MyMPx.org


Dancemammal 16th May 2008 1:44 am

Anyone who wants rockchip firmware extractor read this
 
Hi All,

Having tried for some time now to get information from Rock-Chip with no success, I need your help to get them to listen to our request for firmware extraction.

We can do one of two things,

1. Individually mail the company asking them to release information to us to help us create the extractor.

or

2. Create a mail with a list of people that request the information, and send that to them.

Without this information, the firmware extraction cannot proceed; believe me, I have tried without it.

I will monitor this thread for ideas,

Regards

Dancemammal

knob 16th May 2008 11:56 am

Hi dancemammal

Sorry to hear you had no luck with this bit, and thanks for all your efforts so far.

If anyone wants to try contacting Rockchip here are 2 email addresses:-

E-mail:support@rock-chips.com

Complaints e-mail: customer@rock-chips.com

Pity the company can't see the benefit of providing this information. I'll give them a try myself.

(noticed the website has changed now, the english version seems to have gone altogether)

http://www.rock-chips.com/newEbiz1/E...Contactus.html

makd511 16th May 2008 5:01 pm

nice to see you again dancemammal

sorry to hear about rockchip but it does not surprise me at all

i have emailed them countless times with no response whatsoever.

doing a mass email to them, would it work, in truth i am unsure that it really would.

i really wonder who makes the firmwares for these players, there may be a completely different company designated to doing the software for this hardware, but how to get that info as well is a mystery

skat325is 17th May 2008 2:33 pm

Re: Anyone who wants rockchip firmware extractor read this
 
I'm in for helping in whatever you guys decide on doing.
I wish to re-skin my Onda clone, but don't want to risk it.

knob 20th May 2008 12:18 pm

If anyone is interested I managed to get hold of some RK2608 mp4 player source code in C . :shock:

http://www.megaupload.com/?d=IKUP8H6Q

makd511 29th May 2008 11:05 pm

dancemammal

since the new version of the rockchip came out (RK2706) i can not use your tool as the images inside are 32bit and the editor can not handle those (for most anyway - ramos rm970 an example) - i currently use a tool called image search editor

also i am finding that the new firmwares are now using animated gifs!!! and png files etc

now, is it possible to expand on your current editor and do something, do you think, to handle these things, we need to be able to get at all images in whatever format they exist in

i am sure you are a busy man but any help on this would be great

the new chip, ingenic/chinachip (ainol v2000se example), has a homebrew extractor that extracts out all images and other files with the click of a button, is this possible

i have several firmwares and also a breakdown of the actual files that make up the firmwares and parts of the firmware, so we are looking at a file called bmp0.bin, this is the part of the firmware that contains the images only

any ideas

cheers
makd511

Pesho 30th May 2008 4:49 pm

Man, that's bad news! I doubt mass-nagging them would work (although im not saying no to it, whatever we can do, we should do it;)) Would that sourcecode knob posted do any good?

wiRe 2nd Oct 2008 5:38 am

Re: Anyone who wants rockchip firmware extractor read this
 
some days ago i got access to a rockchip player including the RK260x chip. i took a look at it and found a way to extract the first 0x200 bytes of the first block inside the RFW firmware file (you don't need any information from the manufacturer to do this, just investigate their protocol and you know how to do it). anyway, i still have problems understanding the RFW file format. in contrast to the s1mp3 players' format, these files don't contain any text strings which would simplify analysis a lot. i investigated the file header and found several entries which point to different blocks inside the file. i also recognized one of these blocks is the resource file (e.g. similar to UI30.RES on s1mp3 devices), while others contain program code of the firmware. if anybody can give me more detailed information about the RFW file header and structure, i guess i will be able to write a firmware extractor for the RK260x series. btw. which machine code gets used for the controller, are there any disassemblers?

Dancemammal 2nd Oct 2008 6:38 am

Hi All,

I am more than willing to help, perhaps Wire would share what he has learned with the forum, and we can build on what has been discovered.

Dancemammal

knob 2nd Oct 2008 9:53 am

It's a zsp400 based processor, I have uploaded the technical manual here:-
http://www.mympxplayer.org/zsp400pdf...-am-df930.html
with the complete instruction set.

There is already an assembler and disassembler which just works with "Rock" .rkp games at the moment, uploaded by Benny here:-
http://www.mympxplayer.org/rockchip-sdk-vt11147.html

Same instruction set. so we have a good start.

and datasheet with example code here:-
http://www.mympxplayer.org/rock26xx-...pdf-df609.html

Benny 2nd Oct 2008 12:18 pm

Hi Knob
I'm very interested in the first one of your documents (ZSP 400
with instruction set), but it seems the link is no longer working.
Regards
Benny

knob 2nd Oct 2008 1:07 pm

It's still waiting for the site admin to make the link active, then it will be available for you to download. :wink:

in the meantime it's here:-
Zsp400 Technical Manual

Benny 2nd Oct 2008 1:39 pm

Hi Knob
Tks a lot
Regards
Benny

wiRe 3rd Oct 2008 4:26 am

Re: Anyone who wants rockchip firmware extractor read this
 
yes, thnx a lot for this doc. since we know the instruction code set we are able to investigate the firmware files (RFW) to find out where code gets stored and which format gets used to separate between different apps. because the image data gets stored unencrypted directly inside the file (that's why dancemammal's editor works) i don't think the code gets encrypted in any way. the update tool directly writes this data to the flash chip, page by page. when you have a quick look at the RFW header, you are able to extract the following content (from file "RockChip_firmware_(PowerPack).zip"):

Code:

id: ROCK260x
year: 2005
version: VER5.00
name: Rockchip
block 00: fofs=00000690, size=00000F54, attr=00000000
block 01: fofs=000015E4, size=0000FC70, attr=00000000
block 02: fofs=00011254, size=00002D82, attr=00000000
block 03: fofs=00011254, size=00002D82, attr=00000000
block 04: fofs=00013FD6, size=00009618, attr=00007900
block 05: fofs=0001D5EE, size=00005F0C, attr=00006506
block 06: fofs=000234FA, size=00008B76, attr=00001700
block 07: fofs=0002C070, size=0000AFBE, attr=00007900
block 08: fofs=0003702E, size=00008A24, attr=00001700
block 09: fofs=0003FA52, size=0000907E, attr=00006300
block 10: fofs=00048AD0, size=00003816, attr=00007900
block 11: fofs=0004C2E6, size=00000756, attr=00006C00
block 12: fofs=0004CA3C, size=000086AA, attr=00001700
block 13: fofs=000550E6, size=00008392, attr=00007900
block 14: fofs=0005D478, size=00000FEA, attr=00009D00
block 15: fofs=0005E462, size=00010278, attr=00001700
block 16: fofs=0006E6DA, size=000038BE, attr=00001C5F
block 17: fofs=00071F98, size=00001B9C, attr=00000DCE
block 18: fofs=00073B34, size=0000255C, attr=000012AE
block 19: fofs=00076090, size=000041EC, attr=00007900
block 20: fofs=0007A27C, size=0000203C, attr=00001700
block 21: fofs=0007C2B8, size=0000F864, attr=00002B00
block 22: fofs=0008BB1C, size=00000000, attr=0000B100
block 25: fofs=0008BB1C, size=0000178A, attr=0000C300
block 27: fofs=0008D2A6, size=00000820, attr=0000B000
block 28: fofs=0008DAC6, size=0000759C, attr=00007900
block 29: fofs=00095062, size=00002D2A, attr=00001700
block 30: fofs=00097D8C, size=00002EE8, attr=00008000
block 31: fofs=0009AC74, size=00001FF8, attr=00007900
block 32: fofs=0009CC6C, size=0000003C, attr=000060D0
block 33: fofs=0009CCA8, size=0000607C, attr=00001700
block 34: fofs=000A2D24, size=00001F06, attr=0000C300
block 37: fofs=000A4C2A, size=00001620, attr=0000C300
block 38: fofs=000A624A, size=00000702, attr=0000B000
block 61: fofs=000A694C, size=00210CB2, attr=00000000
block 62: fofs=002B75FE, size=000C0000, attr=00800000
block 63: fofs=003775FE, size=0004D1BE, attr=282779CB
block 64: fofs=003C47BC, size=006417DC, attr=6FAEFFB2

block 01 (or file 01) gets written to the flash chip directly on every upload. blocks of greater numbers too, but to different places. the last block contains all image resources. maybe the attribute 6FAEFFB2 is unique for resource data. to be sure on that i have to test this against all other firmware files first. possibly one block contains the bootloader ROM for the RK chip. this one should be detectable, because it directly starts with a JMP instruction in 99% of all cases and it may be of fixed size for all firmwares (how large is the ROM?).

the RFW file header structure i used to retrieve this information:
Code:

typedef struct {
  unsigned __int32 flag;
  unsigned __int32 fofs;
  unsigned __int32 size;
  unsigned __int32 unkwn;
} RFW_HEADER_ENTRY;

typedef struct {
  char id[8];  //"ROCK260x"
  char year[4]; //eg. "2005"
  char ver[7];  //eg. "VER5.00"
  unsigned __int8 unkwn0013[12];
  char name[17];
  unsigned __int8 unkwn0030[0x250];
  RFW_HEADER_ENTRY entry[65];
} RFW_HEADER;

any more details about the unkwn0013/0030 fields are appreciated.
does the game-disassembler read any special application-header, or in other words: do we have more information on how application code gets stored?
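
An added example, not part of wiRe's post or tool: a bounds-checked reader for the header layout given above, which flags table entries that point outside the file before anything is extracted from them. The posted struct puts entry[] at offset 0x280 and ends at 0x690, matching the fofs of block 00 in the listing. Assumptions: little-endian fields, a slot with zero fofs and size is unused, and the names rfw_parse and rfw_sample are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFW_ENTRIES   65
#define RFW_TABLE_OFS 0x280u  /* 8+4+7+12+17+0x250 bytes precede entry[] in the posted struct */
#define RFW_HDR_SIZE  (RFW_TABLE_OFS + RFW_ENTRIES * 16u)  /* 0x690, the fofs of block 00 */
typedef struct { uint32_t flag, fofs, size, unkwn; } rfw_entry;
/* Assumption: fields are little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Fills out[65] and bad[65]; returns how many entries have their data inside
 * the file, or -1 when the buffer is too short or lacks the "ROCK260x" id. */
static int rfw_parse(const uint8_t *buf, size_t len, rfw_entry *out, uint8_t *bad) {
    if (len < RFW_HDR_SIZE || memcmp(buf, "ROCK260x", 8) != 0) return -1;
    int ok = 0;
    for (int i = 0; i < RFW_ENTRIES; i++) {
        const uint8_t *e = buf + RFW_TABLE_OFS + 16u * i;
        out[i] = (rfw_entry){ rd32(e), rd32(e + 4), rd32(e + 8), rd32(e + 12) };
        int used = out[i].fofs || out[i].size;  /* assumed: all-zero offset/size = unused slot */
        /* compare against len - fofs; computing fofs + size could wrap in 32 bits */
        bad[i] = used && (out[i].fofs < RFW_HDR_SIZE || out[i].fofs > len || out[i].size > len - out[i].fofs);
        ok += used && !bad[i];
    }
    return ok;
}

/* Constructed sample (not a real firmware): header, 0x20 payload bytes, 3 entries. */
static size_t rfw_sample(uint8_t *buf) {
    uint8_t *t = buf + RFW_TABLE_OFS;
    memset(buf, 0, RFW_HDR_SIZE + 0x20);
    memcpy(buf, "ROCK260x2005VER5.00", 19);
    wr32(t + 4, 0x690);  wr32(t + 8, 0x10);          /* entry 0: fits */
    wr32(t + 20, 0x6A0); wr32(t + 24, 0x1000);       /* entry 1: runs past end of file */
    wr32(t + 36, 0x6A0); wr32(t + 40, 0xFFFFFFF0u);  /* entry 2: fofs + size would wrap */
    return RFW_HDR_SIZE + 0x20;
}

int main(void) {
    static uint8_t img[RFW_HDR_SIZE + 0x20];
    rfw_entry e[RFW_ENTRIES]; uint8_t bad[RFW_ENTRIES];
    printf("usable blocks: %d\n", rfw_parse(img, rfw_sample(img), e, bad));
    for (int i = 0; i < RFW_ENTRIES; i++)
        if (bad[i]) printf("block %02d out of range: fofs=%08X size=%08X\n", i, (unsigned)e[i].fofs, (unsigned)e[i].size);
    return 0;
}
```

Which of the two unnamed 32-bit fields corresponds to the "attr" column of the listing is not stated in the post, so the example reads both and interprets neither.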

Benny 3rd Oct 2008 5:25 am

Re: Anyone who wants rockchip firmware extractor read this
 
Hi wiRe
RKP-Format (actually only used for Games with the exception of my
first Test-Programm Data-Viewer) seems to be a special-format of code.
Firmware is a different thing, but uses the same instruction set and
the same processor:
http://www.file-upload.net/download-...2zxds.pdf.html
Regards
Benny

Pesho 3rd Oct 2008 9:05 am

Re: Anyone who wants rockchip firmware extractor read this
 
Hey, what about the SDK documentation from that chinese blog?

Here

wiRe 8th Jan 2009 2:45 am

i can't afford the time to continue the rockchip firmware extractor, thus i uploaded all rockchip-related sources to my svn repo.

you can find the link to sourceforge on my page:
http://www.s1mp3.de/

