Unlocking the touchscreen driver when booting in recovery mode on MTK processors
Device or OS, firmware: Android
Unlocking the touchscreen driver when booting in recovery mode on MTK processors. Like many who build or port TWRP for devices with an MTK processor, I ran into a non-working touchscreen. In the thread, a TWRP appeared for one fresh Chinese smartphone, made by the respected jemmini through the Custom recovery order table (jemmini's post #55966593), but as it turned out the touch did not work there; the person who ordered it did not check, in general a murky story, and this marvel had no OTG. After that I ported TWRP from several devices on the same chip; they all booted, but the touch did not work. At that point it became clear that the problem is in the kernel. While searching for information I stumbled upon this post, which had two wonderful links, one could say theory and practice. Be sure to read the article at the first link to understand the description below. In it the author covers the theory in detail and the practice briefly; the second link is more practice.
The essence of that method is to find, in the tpd_i2c_probe procedure, the place where the boot mode is checked via get_boot_mode and delete the check, or delete the conditional jump. I propose instead to make the get_boot_mode function itself always return the boot mode NORMAL_BOOT = 0; then the touch driver gets loaded. Moreover, it is much smaller than the tpd_i2c_probe procedure, and the call to this function was not obvious to me. The finished TWRP from jemmini was taken as the test subject; no point letting good work go to waste.
So we will need the following tools:
IDA Pro v6.8 and a small repacker from github. Out of the dozen or so utilities I tested, it is the only one that unpacked my image correctly, but it may break on other images. AndImgTool will help many people with the unpacking (in this post there is a build of several utilities, almost a whole kitchen); you can also unpack by hand, but in general that is a separate complex topic. Go through the IDA installation carefully and be sure to install python inside the IDA distribution. The instructions for installing IDA are in Chinese, but there are only 3 points.
1. Copy the test subject, named recovery.img, to the directory \MTbootimg\_in\. Unpack the recovery in MTbootimg by running unpack.bat and take the kernel from \MTbootimg\_work\kernel. We need exactly the file named kernel, about 20 MB in size, not to be confused with zImage (6-7 MB).
2. Copy the kernel file to a separate place where we will work with it, and load it into IDA.
3. For kernels of version 4.x.x the initial load address is set as 0xFFFFFF8008080000, for 3.x.x it is 0xFFFFFFC000080000, but there may be exceptions. There were also kernels with the address 0xC0008000.
4. Change the bitness of the segment. This is not always required.
5. Next, run the kallsyms_all.py script, which recovers the names of procedures and functions. If you have the device in hand, you can dump kallsyms and look there (the first line).
The values I have met are C0008180, C0008240, C0100000, C0200000, FFFFFF8008081000, FFFFFF8008082000, FFFFFFC000081000... Send me yours in a private message and I will add them here. How to determine it exactly I do not know; it is all intuition and brute force. If anyone knows, share.
If an error like this occurs, the address is not correct.
6. Wait for the script to finish; the list of names should appear in the left pane, where we find the function get_boot_mode. To do this, sort the functions and procedures alphabetically by clicking the column header. Double-click the function found in the left column and it opens in the right window. You can also search through the Search menu; it searches in the window where the cursor is. We are interested in the register W0. It needs to be assigned the value 0, which means the boot mode NORMAL_BOOT.
7. We edit this line to get MOV W0, #0. For this, at 0xFFFFFF8008537094 replace the first 4 bytes with 00 00 80 52. The register name W0 may be different, for example R0, and then the replacement bytes will be different too. For example, you can search the code for the same instruction and see what those 4 bytes look like.
8. Save the changes.
9. When comparing the patched kernel against the backed-up original in TC, it should look something like this.
10. Next, copy the patched kernel over \MTbootimg\_work\kernel, replacing it, and pack with pack.bat.
The repackaged recovery is in \MTbootimg\_out\boot_repack.img. I did it like this:
https://www.youtube.com/watch?v=9shCBgfS4GY
Thrown together quickly; it does not always take file names into account:
MTbootimg.zip (2.82 MB)
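The patch and compare from steps 7 to 9, as an added Python example that is not part of the post and not code from jemmini, MTbootimg or kallsyms_all.py. It assumes the unpacked kernel is a raw image that IDA loaded flat at the base from step 3, so a virtual address maps to a file offset as vaddr minus base; the function address, the base and the sample image below are constructed placeholders, not values from a real device. It handles both the AArch64 encoding used in the post (MOV W0, #0 = 00 00 80 52) and the ARM32 equivalent (MOV R0, #0 = 00 00 A0 E3), refuses to write unless a return instruction follows within a few instructions (get_boot_mode is a tiny function), and lists every differing 4-byte word so the compare from step 9 can confirm that exactly one instruction changed.

```python
"""Patch get_boot_mode in a flat MTK kernel image so it returns NORMAL_BOOT (0),
then diff the result against the backup. Added example; addresses are placeholders."""

# "Return 0 in the first register", little-endian bytes, per architecture.
# AArch64: MOVZ W0, #0 = 0x52800000 -> 00 00 80 52 (the bytes used in the post)
# ARM32:   MOV  R0, #0 = 0xE3A00000 -> 00 00 A0 E3
MOV_ZERO = {"arm64": bytes.fromhex("00008052"), "arm32": bytes.fromhex("0000a0e3")}
# Function return instruction, used only as a sanity check that the address
# really points into a short function such as get_boot_mode.
RETURN = {"arm64": bytes.fromhex("c0035fd6"),   # RET
          "arm32": bytes.fromhex("1eff2fe1")}   # BX LR


def vaddr_to_offset(vaddr: int, image_base: int, size: int) -> int:
    """Map a virtual address taken from IDA to a file offset in the flat image."""
    off = vaddr - image_base
    if off < 0 or off + 4 > size:
        raise ValueError(f"0x{vaddr:x} is outside the image loaded at 0x{image_base:x}")
    return off


def find_return(kernel: bytes, off: int, arch: str, max_insns: int = 64):
    """Offset of the first return instruction at or after `off` within
    `max_insns` instructions, or None if the address is not in a small function."""
    ret = RETURN[arch]
    for i in range(max_insns):
        pos = off + 4 * i
        if kernel[pos:pos + 4] == ret:
            return pos
    return None


def patch_get_boot_mode(kernel: bytes, vaddr: int, image_base: int, arch: str = "arm64"):
    """Overwrite the 4-byte instruction at `vaddr` with MOV W0/R0, #0.
    Returns (patched_image, original_instruction_bytes); the input is not modified."""
    off = vaddr_to_offset(vaddr, image_base, len(kernel))
    if find_return(kernel, off, arch) is None:
        raise ValueError("no return instruction nearby; wrong address or load base?")
    original = kernel[off:off + 4]
    if original == MOV_ZERO[arch]:
        raise ValueError("instruction already patched")
    patched = kernel[:off] + MOV_ZERO[arch] + kernel[off + 4:]
    return patched, original


def diff_images(a: bytes, b: bytes):
    """(offset, old_word, new_word) for every differing 4-byte word: what a hex
    compare of the backup against the patched kernel shows (step 9)."""
    if len(a) != len(b):
        raise ValueError("images differ in size; the patch must not change the length")
    return [(i, a[i:i + 4], b[i:i + 4]) for i in range(0, len(a), 4) if a[i:i + 4] != b[i:i + 4]]


# --- constructed sample image (not a real kernel) ---
IMAGE_BASE = 0xFFFFFF8008080000               # 4.x load base from step 3
FUNC_OFF = 0x40                               # placeholder offset of get_boot_mode
NOP = bytes.fromhex("1f2003d5")               # AArch64 NOP as filler
# Stand-in get_boot_mode: one placeholder load (LDR W0, [X1]) followed by RET.
SAMPLE_KERNEL = NOP * (FUNC_OFF // 4) + bytes.fromhex("200040b9") + RETURN["arm64"] + NOP * 8
GET_BOOT_MODE_VADDR = IMAGE_BASE + FUNC_OFF   # would come from IDA / kallsyms


def demo():
    """Patch the sample image and return (patched, original_bytes, diff_list)."""
    patched, original = patch_get_boot_mode(SAMPLE_KERNEL, GET_BOOT_MODE_VADDR, IMAGE_BASE)
    return patched, original, diff_images(SAMPLE_KERNEL, patched)


if __name__ == "__main__":
    patched, original, changes = demo()
    print(f"replaced {original.hex()} with {MOV_ZERO['arm64'].hex()}")
    for off, old, new in changes:
        print(f"0x{off:08x}: {old.hex()} -> {new.hex()}")
```

For a real image, read the kernel file into `kernel`, pass the address IDA shows for get_boot_mode and the base you loaded it at, and write `patched` to a new file while keeping the original as the backup. Because every caller of get_boot_mode now sees NORMAL_BOOT, the diff should list exactly one word; anything more means the offset or base was wrong.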
Acknowledgments
LazyC0DEr and Igor Skochinsky. As the thread fills up, send me your addresses and I will add them.
kallsyms_all.zip (2.14 KB)
Adapted utility to build zImage; unfortunately not all formats are parsed / assembled correctly. Thanks to And_pda and acdev.
AndImgTool_1_3_0_v3.zip (5.54 MB)
In general, let's share information and help each other.
Post has been edited by Pawill - 19.12.18, 23:59