This page is currently incomplete
Introduction
Rockchip rk27xx-based players use firmware files in the RKW format.
RKLD section
Header
The header is 0x2C bytes long and consists of the following fields:
| offset | size (bytes) | name | comment |
| 0x00 | 4 | ImagicNumber | Magic number. 0x4C44524B |
| 0x04 | 4 | Size | Size of the header |
| 0x08 | 4 | ImageBase | Base address of the firmware image |
| 0x0C | 4 | ImageLoadBase | Load address |
| 0x10 | 4 | ImageLoadLimit | End of the firmware image |
| 0x14 | 4 | ImageZiBase | this is the start of .bss section of the firmware I suppose |
| 0x18 | 4 | ImageReserved0 | reserved - I've seen only zeros in this field so far |
| 0x1C | 4 | ImageReserved1 | reserved - I've seen only zeros in this field so far |
| 0x20 | 4 | ImageEntry | Entry point address |
| 0x24 | 4 | ImageLoadOptions | 0x80000000 - setup flag (I don't know what it means but is present in every RKW I saw), 0x40000000 - check header crc, 0x20000000 - check firmware crc |
| 0x28 | 4 | CRC32 | crc32 of the header (excluding crc32 field itself) |
Firmware image
The firmware is a regular ARM, little-endian code image. Usually the very first instruction is a branch, a beautiful gift for us as this makes it easy to inject our code.
CRC32
Optionally(?), the last 4 bytes of the RKW are the CRC32 of the firmware part (and the loader seems to check this if the 0x20000000 flag is present in the ImageLoadOptions field of the header).
The crc32 routine is known and seems to be standard crc32 with polynomial 0x04c10db7. There is a tool for manipulating RKWs (thanks to alemaxx); its crc32 routine is based on a lengthy lookup table so I will not document it here. Go read the rkwpatch sources instead. There is also a file genrkcrc.c floating around which, as far as I can tell, uses the same algorithm to calculate the crc32 of rockchip firmware and is used on rk28xx based android tablets to calculate the checksum for boot.img.
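A sketch of a parser for the RKLD header described above, added here as an example (it is not taken from rkwpatch or any other existing tool). It assumes every field is an unsigned little-endian 32-bit word, treats "entry point inside the load range" as a sanity rule of its own, and does not verify either CRC32; parse_rkld_header, build_sample and the sample addresses are made up for illustration.

```python
import struct

RKLD_MAGIC = 0x4C44524B      # ImagicNumber value from the header table
RKLD_HEADER_SIZE = 0x2C      # header length from the page
FIELDS = ("ImagicNumber", "Size", "ImageBase", "ImageLoadBase",
          "ImageLoadLimit", "ImageZiBase", "ImageReserved0",
          "ImageReserved1", "ImageEntry", "ImageLoadOptions", "CRC32")
FLAGS = {0x80000000: "setup", 0x40000000: "check header crc",
         0x20000000: "check firmware crc"}


def parse_rkld_header(blob):
    """Return (fields, flag names, findings) for the header at offset 0.

    Assumption: all eleven fields are unsigned little-endian 32-bit words.
    """
    if len(blob) < RKLD_HEADER_SIZE:
        raise ValueError("truncated RKLD header")
    hdr = dict(zip(FIELDS, struct.unpack_from("<11I", blob)))
    if hdr["ImagicNumber"] != RKLD_MAGIC:
        raise ValueError("bad magic 0x%08X" % hdr["ImagicNumber"])
    opts = hdr["ImageLoadOptions"]
    flags = [name for bit, name in FLAGS.items() if opts & bit]
    findings = []
    if hdr["Size"] != RKLD_HEADER_SIZE:
        findings.append("Size is not 0x2C")
    if hdr["ImageReserved0"] or hdr["ImageReserved1"]:
        findings.append("reserved field is non-zero")
    # Assumed sanity rule, not stated on the page: the entry point
    # should fall inside ImageLoadBase..ImageLoadLimit.
    if not hdr["ImageLoadBase"] <= hdr["ImageEntry"] < hdr["ImageLoadLimit"]:
        findings.append("ImageEntry outside load range")
    for bit in (0x40000000, 0x20000000):
        if not opts & bit:
            findings.append("flag '%s' is clear" % FLAGS[bit])
    return hdr, flags, findings


def build_sample(**overrides):
    """Pack a constructed header (made-up addresses, CRC32 left at 0)."""
    values = dict(zip(FIELDS, (RKLD_MAGIC, RKLD_HEADER_SIZE, 0x60000000,
                               0x60000000, 0x60100000, 0x60100000, 0, 0,
                               0x60000000, 0xE0000000, 0)))
    values.update(overrides)
    return struct.pack("<11I", *(values[name] for name in FIELDS))


if __name__ == "__main__":
    print(parse_rkld_header(build_sample(ImageLoadOptions=0x80000000)))
```

A header whose ImageLoadOptions has the two crc flags clear is reported in the findings, since per the table above those flags are what make the loader check the header and firmware checksums.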
RKRS section
This section describes consecutive steps to be performed during system upgrade.
Header
| offset | size (bytes) | name | comment |
| 0x00 | 4 | Size | Size of the header |
| 0x04 | 4 | Magic | 0x53524B52 ('RKRS') |
| 0x08 | 4 | Property | ? |
| 0x0C | 4 | DateTimeStamp | ? |
| 0x10 | 4 | AllignedSize | ? |
| 0x14 | 4 | FileByteSize | ? |
| 0x18 | 2 | SizeOfNameDir | ? |
| 0x1A | 2 | SizeOfIdDir | ? |
| 0x1C | 2 | NumberOfNamedEntries | ? |
| 0x1E | 2 | NumberOfIdEntries | ? |
| 0x20 | 4 | OffsetOfNamedEntries | Offset to structs describing named entries (counting from the beginning of the section) |
| 0x24 | 4 | OffsetOfIdEntries | ? |
Named Entries Struct
| offset | size (bytes) | name | comment |
| 0x00 | 4 | Size | always 0x20 |
| 0x04 | 4 | Type | type = 3 means RKST section, type = 5 means bootloader |
| 0x08 | 4 | OffsetToData | offset relative to the beginning of RKST |
| 0x0C | 4 | SizeOfBytes | |
| 0x10 | 16 | Param | It may store some additional information about entry in RKST |
type = 3 (dir structure create & file copy)
OffsetToData - offset to RKST section
This entry instructs the upgrade procedure to unpack the content of the RKST archive onto the device's SYSTEM volume (i.e. the hidden 60-95MB sized one).
type = 4 (format)
Format SYSTEM volume
type = 5 (upgrade bootloader)
OffsetToData - offset to stage1 bootloader (sdram & pll config)
Param[0] - size of stage1 bootloader
Param[1] - offset to stage2 bootloader (main nand bootloader)
Param[2] - size of stage2 bootloader
Param[3] - version of the bootloader (in BCD - higher half contains major, lower half contains minor version. RK27DM reports this in the form of major.minor)
The images of stage1 and stage2 are scrambled with RC4 in 512-byte chunks. The version number is compared to the one stored in NAND, and the upgrade is skipped if the versions are the same.
type = 300 (copy Rock27Boot.bin ?)
OffsetToData - offset to name of the file followed by payload
Param[0] - name length
RKST section
This section is like an archive of resource files with a complete directory structure.
Header
| offset | size (bytes) | name | comment |
| 0x00 | 4 | Size | Size of the header |
| 0x04 | 4 | Magic | 0x53544B52 ('RKST') |
| 0x08 | 4 | Property | ? |
| 0x0C | 4 | DateTimeStamp | ? |
| 0x10 | 4 | AllignedSize | ? |
| 0x14 | 4 | FileByteSize | ? |
| 0x18 | 2 | SizeOfNameDir | ? |
| 0x1A | 2 | SizeOfIdDir | ? |
| 0x1C | 2 | NumberOfNamedEntries | ? |
| 0x1E | 2 | NumberOfIdEntries | ? |
| 0x20 | 4 | OffsetOfNamedEntries | Offset to structs describing named entries (counting from the beginning of the section) |
| 0x24 | 4 | OffsetOfIdEntries | ? |
Named Entries Struct
| offset | size (bytes) | name | comment |
| 0x00 | 4 | Size | |
| 0x04 | 4 | Action | Create dir or copy file |
| 0x08 | 4 | OffsetToData | |
| 0x0C | 4 | SizeOfBytes | |
| 0x10 | Size - 16 | Name | NULL terminated string containing file/dir path |
A single entry has variable length, as described in its Size field.