While still running an older OS, I did the following:
$ sudo apt install mtd-utils
$ wget https://github.com/starfive-tech/VisionFive2/releases/download/VF2_v3.6.1/u-boot-spl.bin.normal.out
$ wget https://github.com/starfive-tech/VisionFive2/releases/download/VF2_v3.6.1/visionfive2_fw_payload.img
$ ls -l u-boot-spl.bin.normal.out visionfive2_fw_payload.img
-rw-r--r-- 1 user user 147336 Aug 31 12:07 u-boot-spl.bin.normal.out
-rw-r--r-- 1 user user 2969989 Aug 31 12:07 visionfive2_fw_payload.img
$ sha1sum u-boot-spl.bin.normal.out visionfive2_fw_payload.img
72382a6e4944961fc4b20ca146bce9636b559daf u-boot-spl.bin.normal.out
8f7aa8f33b7f00a5a492597f1f742bcba4f1a169 visionfive2_fw_payload.img
$ md5sum u-boot-spl.bin.normal.out visionfive2_fw_payload.img
e8570dd7b2d4e988698ca0de422f0861 u-boot-spl.bin.normal.out
ed7bd86fa97ebcbc39efedd99df3db96 visionfive2_fw_payload.img
(I always use two or more checksums because the odds of one file being corrupt and matching two different hashing algorithms is basically zero. And if someone was deliberately trying to force two different files of the same size to have the same hash (a hash collision), it is next best thing to impossible with two or more different hash functions.
$ sudo flashcp -v u-boot-spl.bin.normal.out /dev/mtd0
$ sudo flashcp -v visionfive2_fw_payload.img /dev/mtd1
I would validate the checksums/hashes before I would attempt to write the image file to a MicroSD card:
$ ls -l starfive-jh7110-202308-SD-minimal-desktop.img
-rw-r--r-- 1 user user 4194304000 Aug 31 12:07 starfive-jh7110-202308-SD-minimal-desktop.img
$ sha1sum starfive-jh7110-202308-SD-minimal-desktop.img
530e05fe9e819583b8c638edd266617a8cf1af77 starfive-jh7110-202308-SD-minimal-desktop.img
$ md5sum starfive-jh7110-202308-SD-minimal-desktop.img
8bfe66dc1c262dbcbc2da4f326d6e85d starfive-jh7110-202308-SD-minimal-desktop.img
$
Once happy that the files were valid, I would find out the device name of my newly inserted MicroSD card (Inside USB to SD card adapter) and overwrite it. I used sdX below because your new/older MicroSD card that you are about to overwrite could be /dev/sda /dev/sdb, /dev/sdc, /dev/sdd, … Whatever it shows up as you will probably know it by the size, just be careful not overwrite the storage for the OS you are using.
$ lsblk
sdX 8:32 1 58G 0 disk
└─sdX1 8:33 1 57.9G 0 part
$ wipefs --all --backup /dev/sdX
$ sudo dd if=./starfive-jh7110-202308-SD-minimal-desktop.img of=/dev/sdX bs=4M status=progress conv=fdatasync
4190109696 bytes (4.2 GB, 3.9 GiB) copied, 258 s, 16.2 MB/s4194304000 bytes (4.2 GB, 3.9 GiB) copied, 258.458 s, 16.2 MB/s
1000+0 records in
1000+0 records out
4194304000 bytes (4.2 GB, 3.9 GiB) copied, 292.309 s, 14.3 MB/s
$ sync
$ sync
$ sync
I’m lazy so I expand the 4th partition here (Inside USB to SD card adapter) before I boot from it.
$ sudo e2fsck -f -y -v -C 0 /dev/sdX4
I used step 2 from the official StarFive guide to change the partition size.
