I just bought a Cube U30GT Android tablet, based on the Rockchip RK3066 ARM chipset. Here are the instructions to root it under Linux.
The U30GT is a nice tablet. It only cost me about 180 euros (€150 tablet + shipping, €30 VAT or “BTW” as it’s called in the Netherlands). Value for money!
Now the reason I bought this very tablet is that it’s specs are nearing older Intel “Atom” chips, which could mean that this €180 tablet is actually a €350 laptop – minus keyboard. So the first thing to do here was to root the thing.
Here is the step-by-step instructions for rooting this tablet under Linux. Usual disclaimers apply: do not try this at home; if you break your tablet, it’s broken; no guarantees. It worked for me, quite easily, but it may not work for you.
2012-04-12 I received some reports of non-bootable machines, please read the update.
2014-06-16 Updated update: unbrick your Neo X7 and most likely unbrick and/or flash other RK3XYZ machines. The warning no longer applies. Also, see below.
- get the rkflashtool source code from sourceforge.net/projects/rkflashtool.
- Add USB identification for the RK3066 chip, 0x2207, 0x300a. Your code will now look like:
if (!(h = libusb_open_device_with_vid_pid(c, 0x2207, 0x290a)))
if (!(h = libusb_open_device_with_vid_pid(c, 0x2207, 0x281a)))
if (!(h = libusb_open_device_with_vid_pid(c, 0x2207, 0x300a)))
fatal("cannot open device\n"); - Install libusb-1.0-0-dev and compile:
sudo apt-get install libusb-1.0-0-dev
gcc -o rkflashtool rkflashtool.c -lusb-1.0 -O2 -W -Wall -s - Turn off your U30GT. Insert the USB cable. Hold the “volume +” button, then push the “power” button for about 5 seconds. Afterwards, “lsusb” should show the U30GT identification, something like Bus 001 Device 007: ID 2207:300a
- Read the partition information for your U30GT:
sudo ./rkflashtool r 0x0000 0x2000 > /tmp/parm - in /tmp/parm you will find something like:
CMDLINE: console=ttyFIQ0 androidboot.console=ttyFIQ0 init=/init initrd=0x62000000
,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000
(kernel),0x00008000@0x00008000(boot),0x00008000@0x00010000(recovery),0x00100000@0
x00018000(backup),0x0003a000@0x00118000(cache),0x00200000@0x00152000(userdata),0x
00002000@0x00352000(kpanic),0x00100000@0x00354000(system),-@0x00454000(user)
It’s the “(system)” partition that we’re after. In this case: 0x00100000@0x00354000 - Use rkflashtool again, with our newly found parameters:
sudo ./rkflashtool r 0x00354000 0x00100000 > /tmp/system.loop - Save this file in a safe place, it is your original!
- From hereon, it’s rather trivial. Mount the image, change whatever you like and write it back. Something like:
sudo mount -o loop /tmp/system.loop /mnt
cd /mnt/app
cp ~/Download/Superuser.apk /mnt/app
cp ~/Download/su.arm /mnt/bin/su
There are lots of other things that you may want to do, like removing buyu.apk CCCCACDE.apk com.chaozh.iReaderFree_145459.apk cube.0.3.0_v2963.apk es.apk Galaxy4.apk hd.apk HoloSpiralWallpaper.apk MagicSmokeWallpapers.apk qq_hd_1.7.0.apk uc.apk, change the bootanimation.zip and mess around freely. You did copy your image in step 8, didn’t you? - Write back and reboot:
sudo umount /mnt
sudo ./rkflashtool w 0x00354000 0x00100000 < /tmp/system.loop
I guess you need to write back withsudo ./upgrade_tool di -s /tmp/system.loop, see here for more information about upgrade_tool; but I’ll try to find a spare moment to write a separate blog post about it. Then reboot.
sudo ./rkflashtool b
That’s all, folks!
Hi,
I have an android device UG802 based on the same RK3066 chip. I was trying to use the method you described above for reading the internal flash of the device, but I failed.
