Wednesday, 29 February 2012

Updating the kernel/initrd

I was able to figure out the change in the boot.img obtained from the tablet, as described in my previous post.

On the 4GB model firmware the boot.img is a gzipped cpio initrd archive "signed" with a Rockchip-specific header/footer, and the kernel.img is a raw kernel image, also "signed". This format is commonly mentioned on the internet as being generated with RK2918 SDK < 2.0.

The 8GB firmware uses a newer RK2918 SDK, 2.1, which packs the kernel and initrd images into a single boot.img, similar to the image generated by Android's "mkbootimg" utility. You can actually extract the kernel/initrd contents using the split_bootimg.pl script. Unfortunately the RK2918 boot.img uses an extra CRC field which is validated by the bootloader, so a boot.img generated by the regular "mkbootimg" will not allow the device to boot. This limits the ability to use custom ROMs.

Luckily the bootloader from SDK 2.1 can boot from boot.img/kernel.img images as generated by the SDK < 2.0.
In short, to modify an 8GB model kernel: split the boot.img, change the initrd/kernel as desired, sign them with rkcrc (the signature for the SDK < 2.0 format), flash, and reboot.

Step by step:
cd ~
git clone git://github.com/lamegopinto/rk2918tools
# Check the rk2918tools/README for build requirements
cd ~/rk2918tools && make
mkdir -p ~/tmp && cd ~/tmp
# Dump the boot and kernel partitions from the device
~/rk2918tools/img-manager.py dump boot
~/rk2918tools/img-manager.py dump kernel
cp -a boot.img boot.img.orig   # keep an untouched copy to flash back if something goes wrong
~/rk2918tools/split_bootimg.pl boot.img
mkdir -p ramdisk && cd ramdisk
gunzip -c ../boot.img-ramdisk.gz | sudo cpio -i
# Change the ramdisk as desired

# Rebuild the initrd (newc cpio, gzip -n for a reproducible archive)
sudo find . ! -name "." | sort | sudo cpio -oa -H newc | gzip -n > ../newinitrd.gz
cd ..

# Repackage: sign both images with rkcrc in the SDK < 2.0 format, then write them back
~/rk2918tools/rkcrc boot.img-kernel kernel.img.new
~/rk2918tools/img-manager.py write kernel kernel.img.new
~/rk2918tools/rkcrc -k newinitrd.gz boot.img.new
~/rk2918tools/img-manager.py write boot boot.img.new

# Reboot device
~/rk2918tools/rkflashtool b

Sunday, 26 February 2012

Reading the NAND flash contents

According to my readings, most RK2918 based devices support a USB flash mode that allows reading/writing the NAND flash contents without needing to boot the device. This is especially useful when you have flashed an unbootable ROM. It is equivalent to the fastboot mode found on other Android devices.

Entering the USB flash mode is device specific; on the BQ Pascal you need to shut down the device, remove the USB cable, then plug the USB cable in while pressing the "-" volume key. When the USB cable is plugged in under these conditions, the device is listed by lsusb with "ID 2207:290a", which is not the usual id you get when connected with a booted system (storage mode).

At this stage it is possible to read/write the flash contents. RK2918 does not support the regular fastboot protocol; it uses a specific protocol, which was already reverse engineered, and a Linux tool is available: https://github.com/justgr/arnova-tools/tree/master/rkflashtool

Using rkflashtool we can now look at the flash contents:
./rkflashtool r 0x0 0x1 > /tmp/parameters # Read first block (1 block = 16k size)
Look at /tmp/parameters: this is the parameters file encapsulated in an RK2918 header/footer. The content format is:
"PARM" 32_bits_big_endian_size CONTENTS 32_bits_crc
The parameters file is duplicated at block offsets 0x20, 0x40, 0x60 and 0x80.

The CMDLINE option found in the parameters file allows you to determine the other partitions.
The format is: mtdparts=...size@offset(partition_name), for example on my device:
mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00008000@0x00008000(boot)

Now we can use rkflashtool to get the boot partition (offset and size taken from the mtdparts entry above):
./rkflashtool r 0x00008000 0x00008000 > /tmp/boot.img
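As an added example (not code from the post or from the rkflashtool/rk2918tools projects), a small Python parser for the parameter block described above: it unwraps the MAGIC/size/CONTENTS/CRC layout exactly as stated here (big-endian size), pulls the mtdparts list out of CMDLINE and checks that the partitions do not overlap before any read/write is attempted. The sample block is constructed, and the CRC field is returned unverified because the post does not name the CRC algorithm.

```python
import re
import struct

# Constructed sample, not a dump from a real device: a one-line parameter file
# inside the "PARM" wrapper the post describes. The trailing CRC field is a
# zero placeholder because the page does not name the CRC algorithm.
SAMPLE_CONTENTS = (
    b"CMDLINE:console=ttyS1 mtdparts=rk29xxnand:0x00002000@0x00002000(misc),"
    b"0x00004000@0x00004000(kernel),0x00008000@0x00008000(boot)\n"
)
SAMPLE_BLOCK = (b"PARM" + struct.pack(">I", len(SAMPLE_CONTENTS))
                + SAMPLE_CONTENTS + b"\x00\x00\x00\x00")

MTDPART_RE = re.compile(r"(0x[0-9a-fA-F]+)@(0x[0-9a-fA-F]+)\(([^)]+)\)")

def unwrap_rk_image(blob, magic=b"PARM"):
    """Split MAGIC | 32-bit big-endian size | CONTENTS | 32-bit CRC into
    (contents, raw_crc). The CRC is returned untouched rather than verified;
    a wrong magic or a size overrunning the buffer is rejected, not trusted."""
    if blob[:4] != magic:
        raise ValueError("bad magic %r, expected %r" % (blob[:4], magic))
    (size,) = struct.unpack(">I", blob[4:8])
    end = 8 + size
    if end + 4 > len(blob):
        raise ValueError("size %d overruns %d-byte buffer" % (size, len(blob)))
    return blob[8:end], blob[end:end + 4]

def parse_parameters(contents):
    """Turn the KEY:value lines of the unwrapped parameter file into a dict."""
    params = {}
    for line in contents.decode("ascii", "replace").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            params[key.strip()] = value.strip()
    return params

def parse_mtdparts(cmdline):
    """Return [(name, offset, size)] from mtdparts=dev:size@offset(name),..."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts option in CMDLINE")
    return [(name, int(off, 16), int(size, 16))
            for size, off, name in MTDPART_RE.findall(m.group(1))]

def overlapping_partitions(parts):
    """Names of partitions colliding with the previous one; empty means a sane layout."""
    ordered = sorted(parts, key=lambda p: p[1])
    return [b[0] for a, b in zip(ordered, ordered[1:]) if a[1] + a[2] > b[1]]
```

The same unwrap works for the 4GB model's boot.img by passing magic=b"KRNL", which is the only difference the post notes between the two wrappers.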

Now the bad news: while the boot.img format from the 4GB model was known and had a format similar to the parameters file, but using "KRNL", the 8GB firmware change also changed the image files.
Let's hope I can figure out the new format or find someone who already did.

Changes with the 8GB model

My first model was the 4GB version; my current model is the 8GB version, and there were some changes in the firmware.
The /system (system.img), which was a read-only CRAMFS image, is now an ext3 file-system mounted read-only, making it easier to modify without replacing the stock ROM.
As a downside, BQ does not yet provide a downloadable version of the stock firmware for this newer version, so I am currently working to retrieve it from my current device so I can revert to it in case something goes wrong.

Saturday, 25 February 2012

Exploration start

BQ Pascal Lite C is my first tablet device, my first open source mobile device which I can randomly hack. I do own an Android phone, but I need it to be available for business use on a regular basis, so I can't play with it as much as I would like.
Actually this is my second BQ Pascal Lite C; I was so happy with my first, bought some weeks ago, that I decided to offer it to my sister :)

I will try to report my findings as I explore the device on this blog.