (but you should have one already if you tinker with this).


rkboottool
This directory contains a tool which extracts (and decrypts) the images
stored in the Rock27Boot.bin recovery file.


rkusbtool
This directory contains a tool which sends custom SCSI commands to the
Rockchip player.

You need libusb-1.0 + header files in order to compile this utility.

nandextract
This directory contains a quick and dirty tool which extracts the
nand bootloader from a raw dump of the first nand block. The main reason
I post this tool is to somewhat document the error correction scheme used by
the rk27xx chip. The tool implements BCH error correction processing with the
help of the bch library taken from the linux kernel (and slightly modified to
compile standalone). Error correction is SUPER important as the nands used
in cheap rk27 players have quite high error rates.

The nand controller in the rk27xx chip implements a hw BCH error correction engine.
The documentation is lacking, so this info was obtained from RE and
various other sources.
The data on the nand is stored in 528-byte chunks - 512 bytes
of actual data followed by 3 bytes of metadata (used by the FTL layer to mark
special sectors) followed by 13 bytes of BCH ECC. The BCH code
uses m=13, t=8 and primitive polynomial 0x25af (13 bytes is exactly
m*t = 104 parity bits). Special masking is used so that an empty sector
(all 0xff) gives all-0xff ECC bytes.
Quoting an e-mail from Ivan Djelic (the author of the bch lib in linux):
To summarize, the steps needed to compute the rk27xx ecc are the following:
1. Reverse bits in each input byte
2. Call encode_bch()
3. Reverse output bits in each computed ecc byte
4. Add a polynomial in order to get only 0xff ecc bytes for a blank page
For more details you need to read the code.

Another quirk is that the rom loader assumes that there are 4 sectors in each
nand page. This is not true for newer nand chips with a page size
bigger than 2k. That means that on newer 4k page chips only the first half of
every page is used in the nand bootloader area, most probably for
compatibility reasons.

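The following Python is an added example, not code from nandextract, the kernel bch library or Ivan Djelic's e-mail. It implements the four ECC steps quoted above from scratch (GF(2^13) tables from 0x25af, the degree-104 generator polynomial, systematic encoding with the per-byte bit reversal and the blank-page mask) and adds a syndrome check that undoes the mask and reversal; going beyond the text, it also slices the four chunks per page that the rom loader reads out of a raw page+spare dump, so it covers the 4-sectors-per-page quirk as well. Assumptions not stated on the page: the ECC covers the 512 data bytes plus the 3 metadata bytes (515 bytes); the encoder in step 2 consumes bits MSB-first within each byte, as the kernel's encode_bch() does; and the 528-byte chunks are stored back to back across page and spare (4 * 528 = 2112 = 2048 + 64, which is why a 2k page with a 64-byte spare holds exactly four). All function names are mine and the sample data is constructed.

```python
"""rk27xx NAND ECC: BCH(m=13, t=8, poly 0x25af) over 512+3 byte chunks.
Added example, not code from nandextract or the kernel bch library; the
covered length, the MSB-first bit order inside encode_bch() and the
back-to-back chunk layout in a raw page+spare dump are assumptions."""
M, T, PRIM_POLY = 13, 8, 0x25AF      # x^13+x^10+x^8+x^7+x^5+x^3+x^2+x+1
N = (1 << M) - 1                     # 8191: unshortened code length in bits
DATA_LEN, ECC_LEN = 512 + 3, 13      # bytes covered by the ECC / ECC bytes

# GF(2^13) exp/log tables generated from the primitive polynomial.
EXP, LOG = [0] * (2 * N), [0] * (N + 1)
_x = 1
for _i in range(N):
    EXP[_i], LOG[_x] = _x, _i
    _x <<= 1
    if _x & (1 << M):
        _x ^= PRIM_POLY
assert _x == 1, "0x25af is not primitive over GF(2^13)"
EXP[N:] = EXP[:N]                    # wrap so EXP[i + j] works without a mod

def gf_mul(a, b):
    return EXP[LOG[a] + LOG[b]] if a and b else 0

def build_generator():
    """g(x) = LCM of the minimal polynomials of alpha^1, alpha^3, ..., alpha^(2t-1),
    returned as an int whose bit k is the coefficient of x^k."""
    g, seen = [1], set()                     # g over GF(2^13), lowest degree first
    for i in range(1, 2 * T, 2):
        if i in seen:
            continue
        coset, j = [], i                     # cyclotomic coset {i, 2i, 4i, ...} mod N
        while j not in coset:
            coset.append(j)
            j = 2 * j % N
        seen.update(coset)
        for j in coset:                      # g(x) *= (x + alpha^j)
            new = [0] * (len(g) + 1)
            for k, c in enumerate(g):
                new[k + 1] ^= c
                new[k] ^= gf_mul(c, EXP[j])
            g = new
    assert all(c in (0, 1) for c in g)       # whole cosets make the product binary
    return sum(c << k for k, c in enumerate(g))

GEN = build_generator()
ECC_BITS = GEN.bit_length() - 1              # 104 = m*t bits = 13 bytes

def gf2_mod(a, g):
    """a(x) mod g(x) over GF(2); polynomials are ints, bit k = x^k."""
    dg = g.bit_length() - 1
    while a.bit_length() - 1 >= dg:
        a ^= g << (a.bit_length() - 1 - dg)
    return a

def encode_bch(data):
    """Step 2: systematic encoding of an MSB-first bit stream, remainder as bytes."""
    rem = gf2_mod(int.from_bytes(data, "big") << ECC_BITS, GEN)
    return rem.to_bytes(ECC_LEN, "big")

def bitrev_bytes(buf):
    """Steps 1 and 3: reverse the bit order inside every byte."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in buf)

def raw_ecc(data):
    return bitrev_bytes(encode_bch(bitrev_bytes(data)))

# Step 4: the code is linear, so "adding a polynomial" is a constant XOR mask,
# chosen here so that an all-0xff chunk yields all-0xff ECC bytes.
BLANK_MASK = bytes(b ^ 0xFF for b in raw_ecc(b"\xff" * DATA_LEN))

def rk27xx_ecc(data):
    """ECC bytes for one 515-byte chunk as the controller would store them."""
    assert len(data) == DATA_LEN
    return bytes(a ^ m for a, m in zip(raw_ecc(data), BLANK_MASK))

def syndromes(data, ecc):
    """Undo steps 4 and 3, then evaluate the codeword at alpha^1..alpha^2t (Horner).
    All zero means no error detected; locating up to t=8 errors is the
    Berlekamp-Massey/Chien part left to the kernel library nandextract uses."""
    plain = bitrev_bytes(bytes(a ^ m for a, m in zip(ecc, BLANK_MASK)))
    cw = int.from_bytes(bitrev_bytes(data), "big") << ECC_BITS | int.from_bytes(plain, "big")
    bits = [cw >> k & 1 for k in range(len(data) * 8 + ECC_BITS - 1, -1, -1)]
    out = []
    for i in range(1, 2 * T + 1):
        acc = 0
        for bit in bits:
            acc = gf_mul(acc, EXP[i]) ^ bit
        out.append(acc)
    return out

def check_chunk(data, ecc):
    """True when the 515 data/metadata bytes agree with their 13 ECC bytes."""
    return not any(syndromes(data, ecc))

def bootloader_chunks(dump, page_size, spare_size):
    """Yield (data, ecc) for the four chunks per page the rom loader reads.
    4 * 528 = 2048 + 64 fills a 2k page plus spare exactly; on a 4k page the
    second half is never used (assumed raw page+spare dump layout)."""
    stride = page_size + spare_size
    for off in range(0, len(dump) - stride + 1, stride):
        for s in range(4):
            chunk = dump[off + s * 528 : off + (s + 1) * 528]
            yield chunk[:DATA_LEN], chunk[DATA_LEN:]
```

Correction itself (Berlekamp-Massey plus Chien search for up to t=8 errors) is left to the kernel library that nandextract links; the syndrome check is enough to tell a clean chunk from a corrupted one and to confirm that the bit-reversal and mask conventions match a real dump. If check_chunk() reports errors on every chunk of a known-good dump, the bit order or the covered length is the first thing to revisit.
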
Finally, every 512-byte block of data is encrypted with the RC4 algorithm.
The key and routine were recovered from an rk27xx rom dump by AleMaxx.