Login

SachinBorkar · 24-03-2019, 07:41 PM

In this tutorial, i'm going to show how i managed to patch kernel to enable touch in recovery TWRP / Philz.

WARNING

This worked for me and with my results, i've posted a working TWRP with touch @ https://www.hovatek.com/forum/thread-27138.html . You can try on your device if you wish and let us know if it works for you or not, but there's no guarantees it will work on your phone.

Requirements

Your phone must be rooted
Download Android Image Kitchen @ https://forum.xda-developers.com/showthr...?t=2073775
Download & install 7-zip @ https://www.7-zip.org/
Download & install HXD hex editor @ https://mh-nexus.de/en/hxd/
Download & install IDA Pro @ https://getintopc.com/softwares/disassem...d-6782632/
Install ADB & fastboot on your PC @ https://www.hovatek.com/forum/thread-588.html
Download kallsyms_loader.idc @ https://mega.nz/#!kg1UDSLS!5S1w3nuOPnXFS...49E7zoHEks
Download & extract Gzip for windows @ https://sourceforge.mirrorservice.org/g/...-1-bin.zip
You can download the full tutorial in PDF format (the guide on this thread has more info though) @ https://mega.nz/#!HThWEAoQ!DRA1J2gDkd7kP...FlveufwOvY

Important Notice

You can use terminal emulator from playstore to run ADB commands; see this post
Explanation of the ADB commands ; see this post
how to check if your phone uses the GT** driver? ; see this post
how to find the right end address of an uncompressed kernel or you're encountering errors while trying to decompress kernel? ; see this post
how to check if your device runs 32 / 64 bit OS? ; see this post
If your phone uses AArch64 (ARM v8) then ensure to see this post for the hex values to modify & if IDA isn't working for you, you can use Hopper disassembler
On linux or MAC PC, you can use Hopper disassembler @ https://www.hopperapp.com
If you're using IDA x64 (64 bit version), you might encounter python related error messages ; check this post
If this procedure seems too difficult, lengthy or practically impossible to follow; see alternative methods

Steps on how to patch kernel to enable touch in recovery TWRP / Philz

Extract Android Image Kitchen & paste your recovery.img into the folder
Double click on >> unpackimg.bat
After that your Image will Unpack and divides in two folders
>> ramdisk
>> split_img << zImage is kernel image and will be found in split_img folder
Open recovery.img-zImage (kernel) using 7zip then click on "Info"
It will display compression method used to compress the kernel (in my case i have GZ) along with a warning about payload data. Also take note of the "Packed Size" cause you'll need this later on then Exit 7zip
To get a decompressable kernel, we need to removed extra data before kernel & extra data after kernel using hxd editor
Open the recovery.img-zImage using HXD editor (you can also just drag the file onto HXD window)
We're going to use the file signature of GZ (gzip) to search for the start and end address of kernel within this file
Once the file is opened, click the beginning of the middle section (the middle section is the one in hex view) then click Search > Find
In the search window, click Hex-Values tab

Code:
Search for: 1F 8B Direction: forward then click OK note this value "1F 8B" is the file signature (magic number) for GZ and if your kernel has a different compression method, you may search online for the file signature online)
The found item will be highlighted
Now select and highlight everything just before the found values till the beginning of the file then right click and CUT (this will remove the values from the file). If the found values are at the very beginning of the file then there's no extra data in front of the kernel so you can skip this step & the next 3 steps
Press Ctrl + N in HXD to create a new empty file
Click on Edit > Paste Write, the contents you CUT will be pasted into the new window then click File > Save As > save this file with something easy to remember e.g "begin of extra kernel data"
Now we've removed the extra data at the beginning of the file, next will be to remove the extra data at the end
Return back to the recovery.img-zImage window in HXD, click the beginning of the middle section (the middle section is the one in hex view) then click Search > Find > Hex Values

Code:
Search for: 6D 65 64 69 61 74 65 6B 2C 4D 54 Direction: forward then click OK note this value "6D 65 64 69 61 74 65 6B 2C 4D 54" is not the end address but we'll use from this point to get the actual end address)
The found item will be highlighted, Now scroll up a little bit and you'll find a blank space like in the screenshot below.
Look closely at the blank space, just before mine i have E2 00 as the end of my kernel, everything after this is extra data (yours might be different but leave the last two zeros 00 before the non zero values)
Now select and highlight everything just after the values (E2 00 in my case) till the very end of the file then right click and CUT (this will remove the values from the file)
As we did before, Press Ctrl + N in HXD to create a new empty file, then click on Edit > Paste Write , the contents you CUT will be pasted into the new window then click File > Save As > save this file with something easy to remember e.g "end of extra kernel data"
Now save the recovery.img-zImage file, Click File > Save (this will save the changes you've made and the color in HXD should go from red to black)
Now close recovery.img-zImage from HXD then open using 7zip > click Info to confirm the file no long has extra payload error. If it doesn't then simply extract the content using 7zip
Now we need to dump the symbols from phone and get the touch driver entry point (loading point) from the phone using ADB. Launch ADB window and type the commands below, press Enter key after each line

