
Efforts to develop firmware for H96 MAX V56 RK3566 8G/64G



✔️ Temperature display works on docker management https://casaos.io/

The VFD display isn't needed. It's a GPIO function from Android, with a custom app running the GPIO.

😰 Including this board in Armbian standard is BIG work. @hzdm
You will need to compare our DTS file with the StationM2 file and create an H96MAXv56.DTS.
Easy to describe, hard to work around. It's enough work for a team,
because you will need to take into account that the files included in DTSI and DTS
are fitted in a cascade, and you will need to understand the kernel 6.2 DTS and 6.4 DTS modifications.


Edited by hotnikq
Link to comment
Share on other sites


Using your Armbian TV-Box for crypto

First build your own Debian SD-card (other method) image with RELEASE=bullseye
and make your own Debian eMMC image with that.
Flash your H96Max with your Armbian build.

Don't use any pre-compiled image for cryptocurrency.

H96 Max v56 Debian 11 (Bullseye)

Build Using the @hzdm method (Custom Build)


./compile.sh build BOARD=h96-max-v56 BRANCH=current BUILD_DESKTOP=no BUILD_MINIMAL=yes KERNEL_CONFIGURE=no RELEASE=bullseye




This tutorial may be out of date; consider taking it from the source.


Original Source
Armbian Flag



Maximum recommended crypto value on it: 0.02BTC

You can make your RaspiBlitz image over Armbian.



First Boot

1#ssh root to the armbian H96MAX

ssh root@
Password: 1234

2#Set Raspiblitz Password

Set New Root Passwd: raspiblitz
Create new User: admin
set new user Passwd: raspiblitz


reboot now



Basesystem Prepare

4#Login as admin account:

User: admin
Passwd: raspiblitz


5#Update BaseSystem

sudo apt-get update
sudo apt-get upgrade


6#before start add raspberry repo:

echo deb http://archive.raspberrypi.org/debian/ buster main | sudo tee /etc/apt/sources.list.d/raspberrypi.list


echo deb http://archive.raspberrypi.org/debian/ bullseye main | sudo tee /etc/apt/sources.list.d/raspberrypi.list

7#add Raspberry Keys

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7FA3303E
sudo apt-get update

8#Install Raspiconfig

sudo apt-get install raspi-config



Install Python 3.10


sudo apt-get install python3.10


# select version (placeholder: set this to the exact 3.10 release you want to build)
pythonVersion="3.10.x"
majorPythonVersion=$(echo "$pythonVersion" | awk -F. '{print $1"."$2}' )
# update and upgrade
sudo apt update
sudo apt upgrade -y
# dependencies
sudo apt install wget software-properties-common build-essential libnss3-dev zlib1g-dev libgdbm-dev libncurses5-dev libssl-dev libffi-dev libreadline-dev libsqlite3-dev libbz2-dev -y
# download
wget https://www.python.org/ftp/python/${pythonVersion}/Python-${pythonVersion}.tgz
# optional signature for verification
wget https://www.python.org/ftp/python/${pythonVersion}/Python-${pythonVersion}.tgz.asc
# get PGP pubkey of Pablo Galindo Salgado
gpg --recv-key CFDCA245B1043CF2A5F97865FFE87404168BD847
# check for: Good signature from "Pablo Galindo Salgado <pablogsal@gmail.com>"
gpg --verify Python-${pythonVersion}.tgz.asc
# unzip
tar xvf Python-${pythonVersion}.tgz
cd Python-${pythonVersion}
# configure
./configure --enable-optimizations
# install
sudo make altinstall
# move the python binary to the expected directory
sudo mv $(which python${majorPythonVersion}) /usr/bin/
# check
ls -la /usr/bin/python${majorPythonVersion}
# make the new version the default
sudo rm /etc/alternatives/python
sudo update-alternatives --install /usr/bin/python python /usr/bin/python${majorPythonVersion} 1
sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python${majorPythonVersion} 1
# check
python --version
python3 --version



Clone and Install Raspiblitz

9# download the build script

wget https://raw.githubusercontent.com/rootzoll/raspiblitz/dev/build_sdcard.sh


sudo bash build_sdcard.sh
# Options:
#   -h, --help                               this help info
#   -i, --interaction [0|1]                  interaction before proceeding with execution (default: 1)
#   -f, --fatpack [0|1]                      fatpack mode (default: 1)
#   -u, --github-user [rootzoll|other]       github user to be checked from the repo (default: rootzoll)
#   -b, --branch [v1.10|v1.9]                 branch to be built on (default: v1.10)
#   -d, --display [lcd|hdmi|headless]        display class (default: lcd)
#   -t, --tweak-boot-drive [0|1]             tweak boot drives (default: 1)
#   -w, --wifi-region [off|US|GB|other]      wifi iso code (default: US) or 'off'


11#Set your custom Build (this is my build)

sudo bash build_sdcard.sh --interaction true --fatpack false --github-user raspiblitz --display headless --tweak-boot-drive false --wifi-region off

What to expect from these commands? The H96 isn't the fastest system in the world, so let it build for a while.


# LCD repo already cloned/downloaded (1)


- calling: blitz.display.sh set-display hdmi

# blitz.display.sh set-display hdmi 


# old(lcd)

# new(hdmi)


raspberrypi-bootloader was already set on hold.

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

xinput-calibrator is already the newest version (0.7.5+git20140201-1+b2).

0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

sed: can't read /boot/cmdline.txt: No such file or directory

# OK uninstall LCD done ... reboot needed

# hdmi install ... set framebuffer width/height

# blitz.conf.sh set displayClass hdmi

# FAIL: missing config file: /mnt/hdd/raspiblitz.conf


# OK - a restart is needed: sudo shutdown -r now

# BUILD DONE - see above

What to expect from these commands if you try to use Debian 12 or Ubuntu 22.04:


# the last step from build
added 157 packages, and audited 158 packages in 16s
> mempool-backend@2.4.0 build
> npm run tsc
> mempool-backend@2.4.0 tsc
> ./node_modules/typescript/bin/tsc
# blitz.display.sh set-display lcd 
# old(headless)
# new(lcd)
# auto-login of pi user already active
err='baseimage not supported'



This is a great time to make a backup image!

Using the V0.7 tutorial


Transfer your Raspiblitz image from your server to a thumbdrive (16 GB)

mount /dev/sda /mnt/
rsync -avx / /mnt/

Take the /dev/sda UUID


Edit the /etc/fstab UUID on the flash drive copy partition

sudo nano /mnt/etc/fstab

UUID=68f4d0f2-3968-4914-8e80-6fe2aa6e5044 / ext4 defaults,noatime,commit=600,errors=remount-ro 0 1

To be effective, you will need to edit the boot partition EXTLINUX file with the UUID of your /dev/sda thumbdrive

mount /dev/mmcblk1p1 /boot
nano -w /boot/extlinux/extlinux.conf


Create a Rootfs.img from that thumbdrive on an external Linux computer.

sudo dd if=/dev/sda of=~/root.img bs=4096 status=progress


You can apply the v0.7 + v1.0 method from @hotnikq or the v0.8 + v0.9 method from @hzdm.

Now you have an H96MAX Raspiblitz image that you can replicate.

Backup the bootfs partition from EMMC

sudo dd if=/dev/mmcblk1p1 of=~/bootfs.img bs=4096 status=progress

Create a Backup Image file:  Armbian-Raspiblitz_23.11.0-trunk_H96-max-v56_bullseye_current_6.1.63_gnome_desktop.tar.xz



shutdown now


attach datadrive

Plug HDD on USB3.0




Follow the Original Tutorial


Troubleshoot: #ssh root to the armbian H96MAX

User: admin
Passwd: raspiblitz

Troubleshoot: resize Root Filesystem.

df -h
sudo resize2fs /dev/mmcblk1p2
df -h

Troubleshoot: Reboot

sudo reboot now


Troubleshoot: ssh again

ssh admin@
Password: raspiblitz

Troubleshoot: the wizard should ask for HDD/SSD Create the EXT4

sudo fdisk /dev/sda
sudo mkfs.ext4 /dev/sda


Troubleshoot: set the disk to boot on /mnt/hdd

sudo nano /etc/fstab
UUID=bbced6d5-4c02-4413-bd8d-ff52c3f50a16 /mnt/hdd/              ext4    defaults,errors=remount-ro 0 0

Troubleshoot: to mount permanently this script edits the `/etc/fstab`

sudo /home/admin/config.scripts/blitz.datadrive.sh fstab sda1


Troubleshoot: Format External SSD

# can try to format with the script
sudo /home/admin/config.scripts/blitz.datadrive.sh format ext4 sda

## or manually
# make the partition
parted -s /dev/sda mkpart primary ext4 1024KiB 100%
# format to ext4, label BLOCKCHAIN
mkfs.ext4 -F -L BLOCKCHAIN /dev/sda1

# check the mounts
df -h

# if there is no /mnt/hdd yet mount /dev/sda1 
sudo mount /dev/sda1 /mnt/hdd

# to mount permanently this script edits the `/etc/fstab`
sudo /home/admin/config.scripts/blitz.datadrive.sh fstab sda1

# return to the setup





Troubleshoot: return to the setup


Troubleshoot: clear all keys: this command will generate new SSH keys for your server.

sudo -u admin config.scripts/blitz.preparerelease.sh


Troubleshoot: after clearing, reset the device by the power cord and clear SSH from your desktop.

Troubleshoot: command example: generate all new hash keys on your device.


deleting raspiblitz & system logs ..


cleaning raspiblitz.info


deleting SSH Pub keys ...

they will get recreated on fresh bootup, by _bootstrap.sh service



deleting local DNS confs ...



deleting old API conf ...



deleting local WIFI conf ...

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev





Will shutdown now.


Troubleshoot: the last command deleted the whole redis service folder; you will need to make this folder again!


root@station-m2:/home/admin# systemctl start redis

Job for redis-server.service failed because the control process exited with error code.

See "systemctl status redis-server.service" and "journalctl -xeu redis-server.service" for details.

root@station-m2:/home/admin# systemctl status redis-server.service

× redis-server.service - Advanced key-value store

     Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)

     Active: failed (Result: exit-code) since Sun 2023-11-26 15:28:11 -03; 657ms ago

       Docs: http://redis.io/documentation,


    Process: 10614 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no (code=exited, status=1/FAILURE)

   Main PID: 10614 (code=exited, status=1/FAILURE)

        CPU: 251ms


nov 26 15:28:11 station-m2 systemd[1]: redis-server.service: Scheduled restart job, restart counter is at 5.

nov 26 15:28:11 station-m2 systemd[1]: Stopped Advanced key-value store.

nov 26 15:28:11 station-m2 systemd[1]: redis-server.service: Start request repeated too quickly.

nov 26 15:28:11 station-m2 systemd[1]: redis-server.service: Failed with result 'exit-code'.

nov 26 15:28:11 station-m2 systemd[1]: Failed to start Advanced key-value store.

Troubleshoot: Create the redis folder again

sudo mkdir -p  /var/log/redis/ && sudo touch /var/log/redis/redis-server.log && sudo chown redis:redis /var/log/redis/redis-server.log

Troubleshoot: now you can start redis again

systemctl start redis

Troubleshoot: Install Whiptail


sudo apt-get install whiptail

Troubleshoot: reboot

sudo reboot now


You can try to reset this by deleting the file:

sudo rm /home/admin/provision.flag


and restart the bootstrap process:

sudo systemctl restart bootstrap


Other files used to record the state (so can be deleted to restart the setup process) are:

sudo rm /home/admin/raspiblitz.info
sudo rm /mnt/hdd/raspiblitz.conf


Follow the raspiblitz tutorial.

Edited by hotnikq
Link to comment
Share on other sites
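Added example, not part of the original post or of the RaspiBlitz scripts: in the Python build steps of the tutorial above, `gpg --verify` only prints its result and the build carries on whatever it says. The shell function below gates on gpg's machine-readable `--status-fd` lines and accepts a tarball only when a `VALIDSIG` line carries the full fingerprint quoted in the post; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Full fingerprint of the release key, as quoted in the post above.
EXPECTED_FPR="CFDCA245B1043CF2A5F97865FFE87404168BD847"

# sig_status_ok EXPECTED_FPR < gpg-status-lines
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the signing key
# (field 3) or as its primary key (last field), and no line reports a bad,
# unverifiable, expired or revoked signature.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_release TARBALL SIGNATURE
# Runs gpg and lets the status lines, not the human-readable text, decide.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        sig_status_ok "$EXPECTED_FPR"
}

# Constructed sample: status lines for a good signature made by that key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFE87404168BD847 Pablo Galindo Salgado <pablogsal@gmail.com>
[GNUPG:] VALIDSIG CFDCA245B1043CF2A5F97865FFE87404168BD847 2023-01-01 1672531200 0 4 0 1 10 00 CFDCA245B1043CF2A5F97865FFE87404168BD847
EOF
}

# Constructed sample: a valid signature from a different key that shares
# only the last 8 hex digits (the "short ID") with the expected one.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000168BD847 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000168BD847 2023-01-01 1672531200 0 4 0 1 10 00 00000000000000000000000000000000168BD847
EOF
}

# Constructed sample: the tarball does not match its signature.
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG FFE87404168BD847 Pablo Galindo Salgado <pablogsal@gmail.com>
EOF
}

# Stand-alone use: sh verify.sh Python-X.Y.Z.tgz Python-X.Y.Z.tgz.asc
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature OK, safe to unpack"
    else
        echo "signature check FAILED, do not build" >&2
        exit 1
    fi
fi
```

The same full-fingerprint comparison applies to the repository key step, where the post fetches a key by its 8-digit ID.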

On 11/28/2023 at 3:42 PM, OICQ said:

I am unable to connect to wired networks.

Did you test v0.7, v0.9, v1.0 or the custom build?
Send a picture of the board of your box.
Sometimes the factory changes the board and pinout.

It needs to be something like this.

Edited by hotnikq
Link to comment
Share on other sites

2 hours ago, Evgeny Radchenko said:

No luck (


Try v1.0 image update

H96 MAX V56 RK3566 8gb EMMC Chainloader to mainline HotnikQ images:

Tutorial EMMC Version v1.0 ARMBIAN
Armbian 23.11.0 Server Minimal V1.0 The Latest
Armbian 23.11.0 Desktop Gnome V1.0 The Latest
Debian 12 BookWorm Server Minimal v1.0 The Latest
Debian 12 BookWorm Desktop Gnome v1.0 The Latest

Link to comment
Share on other sites

15 hours ago, Evgeny Radchenko said:

No luck (

You have to check "Write by Address".


In loader mode, MiniLoaderAll.bin is not checked.

In maskrom mode, MiniLoaderAll.bin is checked.

When the error occurred, the device seems to have been in loader mode.

Edited by blust0ne
Link to comment
Share on other sites



Thanks, everybody, for the hard work on this box.

I have followed the guide from this post by hzdm, and everything is working fine:


It ran for 30 days without a problem: docker, virtual machines, compiling...

Updates are also working, except for the kernel.


So, today I decided to try to upgrade the kernel manually. I read here and there, but haven't found a definitive answer on how it is done.


I have compiled a new image using the same procedure, put these packages on the box:



and did "sudo dpkg -i ..." in the order linux-dtb, linux-image, linux-u-boot.


As more experienced members probably already know, after reboot it didn't start.


Since this is just a box for experimentation, I have just re-flashed it with the new image and everything is working fine again.


So, my question is, how do you update the kernel?

Are linux-dtb and linux-image enough, or is there something else that should be done?




Link to comment
Share on other sites

Finally installed armbian on my box.

Tried v1.0 and 0.7

All works fine except ethernet.


Here is "ip a":

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 82:0d:55:5a:53:43 brd ff:ff:ff:ff:ff:ff
    altname end0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:27:65:fd:46:ce brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute wlan0
       valid_lft 581sec preferred_lft 581sec
    inet6 fe80::a069:33d9:57b4:f527/64 scope link noprefixroute
       valid_lft forever preferred_lft forever


The interface seems to work, but there is no connection.


I made some photos of my board.

Pls, hlp




Link to comment
Share on other sites

5 hours ago, Evgeny Radchenko said:

All works fine except ethernet.

Welcome to the Chinese TV box nightmare.
Here on this side of Linux, the manufacturer modifies the hardware without notifying anyone.
The only creativity that comes from China is changing adapters on consolidated boards; otherwise everything is a copy.
You will need to inject the driver for your LAN device.


This device looks like RTL8211C.


Use wifi to connect to the web.


sudo apt-get install hwinfo



That's the device that originally works on my device.

  P: /devices/platform/fe010000.ethernet/mdio_bus/stmmac-0/stmmac-0:00
  M: stmmac-0:00
  R: 00
  U: mdio_bus
  T: PHY
  V: RTL8211F Gigabit Ethernet
  E: DEVPATH=/devices/platform/fe010000.ethernet/mdio_bus/stmmac-0/stmmac-0:00
  E: SUBSYSTEM=mdio_bus
  E: DRIVER=RTL8211F Gigabit Ethernet
  E: OF_NAME=ethernet-phy
  E: OF_FULLNAME=/ethernet@fe010000/mdio/ethernet-phy@0
  E: OF_COMPATIBLE_0=ethernet-phy-ieee802.3-c22
  E: MODALIAS=of:Nethernet-phyT(null)Cethernet-phy-ieee802.3-c22

If you identify that the device is the same as the original driver,
then there are physical problems with your device or the cable.
Check if everything works fine on Android: rewrite Android to the device and test the LAN.



sd: /devices/platform/fd000000.usb/xhci-hcd.7.auto/usb3/3-1/3-1:1.0/host0/target0:0:0/0:0:0:0
RTL8226B_RTL8221B 2.5Gbps PHY: module = realtek
RTL8221B-VM-CG 2.5Gbps PHY: module = realtek
RTL8208 Fast Ethernet: module = realtek
RTL8221B-VB-CG 2.5Gbps PHY: module = realtek
RTL8201CP Ethernet: module = realtek
RTL8366RB Gigabit Ethernet: module = realtek
RTL8211F Gigabit Ethernet: /devices/platform/fe010000.ethernet/mdio_bus/stmmac-0/stmmac-0:00
RTL8211F Gigabit Ethernet: module = realtek
RTL8211B Gigabit Ethernet: module = realtek
RTL8226B-CG_RTL8221B-CG 2.5Gbps PHY: module = realtek
RTL8211DN Gigabit Ethernet: module = realtek
RTL8211 Gigabit Ethernet: module = realtek
RTL8226-CG 2.5Gbps PHY: module = realtek
RTL8226 2.5Gbps PHY: module = realtek
Generic FE-GE Realtek PHY: module = realtek
RTL8211F-VD Gigabit Ethernet: module = realtek
RTL8365MB-VC Gigabit Ethernet: module = realtek
RTL8211E Gigabit Ethernet: module = realtek
RTL8201F Fast Ethernet: module = realtek
RTL8211C Gigabit Ethernet: module = realtek
RTL9000AA_RTL9000AN Ethernet: module = realtek

If your device is not in the above list then you need to install the correct driver


"ip a" Command:


2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    altname end0
    inet ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff scope global dynamic noprefixroute eth0
       valid_lft 2467sec preferred_lft 2467sec
    inet6 ff:ff:ff:ff:ff:ff scope global dynamic noprefixroute 
       valid_lft 2712sec preferred_lft 2712sec
    inet6 ff:ff:ff:ff:ff:ff scope link noprefixroute 
       valid_lft forever preferred_lft forever

3: docker0: 

85: veth5f87d43@if84: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether  brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 ff:ff:ff:ff:ff:ff scope link 
       valid_lft forever preferred_lft forever




Edited by hotnikq
Link to comment
Share on other sites

Hey, community 🙂!

Planning to use my box for some home lab Kubernetes too.

Wonder to firm my box but what type of USB cable did you use, is it just USB male male? Planning to do it from my Linux PC.

Could you suggest maybe a method/tool to back up my original partition with firmware?

Thank you for any help indeed.

Link to comment
Share on other sites

@hotnikq Hello guys, I am new to Armbian and Linux firmware etc. I bought an H96 Max V56 because I read this thread and I thought Armbian works on this device. I could successfully install this img "Armbian_23.11.0-trunk_H96-max-v56_jammy_current_6.1.62_xfce_desktop.img" but I think it doesn't run smoothly (working but too slow). So I tried hotnik's img but the RK tool says "found one maskrom device" after the flash operation. I am trying to flash 8G_Update_Armbian_23.11.0-trunk_Station-m2_bookworm_edge_6.2.16_gnome_desktop.tar.img. Must I flash another ROM before this img? I read this thread many times but I couldn't find what I am doing wrong.

I am using rk flashtool 2.86 (downloaded from hotnik's link). Please help me 😅

Link to comment
Share on other sites

On 3/8/2024 at 9:11 AM, Engin Demir said:

"found one maskrom device" after the flash operation.


This error happened to other users.
If you follow the tutorial,
you will find the 8GB devices fix.


On 3/8/2024 at 9:11 AM, Engin Demir said:

but I think it doesn't run smoothly (working but too slow)

If you're hoping to run a graphical user interface, stick to Android.
The original video driver came from Android (kernel 4.2).


Edited by hotnikq
Link to comment
Share on other sites


🏆 Become a sponsor, help to add other boards to Armbian standard; you don't need to be a programmer to help the community,
you just need a copy of the ARM BOARD and an x86 computer to compile new versions.

EMMC: V1.1 HZDM Release Version



If you like what you see here and want to help: Donate to Armbian. The like button only costs a few dollars.

Armbian needs your help!


If you have given up on Armbian Linux on your H96MAX RK3566 TV box,
think again and again and again and again, because:

@hzdm updated armbian Build configuration:

V1.1 HZDM original Build Armbian Tutorial:


On Linux:

1 - Follow the Build Armbian instructions
If it doesn't build your image as expected:
rm -rf build
git clone --depth 1 --branch v24.02 https://github.com/armbian/build
Try again and again and again and again

2 -  Download H96MAX Armbian Build Config  (Original Source)
3 - Copy the h96-max-v56 directory to build/packages/blobs/  directory
4 - Copy the h96-max-v56.conf file to the build/config/boards/ directory
5 - Run the image build


On Windows:

6 - Download the Armbian.cfg file to RKDevTool (Original Source)

7 - Drop it on RKDevTool




Boot, MiniLoaderAll:



8 - Shut down the H96 MAX.
9 - Press the Reset button.
10 - Turn on the H96 MAX.
11 - Wait until the message "Found One MASKROM Device" or "Found One LOADER Device" appears. (1)
12 - Mark all 2 sections with check marks (2)
13 - Open 2 files for each section (3)
14 - Check "Write by Address" (4).



15 - Press the "Run" button (5). The download will start.
When the message "Download image OK" appears, the download is finished (6). 
16 - H96 MAX will automatically reboot. 



Alternative: On Linux OS

rkdeveloptool db MiniLoaderAll.bin   # If this is not your first time flashing with this firmware, an error may appear here. It's not a big deal
rkdeveloptool wl 0x0 Your_Armbian_Image-trunk_H96-max-v56_jammy_current_6.1.62.img

rkdeveloptool rd

And because malware was discovered in the XZ library from Edge trixie and Edge sid,
I came here again to remove and rebuild all affected images.

Ubuntu: One of the most popular Linux distributions is not affected as its xz version is the older 5.4 version. No updates are required.
Debian Linux: No stable versions of the distribution were affected,
but compromised packages were part of test, unstable and experimental versions. Users must update xz-utils.

Read more: CVE-2024-3094


Video drivers:





Edited by Hqnicolas
Link to comment
Share on other sites
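Added example, not from the post or from Armbian: one way to check rebuilt images for the xz releases covered by CVE-2024-3094 is to read the dpkg status database of an unpacked or loop-mounted root filesystem. It flags upstream xz 5.6.0 and 5.6.1, treats Debian's reverted `+really` packages as clean, and the function names and the sample rootfs are constructed.

```shell
#!/bin/sh
# xz_upstream VERSION
# Strips the epoch and the Debian revision; for "X+reallyY" versions it
# reports Y, the code that was actually packaged.
xz_upstream() {
    v=${1#*:}
    v=${v%-*}
    case $v in *+really*) v=${v#*+really} ;; esac
    printf '%s\n' "$v"
}

# xz_affected VERSION: returns 0 for upstream 5.6.0 / 5.6.1 package versions.
xz_affected() {
    case $(xz_upstream "$1") in
        5.6.0|5.6.1|5.6.0[!0-9]*|5.6.1[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rootfs ROOT
# Lists installed xz/liblzma packages found in ROOT's dpkg database.
# Returns 1 if any is affected, 2 if ROOT has no readable dpkg database.
audit_rootfs() {
    db="$1/var/lib/dpkg/status"
    [ -r "$db" ] || { echo "no dpkg status under $1" >&2; return 2; }
    found=$(awk 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = ""; ver = ""; inst = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package: /) pkg = substr($i, 10)
            else if ($i ~ /^Version: /) ver = substr($i, 10)
            else if ($i ~ /^Status: .* installed$/) inst = 1
        }
        if (inst && pkg ~ /^(liblzma5|liblzma-dev|xz-utils)$/) print pkg, ver
    }' "$db")
    rc=0
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if xz_affected "$ver"; then
            echo "AFFECTED $pkg $ver"
            rc=1
        else
            echo "ok $pkg $ver"
        fi
    done <<EOF
$found
EOF
    return $rc
}

# make_sample_rootfs DIR VERSION
# Constructed sample: a minimal dpkg database with two installed packages
# at VERSION and one removed package that must be ignored.
make_sample_rootfs() {
    mkdir -p "$1/var/lib/dpkg"
    cat > "$1/var/lib/dpkg/status" <<EOF
Package: liblzma5
Status: install ok installed
Architecture: arm64
Version: $2

Package: xz-utils
Status: install ok installed
Architecture: arm64
Version: $2

Package: liblzma-dev
Status: deinstall ok config-files
Architecture: arm64
Version: 5.6.0-0.2
EOF
}

# Stand-alone use: sh audit.sh /mnt/rootfs
if [ "$#" -eq 1 ]; then
    audit_rootfs "$1"
    exit $?
fi
```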

On 3/8/2024 at 4:14 AM, Armi said:

what type of USB cable did you use

Male to male USB A


On 3/8/2024 at 4:14 AM, Armi said:

is it just USB male male?


On 3/8/2024 at 4:14 AM, Armi said:

Planning to do it from my Linux PC

Follow the last post I did here....


On 3/8/2024 at 4:14 AM, Armi said:

Could you suggest maybe a method/tool to back up my original partition with firmware?

Don't put anything that needs a backup inside that Chinese dogshit box.
If you did, you can follow this post and this post.


Link to comment
Share on other sites

As it seems interesting, I also purchased a new device RK3566 from Aliexpress. I started at the beginning by wanting to backup what is currently on a device (just in case I fuck something up later on). After reading a few threads I embarked on a journey to dump the eMMC contents. I started with the RKDev Tool and RkDumper with various drivers in Windows 11. I did not get very far, so I gave up for now and switched to Kali. I cloned the rkdeveloptool git repo, tried to compile it, but it failed out of the box. There is a warning treated as an error, so you need to correct the code with static pointer casting and then it compiles.

Let's try to get some info from the flash:

└─$ sudo rkdeveloptool ld  
DevNo=1	Vid=0x2207,Pid=0x350a,LocationID=102	Loader

└─$ sudo rkdeveloptool rfi
Flash Info:
	Manufacturer: SAMSUNG, value=00
	Flash Size: 59640 MB
	Flash Size: 122142720 Sectors
	Block Size: 512 KB
	Page Size: 2 KB
	ECC Bits: 0
	Access Time: 40
	Flash CS: Flash<0> 

└─$ sudo rkdeveloptool ppt
**********Partition Info(GPT)**********
NO  LBA       Name                
00  00002000  security
01  00004000  uboot
02  00006000  trust
03  00008000  misc
04  0000A000  dtbo
05  0000C000  vbmeta
06  0000C800  boot
07  00020800  recovery
08  00056800  backup
09  00110800  cache
10  001D0800  metadata
11  001D8800  baseparameter
12  001D9000  logo
13  001E1000  super
14  007F5000  userdata

└─$ sudo rkdeveloptool rci
Chip Info:  38 36 35 33 0 0 0 0 0 0 0 0 0 0 0 0

└─$ sudo rkdeveloptool rcb
Capability:15 07 00 00 00 00 00 00 
Direct LBA:	enabled
First 4m Access:	enabled
Read Com Log:	enabled
Read Secure Mode:	enabled
New IDB:	enabled


So we have a nice partition info with an address table. Nice. I started to read the eMMC from the first 0 sector till the end sector 122142720. It took a while and to my surprise, the .xz file was only 12ish MB large, which was nearly impossible. So I started to analyze the hex dump and to my surprise, after a while, there were only 0xCC values read from the module. After some digging around I found out that there is a protection in U-Boot (I would really like to meet this guy or some stupid project lead that has come up with this idea, which is not secure nor meaningful) that prevents reading anything larger in size than 0x10000. As luck would have it, U-Boot was completely dumped from sector 0x4000 onwards, so by extracting it from the whole dump I stored the uboot.img. I found a Python script lying around somewhere that needed to be changed to my needs (offsets and length), which dumped uboot.bin. By loading it into Ghidra one could search for this function and edit the branch call. I packed everything back into uboot.img and flashed it to the sector 0x4000 and dumped again. This time the .xz was something more than 2.2 GB, which is in a range of images on China Gadgets reviews page.

Just to be sure I also retried with the RkDumper as the author suggested that his tool works till driver version 4.5 (if I remember correctly) and I knew that the last time I was able to fiddle around with changing driver *.inf files was in Win7, I searched for an already available VirtualBox image and I found a torrent. With some magic, I was able to edit and add the VID and PID device IDs to the driver and install it. After some trial and error, it persuaded VB to mount the RK Loader in Win7. RkDumper did its job, but way slooooower than in Linux. Anyway, I have two separate and complete dumps of the whole eMMC.

In the meantime I was also curious about the serial port connector on the board so I soldered the connector. I saw an image by @Hqnicolas where he soldered cables for the TTL UART converter and posted UART settings. I used the same principle, but how wrong I was :) the ground is on this board the middle pin, which I must say that in 20 years in the embedded world I have not seen. I needed to prove this with a multimeter. From the UART log I got new information:

U-Boot 2017.09-dirty #s02 (Jul 27 2023 - 21:33:25 +0800)<CR><LF>
Model: Rockchip RK3568 Evaluation Board<CR><LF>
PreSerial: 2, raw, 0xfe660000<CR><LF>
DRAM:  7.7 GiB<CR><LF>
Sysmem: init<CR><LF>

Why the use of RK3568??? I have 8 GB of DDR4 RAM running with the frequency of 1056 MHz and also that dtb files are loaded from the kernel partition. Also, the I2C frequency of the bulk converter seems to be the right one for tcs4525 (also to format is correct, but the numbers are so small that I can't read them), which was mentioned by @Hqnicolas in the 4G thread. So the next move was to dump/extract them all. There is also one Python script somewhere in git repo that dumps them - not so perfectly though. In Linux, I converted them into dts and I am sharing them in this post.


@Hqnicolas For the card reader did you only solder the socket or did you also add other components (I don't have the BOM list) as it appears that a lot of capacitors were not placed on the board?


So the next steps are going to be analysis of the log files and probing out the armbian linux installation.






androidBoot_asc.txt dts_files.7z dtb_dump.7z

Link to comment
Share on other sites
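Added example, not part of the original post: a check that would have caught the 12 MB dump described above before it was trusted as a backup. It walks the partition table printed by `rkdeveloptool ppt` and samples the start of each partition in the dump file, reporting regions that read back as nothing but 0xCC or that lie past the end of the file; the function names, the sample table and the sample dump are constructed, and a 0xCC-only region is assumed to mean unread data.

```shell
#!/bin/sh
# region_is_filler IMAGE START_LBA SECTORS
# Returns 0 when the region exists and every byte in it is 0xCC (octal 314).
# Leaves the number of bytes actually read in $got.
region_is_filler() {
    got=$(( $(dd if="$1" bs=512 skip="$2" count="$3" 2>/dev/null | wc -c) ))
    other=$(( $(dd if="$1" bs=512 skip="$2" count="$3" 2>/dev/null |
                LC_ALL=C tr -d '\314' | wc -c) ))
    [ "$got" -gt 0 ] && [ "$other" -eq 0 ]
}

# check_dump IMAGE SAMPLE_SECTORS < output-of-"rkdeveloptool ppt"
# Prints one verdict per partition and returns 1 if any partition start is
# filler-only or missing from the image.
check_dump() {
    img=$1
    sample=$2
    rc=0
    while read -r no lba name; do
        # Only table rows start with a two-digit partition number.
        case $no in [0-9][0-9]) ;; *) continue ;; esac
        start=$((0x$lba))
        if region_is_filler "$img" "$start" "$sample"; then
            echo "FILLER $name"
            rc=1
        elif [ "$got" -eq 0 ]; then
            echo "MISSING $name"
            rc=1
        else
            echo "data $name"
        fi
    done
    return $rc
}

# Constructed sample: same layout as the ppt listing, with small LBAs.
sample_table() {
    cat <<'EOF'
**********Partition Info(GPT)**********
NO  LBA       Name
00  00000008  uboot
01  00000010  boot
02  00000040  userdata
EOF
}

# make_sample_dump FILE
# Constructed sample: 16 sectors of real-looking bytes followed by
# 16 sectors of 0xCC, so the file ends before the last partition starts.
make_sample_dump() {
    {
        dd if=/dev/zero bs=512 count=16 2>/dev/null | LC_ALL=C tr '\000' 'U'
        dd if=/dev/zero bs=512 count=16 2>/dev/null | LC_ALL=C tr '\000' '\314'
    } > "$1"
}

# Stand-alone use: sh check_dump.sh dump.img ppt.txt
if [ "$#" -eq 2 ]; then
    check_dump "$1" 8 < "$2"
    exit $?
fi
```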

5 hours ago, pocosparc said:

to backup what is currently on a device (just in case I fuck something up later on)


You can burn the Android image from https://disk.yandex.ru/d/F29OpGlUWmyfKA?w=1

and in the worst case you can short the EMMC CLK pins "next post image".
Rockchip devices are unbrickable unless you short the power supply or the EMMC runs out of TBW.


5 hours ago, pocosparc said:

RkDumper with various drivers in Windows 11.


Forget Windows 11,
you need the Junkyard 10.


5 hours ago, pocosparc said:

there were only 0xCC values read from the module.

I think you need to switch the device mode before dumping memory (I did it by trial and error)


5 hours ago, pocosparc said:

. This time the .xz was something more than 2.2 GB, which is in a range of images on China Gadgets reviews page.

Nice, it's a dump.

5 hours ago, pocosparc said:

Why the use of RK3568???

RK3318 is the same as RK3328
RK3568 is the same as RK3566
you can swap firmwares between them


5 hours ago, pocosparc said:

For the card reader did you only solder the socket

only the socket and a drilled hole on plastic case

With an SD card you can achieve better results!

Thanks for the board images, I don't have the patience to disassemble it again.
I think you will be the guy who brings the video driver and RKNPU2 to Armbian.


Edited by Hqnicolas
Link to comment
Share on other sites

7 hours ago, Werner said:

Press X for 'doubt'.

The CP2102 cannot handle 1.5Mbaud


@Werner Is your CP2102 fake?


I have the Chinese fake CP2102 and it works at 1.5M baud rate

These guys are fake   ^^^^^^^^^ and this CP2102 works at 1.5M baud rate

but the PL2303HX doesn't work with anything :D it is an absolute waste of metal

Prolific PL2303 has fake versions too
:ph34r:The Serial UART to USB looks like the TV-Box Market :ph34r:

Edited by Hqnicolas
Link to comment
Share on other sites
