
[TOOL] rkflashtool for Linux and rk2808, rk2818 and rk2918 based tablets


fun_

Senior Member
Aug 20, 2010
2,376
651
here is how to make RKFW image

Code:
$ rkunpack N50-2.3-20111103-ZZ-SDK2.0.img 
VERSION:2.0.3

unpacking
00000000-00000065 N50-2.3-20111103-ZZ-SDK2.0.img-HEAD 102 bytes
00000066-00022623 N50-2.3-20111103-ZZ-SDK2.0.img-BOOT 140734 bytes
00022624-0c342627 update.img 204603396 bytes

unpacking update.img
================================================================================
FIRMWARE_VER:0.2.3
MACHINE_MODEL:rk29sdk
MACHINE_ID:007
MANUFACTURER:RK29SDK

unpacking 10 files
-------------------------------------------------------------------------------
00000800-00000fff package-file:package-file 540 bytes
00001000-000237ff bootloader:RK29xxLoader(L)_V2.08.bin 140734 bytes
00023800-00023fff parameter:parameter:[email protected] 610 bytes
00024000-0002ffff misc:Image/misc.img:[email protected] 49152 bytes
00030000-006a3fff boot:Image/boot.img:[email protected] 6766592 bytes
006a4000-01167fff recovery:Image/recovery.img:[email protected] 11288576 bytes
01168000-0c31efff system:Image/system.img:[email protected] 186346496 bytes
----------------- backup:SELF:[email protected] (update.img) 204603396 bytes
0c31f000-0c31f7ff update-script:update-script 933 bytes
0c31f800-0c31ffff recover-script:recover-script 266 bytes
-------------------------------------------------------------------------------
================================================================================

00022624-0c342627 N50-2.3-20111103-ZZ-SDK2.0.img-MD5 32 bytes
unpacked
$ cat N50-2.3-20111103-ZZ-SDK2.0.img-HEAD N50-2.3-20111103-ZZ-SDK2.0.img-BOOT update.img > new.img
$ md5sum new.img
5191abc65649eacf8d2476e37d84a046  new.img
$ cat N50-2.3-20111103-ZZ-SDK2.0.img-MD5
5191abc65649eacf8d2476e37d84a046
$ echo -n 5191abc65649eacf8d2476e37d84a046 >> new.img
$ sha1sum N50-2.3-20111103-ZZ-SDK2.0.img new.img 
3120b13df8886e0ddfae0e35379443c27c925572  N50-2.3-20111103-ZZ-SDK2.0.img
3120b13df8886e0ddfae0e35379443c27c925572  new.img

oops, I noticed if I replaced update.img with different size one, I need to modify header ;)
I need to make rkfwpack too ;)
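
The trailer check from the post above (MD5 over HEAD + BOOT + update.img, stored as 32 ASCII hex characters at the end of the file), as an added Python example that is not part of the thread or of rkutils. Function names are hypothetical and the sample image in the demo is constructed.

```python
import hashlib
import os

TRAILER_LEN = 32  # ASCII hex MD5, the "-MD5 32 bytes" piece in the rkunpack output
HEX = b"0123456789abcdefABCDEF"


def _compare(trailer, computed):
    """Return (ok, stored, computed); stored is None if the trailer is not hex text."""
    if len(trailer) != TRAILER_LEN or any(c not in HEX for c in trailer):
        return False, None, computed
    stored = trailer.decode("ascii").lower()
    return stored == computed, stored, computed


def check_rkfw_trailer(image):
    """Check an RKFW image held in memory (bytes)."""
    if len(image) <= TRAILER_LEN:
        raise ValueError("image too short to carry a 32-byte MD5 trailer")
    body, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    return _compare(trailer, hashlib.md5(body).hexdigest())


def check_rkfw_file(path, chunk=1 << 20):
    """Same check for a file on disk, hashed in chunks (images are ~200 MB)."""
    size = os.path.getsize(path)
    if size <= TRAILER_LEN:
        raise ValueError("image too short to carry a 32-byte MD5 trailer")
    digest = hashlib.md5()
    remaining = size - TRAILER_LEN
    with open(path, "rb") as f:
        while remaining:
            block = f.read(min(chunk, remaining))
            if not block:
                raise IOError("file shrank while reading")
            digest.update(block)
            remaining -= len(block)
        trailer = f.read(TRAILER_LEN)
    return _compare(trailer, digest.hexdigest())


def seal_rkfw(head, boot, update):
    """Concatenate the three pieces and append the MD5 trailer (the cat + echo -n steps)."""
    body = head + boot + update
    return body + hashlib.md5(body).hexdigest().encode("ascii")


if __name__ == "__main__":
    # Constructed sample: dummy pieces, only the 102-byte HEAD length is taken from the post.
    image = seal_rkfw(b"H" * 102, b"B" * 64, b"U" * 256)
    print(check_rkfw_trailer(image))
    damaged = image[:200] + b"X" + image[201:]
    print(check_rkfw_trailer(damaged))
```

A matching trailer only shows that the file is internally consistent: anyone who changes the image can recompute it, and it says nothing about whether the header fields still fit a replaced update.img.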
 

relsyou

Member
Nov 13, 2011
7
0
Unpack cramfs img with cramfsck -x (as root, so you preserve permissions and uid/gid)
Create an empty file the size of your system partition (dd if=/dev/zero of=fubar.img bs=512 count=...... et cetera, do the math)
mkfs.ext3 fubar.img
mount -o loop fubar.img /someplacemountable
copy contents of old image to /someplacemountable (use cp -a to preserve ownership etc)
umount
flash fubar.img to system partition
change init.rk28board.rc to reflect the changes
reflash boot.img
reboot device :)

This is untested, but should work in theory.

Another option is to keep the system partition read-only and use unionfs to overlay a writable partition. I'm not sure if this can be a file on your userdata partition mounted with -o loop, but I suppose it can. This depends on your kernel having unionfs and loopback support though.


Thanks ivop, finally I won't remount my system in rw because there is no need. I make my change on my computer and I flash the system image over the RK2818 tablet.

Thanks for your help and the well done job :)
 

surfer63

Senior Member
May 4, 2010
3,739
1,436
Zwolle
hvdwolf.github.io
little off-topic,
latest RK2918 ROMs which is based on "SDK2.0", new format for boot.img/recovery.img is introduced. it's almost same as common boot.img format for android. unpackbootimg/mkbootimg can be used to unpack/repack it with one exception...
there is SHA1 hash value in header of boot.img (offset 0x240 bytes). Rockchip changes it by some unknown way. normal mkbootimg can't generate same hash value as Rockchip, so we can't make custom boot.img with new format :(
fortunately, we can split new boot.img, and we can make separate kernel.img and boot.img(ramdisk) like as pre-SDK2.0 RK2918 ROMs, which is loadable with new bootloader in SDK2.0 ROMs.
I compiled unpackbootimg on an Ubuntu system.
copied it to my tablet (as it didn't work on ubuntu), but also on my tablet it doesn't work. Any other clues on how to unpack an RK2918 boot.img?
 

surfer63

Senior Member
May 4, 2010
3,739
1,436
Zwolle
hvdwolf.github.io
I compiled unpackbootimg on an Ubuntu system.
copied it to my tablet (as it didn't work on ubuntu), but also on my tablet it doesn't work. Any other clues on how to unpack an RK2918 boot.img?

SOLVED. First unpacked update.img resulted in a corrupt/damaged/whatever boot.img. Second attempt delivered a correct boot.img.

From _funs/naosb git repo I downloaded the new rkutils and compiled them.

Then
Code:
<path_to>/rkunpack boot.img
mkdir boot
cd boot
sudo gunzip < ../boot.img-raw | sudo cpio -i --make-directories
(sudo to preserve all file attributes).
Now I have a folder boot with the unpacked boot.img in it.
 

surfer63

Senior Member
May 4, 2010
3,739
1,436
Zwolle
hvdwolf.github.io
On Mac OS X libusb is built by default with high verbosity log info.
It means that when reading or writing you get a lot of extra info. This can be very handy but is in most circumstances completely unwanted (and by now I'm completely sick of it ;) ).

So I built another universal Intel 32bit/64bit 10.4/10.5/10.6/10.7 V2 version without all the debug logging. It only gives the "clean" read/write lines during processing.
 

Attachments

  • rkflashtoolOSX-nologging-v2.zip
    44.8 KB · Views: 336

kenshinta

Senior Member
Dec 13, 2004
348
60
Hi fun_

Can you also show example for how to pack with rk29xx ROMs?

I tried to follow your example but it always gives an error of missing variable ... I'm guessing the HWDEF line confuses it, since rk29xx don't have that.

Thanks.

here is an example for rkafpack

Code:
$ rkunpack N3NET-2.3-20110722.img 
FIRMWARE_VER:1.0.0
MACHINE_MODEL:rk2818sdk
MACHINE_ID:
MANUFACTURER:rock-chips

unpacking 12 files
-------------------------------------------------------------------------------
00000800-00000fff HWDEF:HWDEF 797 bytes
00001000-000017ff package-file:package-file 532 bytes
00001800-00021fff bootloader:RK28xxLoader(L).bin 131700 bytes
00022000-000227ff parameter:parameter:[email protected] 506 bytes
00022800-0002e7ff misc:Image/misc.img:[email protected] 49152 bytes
0002e800-0066bfff kernel:Image/kernel.img:[email protected] 6541946 bytes
0066c000-006947ff boot:Image/boot.img:[email protected] 163844 bytes
00694800-008e8fff recovery:Image/recovery.img:[email protected] 2441220 bytes
008e9000-085fc7ff system:Image/system.img:[email protected] 131149828 bytes
----------------- backup:SELF:[email protected] (N3NET-2.3-20110722.img) 140498948 bytes
085fc800-085fcfff update-script:update-script 1294 bytes
085fd000-085fd7ff recover-script:recover-script 266 bytes
-------------------------------------------------------------------------------
unpacked
$ rkafpack \
FIRMWARE_VER:1.0.0 \
MACHINE_MODEL:rk2818sdk \
MANUFACTURER:rock-chips \
HWDEF:HWDEF \
package-file:package-file \
'bootloader:RK28xxLoader(L).bin' \
parameter:parameter:[email protected] \
misc:Image/misc.img:[email protected] \
kernel:Image/kernel.img:[email protected] \
boot:Image/boot.img:[email protected] \
recovery:Image/recovery.img:[email protected] \
system:Image/system.img:[email protected] \
backup:SELF:[email protected] \
update-script:update-script \
recover-script:recover-script \
> new.img
$ sha1sum N3NET-2.3-20110722.img new.img 
e758a6c47dca7f09f0b8a82ad89b0cd7c7c8e826  N3NET-2.3-20110722.img
e758a6c47dca7f09f0b8a82ad89b0cd7c7c8e826  new.img

some values are empty in RK2818 ROM.

--
here is how to make RKFW image

Code:
$ rkunpack N50-2.3-20111103-ZZ-SDK2.0.img 
VERSION:2.0.3

unpacking
00000000-00000065 N50-2.3-20111103-ZZ-SDK2.0.img-HEAD 102 bytes
00000066-00022623 N50-2.3-20111103-ZZ-SDK2.0.img-BOOT 140734 bytes
00022624-0c342627 update.img 204603396 bytes

unpacking update.img
================================================================================
FIRMWARE_VER:0.2.3
MACHINE_MODEL:rk29sdk
MACHINE_ID:007
MANUFACTURER:RK29SDK

unpacking 10 files
-------------------------------------------------------------------------------
00000800-00000fff package-file:package-file 540 bytes
00001000-000237ff bootloader:RK29xxLoader(L)_V2.08.bin 140734 bytes
00023800-00023fff parameter:parameter:[email protected] 610 bytes
00024000-0002ffff misc:Image/misc.img:[email protected] 49152 bytes
00030000-006a3fff boot:Image/boot.img:[email protected] 6766592 bytes
006a4000-01167fff recovery:Image/recovery.img:[email protected] 11288576 bytes
01168000-0c31efff system:Image/system.img:[email protected] 186346496 bytes
----------------- backup:SELF:[email protected] (update.img) 204603396 bytes
0c31f000-0c31f7ff update-script:update-script 933 bytes
0c31f800-0c31ffff recover-script:recover-script 266 bytes
-------------------------------------------------------------------------------
================================================================================

00022624-0c342627 N50-2.3-20111103-ZZ-SDK2.0.img-MD5 32 bytes
unpacked
$ cat N50-2.3-20111103-ZZ-SDK2.0.img-HEAD N50-2.3-20111103-ZZ-SDK2.0.img-BOOT update.img > new.img
$ md5sum new.img
5191abc65649eacf8d2476e37d84a046  new.img
$ cat N50-2.3-20111103-ZZ-SDK2.0.img-MD5
5191abc65649eacf8d2476e37d84a046
$ echo -n 5191abc65649eacf8d2476e37d84a046 >> new.img
$ sha1sum N50-2.3-20111103-ZZ-SDK2.0.img new.img 
3120b13df8886e0ddfae0e35379443c27c925572  N50-2.3-20111103-ZZ-SDK2.0.img
3120b13df8886e0ddfae0e35379443c27c925572  new.img
 

Ofloo

Member
Nov 10, 2010
24
0
Geel
Code:
Bus 001 Device 068: ID 2207:290a
My device lists as following when i follow the hold volume up procedure, .. however when i run
Code:
$ ./rkflashtool r 0x8000 0x2000 >boot.img.backup
rkflashtool: fatal: cannot open device

suggestions are welcome

when i compile however, .. i get these warnings, .. i run ubuntu natty gcc version 4.5.2

Code:
rkflashtool.c: In function ‘main’:
rkflashtool.c:160:18: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
rkflashtool.c:170:17: warning: ignoring return value of ‘read’, declared with attribute warn_unused_result

EDIT
After figuring out i require rkflashtool v2 cause i got 2918 chip

Code:
$ sudo ./rkflashtool r 0x8000 0x2000 >boot.img.backup
rkflashtool: info: interface claimed
rkflashtool: info: reading flash memory at offset 0x00008000
rkflashtool: info: reading flash memory at offset 0x00008020
[...]
rkflashtool: info: reading flash memory at offset 0x00009fe0

however can anyone verify that my offset size ratio is right for this specific chip? 0x8000 0x2000

edit:

hmm i think i found the offsets and sizes

Code:
$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00400000 00004000 "misc"
mtd1: 00800000 00004000 "kernel"
mtd2: 00400000 00004000 "boot"
mtd3: 00800000 00004000 "recovery"
mtd4: 10000000 00004000 "system"
mtd5: 10400000 00004000 "backup"
mtd6: 07400000 00004000 "cache"
mtd7: 10000000 00004000 "userdata"
mtd8: 00400000 00004000 "kpanic"
mtd9: 1a3400000 00004000 "user"
 

SnakyJake

Member
Dec 27, 2011
6
4
Hi there,
first thank you all for your work and testing.
I also experimented some with my PMP5080B (Prestigio, RK29 based) using wendals tools to root my device (the tools just unpack an update.img apart, insert su and superuser and repack)

I encountered a strange behavior while using his tools and while using rkflashtool and mkcramfs with linux (just wanted to inject su into system.img)

On the tablet, when using the terminal emulator, cd /system and doing ls (list contents of /system) the terminal spit out crypted characters and a very messed up directory listing.
The tablet worked alright and everything seemed to be fine, except for the mess doing an ls in /system

After downloading the orig system.img from flash, mounting it, copying contents to another selfmade system-dir and rebuilding the original system.img i encountered slight differences between the original system.img and my selfmade system.img

After having a look in cramfs superblock I located the diffs in the root inode of the filesystem, especially the mode and uid/gid blocks.

After all the error (which also exists in wendals tools) was: I needed to give my self-created system-dir a "chmod 777 system" and a "chown root:root system", repack with "mkcramfs system system-new.img" and the diff was ok.

After that I placed my su into system/bin
chmod 6755 system/bin/su
mkcramfs system system-new.img
rkflashtool w 0xE000 0x80000 <system-new.img
DONE

No messed up "ls /system" anymore :)

So for all messing around with the images: keep an eye on ownage and mode of root dirs. I don't know how this affects the stability of your device, maybe it's not important.
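
A way to compare the cramfs root inode of the original and the rebuilt system.img before flashing, as an added Python example that is not part of the post or of any tool named in it. It assumes a little-endian cramfs superblock at offset 0 of the image with the root inode at byte 64 (the layout in the Linux cramfs header); function names are hypothetical and both sample superblocks are constructed.

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
ROOT_INODE_OFFSET = 64   # after magic/size/flags/future, signature, fsid and name
SUPERBLOCK_LEN = 76      # 64 bytes of header fields + 12-byte root inode


def cramfs_root_inode(image):
    """Return mode, uid and gid stored in the root inode of a cramfs image."""
    if len(image) < SUPERBLOCK_LEN:
        raise ValueError("too short for a cramfs superblock")
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic != CRAMFS_MAGIC or image[16:32] != CRAMFS_SIGNATURE:
        raise ValueError("no little-endian cramfs superblock at offset 0")
    # Inode word 0: mode in the low 16 bits, uid in the high 16 bits.
    # Inode word 1: size in the low 24 bits, gid in the high 8 bits.
    word0, word1 = struct.unpack_from("<II", image, ROOT_INODE_OFFSET)
    return {"mode": word0 & 0xFFFF, "uid": word0 >> 16, "gid": word1 >> 24}


def root_inode_diff(original, rebuilt):
    """Return {field: (original, rebuilt)} for every root-inode field that differs."""
    a, b = cramfs_root_inode(original), cramfs_root_inode(rebuilt)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def make_superblock(mode, uid, gid):
    """Build a constructed 76-byte superblock for the demo (not a usable filesystem)."""
    return struct.pack(
        "<IIII16s4I16sIII",
        CRAMFS_MAGIC, SUPERBLOCK_LEN, 0, 0, CRAMFS_SIGNATURE,
        0, 0, 0, 1, b"demo",
        (mode & 0xFFFF) | (uid << 16), (gid & 0xFF) << 24, 0,
    )


if __name__ == "__main__":
    # Constructed samples: root dir 0777 root:root, as the post says the original
    # had, against a rebuild made from a directory owned by an ordinary user.
    original = make_superblock(0o040777, 0, 0)
    rebuilt = make_superblock(0o040755, 1000, 100)
    for field, (want, got) in root_inode_diff(original, rebuilt).items():
        print("%s: original %o, rebuilt %o" % (field, want, got))
```

Read the first 76 bytes of each image and pass them in; an empty result means the root directory's mode and ownership match.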
 

SnakyJake

Member
Dec 27, 2011
6
4
can anyone tell me how to flash from unix device like ubuntu, .. using rkflashtool, .. how do i know that i have the correct size and offset?

Ok, I try to explain. I done it with Jolicloud, which is based on some old ubuntu version, but it actually does not matter.

First make sure you have connected the pad and put it into flashmode (like I had to press [volume down] while connecting usb cable)

Best check with lsusb on command line.
Try to read the flash header like:
rkflashtool r 0x0000 0x2000 >header

Have a look at this file with some hex tool (xxd) or just open it in a text editor (nano, vi). Quite at the beginning there should be something like
CMDLINE: console=...

Follow this text until you see some memory sizes and regions like 0x00002000 0x00002000(misc) and so on. Those are your offsets and sizes. Search for the (system) one. On my pad it's 0x00080000 0x0000E000, where 0x00080000 is the size (256MB) and 0x0000E000 is the offset.

Read system.img:
rkflashtool r 0xE000 0x80000 >system.img

Mount system.img to e.g. /mnt/system:
mount -t cramfs -o loop system.img /mnt/system

Copy contents to another dir
mkdir /home/user/mysystem
cp -rf /mnt/system/* /home/user/mysystem
[EDIT]
thanks to ivop's follow-up post, you better use the -a option like this:
cp -a /mnt/system/* /home/user/mysystem
[/EDIT]
chown and chmod mysystem
chown root:root /home/user/mysystem
chmod 777 /home/user/mysystem

do whatever you want to change in your system-dir (direct changes in cramfs are not possible, that's why you have to copy stuff in another dir!)
Things you might want to change are:

cp su /home/user/mysystem/bin
chmod 6755 /home/user/mysystem/bin/su
(roots your device :), make sure to have a proper su binary)

then repack all the stuff:
mkcramfs /home/user/mysystem newsystem.img

and flash it back:
rkflashtool w 0xE000 0x80000 <newsystem.img

BE CAREFUL WITH TYPOS!

Do not bother if the new system.img is much smaller than the one you read from flash. When reading from flash you read the whole 256MB, even if only 130MB are used. rkflashtool will take care of it and fill the rest up with ones or zeros :)

Good luck.
BTW: If you do something wrong, you always can reflash with an original update.img from your vendor.

Questions?
 

ivop

Member
Sep 30, 2011
15
19
SnakyJake, thanks for all the help you supplied.

I'd like to add, instead of using cp -rf and (trying to) fix all the permissions and ownership in a crude way, you'd better use cp -a (as root) which preserves all ownership and permissions (see man cp).

To others, keep on posting your adventures with your rk2[89]xx tablets. It can always help others. And if you encounter plain errors with the tool, pm me. I suppose I'll get mail when i'm pm'ed.
 
  • Like
Reactions: SnakyJake

SnakyJake

Member
Dec 27, 2011
6
4
I'd like to add, instead of using cp -rf and (trying to) fix all the permissions and ownership in a crude way, you'd better use cp -a (as root) which preserves all ownership and permissions (see man cp).

Thanks for the important hint.

I never used -a and everything worked out ok, but you never know what permissions and stuff are set in the original image - so all of you please use -a (archive) instead of -rf (recursive and force overwrite)
 

Ofloo

Member
Nov 10, 2010
24
0
Geel
very nice explanation,.. so if i backup those i can always flash them back even if the tablet is frozen? For some apparent reason the original supplier doesn't supply the update.img, .. it's a lenco tab-1011 rockchip RK2918 CPU based, which is basically a arnova 10 g2, .. however the arnova update image isn't recognized, and the tabs firmware just plainly sucks appslib doesn't work, arctools don't work, nothing works on the tab aside from what is installed manually. So i found a full root image (for arnova 10 g2) and i was planning on backing up the current images, .. and testing those images, ..

Code:
PARM_^B^@^@FIRMWARE_VER:0.2.3
MACHINE_MODEL:AN10G2-LN
MACHINE_ID:007
MANUFACTURER:RK29SDK
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 2929
CHECK_MASK: 0x80
KERNEL_IMG: 0x60408000
COMBINATION_KEY: F,0,1
CMDLINE: console=ttyS1,115200n8n androidboot.console=ttyS1 init=/init initrd=0x62000000,0x500000 mtdparts=rk29xxnand:[email protected](misc),[email protected](kernel),[email protected](boot),[email protected](recovery),[email protected](system),[email protected](backup),[email protected](cache),[email protected](userdata),[email protected](kpanic),[email protected](user)
so i should basically interpret this as <offset>@<size> [email protected](system)

so for in order to install new image i need to update all the images, .. or just leave recovery for the time being just to be safe? also i've noticed [email protected] what am i supposed to put instead of the -?
 
Last edited:

ivop

Member
Sep 30, 2011
15
19
It's the other way around, i.e. [email protected](name)

The last entry, at offset 0x001cc000, runs until the end of the nand flash memory.

You can also verify that for each partition, the current offset is equal to the offset of the previous partition plus its size (that's all in 512-byte blocks btw).

Best is to backup everything up to and including the backup partition. The rest is not really necessary, although you can backup everything of course and be able to restore to how your tablet is at this moment exactly.
 
  • Like
Reactions: Ofloo
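
The layout check ivop describes, as an added example (not code from the thread or from rkflashtool): it parses the size@offset(name) entries of an mtdparts string, reports any partition that does not start where the previous one ends, and lists read commands up to and including the backup partition. The sample command line and the helper names are constructed for illustration.

```python
import re

BLOCK = 512  # rkflashtool offsets and sizes are in units of 512 bytes

# Constructed sample command line; the values are illustrative only.
SAMPLE_CMDLINE = (
    "console=ttyS1,115200n8n init=/init "
    "mtdparts=rk29xxnand:0x00002000@0x00002000(misc),"
    "0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),"
    "0x00004000@0x0000A000(recovery),0x00080000@0x0000E000(system),"
    "0x0003a000@0x0008E000(backup),-@0x000c8000(user)"
)

# One entry is size@offset(name); a size of "-" means "until end of flash".
PART_RE = re.compile(r"^(-|0x[0-9a-fA-F]+)@(0x[0-9a-fA-F]+)\((\w+)\)$")


def parse_mtdparts(cmdline):
    """Return [(name, offset, size)] in blocks; size is None for '-'."""
    found = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not found:
        raise ValueError("no mtdparts= entry in command line")
    parts = []
    for entry in found.group(1).split(","):
        pm = PART_RE.match(entry)
        if not pm:
            raise ValueError("unparseable partition entry: %r" % entry)
        size, offset, name = pm.groups()
        size = None if size == "-" else int(size, 16)
        parts.append((name, int(offset, 16), size))
    return parts


def check_layout(parts):
    """Report each partition whose offset != previous offset + size."""
    problems = []
    for (pname, poff, psize), (name, off, _) in zip(parts, parts[1:]):
        if psize is None:
            problems.append("%s has an open size but is not last" % pname)
        elif poff + psize != off:
            problems.append("%s ends at 0x%x but %s starts at 0x%x"
                            % (pname, poff + psize, name, off))
    return problems


def backup_commands(parts, last="backup"):
    """rkflashtool read commands up to and including partition `last`."""
    cmds = []
    for name, off, size in parts:
        if size is None:          # open-ended entry: no fixed size to read
            break
        cmds.append("rkflashtool r 0x%x 0x%x >%s.img" % (off, size, name))
        if name == last:
            break
    return cmds


if __name__ == "__main__":
    layout = parse_mtdparts(SAMPLE_CMDLINE)
    for name, off, size in layout:
        mb = "rest" if size is None else "%d MB" % (size * BLOCK // 2**20)
        print("%-9s offset 0x%08x size %s" % (name, off, mb))
    print(check_layout(layout) or "layout is contiguous")
    print("\n".join(backup_commands(layout)))
```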

Ofloo

Member
Nov 10, 2010
24
0
Geel
yeah sorry i input it right but i wrote it wrong on the forum :p

Code:
sudo rkflashtool w 0x0000E000 0x00080000<system.img
sudo rkflashtool w 0x0000A000 0x00004000<recovery.img
sudo rkflashtool w 0x00004000 0x00004000<kernel.img
sudo rkflashtool w 0x00008000 0x00002000<boot.img
sudo rkflashtool w 0x00002000 0x00002000<misc.img

for my lenco arnova 10 g2 tab, .. and it worked fine.
 

SnakyJake

Member
Dec 27, 2011
6
4
enlarging internal memory

Hi,

playing around with my tablet PMP5080B (Prestigio) I wanted to increase internal memory storage a bit. Not even 256MB are not enough, free maybe around 100MB; always had to move apps to external sd (no preset there to tell android to always put them to the 16GB external sd)

So what I wanted to do: decrease the internal (fake) sd and give some space to the userdata partition.

Sounds quite easy, and it actually is, if you know the hurdles.

Be careful: YOUR DATA WILL BE LOST!

Step 1: adjust the parameters (offset 0x0000, size 0x2000)
so what I did first:
rkflashtool r 0x0 0x2000 >orgparams
Code:
The size 0x00080000 is 256MB, 0x00100000 would be 512MB. Change it:
Code:
Important: you need to change all following offsets!

To flash back your parameters you need to recalculate the checksum. To do that you will need the tool rkcrc from naobsd. The checksum is only calculated from the datablock, so do the following:
Cut off the first 8 bytes of the file (PARM+4 Byte length, which you should write down - your file should now start with "FIRMWARE"); cut off all after "(user) 0x0d 0x0a" - it's the 4-byte checksum.
You now should have a file, around 500-600 Byte in size.
Add the checksum:

rkcrc myparams myparamswithcrc

now re-add the 8 Byte header (PARM+size, where the size actually should not have changed, so you probably can take the old value you wrote down. Else just take the filesize of the naked file before adding the checksum - you need it in HEX and turn around all bytes!)

Now you can flash back your params. On my tablet those parameters are stored every 20 blocks about 5 times (probably for recovery or something)
So I overwrote all 5 blocks like this:

rkflashtool w 0x00 0x20 <myparamswithcrc
rkflashtool w 0x20 0x20 <myparamswithcrc
rkflashtool w 0x40 0x20 <myparamswithcrc
rkflashtool w 0x60 0x20 <myparamswithcrc
rkflashtool w 0x80 0x20 <myparamswithcrc

Now try to boot your device. It should boot up, maybe take 2 or 3 tries and take some longer, since the phone/tablet will re-arrange the partitions and format them.

When started my userdata-partition size had not yet changed. Still 256MB. So we will need to feed him a self-created ext3 512MB file to 0x0014a000.

Here the problems begin.

STEP 2: create a 512MB userdata partition.

To create an ext3 partition you will need to use the tool mke2fs. I thought, I could just take my JoliOS tool, but PC and RK29 seem to deal differently with the journal, so ext3-Tools from PC WILL NOT WORK! Don't even try to mount (userdata) on PC and reflash it. I tried: did not work! Your phone/tablet will recreate the userdata partition in its default size (256MB), since it cannot read it anymore.

So use the device's mke2fs!

So what I did: (I used adb shell, you can do it with "terminal emulator" on the device)

adb shell (or in terminal emulator)
$ dd if=/dev/zero of=/sdcard/newuserdata bs=1048576 count=512
$ mke2fs /sdcard/newuserdata

(mke2fs will mourn about newuserdata not being a block device, press y for ack and go ahead)

Now get the newly generated 512MB file on your PC
(Easy per adb with "adb pull /sdcard/newuserdata", or just via your sdcard)

Flash it:
rkflashtool w 0x14a000 0x100000 <newuserdata

Boot device. It will take some time, maybe it will hang in a loop. I needed to hardreset it once, after the animation would not stop. The device does a filesystem check and recreates all needed directories within userdata, which may take a while.
After all I had an internal storage of 470MB, which is 512MB minus filesystem data :)

Probably works with 1GB too, whatever you want. Just use the ext3 tools of your device, not the PC tools.

I have not figured out how to put files in those ext3-filesystems, since I cannot mount them on PC. The reason why I have not figured out how to turn my cramfs-system.img into ext3.

Next try is to mount userdata with ext4 :) Should work, but you will also need to modify init.rc (boot.img), where the mounts are done.

[EDIT]
There seems to be a more simple method:

Just do the adjustments mentioned in Step1, so edit your params and flash them to the device.

Boot the device (might take long) and go to settings->privacy->factory data reset

The device will reformat data and cache, now with the new size :)
[/EDIT]
 
Last edited:
  • Like
Reactions: Ofloo
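
The parameter framing from Step 1 above, as an added example (not SnakyJake's code and not part of rkcrc or rkflashtool): it splits a PARM image into body and stored checksum, re-adds the 8-byte header with the byte-reversed (little-endian) length to a body that already carries its checksum, and compares the copies found in a flash dump. The 0x20-block stride is an assumption taken from the write commands in the post; the sample body and the checksum bytes are constructed placeholders, not a real CRC.

```python
import struct

MAGIC = b"PARM"
COPY_STRIDE = 0x20 * 512  # assumption: one copy every 0x20 blocks
COPIES = 5

# Constructed sample data; the checksum is a placeholder, not a real CRC.
SAMPLE_BODY = (b"FIRMWARE_VER:0.2.3\r\nMACHINE_MODEL:rk29sdk\r\n"
               b"CMDLINE: console=ttyS1 mtdparts=rk29xxnand:-@0x2000(user)\r\n")
PLACEHOLDER_CRC = b"\xde\xad\xbe\xef"


def split_parm(blob):
    """Split one PARM image into (body, stored 4-byte checksum)."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("missing PARM header")
    (length,) = struct.unpack_from("<I", blob, 4)  # little-endian length
    end = 8 + length
    if length == 0 or len(blob) < end + 4:
        raise ValueError("length field 0x%x does not fit the data" % length)
    return blob[8:end], blob[end:end + 4]


def frame_parm(body_with_crc):
    """Re-add the header to a body that already ends in its checksum."""
    body_len = len(body_with_crc) - 4   # length excludes the checksum
    if body_len <= 0:
        raise ValueError("input too short to hold body and checksum")
    return MAGIC + struct.pack("<I", body_len) + body_with_crc


def compare_copies(dump):
    """Return the indexes of copies that are missing or differ from copy 0."""
    first = split_parm(dump)
    bad = []
    for i in range(1, COPIES):
        try:
            if split_parm(dump[i * COPY_STRIDE:]) != first:
                bad.append(i)
        except ValueError:
            bad.append(i)
    return bad


def make_sample_dump():
    """Build a constructed flash dump holding COPIES identical images."""
    image = frame_parm(SAMPLE_BODY + PLACEHOLDER_CRC)
    dump = bytearray(COPIES * COPY_STRIDE)
    for i in range(COPIES):
        dump[i * COPY_STRIDE:i * COPY_STRIDE + len(image)] = image
    return bytes(dump)


if __name__ == "__main__":
    dump = make_sample_dump()
    body, crc = split_parm(dump)
    print("body %d bytes, stored checksum %s" % (len(body), crc.hex()))
    print("copies that differ:", compare_copies(dump))
```

The checksum itself still has to come from rkcrc; this only handles the header, the length field and the comparison of the stored copies.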

Ofloo

Member
Nov 10, 2010
24
0
Geel
i was thinking of downloading the image, then downloading the userdata image, mounting both images, .. and copying all the current data from one image to the other, .. or something like that,.. cause i notice you seem to use the clear nandflash or whatever to format the image, .. so maybe put the userdata on it afterwards, ..

now the end of the drive is - how could i make sure i got the whole drive i think it's 256mb, .. i'm pretty sure of it, but pretty sure never cuts it, with these things you need to be 300% sure, .. one could probably calculate the end, .. however how would you tell from data you pull from the device does anyone know. I calculated the end would be 0x00080000

edit:

is this what you were looking for ?

Code:
$ adb pull /sdcard/newuserdata
4131 KB/s (536870912 bytes in 126.898s)
$ pwd
/tmp
$ ls -lh newuserdata 
-rw-r--r-- 1 ofloo ofloo 512M 2011-12-31 22:21 newuserdata
$ sudo mount -o loop /tmp/newuserdata /tmp/blah
$ mount | grep -i loop
/dev/loop0 on /tmp/blah type ext2 (rw)
$ ls /tmp/blah
lost+found

btw happy new year :p
 
Last edited:

kenshinta

Senior Member
Dec 13, 2004
348
60
Reading thru this thread, we now have some concrete ideas on how to:

* re-size partitions (at least data);
* pack/ repack system, boot partitions;
* flash using unix rkflashtool (excellent tool);

Can someone please do a concrete howto on:

* convert system to ext3/4 from cramfs;
* bake Chainfire3D into system assuming it is still cramfs;

or if these arent feasible explain why not for further learning ...


Thanks!
 

cheesebread

New member
Dec 26, 2011
2
0
write no possible at 0x610000 and above

Hi,

1st thanks for this nice tool.
I use RK2918 based Odys Xpress tablet.
My problem is that the tablet seems to be always in "flash mode". So I don't have to press the menu button when doing reset (the normal way to enter flash mode) and the tablet does not start up anymore. I am able to write the flash below offset 0x610000 (about 3 GB). To the area 0x610000 and above the rkflashtool seems to be not able to write. When I read this "high" area I get repeatedly similar looking data containing the string "USB".

Does anyone know where the loader is located in the flash ? It seems to be a special area (in the normal flash ?) because with the windows tool RKAndroidTool.exe no offset has to be entered for the loader.

CB
 

Top Liked Posts

  • 14
    Hi,

    Because I don't run Windows nor NetBSD, I rewrote rkflash from scratch with the use of libusb-1.0, so you can now read and write your rk2818-based tablet's flash memory under Linux (also w/o the need to root your tablet). Credit for reverse-engineering the protocol goes to the original author of rkflash (see source).

    Small guide

    - unzip the file
    - compile

    Linux (Debian, Ubuntu, ...)
    Code:
    sudo apt-get install libusb-1.0-0-dev
    gcc -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall -s

    Mac OS X (thanks to surfer63, binary here)
    Code:
    sudo port install libusb
    gcc -I/opt/local/include -I/opt/local/include/libusb-1.0 \
    -L/opt/local/lib -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall

    Preparation
    - powerdown your tablet
    - disconnect all cables

    To get into flash mode differs for many tablets. Google around or use trial and error :)

    - insert the USB cable in computer
    - hold vol+ (or put on/off/locked-switch in the locked position)
    - insert the other end of your cable in the tablet
    - wait a few seconds
    - release vol+

    Now if you run lsusb, the following line should appear:

    Bus 001 Device 044: ID 2207:281a (290a for rk2918 based tablets)

    Bus and device number may be different. The screen of your tablet stays black.

    The USB device must be readable and writable for the user running rkflashtool. If that's not the case, you'll see an error like this:

    Code:
    $ ./rkflashtool b
    libusb couldn't open USB device /dev/bus/usb/001/048: Permission denied.
    libusb requires write access to USB device nodes.
    rkflashtool: fatal: cannot open device

    This can be fixed in several ways (chmod, run as root, udev rules) but that's beyond the scope of this posting. For now, chmod 666 the device mentioned in the error message.

    Usage of rkflashtool

    Code:
    $ ./rkflashtool
    rkflashtool: fatal: usage:
    	rkflashtool b                   	reboot device
    	rkflashtool r offset size >file 	read flash
    	rkflashtool w offset size <file 	write flash
    
    	offset and size are in units of 512 bytes

    On my tablet, the boot partition starts at offset 0x8000 (in blocks of 512 bytes)
    Its size is 0x2000 blocks
    To backup the partition, issue:

    Code:
    $ ./rkflashtool r 0x8000 0x2000 >boot.img.backup
    rkflashtool: info: interface claimed
    rkflashtool: info: reading flash memory at offset 0x00008000
    rkflashtool: info: reading flash memory at offset 0x00008020
    .......
    rkflashtool: info: reading flash memory at offset 0x00009fe0

    To write a new boot.img or an old backup back to the device:

    Code:
    $ ./rkflashtool w 0x8000 0x2000 <boot.img.backup
    rkflashtool: info: interface claimed
    rkflashtool: info: writing flash memory at offset 0x00008000
    rkflashtool: info: writing flash memory at offset 0x00008020
    .......
    rkflashtool: info: writing flash memory at offset 0x00009fe0

    You can find a list of all partitions of your tablet in the HWDEF file, which is inside the update.img for your tablet. If no such file is available, you can also look at /proc/cmdline on a running device (either through adb or a terminal app running on the device itself). Depending on the tablet, you might need root access to view /proc/cmdline. Another option is dumping the first 0x2000 blocks of nand flash by issuing rkflashtool r 0x0000 0x2000 >parm. View the file with hexedit, xxd, or a similar program. The kernel parameters contain a description of several mtd partitions (sizes and offsets).

    After reading and writing at will, you can reboot your tablet by issuing
    ./rkflashtool b

    Note that if your tablet has an on/off/locked-switch and it is still in the locked position, rebooting won't work.

    If the file you are writing is smaller than the specified size, the rest is padded with zeroes. If it's bigger, it will be truncated. This is different from rkflash, which will overwrite blocks beyond the partition size.
    rkflashtool does not support flashing a new bootloader directly.
    If you have a different tablet, please try rkflashtool b and r first before flashing (w) something new.
    Standard DISCLAIMER with regard to bricking your tablet applies.

    Enjoy! :)


    EDIT: better build instructions, clean up text
    EDIT2: works on rk2918 tablets too (tested on Arnova 7 G2) if you change the USB product id from 0x281a to 0x290a before compilation
    EDIT3: released version 2 of rkflashtool. now supports rk2918 tablets out of the box. if it doesn't find one, it falls back to rk2808/rk2818. also, updated the wording a bit.
    EDIT4: new mac osx binary
    EDIT5: more ways to find offsets and sizes of partitions on your tablet


    EDIT6: small emphasis changes above and...

    version 1 is here ONLY for archival purposes or if version 2 does not work on your rk28xx tablet. In all other cases, you need to download rkflashtool-v2.zip
    3
    If you are on OSX and have macports installed, you can do the following to build rkflashtool.
    Install libusb from Macports:
    Code:
    sudo port install libusb

    cd into the folder where your rkflashtool.c is and run the following command:
    Code:
    gcc -I/opt/local/include -I/opt/local/include/libusb-1.0 \
    -L/opt/local/lib -o rkflashtool rkflashtool.c -lusb-1.0 -W -Wall

    This will build rkflashtool for your native environment (OSX version, hardware and config).


    --- removed the rest of the post as well as the attachments. He/She who is interested in building a complete universal distributable rkflashtool can ask via this thread ---
    2
    great! finally I can remove one line from my todo list :)
    thank you!

    EDIT:
    random notes (I don't see your code yet so it may be fixed, then sorry)
    * I always specify b(reboot) for rk2818 tablets with my rkflash because it hanged easily if I try to write multiple times without b
    * parameter file need to be converted with rkcrc -p. official RKAndroid tools flashed it 5 times with offsets. (read & check 1st 0x0-0x2000 block)
    * I logged how to update bootloader, but it's complicated and I could not understand :( probably bootloader can be updated via misc partition. see update-script in update.img. (but not recommended/no reason to do it)

    EDIT2:
    there is libusb for Windows and OS X. rkflashtool may work on them.

    on Windows, there is RKAndroidTool.exe (not batchupgrade). but "read" function in rkflash/rkflashtool may be useful on some case on Windows :)
    2
    I pushed latest my rkutils to https://github.com/naobsd/rkutils

    rkunpack can unpack RKFW image used in RK2918 ROM, RKAF image (update.img), KRNL/PARM image used in some single partition image. unpack will be done recursively.

    rkcrc can make KRNL/PARM images with -k/-p.

    rkafpack can make RKAF image. (I need to write docs/howtos...)

    little off-topic,
    latest RK2918 ROMs which is based on "SDK2.0", new format for boot.img/recovery.img is introduced. it's almost same as common boot.img format for android. unpackbootimg/mkbootimg can be used to unpack/repack it with one exception...
    there is SHA1 hash value in header of boot.img (offset 0x240 bytes). Rockchip changes it by some unknown way. normal mkbootimg can't generate same hash value as Rockchip, so we can't make custom boot.img with new format :(
    fortunately, we can split new boot.img, and we can make separate kernel.img and boot.img(ramdisk) like as pre-SDK2.0 RK2918 ROMs, which is loadable with new bootloader in SDK2.0 ROMs.

    --
    btw I just found interesting one: https://github.com/jhonxie/rk2918_tools