Code:
adb shell su echo 0 > /proc/sys/kernel/kptr_restrict cat /proc/kallsyms >/sdcard/symbl.txt cat /proc/kallsyms | grep tpd_i2c_probe exit exit adb pull /sdcard/symbl.txt NOTE: the EXIT command remove su and adb shell thus reverts everything back to regular adb so you can pull
The above commands will save symbols as symbl.txt on your phone then copy it over to your PC in adb folder and the last command will display the location of touch drivers, note down this address location somewhere. in my case i have "c06c4348"
Now Launch IDA Pro > File > Open > locate the kernel~ file you extracted in the previous steps and Open the file
Set Processor type as ARM little-endian (ARM) and leave the remaining values as they are then click OK
Next change the values of "ROM start address" and "Loading address", leave the rest as they are then click OK

Code:
32 bit = 0xC0008000 64 bit = 0xFFFFFFC000080000
You may get a message about "IDA can not identify the entry point automatically as there is no standard of binaries" click OK to proceed
Now you need to wait till IDA loads the kernel file completely, look out from when the yellow circle turns green. Once its green then IDA is done loading
Click File > Script file... then navigate to and select the kallsyms_loader.idc you downloaded, after the file is loaded IDA will request for symbols, now select the symbl.txt file which we pulled from the phone earlier on.
Wait until IDA loads everything completely
Right click on the Yellow marked section and select "jump to address" > type in the address gotten from ADB (remember mine is "c06c4348") then click Enter
Here it has taken us to where touch is been loaded or not depending if the phone is booted into recovery or normal boot.
Get_boot_mode <<< it checks whether it is recovery mode or boot mode.

Code:
#2 is for recovery #0 is for boot. If it got getbootmode = 0; then it will activate touch or touch driver basically thinking the phone is going into boot mode.
In IDA, click Options > General > Disassembly Tab > Number of opcode bytes: 6 then click OK
You'll notice the yellow marked section has changed to hex values
We need to note down at least 4 - 5 lines of this hex values. In my case i have the following values below

Code:
02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3
Close IDA and relaunch HXD editor then open the extracted kernel~ file using HXD
Once the file is opened, click the beginning of the middle section (the middle section is the one in hex view) then click Search > Find > Hex Values

Code:
Search for: the hex values you noted down from the previous step above (in my case it is "02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3") Direction: forward then click OK
Once found, modify the first value from 02 to 00 then save. Patching is done now time to recompress
Return back to the top offset in HXD, we need to take note of certain details needed in order to compress. Close HXD once you're done

Code:
1) It is default file signature by gz. 2) The parameters or properties of compressed gz file. 3) Here is no Name of compressed file.

Explanation of points 2 and 3.
- Point 2.
  the 3rd value (usually in offset 02) in gz file always denotes compression method
  In my case it's 08 which means "Deflate Compression method".
  
  the 9th value (usually in offset 08) denotes Compression type
  In my case it's 02 which means "Max compression"
- Point 3
  When we gzip any kernel the output file must have the same filename with the actual file kernel we're compressing
  It is clear that 7zip cannot be used to compress it. So ensure to use gzip for windows.
Gzip is a command line tool so we must use within CMD or powershell
Open the bin folder within the extracted Gzip, hold shift key then select open command prompt window or powershell window here
Type the command below and hit Enter to compress the kernel back to GZ

Code:
gzip -n -k -9 "C:\Users\Sachin\Downloads\Android Image Kitchen\gzip kernel~" remember the points 2 and 3 we noted in the previous steps, this is where they play their part -n this indicates the file should have no name -9 indicates max compression -k keeps the original file i.e the original file won't be deleted incase you need it set the file location to the location on your PC and if the folder location of your kernel has spaces then you must enclose with ""
Once compression is done,
Open the newly compressed file using 7zip then click INFO, check and ensure the "Packed Size" matches the original file (the one you took note of earlier on)
If it doesn't match the original file e.g the packed size is reduced by 1 byte, open the uncompressed kernel in hxd > scroll down to the end and add "00" in the hex section > re-compress back to GZ and check if the new Packed size matches. (The packed size must match that of the original or the recovery wont boot)
Once the packed size matches then you can proceed to the next step
Launch HXD, open the files you saved earlier on.
- "begin of extra kernel data",
- "end of extra kernel data"
- the newly GZ compressed kernel file in the previous step above
Select and copy everything from the newly GZ compressed kernel. (Shortcut keys is Ctrl + A then Ctrl + C)
Paste the copied data at the very end of "begin of extra kernel data" in HXD
Next, select and copy everything from "end of extra kernel data" then paste at the end of the newly modified "begin of extra kernel data" then Save As "recovery.img-zImage"
So what you've done now is "begin + kernel + end"
Copy the new "recovery.img-zImage" file into the split_img folder within Android Image Kitchen
Repack the recovery by double clicking on >> "repackimg.bat"
Now you can test the new patched custom recovery by flashing into recovery partition then check if the touch now works

Credits

Wikipedia mostly for useful info concerning gzip
Myself @SachinBorkar (for making a whole lot of research and patching some of the original guide on github to work)
If this helped you then click the thanks / rate button

**X3non** · 25-03-2019, 01:12 AM

(24-03-2019, 07:41 PM)SachinBorkar Wrote: ...
Any corrections may be appreciate.

