[ SOLUTION ] [ MTK ] Fix Touch Not Working in TWRP / Philz Due to Touch Being Disabled in the Kernel

In this tutorial, I'm going to show how I managed to patch the kernel to enable touch in TWRP / Philz recovery.

WARNING :






Requirements :




Important Notice :


  • You can use a terminal emulator from the Play Store to run the ADB commands; see this post
  • Explanation of the ADB commands; see this post.
  • How to check whether your phone uses the GT** driver; see this post
  • How to find the right end address of the compressed kernel, or what to do if you encounter errors while trying to decompress the kernel; see this post
  • How to check whether your device runs a 32-bit or 64-bit OS; see this post
  • If your phone uses AArch64 (ARMv8), make sure to see this post for the hex values to modify; if IDA isn't working for you, you can use the Hopper disassembler
  • On a Linux or Mac PC, you can use the Hopper disassembler from https://www.hopperapp.com
  • If you're using IDA x64 (the 64-bit version), you might encounter Python-related error messages; check this post
  • Patching 64-bit kernel instructions; see this post



Steps on how to patch the kernel to enable touch in TWRP / Philz recovery:

1. Extract Android Image Kitchen & paste your "recovery.img" into the folder
2. Double click on >> "unpackimg.bat"

3. After that your image will be unpacked and divided into two folders:
>> ramdisk
>> split_img << "zImage" is the kernel image and will be found in the "split_img" folder

4. Open "recovery.img-zImage" (the kernel) using 7zip, then click on "Info"



5. It will display the compression method used to compress the kernel (in my case GZ) along with a warning about payload data. Also take note of the "Packed Size" because you'll need it later on, then exit 7zip



6. To get a decompressable kernel, we need to remove the extra data before the kernel and the extra data after the kernel using the HxD editor
7. Open recovery.img-zImage using the HxD editor (you can also just drag the file onto the HxD window)



8. We're going to use the file signature of GZ (gzip) to search for the start and end address of the kernel within this file
9. Once the file is opened, click at the beginning of the middle section (the middle section is the hex view), then click Search > Find



10. In the search window, click the Hex-Values tab


Code:
Search for: 1F 8B 
Direction: forward
then click OK



Note: the value "1F 8B" is the file signature (magic number) of gzip; if your kernel uses a different compression method, search online for that format's file signature.




11. The found item will be highlighted



12. Now select and highlight everything before the found values, back to the beginning of the file, then right click and Cut (this removes the values from the file). If the found values are at the very beginning of the file, there is no extra data in front of the kernel, so you can skip this step and the next 3 steps



13. Press Ctrl + N in HxD to create a new empty file



14. Click on Edit > Paste write; the contents you cut will be pasted into the new window. Then click File > Save As and save this file under a name that is easy to remember, e.g. "begin of extra kernel data"



15. Now that we've removed the extra data at the beginning of the file, the next step is to remove the extra data at the end
16. Return to the recovery.img-zImage window in HxD, click at the beginning of the middle section (the hex view), then click Search > Find > Hex Values

Code:
Search for: 6D 65 64 69 61 74 65 6B 2C 4D 54
Direction: forward
then click OK


Note: the value "6D 65 64 69 61 74 65 6B 2C 4D 54" (the ASCII string "mediatek,MT") is not the end address itself, but we'll use it as the starting point to find the actual end address.

17. The found item will be highlighted. Now scroll up a little and you'll find a blank (all 00) area like in the screenshot below.
18. Look closely at the blank space: just before it I have E2 00 as the end of my kernel, and everything after that is extra data (yours might be different, but keep the last two 00 bytes before the non-zero values; the last four bytes of a gzip member are its uncompressed size in little-endian order, which is why a kernel under 16 MB ends in a 00 byte that still belongs to the kernel)



19. Now select and highlight everything just after those values (E2 00 in my case) up to the very end of the file, then right click and Cut (this removes the values from the file)



20. As before, press Ctrl + N in HxD to create a new empty file, then click on Edit > Paste write; the contents you cut will be pasted into the new window. Then click File > Save As and save this file under a name that is easy to remember, e.g. "end of extra kernel data"
21. Now save the recovery.img-zImage file: click File > Save (this saves the changes you've made, and the colour in HxD should go from red to black)



22. Now close recovery.img-zImage in HxD, then open it with 7zip > click Info to confirm the file no longer gives the extra payload error. If it doesn't, simply extract the contents using 7zip

23. Now we need to dump the kernel symbols from the phone and get the touch driver entry point (probe function address) using ADB. Launch an ADB window and type the commands below, pressing Enter after each line


Code:
adb shell
su
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms >/sdcard/symbl.txt
cat /proc/kallsyms | grep tpd_i2c_probe
exit
exit
adb pull /sdcard/symbl.txt



NOTE: each exit command leaves su and then adb shell, reverting to the regular adb prompt so you can run adb pull



24. The above commands save the symbols as symbl.txt on your phone and then copy it to the adb folder on your PC; the grep command displays the address of the touch driver's probe function. Note down this address somewhere; in my case I have "c06c4348"
25. Now launch IDA Pro > File > Open > locate the kernel~ file you extracted in the previous steps and open it
26. Set the processor type to ARM little-endian (ARM), leave the remaining values as they are, then click OK
27. Next change the values of "ROM start address" and "Loading address" to the value for your kernel below, leave the rest as they are, then click OK


Code:
32 bit = 0xC0008000
64 bit = 0xFFFFFFC000080000




28. You may get the message "IDA can not identify the entry point automatically as there is no standard of binaries"; click OK to proceed
29. Now wait until IDA has loaded the kernel file completely: watch for the yellow circle turning green. Once it's green, IDA is done loading
30. Click File > Script file... then navigate to and select the kallsyms_loader.idc you downloaded. After the script is loaded, IDA will ask for the symbols; select the symbl.txt file we pulled from the phone earlier on.
31. Wait until IDA has loaded everything completely



32. Right click on the yellow marked section and select "Jump to address" > type in the address you got from ADB (mine is "c06c4348"), then press Enter



33. This takes us to the code that decides whether touch is loaded or not, depending on whether the phone is booted into recovery or into normal boot.



34. get_boot_mode <<< this function checks whether the phone is in recovery mode or normal boot mode.


Code:
#2 is for recovery
#0 is for normal boot.
If get_boot_mode returns 0, the touch driver is activated, because the kernel thinks the phone is doing a normal boot.



35. In IDA, click Options > General > Disassembly tab > Number of opcode bytes: 6, then click OK



36. You'll notice the yellow marked section now shows hex values next to the instructions
37. We need to note down at least 4 - 5 lines of these hex values. In my case I have the values below


Code:
02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3



38. Close IDA and relaunch the HxD editor, then open the extracted kernel~ file in HxD
39. Once the file is opened, click at the beginning of the middle section (the hex view), then click Search > Find > Hex Values


Code:
Search for: the hex values you noted down in the previous step (in my case "02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3")
Direction: forward
then click OK




40. Once found, change the first byte from 02 to 00 (this turns the CMP R0, #2 recovery-mode check into CMP R0, #0), then save. Patching is done; now it's time to recompress



41. Return to the top offset (the start of the file) in HxD; we need to take note of certain details needed in order to compress. Close HxD once you're done


Code:
1) The default gzip file signature (1F 8B).
2) The parameters or properties of the compressed gzip file.
3) There is no name of the compressed file in the header.



Explanation of points 2 and 3.
  • Point 2: the 3rd byte (offset 02) of a gzip file always denotes the compression method; in my case it's 08, which means the "Deflate" compression method. The 9th byte (offset 08) denotes the compression level flag; in my case it's 02, which means "maximum compression".

  • Point 3: when we gzip the kernel, the output header must match the original, which stores no file name, so 7zip (which stores the name) cannot be used to compress it. So make sure to use gzip for Windows.



42. Gzip is a command line tool, so we must use it within CMD or PowerShell
43. Open the bin folder within the extracted gzip, hold the Shift key, right click and select "Open command window here" or "Open PowerShell window here"
44. Type the command below and press Enter to compress the kernel back to GZ


Code:
gzip -n -k -9 "C:\Users\Sachin\Downloads\Android Image Kitchen\gzip kernel~"



Remember points 2 and 3 from the previous steps; this is where they play their part:
-n: store no file name (and no timestamp) in the gzip header
-9: maximum compression
-k: keep the original file, i.e. the uncompressed kernel won't be deleted in case you need it again
Set the file location to the location on your PC; if the path to your kernel contains spaces, you must enclose it in double quotes ""
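As an added example (not part of the original guide), the Python parser below decodes the gzip header fields that points 1 to 3 and the -n / -9 flags refer to: the 1F 8B signature, the compression method at offset 02, the XFL level byte at offset 08 and whether an original file name is stored. Running it over the recompressed kernel confirms the header has the same shape as the original before you compare packed sizes.

```python
import struct

FLAG_NAMES = {1: "FTEXT", 2: "FHCRC", 4: "FEXTRA", 8: "FNAME", 16: "FCOMMENT"}
XFL_NAMES = {2: "maximum compression (-9)", 4: "fastest (-1)", 0: "default"}


def parse_gzip_header(gz: bytes) -> dict:
    """Decode the gzip header (RFC 1952): the fixed 10 bytes plus optional fields.
    Offsets match the guide: 00-01 signature, 02 compression method (CM),
    03 flags (FLG), 04-07 mtime, 08 extra flags (XFL), 09 OS; an FNAME field
    (what 'gzip -n' leaves out) follows the fixed header when FLG bit 3 is set."""
    if gz[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip file: missing 1F 8B signature")
    cm, flg, mtime, xfl, os_code = struct.unpack("<BBIBB", gz[2:10])
    if cm != 8:
        raise ValueError(f"unsupported compression method {cm:#04x} (expected 08 = deflate)")
    info = {
        "method": "deflate",
        "flags": [name for bit, name in FLAG_NAMES.items() if flg & bit],
        "mtime": mtime,
        "level": XFL_NAMES.get(xfl, f"xfl={xfl:#04x}"),
        "os": os_code,
        "name": None,
    }
    pos = 10
    if flg & 4:  # FEXTRA: 2-byte little-endian length, then that many bytes
        pos += 2 + struct.unpack_from("<H", gz, pos)[0]
    if flg & 8:  # FNAME: zero-terminated original file name (stored by 7zip, omitted by gzip -n)
        end = gz.index(b"\x00", pos)
        info["name"] = gz[pos:end].decode("latin-1")
        pos = end + 1
    if flg & 16:  # FCOMMENT: zero-terminated comment
        pos = gz.index(b"\x00", pos) + 1
    if flg & 2:  # FHCRC: 16-bit header CRC
        pos += 2
    info["data_offset"] = pos  # where the deflate stream starts
    return info


def looks_like_original(gz: bytes) -> bool:
    """The header shape the guide expects after 'gzip -n -9': deflate, no name, XFL 02."""
    h = parse_gzip_header(gz)
    return h["name"] is None and h["level"].startswith("maximum")
```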



45. Once compression is done,

46. Open the newly compressed file using 7zip, then click Info and check that the "Packed Size" matches the original file (the value you noted earlier on)
47. If it doesn't match the original, e.g. the packed size is 1 byte smaller, open the uncompressed kernel in HxD > scroll down to the end and append "00" in the hex section > re-compress to GZ and check whether the new packed size matches. (The packed size must match that of the original or the recovery won't boot)
48. Once the packed size matches, you can proceed to the next step
49. Launch HxD and open the files you saved earlier on:
  • "begin of extra kernel data",
  • "end of extra kernel data"
  • the newly GZ-compressed kernel file from the previous step

50. Select and copy everything from the newly GZ-compressed kernel (shortcut keys: Ctrl + A, then Ctrl + C)

51. Paste the copied data at the very end of "begin of extra kernel data" in HxD

52. Next, select and copy everything from "end of extra kernel data", paste it at the end of the newly modified "begin of extra kernel data", then Save As "recovery.img-zImage"
53. So what you have now is "begin + kernel + end"

54. Copy the new "recovery.img-zImage" file into the split_img folder within Android Image Kitchen

55. Repack the recovery by double clicking on >> "repackimg.bat"

56. Now you can test the new patched custom recovery by flashing it to the recovery partition and checking whether touch now works
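As an added example (not from the guide or any tool it names), the Python script below does steps 6 to 22 and 40 to 53 in one pass: it locates the gzip member inside recovery.img-zImage, lets zlib report exactly where the member ends instead of hunting for "mediatek,MT" by hand, applies the byte patch only if the opcode pattern is unique in the kernel, and recompresses with the same header settings as gzip -n -9, padding with 00 bytes until the packed size matches the original (steps 47 and the 64-bit note). It assumes Python's zlib in place of the gzip for Windows binary, so a packed size that cannot be reached means the original was made with a different deflate implementation; the same functions take the 64-bit section's 1F 08 00 71 pattern.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1 ID2 CM=8: the "1F 8B" signature from step 10, plus deflate
# Opcode bytes from steps 37/40 of the guide (the author's kernel; yours will differ).
PATTERN_32 = bytes.fromhex("02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3")
PATCHED_32 = b"\x00" + PATTERN_32[1:]  # CMP R0,#2 -> CMP R0,#0


def split_zimage(blob: bytes):
    """Return (head, gzip member, tail) of an image that embeds a gzipped kernel.
    zlib inflates the member and reports where its CRC32/ISIZE trailer ends
    (unused_data is everything after it), so no trial and error around
    'mediatek,MT'. A false hit on the magic bytes inside the head is skipped."""
    pos = blob.find(GZIP_MAGIC)
    while pos >= 0:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
        try:
            d.decompress(blob[pos:])
            if d.eof:
                end = len(blob) - len(d.unused_data)
                return blob[:pos], blob[pos:end], blob[end:]
        except zlib.error:
            pass  # not a real gzip member; keep searching
        pos = blob.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no complete gzip member found in the image")


def patch_unique(kernel: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Same-length byte patch that refuses to guess when the pattern is not unique."""
    if len(pattern) != len(replacement):
        raise ValueError("patch must not change the kernel length")
    first = kernel.find(pattern)
    if first < 0:
        raise ValueError("pattern not found; re-check the opcode bytes from IDA")
    if kernel.find(pattern, first + 1) >= 0:
        raise ValueError("pattern occurs more than once; note more opcode bytes")
    return kernel[:first] + replacement + kernel[first + len(pattern):]


def recompress_to_size(kernel: bytes, packed_size: int, max_pad: int = 512) -> bytes:
    """'gzip -n -9' equivalent (no name, zero mtime, level 9); append 0x00 bytes
    until the packed size equals the original member's, as steps 47 and the
    64-bit note do by hand. zlib's deflate need not match the gzip build that
    made the original, so a failure here means 'use that gzip', not 'pad more'."""
    for pad in range(max_pad + 1):
        gz = gzip.compress(kernel + b"\x00" * pad, compresslevel=9, mtime=0)
        if len(gz) == packed_size:
            return gz
    raise ValueError("could not reach the original packed size; recovery would not boot")


def patch_zimage(blob: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """begin + patched, size-matched gzip kernel + end (steps 49 to 53)."""
    head, gz, tail = split_zimage(blob)
    patched = patch_unique(gzip.decompress(gz), pattern, replacement)
    return head + recompress_to_size(patched, len(gz)) + tail
```

For a real image, read recovery.img-zImage into `blob`, call `patch_zimage(blob, PATTERN_32, PATCHED_32)` with your own opcode bytes, and write the result back into split_img before running repackimg.bat.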

Patching 64-bit Kernel :

1. This is the original kernel of a Tecno CX Air, which uses AArch64 (64-bit), that I'm using as an example



2. Right click on the file >> 7-Zip >> Open archive >>



3. Remove the extra data at the end of the kernel; see this post
4. Recheck the packed size again: right click on the file >> 7-Zip >> Open archive >>



5. Extract it using 7-Zip and open the extracted file using IDA x64
6. In IDA, fill in the fields as shown in the screenshot below, then click OK


7. Fill in the fields again, then click OK


8. Right click the yellow highlighted section >> Jump to address >> input your driver loading address here (the address you got using ADB or from the symbl.txt file). In my case it is "FFFFFFC0006F3668"


9. If IDA shows undecoded bytes instead of instructions, do the next step; if not, skip it


10. Click Edit > Segments > Edit segment... > select the values below, then click OK (if a window pops up saying everything will be lost, click OK to proceed)

Code:
combination: public
segment bitness: 64 bit


11. Load the script and symbl.txt >> then look for the instructions below
Code:
BL    get_boot_mode
CMP   W0, #2



12. Go to the Hex View and copy out about two lines of hex values starting from the CMP (you will need them when searching)
Code:
1F 08 00 71 00 0A 00 54 00 00 00 90 A1 1F 40 F9 63 31 00 B0 E2 03 13 2A 00 70 2E 91 63 54 25 91
13. Search in the HxD editor for the values you copied from IDA's hex view



14. In the HxD editor, replace "1F 08 00 71" with "1F 00 00 71" (this turns CMP W0, #2 into CMP W0, #0)


Note:


  • While packing/compressing the kernel, the packed size came out 200-300 bytes smaller than the original file (after the payload data had been removed). (In the case of the Tecno CX Air)
  • To obtain the original packed size, I added around 300 bytes of random data with some "00"s at the end of the patched, uncompressed kernel and repacked it until the packed size matched.
  • The recovery won't boot until the packed size matches that of the original gz file (after the payload data has been removed).

15. Save the file and follow the main guide from step 41 onward.

In case you're wondering what the ADB commands are for, here's a quick explanation:


1. "adb shell" and "su"
adb commands to open a root shell on the phone from the adb window

2. echo 0 > /proc/sys/kernel/kptr_restrict
The kernel restricts the display of kernel addresses when dumping symbols (they are shown as zeros). This command removes the restriction

3. cat /proc/kallsyms >/sdcard/symbl.txt
The cat command reads the contents of "kallsyms" and writes them into a new file "symbl.txt"

4. cat /proc/kallsyms | grep tpd_i2c_probe
The cat command reads the contents of kallsyms, then the grep command filters everything else away and outputs any line containing "tpd_i2c_probe"

5. exit
This command terminates the current shell and returns one level down, e.g. going from 'root #' to 'shell $', or from 'shell $' back to adb

6. adb pull /*****
adb command for copying files from the phone to the PC


How to check the touch driver:

You can check for the GT* driver directly on your phone without a PC. I used the asterisk because the GT driver could be GT91xx or GT1xx, at least from the little we know, so try something like this:

Download a terminal emulator from the Play Store and run the command below; if using adb on a PC, you must run adb shell first

Code:
cat /proc/kallsyms | grep gt91xx
or
cat /proc/kallsyms | grep gt1xx


The output may look something like this (for the output below I used the first command, and you'll notice I have the GT91xx driver). If the output is blank, your phone doesn't have that particular driver

Code:
00000000 t gt91xx_config_read_proc
00000000 t gt91xx_config_write_proc
00000000 T gn_gt9x_gesture_func
00000000 T gn_gt9x_hall_key_callback
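Added example, not from the guide: a small Python helper for the symbol dump and the grep step above. It parses /proc/kallsyms text (a constructed sample is embedded), rejects a dump whose addresses are all 00000000 like the output just shown (kptr_restrict still set, or no root), finds the GT*/tpd symbols, and converts a symbol address to the offset inside the extracted kernel~ file, assuming the file is loaded at the address from step 27 as the IDA settings in the guide do.

```python
LOAD_ADDRESS = {32: 0xC0008000, 64: 0xFFFFFFC000080000}  # IDA loading address, step 27

# Constructed sample of /proc/kallsyms output, in the format the guide's commands print.
SAMPLE_KALLSYMS = """\
c0008000 T stext
c06c4348 t tpd_i2c_probe
c06c4400 t gt91xx_config_read_proc
c06c4500 T gn_gt9x_gesture_func
"""


def parse_kallsyms(text: str) -> dict:
    """Map symbol name -> (address, type) from /proc/kallsyms lines such as
    'c06c4348 t tpd_i2c_probe'; a trailing '[module]' column is ignored."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            syms[parts[2]] = (int(parts[0], 16), parts[1])
    return syms


def addresses_visible(syms: dict) -> bool:
    """False when every address is 0: the dump was taken with kptr_restrict still
    set (or without root), so it is useless for step 32 and must be redone."""
    return any(addr != 0 for addr, _ in syms.values())


def find_symbols(syms: dict, needle: str) -> list:
    """The 'grep' step: every symbol whose name contains needle, with its address."""
    return sorted((name, addr) for name, (addr, _) in syms.items() if needle in name)


def kernel_file_offset(addr: int, bits: int) -> int:
    """Offset of a symbol inside the extracted kernel~ file when the file is
    loaded at LOAD_ADDRESS[bits], i.e. what IDA's 'jump to address' lands on."""
    base = LOAD_ADDRESS[bits]
    if addr < base:
        raise ValueError(f"{addr:#x} lies below the load address {base:#x}")
    return addr - base


def touch_probe_offset(text: str, bits: int = 32, symbol: str = "tpd_i2c_probe") -> int:
    """Steps 23/24 plus 27 in one go: dump text -> file offset of the touch probe."""
    syms = parse_kallsyms(text)
    if not addresses_visible(syms):
        raise ValueError("all addresses are 0: run 'echo 0 > /proc/sys/kernel/kptr_restrict' as root first")
    return kernel_file_offset(syms[symbol][0], bits)
```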

How to find end of compressed kernel :


Finding the start address of the gzip data is pretty easy using the file signature (magic number), but the end address is a little more difficult and requires a trial and error approach. When trying to find the end of the compressed kernel, there are two likely errors you might run into. This post aims to help fix these errors. I'm using boot.img-zImage from a Tecno CX Air as an example here, but it's applicable to others as well

Two possible errors encountered while trying to decompress the kernel using 7zip:
  • There are some data after the end of the payload data
  • Unexpected end of data

How to fix the 7zip kernel decompression error messages:

1. Open the file using HxD
2. As usual, we'll search for the hex value "6D 65 64 69 61 74 65 6B 2C 4D 54"; remember, this is not the end address of the gzipped kernel, but it's the closest point we can use to get the real end address

3. Now we'll start selecting / highlighting and cutting bytes from this point (you can paste them into a new file so as not to lose what you cut), save the file and try extracting it using 7zip
4. If you get the error message "There are some data after the end of the payload data", it means you still need to remove more bytes from the end of the file


5. But if you get the error message "Unexpected end of data", it means you've removed more than you should have. Simply undo and try removing less than you removed previously


How to check Android OS / Kernel Bit Type :

  • Download the Antutu Benchmark apk from the Play Store
  • Launch Antutu
  • Click "My Device"
  • Look under "Android" and you'll find the OS Bit type

If you're using IDA x64 (the 64-bit version), you might encounter Python-related error messages;

The 3 most common IDA error messages and their fix.
I encountered the first error while trying to use IDA x64 and the other two errors while trying to fix the first one. An easy fix on a Windows PC is to uninstall your current Python version, then install python-2.7.10.amd64.msi from https://www.python.org/downloads/release/python-2710/
When installing, make sure to tick "for all users" and "add to path"

IDA error messages

  • LoadLibrary (C:\Program Files\IDA\plugins\python*.dll) error: The specified module could not be found. C:\Program Files\IDA\plugins\python.dll: can't load file

  • LoadLibrary (C:\Program Files\IDA\plugins\python*.dll) error: %1 is not a valid Win32 application

  • IDAPython: importing “site” failed

Don't forget to share if you have other methods of fixing these or any other error messages



Credits :



  • Wikipedia, mostly for useful info concerning gzip

  • Myself (for doing a whole lot of research and patching the original guide on GitHub to make it work)

Comments

  1. How to modify Philz/CWM Recovery for Jio Phone other models...

    Replies
    1. See this story; I explained it all in one survival + porting guide.
      https://factopea.blogspot.com/2020/05/one-day-with-jio-phone-f90m-story-of.html

  2. This comment has been removed by the author.

  3. Sir, I tried to port the Micromax ROM in JioPhone F30C, F50Y, LF2403n but it suddenly restarts after booting. But in a few models like F90M, F220b, F120b this is working perfectly. I am not able to figure out the exact cause of the rebooting. Sir, if this is a kernel fault then please help us for further development. We will be thankful to you.

  4. Sir, please reply if you see my comments. I have tried for 2 months and still did not succeed.