I’m able to switch the device into the service mode, so I can see it in Linux when using lsusb (Bus 002 Device 008: ID 2207:300a). I’ve downloaded, modified (enabled the 2207:300a device)
and compiled the rkflashtool. Now, the problem I have is the rkflashtool fails when using bulk transfers. I can see a lot of messages like this on the console:
libusb:warning [do_sync_bulk_transfer] unrecognised status code 1
When I print the number of transfered bytes and return code of the libusb_bulk_transfer is can see this:
rkflashtool: info: transfered = 0
rkflashtool: info: ret=-99
Interestingly the libusb_open_device_with_vid_pid(…) and libusb_claim_interface(h, 0) fuction call (in the rkflashrool) returned no error so the device can be accessed by the libusb…
So the question is: did you encounter similar problem? If not, what Linux distibution do you use and which version. I tried ubuntu 12.04, 11.10 and 10.04, and I got the same bulk transfer errors. I also tried to connect to a usb hub or directly to my laptop, but it didn’t help.
Unfortunately, that’s exactly what I get. I, too, have a UG802 and I also tried to use rkflashtool for it (you need to shorten two pins on the board, then 2207:300a appears). But all I get is the same “unrecognised status code 1”. As it won’t even transfer a single byte, (“transferred = 0”), I also tried to read first, but that doesn’t do anything. I simply can’t get it to work and I don’t know why. So for my Cube U30GT it works, for my UG802 it doesn’t.
Thanks for the info. That means my computer and libusb are fine. I tried to use the old libusb-0.1.12 (similar rkflash tool using old libusb from here: https://github.com/Ithamar/rkutils), which doesn’t return errors during bulk transfers, but there were no data in the input/output buffer.
Some progress on UG802. I switched to the recovery mode via android terminal:
su
reboot bootloader
(requires rooted UG802). This also enables the USB device 2207:300a without shortening the pins. Then I used the Ithamar’s rkutils (see link in my previous post) to read the flash and I got this result:
PARM[^B^@^@FIRMWARE_VER:4.0.4
MACHINE_MODEL:rk30sdk
MACHINE_ID:007
MANUFACTURER:RK30SDK
MAGIC: 0xXXXXXXXX
ATAG: 0x60000800
MACHINE: 3066
CHECK_MASK: 0x80
KERNEL_IMG: 0x60408000
#RECOVER_KEY: 1,1,0,20,0
CMDLINE: console=ttyFIQ0 androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00008000@0x00008000(boot),0x00008000@0x00010000(recovery),0x000C0000@0x00018000(backup),0x00040000@0x000D8000(cache),0x00100000@0x00118000(userdata),0x00002000@0x00218000(kpanic),0x000A0000@0x0021A000(system),-@0x0033A000(user)
heya there, found this very usefull.I dont own this device yet, but in a few days with hope. While I understand most of the stuff written here, I’m quite a beginner at rooting android device but I did it sucessfully two time on two different device (woot =p).
My question is can is use the same CWM-superSU-v0.92 software I used already ? (su.arm and superuser.apk)
as you see my trouble isnt a big one =)
Thanks a lot for this guide!
I can confirm that reading the flash according to these instructions works on a Fedora 15 Linux box. The tablet is a TreckStor Ventos 9.7 (RK3066).
You probably can. Just try and see if it works.
Cool guide, thank you! Worked well for MK806 mini-pc (RK3066)!
Hi dawe, may you please provide the tools and procedures, that you have used for MK808 for the whole community ?
(http://www.freaktab.com/forumdisplay.php?110-Android-TV-Players)
I follow this guide, make backup, make changes, write back, superuser app show up however i still haven’t root permissions so i write backup to device and… now i am stuck on boot, on first, non-moving screen. I have second exactly same tablet to read data, but when i read system and write it to mine tablet, problem still occur. Help!
I have a Nextway F9 tablet, also based on RK3066. I have succeeded in reading the ROM, but when I flash it back, the tablet doesn’t boot, it’s just stuck on the first splash (the non-moving one), even if I flash the original thing back to the same offset and everything. Even what I read back from the tablet is the same as the one I read before flashing. Can someone please advise me where to look for errors or what could possibly have gone wrong?
I can experiment with it freely as the rk batch tool still flashes everything back to normal.