Entering into the USB flash mode is device specific, on the BQ Pascal you need to shutdown the device, remove the USB cable, then while pressing the "-" volume key plug the usb cable. When the USB cable is plugged in these conditions, it is listed on lsusb with "ID 2207:290a", this is not the usual id that you get when connected with a booted system (storage mode).
At this stage it is possible to read/write the flash contents, RK2918 does not support the regular fastboot protocol, it uses a specific protocol, which was already reverse engineered, a linux tool is available: https://github.com/justgr/arnova-tools/tree/master/rkflashtool
Using rlfkashtool we can now look at the flash contents:
./rkflashtool r 0x0 0x1 > /tmp/parameters # Read first block (1 block = 16k size)Look at /tmp/block1, this is the parameters file encapsulated in an RK2918 header/footer, the content format is:
"PARM" 32_bits_big_endian_size CONTENTS 32_bits_crc
The parameters file is duplicated into block offsets 0x20, 0x40, 0x60 and 0x80.
The CMDLINE option found on the parameters allows you to determine other partition files.
The format is: mtdparts=...size@offset(partition_name), for example on my device:
mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00008000@0x00008000(boot)
Now we can use rkflashtool to get the boot partition:
/rkflashtool r 0x00008000 0x00008000 > /tmp/boot.img
Now the bad news, while the boot.img format from the 4GB model was known and had a similar format to the parameters file but using "KRNL", the 8GB firmware change did also change the image files.
Let'e hope I can figure the new format or find someone who already did.
Sem comentários:
Enviar um comentário