This page is currently incomplete

Introduction

Rockchip rk27xx based players use firmware file in RKW format.

RKLD section

Header

The header is 0x2C bytes long and consists of such fields:

offset	size (bytes)	name	comment
0x00	4	ImagicNumber	Magic number. 0x4C44524B
0x04	4	Size	Size of the header
0x08	4	ImageBase	Base address of the firmware image
0x0C	4	ImageLoadBase	Load address
0x10	4	ImageLoadLimit	End of the firmware image
0x14	4	ImageZiBase	this is the start of .bss section of the firmware I suppose
0x18	4	ImageReserved0	reserved - I've seen only zeros in this field so far
0x1C	4	ImageReserved1	reserved - I've seen only zeros in this field so far
0x20	4	ImageEntry	Entry point address
0x24	4	ImageLoadOptions	0x80000000 - setup flag (I don't know what it means but is present in every RKW I saw), 0x40000000 - check header crc, 0x20000000 - check firmware crc
0x28	4	CRC32	crc32 of the header (excluding crc32 field itself)

Firmware image

The firmware is regular arm, little-endian code image. Usually the very first instruction is a branch - beautiful gift for us as this makes easy to inject our code.

CRC32

Optionally(?), last 4 bytes of the RKW are CRC32 of the firmware part (and loader seems to check this if 0x20000000 flag is present in ImageLoadOptions field of the header.

The crc32 routine is known and seems to be standard crc32 with polynomial 0x04c10db7. There is a tool for manipulating RKWs (thanks to alemaxx) it's crc32 routine is based on lengthy lookup table so I will not document it here. Go read rkwpatch sources instead. There is also file genrkcrc.c floating around which uses the same algorithm to calculate crc32 of rockchip firmware as far as I can tell and is used on rk28xx based android tablets to calculate checksum for boot.img.

RKRS section

This section describe additional resources packed together.

Header

offset	size (bytes)	name	comment
0x00	4	Size	Size of the header
0x04	4	Magic	0x53524B52 ('RKRS')
0x08	4	Property	?
0x0C	4	DateTimeStamp	?
0x10	4	AllignedSize	?
0x14	4	FileByteSize	?
0x18	2	SizeOfNameDir	?
0x1A	2	SizeOfIdDir	?
0x1C	2	NumberOfNamedEntries	?
0x1E	2	NumberOfIdEntries	?
0x20	4	OffsetOfNamedEntries	Offset to structs describing named entries (counting from the beginning of the section)
0x24	4	OffsetOfIdEntries	?

Named Entries Struct

offset	size (bytes)	name	comment
0x00	4	Size	always 0x20
0x04	4	Type	type = 3 means RKST section, type = 5 means bootloader
0x08	4	OffsetToData	offset relative to the begining of RKST
0x0C	4	SizeOfBytes
0x10	16	Param	It may store some additional informations about entry in RKST

type = 5 description

Param[0] - size of stage1 bootloader (sdram config)

Param[1] - offset to stage2 bootloader

Param[2] - size of stage2 bootloader

Param[3] - version of the bootloader (in BCD - higher half contains major, lower half contains minor version. RK27DM reports this in the form of major.minor)

The images of stage1 and stage2 are scrambled.

RKST section

This section is like archive of resource files with complete dir structure

Header

offset	size (bytes)	name	comment
0x00	4	Size	Size of the header
0x04	4	Magic	0x53544B52 ('RKST')
0x08	4	Property	?
0x0C	4	DateTimeStamp	?
0x10	4	AllignedSize	?
0x14	4	FileByteSize	?
0x18	2	SizeOfNameDir	?
0x1A	2	SizeOfIdDir	?
0x1C	2	NumberOfNamedEntries	?
0x1E	2	NumberOfIdEntries	?
0x20	4	OffsetOfNamedEntries	Offset to structs describing named entries (counting from the beginning of the section)
0x24	4	OffsetOfIdEntries	?

Named Entries Struct

offset	size (bytes)	name	comment
0x00	4	Size
0x04	4	Action	Create dir or copy file
0x08	4	OffsetToData
0x0C	4	SizeOfBytes
0x10	Size - 16	Name	NULL terminated string containing file/dir path

The single entry has variable length described in Size field.