$ sudo resize2fs -p /dev/sdX4
$ sudo eject /dev/sdX
After I boot for the first time I record what packages were initially installed. With either of the following two commands:
$ apt list --installed > .clean_install_packages-a.txt
$ dpkg --get-selections '*' > .clean_install_packages-b.txt
And then I deliberately block my ability to upgrade any of the packages that were initially shipped with the image (which in reality would be a downgrade because it would remove patched functionality):
$ dpkg --get-selections '*' | wc -l
$ sudo apt-mark hold `dpkg --get-selections '*' | awk '{print $1}' | xargs`
Here is a list of some common hashes for the critical files:
File: u-boot-spl.bin.normal.out (from github)
Size: 147336
CRC-32: a88ec8be
MD5: e8570dd7b2d4e988698ca0de422f0861
SHA-1: 72382a6e4944961fc4b20ca146bce9636b559daf
SHA-256: 61e7a47a7a7838d9ecdea66b8a966168026edd01b3899600fbc7fd7415e0a331
SHA-512: 80fac119a65987ca4d53a23cff7f5e2c732792e183c388436b41d96557239b467419c8544999604196b6ac6ab54bbe518fe53a792d4f6e3023d52dd87c5a9697
SHA3-256: bdd9b656bedd477e878907a2e3cdb656cc5774ed62144a19bc5e3f9de3bb3ada
SHA3-512: 6427a92f00379e9e8a160c319c0c81c3bb20e3ee48855ea550038c750ee0d7f5c57c4a4fa68627eb593e29b39e983f1a3b3a53eba213c6f7b18609cee5276a69
BLAKE2: 3025df18127a8d0cf7d13ef34f8a03e9768dd1ee0bbeeb2f869af5ac073e908a6fb704fecc5c777884089f06170fbe86b145224ff65cea9cdf2c38d604b6b36b
BLAKE3: 66fa32e5222207de1be4f1aacb34104525fd56a1d9154cac5d354ab390e1cb25
File: visionfive2_fw_payload.img (from github)
Size: 2969989
CRC-32: 49462c16
MD5: ed7bd86fa97ebcbc39efedd99df3db96
SHA-1: 8f7aa8f33b7f00a5a492597f1f742bcba4f1a169
SHA-256: 86e0c0eb536e734b200cad0665ba1725e1d8c730698304fd044a0e0c6fe85b4f
SHA-512: b707acfc109df773b908f8e388a9c4bb9638bc13b569c332ac043d8105588f95672bfef6a2a9b8c2b7c7dc25e541d9a24ba9374d927379ca86e6b0cbed70e46b
SHA3-256: 4cdd42c3b8d154ce7739bd6c9d1aa87527a40b3656be6d042e426390e6b3c667
SHA3-512: aa892d5728b02da7aaef3592cb55a0d70249a2e624b03fe2904fe535af75fb92c8528f1331bfe593f86bec9a9616eeceef9c02330b2d8e1cf5baed8a532f66e5
BLAKE2: 9ffd9a10199e4b49e5e3920a1f6370b165104fef598b85bc6a677c43168dee0bd0fb40a573886daef84e9b2786f4fb59eec0bdba1575bd64ad00ec5f1114ce25
BLAKE3: 43501c38b3e1bdd4adc03fe3d347f05678939ef708af4cae2e4a2e091d004ccd
File: starfive-jh7110-202308-SD-minimal-desktop.img.bz2 (from OneDrive)
Size: 1143636944
CRC-32: 9614123f
MD5: 583fa6d0864cf941305babb0b570bf62
SHA-1: 35aafa5a363f91234a262737525cf43a38e29884
SHA-256: 1c64d835e99da364a6d19d1e697bdc1a48031218a824b2124d98785406f8e28a
SHA-512: 7d619df253b3ad2ce6a688e8a3a7d32d498d7162b89a24353c426d429252b48f3c590b6ed74237489227136bcb5bb52ba3cae69e22fe54bd7575410c25bd4d16
SHA3-256: 9bfd9e4bfff455465ec741a7a9cddf8f93f8dc7fcb665bab53e32439bb287677
SHA3-512: 0f00bda52f0f0e1e6d748e6bc108ab993ad0c6271f9af3875b3d1b970d274668b4ae82b6ccd06b4aad1dd204cba718c80ba35f5d73f57f66a645caa2525757b7
BLAKE2: 7046435aecaead34b5ee8d95ddd44c3a5e8fdde1f5df92b15d546a73329969ce982d11ef9631c20ab721981f0ad1486040c22b28ff347b0efa28d8093b416c03
BLAKE3: 70f343e286fa9d5e6cf50b7ddcdd68d5a017eac41e4dca85d007909d6002d0b4
File: starfive-jh7110-202308-SD-minimal-desktop.img (decompressed)
Size: 4194304000
CRC-32: 8a7b33a0
MD5: 8bfe66dc1c262dbcbc2da4f326d6e85d
SHA-1: 530e05fe9e819583b8c638edd266617a8cf1af77
SHA-256: c7de6337bf67c05dfeead131911734f32c028b1b59ca5c61c83ce51051a9a2f4
SHA-512: e435d9171eb1a63735b69f6e9baf4613139d1a666f37aaa0bd75e65d41f0f4916063b1673bf3435780024c98a94743f9204be4dbc60f7b1c463631cd830da324
SHA3-256: e6def0696feffb9ae297abff49240d3e6b8ccaf670a0c20623ee9574f4e43c11
SHA3-512: 9ca6e2444feaabd6fcf056e4f6ca3a3d6715c13c656ab908b78a771cee24928ac2f67447dc33cca650a4b58cfe33f78d4d6b424e53ed2d9e3b6c9469d2e1d538
BLAKE2: 797dd6c740e38978dd82b2002bcf9acfc60eaa8d324f8698cda76e410ec5c0769c9667f4ea8f0ed8e0a7749e85a08299d2b80db0a8798564c9c9f68f3c61c730
BLAKE3: 43943f9643cd4afa0aa1359de7bb3292838f3cc17b210834fd3597919c5a89b9
I always like to see the hashes/checksums of files distributed through a different communication channel that the actual files. If someone gains access to modify files, they can easily change the hashes at the same time, if they are both distributed from the same location. But two different channels of communication makes it a tiny bit harder to compromise both simultaneously. And it also means that any malicious modifications will probably be noticed much faster.