If useful then thanks me.

Sent from my Titanium Vista 4G using Tapatalk

sunday is more or less rest day

we'll look into drafting the guide for you later today, you could specify your phone model and chipset too (will come in handy when people start complaining it doesn't work for them)

SachinBorkar · 25-03-2019, 03:03 AM

(25-03-2019, 01:12 AM)X3non Wrote:
(24-03-2019, 07:41 PM)SachinBorkar Wrote: ...
Any corrections may be appreciate.

If useful then thanks me.

Sent from my Titanium Vista 4G using Tapatalk

sunday is more or less rest day

we'll look into drafting the guide for you later today, you could specify your phone model and chipset too (will come in handy when people start complaining it doesn't work for them)

MT6735/37 more info embedded with guide.

Sent from my Titanium Vista 4G using Tapatalk

SachinBorkar · 25-03-2019, 10:00 AM

More info about gzip file format is Here :

http://www.onicos.com/staff/iz/formats/gzip.html

Sent from my Titanium Vista 4G using Tapatalk

xerxes · 25-03-2019, 05:17 PM

Hey bro I have two question for you sir my first question is:-

1) what is the exact processor type for Mediatek MT6737M ×64(64bit) processors can you tell me please?

Is that Arm big endian can i try using it?

2)Again can you tell me the start and execution address for Mediatek MT6737M ×64(64bit) processors, I think it is totally different from that off ×64(64bit).

My phone is:-

BRAND:-TECNO
MODEL:-TECNO CX Air
CHIPSET:-MT6737M 64bit
ANDROID:-7.0 Nougat
RAM:-2GB
ROM:-16GB

Please help me, I downloaded all the tool you just mentioned on the tutorial now I am waiting your answer.

Please........Please help me!

I want to have fully functional custom recovery. I am bored with flashing the recovery to boot partition and bla....bla

Sent from my TECNO CX Air using Tapatalk

SachinBorkar · 25-03-2019, 06:02 PM

(25-03-2019, 05:17 PM)Mikesew Wrote: Hey bro I have two question for you sir my first question is:-

1) what is the exact processor type for Mediatek MT6737M ×64(64bit) processors can you tell me please?

Is that Arm big endian can i try using it?

2)Again can you tell me the start and execution address for Mediatek MT6737M ×64(64bit) processors, I think it is totally different from that off ×64(64bit).

My phone is:-

BRAND:-TECNO
MODEL:-TECNO CX Air
CHIPSET:-MT6737M 64bit
ANDROID:-7.0 Nougat
RAM:-2GB
ROM:-16GB

Please help me, I downloaded all the tool you just mentioned on the tutorial now I am waiting your answer.

Please........Please help me!

I want to have fully functional custom recovery. I am bored with flashing the recovery to boot partition and bla....bla

Sent from my TECNO CX Air using Tapatalk

1 ]Try to see info of kernel image in 7z.
2 ] If your processor is 64 bit then use little aindian.
3] 0xFFFFFFC000080000 is starting address of 64bit kernel.

Sent from my Titanium Vista 4G using Tapatalk

xerxes · 25-03-2019, 06:24 PM

What about the execution address?

Sent from my TECNO CX Air using Tapatalk

SachinBorkar · 25-03-2019, 06:26 PM

(25-03-2019, 06:24 PM)Mikesew Wrote: What about the execution address?

Sent from my TECNO CX Air using Tapatalk

0xFFFFFFC000080000

Sent from my Titanium Vista 4G using Tapatalk

SachinBorkar · 25-03-2019, 06:28 PM

(25-03-2019, 06:26 PM)SachinBorkar Wrote:
(25-03-2019, 06:24 PM)Mikesew Wrote: What about the execution address?

Sent from my TECNO CX Air using Tapatalk
0xFFFFFFC000080000

Sent from my Titanium Vista 4G using Tapatalk

Here kernel starts to execute.

Sent from my Titanium Vista 4G using Tapatalk

xerxes · 25-03-2019, 06:29 PM

Does the start and execution address are the same?

Sent from my TECNO CX Air using Tapatalk

Login
Username:
Password:	Lost Password?
	Remember me
OR