Generating quasi-reproducible BootROM firmware for Rock-Chips SoCs
Introduction
The official wiki describes, in general terms, all the stages of booting devices based on Rock-Chips SoCs such as the popular RK3399 PinebookPro, RK3288 Asus C201, etc. Here I extend that guide by explaining how to create quasi-reproducible rkxx_loader_vx.xx.xxx.bin files using the open-source tool rkdeveloptool and the necessary ddr.bin, usbplug.bin and miniloader.bin binary blobs from the official https://github.com/rockchip-linux/rkbin repository. "Quasi-reproducible" means that the final firmware is not derived from fully open-source data (hopefully that will change in the future), but at least the process of creating the binaries is transparent and the results are verifiable by their checksums.

Why should you care?
Reproducible builds (https://reproducible-builds.org/) matter. The BootROM (which can only be updated via USB from another machine) is the very first stage in booting various families of Rock-Chips SoCs. Unfortunately, it is also the only place that still forces us to use the vendor's closed rkxx_loader_vx.xx.xxx.bin firmware. By default you generate it in a non-reproducible way, using either the legacy tool boot_merger or the open-source rkdeveloptool. The problem is that there are already too many different, unverified, outdated and potentially compromised versions of this stage-1 core component endorsed by the u-boot docs, the PineBookPro wiki, Radxa Products, etc. Below I present an easy step-by-step solution to this issue.
Preparing the binary blobs
$ git clone https://github.com/rockchip-linux/rkbin
$ cd rkbin
$ cp RKBOOT/RKxxxxMINIALL.ini config.ini
Edit config.ini and fix the LOADER# line numbering (i.e. change LOADER1 to LOADER0 and LOADER2 to LOADER1), or recompile rkdeveloptool with the changes from https://github.com/rockchip-linux/rkdeveloptool/pull/48
In config.ini you can also do some additional tuning by replacing the standard ddr.bin blob with one of the differently clocked RAM alternatives available in the rkbin/bin directory (do this at your own risk, and be aware that you can permanently damage your hardware).
Making rkdeveloptool pack results reproducible
- Apply my small changes, which basically just freeze the auto-generated timestamp, to your dev environment from this fork, upstream, or a Linux distribution maintainer's repository such as https://salsa.debian.org/debian/rkdeveloptool
- Follow the official Readme.txt to understand the build process.
- Install all the required dependencies, then configure and build rkdeveloptool:
$ apt install -y build-essential libncurses5-dev git make bison flex python3 device-tree-compiler bc libssl-dev lzop kmod libudev-dev dh-autoreconf libglib2.0-dev libusb-1.0-0-dev
$ git clone https://github.com/martinSusz/rkdeveloptool/
$ cd rkdeveloptool && aclocal && autoreconf -i && autoheader && automake --add-missing && ./configure && make
- Copy the compiled rkdeveloptool into the rkbin directory where you previously prepared the config.ini file.
- Contribute to my PR https://github.com/rockchip-linux/rkdeveloptool/pull/78 so that it can be merged into the upstream repository.
Generating final rkxx_loader_vx.xx.xxx.bin
From the rkbin directory:
$ export SOURCE_DATE_EPOCH=1639566000
$ ./rkdeveloptool pack reproducibly
$ mv rkxx_loader_vx.xx.xxx.bin rkxx_loader_vx.xx.xxx.bin1
$ ./rkdeveloptool pack reproducibly
$ sha512sum rkxx_loader_vx.xx.xxx.bin*
Automation
#!/usr/bin/env bash
# Run from the rkbin directory, next to the compiled rkdeveloptool.
# Exported so that rkdeveloptool sees the frozen timestamp.
export SOURCE_DATE_EPOCH=1639566000
for file in RKBOOT/*
do
    if [[ -f "$file" ]]; then
        cp "$file" config.ini
        # workaround from https://github.com/rockchip-linux/rkdeveloptool/pull/48
        sed -i 's/LOADER1/LOADER0/g' config.ini
        sed -i 's/LOADER2/LOADER1/g' config.ini
        ./rkdeveloptool pack reproducibly
    fi
done
# remove failed binaries (some firmware requires an additional uboot.img and other files)
# -maxdepth 1 keeps the cleanup away from the vendor blobs under bin/
find . -maxdepth 1 -name "*.bin" -type f -size -6k -delete
sha512sum *.bin
Verify results
Check whether your checksums correspond to those at https://github.com/martinSusz/rkdeveloptool/releases/tag/v0.0.1, and send me your feedback, negative or positive, signed with your GPG key, to help build a trustworthy database for these binaries, inspired by the https://www.gitian.org/ approach.
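One way to automate the comparison described above, as an added example that is not part of the original post or of rkdeveloptool. It assumes the reference checksums have been saved locally in plain sha512sum output format; verify_loaders, demo and the sample file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: compare locally packed loaders against a reference list.
# Assumptions: the reference list uses plain `sha512sum` output
# ("<hash>  <file>"); verify_loaders and all file names are hypothetical.

verify_loaders() {   # usage: verify_loaders <reference-list> <build-dir>
    local ref="$1" dir="$2" rc=0 f name want got
    # 1. Every locally built loader must be listed with an identical hash.
    for f in "$dir"/*.bin; do
        [ -f "$f" ] || continue
        name=${f##*/}
        got=$(sha512sum "$f" | cut -d' ' -f1)
        want=$(awk -v n="$name" '$2 == n { print $1 }' "$ref")
        if [ -z "$want" ]; then
            echo "UNLISTED $name"; rc=1      # built here, absent from the list
        elif [ "$got" = "$want" ]; then
            echo "MATCH    $name"
        else
            echo "MISMATCH $name"; rc=1      # same name, different bytes
        fi
    done
    # 2. Every reference entry must exist locally (catches failed packs).
    while read -r want name; do
        [ -z "$name" ] || [ -f "$dir/$name" ] || { echo "MISSING  $name"; rc=1; }
    done < "$ref"
    return "$rc"
}

demo() {   # constructed sample data, not real loader binaries
    local tmp; tmp=$(mktemp -d)
    printf 'loader-a' > "$tmp/sample_a_loader.bin"
    printf 'loader-b' > "$tmp/sample_b_loader.bin"
    (cd "$tmp" && sha512sum -- *.bin > reference.sha512)
    verify_loaders "$tmp/reference.sha512" "$tmp"; echo "clean build: rc=$?"
    printf 'X' >> "$tmp/sample_b_loader.bin"     # simulate a differing build
    verify_loaders "$tmp/reference.sha512" "$tmp"; echo "altered build: rc=$?"
    rm -rf "$tmp"
}

demo
```

A non-zero return code means at least one loader differs from, is absent from, or is missing relative to the reference list, which is the case worth reporting back with the exact file name.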