release
dev builds
extras
themes manual
wiki
device status forums
mailing lists
IRC bugs
patches
dev guide



Search | Go
Wiki > Main > RKWFileFormat
This page is currently incomplete

Introduction

Rockchip rk27xx based players use firmware file in RKW format.

RKLD section

Header

The header is 0x2C bytes long and consists of such fields:
offset size (bytes) name comment
0x00 4 ImagicNumber Magic number. 0x4C44524B
0x04 4 Size Size of the header
0x08 4 ImageBase Base address of the firmware image
0x0C 4 ImageLoadBase Load address
0x10 4 ImageLoadLimit End of the firmware image
0x14 4 ImageZiBase this is the start of .bss section of the firmware I suppose
0x18 4 ImageReserved0 reserved - I've seen only zeros in this field so far
0x1C 4 ImageReserved1 reserved - I've seen only zeros in this field so far
0x20 4 ImageEntry Entry point address
0x24 4 ImageLoadOptions 0x80000000 - setup flag (I don't know what it means but is present in every RKW I saw), 0x40000000 - check header crc, 0x20000000 - check firmware crc
0x28 4 CRC32 crc32 of the header (excluding crc32 field itself)

Firmware image

The firmware is regular arm, little-endian code image. Usually the very first instruction is a branch - beautiful gift for us as this makes easy to inject our code.

CRC32

Optionally(?), last 4 bytes of the RKW are CRC32 of the firmware part (and loader seems to check this if 0x20000000 flag is present in ImageLoadOptions field of the header.

The crc32 routine is known and seems to be standard crc32 with polynomial 0x04c10db7. There is a tool for manipulating RKWs (thanks to alemaxx) it's crc32 routine is based on lengthy lookup table so I will not document it here. Go read rkwpatch sources instead. There is also file genrkcrc.c floating around which uses the same algorithm to calculate crc32 of rockchip firmware as far as I can tell and is used on rk28xx based android tablets to calculate checksum for boot.img.

RKRS section

This section describes consecutive steps to be performed during system upgrade.

Header

offset size (bytes) name comment
0x00 4 Size Size of the header
0x04 4 Magic 0x53524B52 ('RKRS')
0x08 4 Property ?
0x0C 4 DateTimeStamp ?
0x10 4 AllignedSize ?
0x14 4 FileByteSize ?
0x18 2 SizeOfNameDir ?
0x1A 2 SizeOfIdDir ?
0x1C 2 NumberOfNamedEntries ?
0x1E 2 NumberOfIdEntries ?
0x20 4 OffsetOfNamedEntries Offset to structs describing named entries (counting from the beginning of the section)
0x24 4 OffsetOfIdEntries ?

Named Entries Struct
offset size (bytes) name comment
0x00 4 Size always 0x20
0x04 4 Type type = 3 means RKST section, type = 5 means bootloader
0x08 4 OffsetToData offset relative to the begining of RKST
0x0C 4 SizeOfBytes  
0x10 16 Param It may store some additional informations about entry in RKST

type = 3 (dir structure create & file copy)

OffsetToData - offset to RKST section

This entry instructs upgrade procedure to unpack content of RKST archive onto device's SYSTEM volume (i.e hidden 60-95MB sized one).

type = 4 (format)

Format SYSTEM volume

type = 5 (upgrade bootloader)

OffsetToData - offset to stage1 bootloader (sdram & pll config)

Param[0] - size of stage1 bootloader

Param[1] - offset to stage2 bootloader (main nand bootloader)

Param[2] - size of stage2 bootloader

Param[3] - version of the bootloader (in BCD - higher half contains major, lower half contains minor version. RK27DM reports this in the form of major.minor)

The images of stage1 and stage2 are scrambled with RC4 in 512bytes chunks. The version number is compared to this stored in nand and upgrade is skipped if versions are the same.

type = 300 (copy Rock27Boot.bin ?)

OffsetToData - offset to name of the file followed by payload Param[0] - name length

RKST section

This section is like archive of resource files with complete dir structure

Header

offset size (bytes) name comment
0x00 4 Size Size of the header
0x04 4 Magic 0x53544B52 ('RKST')
0x08 4 Property ?
0x0C 4 DateTimeStamp ?
0x10 4 AllignedSize ?
0x14 4 FileByteSize ?
0x18 2 SizeOfNameDir ?
0x1A 2 SizeOfIdDir ?
0x1C 2 NumberOfNamedEntries ?
0x1E 2 NumberOfIdEntries ?
0x20 4 OffsetOfNamedEntries Offset to structs describing named entries (counting from the beginning of the section)
0x24 4 OffsetOfIdEntries ?

Named Entries Struct
offset size (bytes) name comment
0x00 4 Size  
0x04 4 Action Create dir or copy file
0x08 4 OffsetToData  
0x0C 4 SizeOfBytes  
0x10 Size - 16 Name NULL terminated string containing file/dir path

The single entry has variable length described in Size field.

r13 - 02 Apr 2021 - 20:46:07 - UnknownUser

Copyright © by the contributing authors.