24-03-2019, 07:41 PM
In this tutorial, I'm going to show how I managed to patch a kernel to enable touch in TWRP / Philz recovery.
WARNING
This worked for me and, with my results, I've posted a working TWRP with touch @ https://www.hovatek.com/forum/thread-27138.html . You can try it on your device if you wish and let us know whether it works for you, but there's no guarantee it will work on your phone.
Requirements
- Your phone must be rooted
- Download Android Image Kitchen @ https://forum.xda-developers.com/showthr...?t=2073775
- Download & install 7-zip @ https://www.7-zip.org/
- Download & install HXD hex editor @ https://mh-nexus.de/en/hxd/
- Download & install IDA Pro @ https://getintopc.com/softwares/disassem...d-6782632/
- Install ADB & fastboot on your PC @ https://www.hovatek.com/forum/thread-588.html
- Download kallsyms_loader.idc @ https://mega.nz/#!kg1UDSLS!5S1w3nuOPnXFS...49E7zoHEks
- Download & extract gzip for Windows @ https://sourceforge.mirrorservice.org/g/...-1-bin.zip
- You can download the full tutorial in PDF format (the guide on this thread has more info though) @ https://mega.nz/#!HThWEAoQ!DRA1J2gDkd7kP...FlveufwOvY
Important Notice
- You can use a terminal emulator from the Play Store to run ADB commands; see this post
- Explanation of the ADB commands; see this post
- How to check whether your phone uses the GT** driver; see this post
- How to find the right end address of an uncompressed kernel, or what to do if you're encountering errors while trying to decompress the kernel; see this post
- How to check whether your device runs a 32-bit or 64-bit OS; see this post
- If your phone uses AArch64 (ARMv8) then be sure to see this post for the hex values to modify, and if IDA isn't working for you, you can use the Hopper disassembler
- On a Linux or Mac PC, you can use the Hopper disassembler @ https://www.hopperapp.com
- If you're using IDA x64 (64-bit version), you might encounter Python-related error messages; check this post
- If this procedure seems too difficult, lengthy or practically impossible to follow, see the alternative methods
Steps on how to patch kernel to enable touch in recovery TWRP / Philz
- Extract Android Image Kitchen and paste your recovery.img into the folder
- Double click on >> unpackimg.bat
- After that your image will be unpacked and split into two folders
>> ramdisk
>> split_img << zImage is the kernel image and will be found in the split_img folder
- Open recovery.img-zImage (the kernel) using 7-Zip then click on "Info"
- It will display the compression method used to compress the kernel (in my case I have GZ) along with a warning about payload data. Also take note of the "Packed Size" because you'll need this later on, then exit 7-Zip
- To get a decompressable kernel, we need to remove the extra data before the kernel and the extra data after the kernel using the HxD editor
- Open recovery.img-zImage using HxD (you can also just drag the file onto the HxD window)
- We're going to use the file signature of GZ (gzip) to search for the start and end address of the kernel within this file
- Once the file is opened, click the beginning of the middle section (the middle section is the one in hex view) then click Search > Find
- In the search window, click the Hex-Values tab
Code:
Search for: 1F 8B
Direction: forward
then click OK
(note: the value "1F 8B" is the file signature (magic number) for GZ; if your kernel uses a different compression method, you may search online for its file signature)
- The found item will be highlighted
- Now select and highlight everything just before the found values back to the beginning of the file, then right click and Cut (this removes the values from the file). If the found values are at the very beginning of the file then there's no extra data in front of the kernel, so you can skip this step and the next 3 steps
- Press Ctrl + N in HxD to create a new empty file
- Click on Edit > Paste write; the contents you cut will be pasted into the new window. Then click File > Save As and save this file under something easy to remember, e.g. "begin of extra kernel data"
- Now that we've removed the extra data at the beginning of the file, next we'll remove the extra data at the end
- Return to the recovery.img-zImage window in HxD, click the beginning of the middle section (the one in hex view) then click Search > Find > Hex Values
Code:
Search for: 6D 65 64 69 61 74 65 6B 2C 4D 54
Direction: forward
then click OK
(note: the value "6D 65 64 69 61 74 65 6B 2C 4D 54" (the ASCII string "mediatek,MT") is not the end address, but we'll use this point to get to the actual end address)
- The found item will be highlighted. Now scroll up a little and you'll find a blank space like in the screenshot below.
- Look closely at the blank space: just before it, I have E2 00 as the end of my kernel, and everything after this is extra data (yours might be different, but leave the last two zeros 00 before the non-zero values)
- Now select and highlight everything just after those values (E2 00 in my case) to the very end of the file, then right click and Cut (this removes the values from the file)
- As we did before, press Ctrl + N in HxD to create a new empty file, then click on Edit > Paste write; the contents you cut will be pasted into the new window. Then click File > Save As and save this file under something easy to remember, e.g. "end of extra kernel data"
- Now save the recovery.img-zImage file: click File > Save (this saves the changes you've made, and the colour in HxD should go from red to black)
- Now close recovery.img-zImage in HxD, then open it using 7-Zip > click Info to confirm the file no longer has the extra payload error. If it doesn't, simply extract the content using 7-Zip
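As an added example (not part of this guide, nor code from Android Image Kitchen), the Python script below does what the HxD steps above do by hand: it finds the 1F 8B signature, then lets zlib decompress from that point so the end address is wherever the gzip stream really ends (no need to guess from the mediatek,MT string), and splits the file into the begin / compressed kernel / end parts. It also decodes the gzip header fields that 7-Zip's Info window reports (compression method, flags, whether a filename is stored). The zImage it runs on by default is constructed inside the script; pass the path of a real recovery.img-zImage on the command line to split that instead. The file names it writes are my own choice.

```python
import sys
import zlib

# Constructed test input (not from any real device): a decompressor stub, then a gzip
# member written the way "gzip -n -9" writes it (no name, mtime 0), then trailing data.
_FAKE_KERNEL = bytes(range(256)) * 8 + b"tpd_i2c_probe\x00" + b"\x00" * 300
_PREFIX = b"\x00\x00\xa0\xe1" * 16                         # stand-in for the code before the kernel
_SUFFIX = b"\x00\x00" + b"mediatek,MT\x00" + b"\xff" * 32  # stand-in for the data after the kernel


def gzip_no_name(data, level=9):
    """Produce a gzip member with no stored filename and mtime 0 (the header gzip -n gives).
    zlib's deflate output may still differ byte-for-byte from GNU gzip's."""
    c = zlib.compressobj(level, zlib.DEFLATED, 16 + zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


FAKE_ZIMAGE = _PREFIX + gzip_no_name(_FAKE_KERNEL) + _SUFFIX


def parse_gzip_header(blob, off=0):
    """Decode the fixed gzip header (RFC 1952) at blob[off:]: the fields 7-Zip's Info shows."""
    if blob[off:off + 2] != b"\x1f\x8b":
        raise ValueError("no gzip signature at offset 0x%x" % off)
    method, flags = blob[off + 2], blob[off + 3]           # method 08 = deflate
    mtime = int.from_bytes(blob[off + 4:off + 8], "little")
    xfl, os_code = blob[off + 8], blob[off + 9]            # xfl 02 = max compression
    pos = off + 10
    if flags & 0x04:                                       # FEXTRA: skip the extra field
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    name = None
    if flags & 0x08:                                       # FNAME: zero-terminated filename
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("latin-1")
        pos = end + 1
    return {"method": method, "flags": flags, "mtime": mtime, "xfl": xfl,
            "os": os_code, "name": name, "data_start": pos}


def find_gzip_members(blob):
    """Return (start, end, payload) for every gzip stream in blob that fully decompresses.
    The end offset comes from zlib's unused_data, so it is the real end address."""
    found = []
    pos = blob.find(b"\x1f\x8b\x08")
    while pos != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            payload = d.decompress(blob[pos:])
            if d.eof:                                      # CRC32 and size trailer verified
                end = len(blob) - len(d.unused_data)
                found.append((pos, end, payload))
                pos = blob.find(b"\x1f\x8b\x08", end)
                continue
        except zlib.error:
            pass                                           # false positive, not a real stream
        pos = blob.find(b"\x1f\x8b\x08", pos + 1)
    return found


def split_zimage(blob):
    """Split a zImage into begin / gz / end, the same parts the HxD cut-and-paste steps produce."""
    members = find_gzip_members(blob)
    if len(members) != 1:
        raise ValueError("expected exactly one gzip kernel, found %d" % len(members))
    start, end, kernel = members[0]
    return {"begin": blob[:start], "gz": blob[start:end], "end": blob[end:],
            "kernel": kernel, "header": parse_gzip_header(blob, start)}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_ZIMAGE
    parts = split_zimage(blob)
    start = len(parts["begin"])
    print("kernel gzip at 0x%x..0x%x, packed size %d, unpacked %d"
          % (start, start + len(parts["gz"]), len(parts["gz"]), len(parts["kernel"])))
    print("header:", parts["header"])
    if len(sys.argv) > 1:                                  # write the three pieces next to the input
        for key in ("begin", "kernel", "end"):
            open(sys.argv[1] + "." + key, "wb").write(parts[key])
```

The packed size printed is the number to compare against 7-Zip's "Packed Size" later; if the script finds more than one gzip stream, or none, the image is not the simple stub + gzip + trailer layout this guide assumes and the HxD steps need a closer look.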
- Now we need to dump the kernel symbols from the phone and get the touch driver entry point (loading point) using ADB. Launch an ADB window and type the commands below, pressing Enter after each line
Code:
adb shell
su
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms >/sdcard/symbl.txt
cat /proc/kallsyms | grep tpd_i2c_probe
exit
exit
adb pull /sdcard/symbl.txt
NOTE: the two exit commands leave su and then adb shell, returning you to the regular prompt so you can pull the file
- The above commands save the symbols as symbl.txt on your phone, then copy it over to the adb folder on your PC; the grep command displays the location of the touch driver. Note down this address somewhere; in my case I have "c06c4348"
- Now launch IDA Pro > File > Open > locate the kernel~ file you extracted in the previous steps and open it
- Set the processor type to ARM little-endian (ARM) and leave the remaining values as they are, then click OK
- Next change the values of "ROM start address" and "Loading address", leave the rest as they are, then click OK
Code:
32 bit = 0xC0008000
64 bit = 0xFFFFFFC000080000
- You may get a message saying "IDA can not identify the entry point automatically as there is no standard of binaries"; click OK to proceed
- Now wait until IDA has loaded the kernel file completely: watch for the yellow circle turning green. Once it's green, IDA is done loading
- Click File > Script file... then navigate to and select the kallsyms_loader.idc you downloaded. After the script loads, IDA will ask for the symbols; select the symbl.txt file we pulled from the phone earlier
- Wait until IDA loads everything completely
- Right click on the yellow marked section and select "Jump to address" > type in the address obtained from ADB (mine is "c06c4348") then press Enter
- This takes us to the code that decides whether touch is loaded, depending on whether the phone is booted into recovery or normal boot.
- get_boot_mode <<< checks whether it is recovery mode or boot mode.
Code:
#2 is for recovery
#0 is for boot.
If get_boot_mode returns 0, the touch driver is activated, since the kernel thinks the phone is going into normal boot.
- In IDA, click Options > General > Disassembly tab > Number of opcode bytes: 6, then click OK
- You'll notice the yellow marked section has changed to show hex values
- We need to note down at least 4 - 5 lines of these hex values. In my case I have the following values
Code:
02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3
- Close IDA and relaunch HxD, then open the extracted kernel~ file in HxD
- Once the file is opened, click the beginning of the middle section (the one in hex view) then click Search > Find > Hex Values
Code:
Search for: the hex values you noted down in the previous step (in my case "02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3")
Direction: forward
then click OK
- Once found, modify the first value from 02 to 00, then save. Patching is done; now it's time to recompress
- Return to the top offset in HxD; we need to take note of certain details needed in order to compress. Close HxD once you're done
Code:
1) The default file signature (magic number) of gz.
2) The parameters or properties of the compressed gz file.
3) There is no name of the compressed file stored.
Explanation of points 2 and 3
- Point 2
The 3rd value (usually at offset 02) in a gz file always denotes the compression method.
In my case it's 08, which means "Deflate compression method".
The 9th value (usually at offset 08) denotes the compression type.
In my case it's 02, which means "Max compression".
- Point 3
When we gzip the kernel, the output file must have the same filename field as the actual kernel file we're compressing (here, none).
It is clear that 7-Zip cannot be used to compress it, so be sure to use gzip for Windows.
- gzip is a command line tool, so we must use it within CMD or PowerShell
- Open the bin folder within the extracted gzip, hold the Shift key, right click, then select "Open command prompt window here" or "Open PowerShell window here"
- Type the command below and hit Enter to compress the kernel back to GZ
Code:
gzip -n -k -9 "C:\Users\Sachin\Downloads\Android Image Kitchen\gzip kernel~"
Remember points 2 and 3 we noted in the previous steps; this is where they play their part
-n indicates the file should have no name
-9 indicates max compression
-k keeps the original file, i.e. the original file won't be deleted in case you need it
Set the file location to the location on your PC, and if the folder path of your kernel contains spaces then you must enclose it in double quotes ""
- Once compression is done, open the newly compressed file using 7-Zip then click Info; check and ensure the "Packed Size" matches the original file (the one you took note of earlier on)
- If it doesn't match the original, e.g. the packed size is reduced by 1 byte, open the uncompressed kernel in HxD > scroll down to the end and add "00" in the hex section > recompress to GZ and check whether the new packed size matches. (The packed size must match that of the original or the recovery won't boot)
- Once the packed size matches, you can proceed to the next step
- Launch HxD and open the files you saved earlier on:
- "begin of extra kernel data"
- "end of extra kernel data"
- the newly GZ-compressed kernel file from the previous step
- Select and copy everything from the newly GZ-compressed kernel (shortcut keys: Ctrl + A then Ctrl + C)
- Paste the copied data at the very end of "begin of extra kernel data" in HxD
- Next, select and copy everything from "end of extra kernel data" then paste it at the end of the newly modified "begin of extra kernel data", then Save As "recovery.img-zImage"
- So what you've built now is "begin + kernel + end"
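As an added example (my own code, not this guide's tooling), the Python script below covers the three steps that are done by hand above in HxD and gzip: it finds the opcode bytes noted from IDA, refuses to patch unless the pattern occurs exactly once and its first word really decodes as ARM "CMP R0, #2" (bytes 02 00 50 E3), then changes the immediate to 0; it recompresses with no stored name and max compression and applies the guide's fix of appending 00 bytes until the packed size matches the original; and it reassembles begin + kernel + end. The opcode pattern is the one from this guide; the kernel bytes used in the self-test are constructed. One caveat: zlib's deflate output is not guaranteed to be byte-identical to GNU gzip's, so for a real image the final packed-size comparison should be made against the file produced by gzip for Windows, as the guide describes.

```python
import struct
import zlib

# The 16 bytes noted from IDA in this guide; the first word is ARM "CMP R0, #2" (0xE3500002).
GUIDE_PATTERN = bytes.fromhex("02 00 50 E3 46 00 00 0A 04 10 A0 E1 00 08 04 E3")


def read_word(kernel, offset):
    """Little-endian 32-bit ARM instruction at offset."""
    return struct.unpack_from("<I", kernel, offset)[0]


def decode_cmp_imm(word):
    """Return (Rn, imm8) when word encodes ARM 'CMP Rn, #imm8' with rotate 0, else None.
    Encoding: cond | 0011 0101 | Rn | 0000 | rotate | imm8."""
    if (word >> 20) & 0xFF != 0x35 or (word >> 8) & 0xFF != 0:
        return None
    return (word >> 16) & 0xF, word & 0xFF


def patch_boot_mode_compare(kernel, pattern=GUIDE_PATTERN, new_imm=0):
    """Find pattern exactly once, confirm it starts with CMP R0, #2, set the immediate to new_imm.
    Returns (patched_kernel, offset)."""
    off = kernel.find(pattern)
    if off == -1:
        raise ValueError("opcode pattern not found; note a longer run of bytes from IDA")
    if kernel.find(pattern, off + 1) != -1:
        raise ValueError("opcode pattern occurs more than once; refusing to patch")
    word = read_word(kernel, off)
    if decode_cmp_imm(word) != (0, 2):
        raise ValueError("first word is not CMP R0, #2: 0x%08x" % word)
    patched = bytearray(kernel)
    struct.pack_into("<I", patched, off, (word & 0xFFFFFF00) | new_imm)
    return bytes(patched), off


def gzip_no_name(data, level=9):
    """gzip member with no filename and mtime 0, the header fields 'gzip -n -9' writes."""
    c = zlib.compressobj(level, zlib.DEFLATED, 16 + zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def recompress_to_packed_size(kernel, target_size, max_pad=64):
    """Recompress; if the result is short, append 00 bytes to the kernel (the guide's fix)
    until the packed size matches. Returns (gz_bytes, padding_added)."""
    padded = kernel
    for pad in range(max_pad + 1):
        gz = gzip_no_name(padded)
        if len(gz) == target_size:
            return gz, pad
        if len(gz) > target_size:
            raise ValueError("recompressed kernel is %d byte(s) larger than the original"
                             % (len(gz) - target_size))
        padded += b"\x00"
    raise ValueError("packed size still short after %d bytes of padding" % max_pad)


def rebuild_zimage(begin, gz, end):
    """begin + kernel + end, as pasted together in HxD."""
    return begin + gz + end


if __name__ == "__main__":
    # Constructed self-test kernel (not a real image): filler around the guide's pattern.
    kernel = b"\x00" * 32 + bytes(range(64)) + GUIDE_PATTERN + bytes(range(64, 128)) * 4
    original_gz = gzip_no_name(kernel)
    patched, off = patch_boot_mode_compare(kernel)
    print("patched CMP at 0x%x -> 0x%08x" % (off, read_word(patched, off)))
    try:
        gz, pad = recompress_to_packed_size(patched, len(original_gz))
        print("packed size %d matches the original after %d byte(s) of padding" % (len(gz), pad))
    except ValueError as err:
        print("size check failed:", err)
```

The uniqueness and decode checks are the part worth keeping even if you patch by hand: a 16-byte pattern taken from IDA can match elsewhere in a large kernel, and writing 00 over the wrong CMP leaves a recovery that boots but behaves differently in a way that is hard to track down.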
- Copy the new "recovery.img-zImage" file into the split_img folder within Android Image Kitchen
- Repack the recovery by double clicking on >> "repackimg.bat"
- Now you can test the newly patched custom recovery by flashing it to the recovery partition, then check whether touch now works
Credits
- Wikipedia mostly for useful info concerning gzip
- Myself @SachinBorkar (for doing a whole lot of research and patching some of the original guide on GitHub to work)
- If this helped you then click the thanks / rate button