Discovered the rkspi wrapper format during offline RC4 probing:
the RKNS-wrapper sector at 0x8000 is plaintext. Zero padding
fills 0x8200..0x85FF. Encoded metadata sits at 0x8600. The TPL
(DDR blob) starts at 0x8800 in plaintext -- not RC4 encrypted
as I first guessed.
New checks:
- TPL entry signature (0x01 0x00 0x00 0x14 = b +4 skipping header)
at offset 0x8800 -- catches silent TPL corruption
- optional --blob <path>: byte-by-byte compare SPI[0x8800:+len(blob)]
against a reference DDR blob file, reports sha256 + first-diff
offset on mismatch
Validated against stock SPI with stock blob (PASS, sha 13c04c4f),
patched SPI with patched blob (PASS, sha 85799151), and the
cross-pair (FAIL with diagnostics).
Closes the remaining gap in phase-1 static validation -- now
we catch not just |image has no idbloader| but also |image has
the wrong DDR bytes|.
Would have caught today|s 3-brick cycle (all-fb, midlate-fb, early-fb
bricked GenBook identically). Patched SPI images had 0xFF in the
entire idbloader region because u-boot|s mkimage silently failed
to produce idbloader-spi.img when the DDR blob grew by 548 bytes.
Static-only — no emulation yet. Phase 1 of the broader test-harness
task. Phase 2 will extend ddr_emu2 to execute TPL from SPI image
with stubbed MMIO.
test0r