Sunday 1 February 2015

Reconstructing MTK LCM drivers

This is another one of my "why didn't I think of that sooner" ideas that could have saved me a few days. Basically Chinese touchscreen datasheets do not exist, or not that I can find for free anyway. Out of all of the phones on my desk I only got 1 "close" match for the controller datasheet and it wasn't any use for writing a driver as the screen initialisation info is in the LCD datasheet (I couldn't even find the company that apparently made this screen. I think it probably begins with J!).

From the LK or kernel console, the LCD timings are easy enough to pick out. If you're lucky enough not to have bought an "agold" special then you should also have the name of the LCM controller. Some phones have multiple LCM drivers supported in each firmware (important).

That's great - apart from the fact that you don't have the initialisation commands. Again, if you're incredibly lucky (or paid extra and got a Wiko/Lenovo/Acer/etc) then you might be able to find the exact driver on github. If not, then you could either keep randomly trying similar-sounding drivers (...bad idea!) or just pull the struct from a working firmware's lk.bin. Most (but not all) of the drivers are boilerplate and use the same struct to store the data - there shouldn't be much to change between devices.

Example:

qHD 4.5" screen, driver IC either RM68191 or OTM9605

Looking at lk.bin, in the chunk of data at the end: the RM68191 data was first (sequences start with "0x55 0xAA 0x52 0x08 0x03" as seen in similar drivers), then the OTM9605 data that I wanted for this phone. It's in the same layout that you would expect knowing the struct: cmd (yellow), count (green), para_list (red)

22 columns made things line up nicely

I dd'ed just the initialisation data out and formatted it ready to copy/paste using this (note: minimal error checking etc - common sense may be required!)
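The following is an added example, not the author's script: it locates an init table in a bootloader image by the sequence start quoted above, decodes the cmd/count/para_list records and formats them as C initialisers. The 66-byte record layout (1-byte cmd, 1-byte count, 64-byte para_list), the function names, the stop heuristics and the sample bytes are all assumptions; match the layout to the struct in the driver you are splicing into.

```python
# ASSUMED record layout; check it against the struct in your driver source:
#   struct { unsigned char cmd; unsigned char count; unsigned char para_list[64]; }
PARA_MAX = 64
RECORD = 2 + PARA_MAX            # 66 bytes, i.e. three rows of a 22-column hex view
SIGNATURE = bytes([0x55, 0xAA, 0x52, 0x08, 0x03])   # sequence start quoted in the post

def record_ok(rec):
    """A plausible entry: count fits and the unused tail of para_list is zero-filled."""
    count = rec[1]
    return count <= PARA_MAX and not any(rec[2 + count:])

def find_table(blob, signature=SIGNATURE):
    """Offset of the first sane record whose para_list starts with signature, or -1."""
    pos = blob.find(signature)
    while pos != -1:
        start = pos - 2                       # step back over cmd and count
        rec = blob[start:start + RECORD] if start >= 0 else b""
        if len(rec) == RECORD and rec[1] >= len(signature) and record_ok(rec):
            return start
        pos = blob.find(signature, pos + 1)
    return -1

def parse_table(blob, offset):
    """Decode records until one stops looking like a table entry (heuristic)."""
    rows = []
    while offset + RECORD <= len(blob):
        rec = blob[offset:offset + RECORD]
        if not record_ok(rec) or not any(rec):   # bad entry or all-zero padding
            break
        rows.append((rec[0], bytes(rec[2:2 + rec[1]])))
        offset += RECORD
    return rows, offset                       # offset shows where decoding stopped

def to_c(rows):
    """Format rows as C initialisers ready to paste into a setting table."""
    return "\n".join("{0x%02X, %d, {%s}}," % (cmd, len(p), ", ".join("0x%02X" % b for b in p))
                     for cmd, p in rows)

def _rec(cmd, *params):                       # builds one record for the sample below
    return bytes([cmd, len(params), *params]).ljust(RECORD, b"\0")

# Constructed sample image (not from a real lk.bin): junk, three entries, padding, junk.
SAMPLE = (b"\x7fjunk" * 9 + _rec(0xF0, *SIGNATURE) + _rec(0x11)
          + _rec(0x29) + bytes(RECORD) + b"tail")

if __name__ == "__main__":
    rows, end = parse_table(SAMPLE, find_table(SAMPLE))
    print(to_c(rows))
```

For a real image, read the file with `open("lk.bin", "rb").read()` and compare the offset where decoding stopped against the hex view before trusting the output.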

Then put it all together and try it out to see if you missed anything...

This sort of thing happens if you miss a bracket!

Typo fixed and then it worked fine. Figured it was pointless to add a photo of a working phone though!

26 comments:

  1. Please tell me how to extract lk.bin

    Replies
    1. From what exactly? Most answers will end up being: use dd

    2. From my stock firmware.
      What is dd?
      I am trying to port KitKat to my Jelly Bean device and I read in a thread that if the phone boots up and goes off repeatedly then it is possible to run KitKat on JB, only need to put the correct LCM drivers.
      Please just tell me the method, I am ready to waste my time.

  2. http://en.wikipedia.org/wiki/Dd_%28Unix%29

    Still not exact enough to give a good answer... stock firmware in what format? Still on a working device, manufacturer provided, nandroid backup, raw emmc dump, some other format?

    If the phone works, get root, "cat /proc/mtd" or "cat /proc/dumchar_info" depending on the age of the firmware. Whichever one of those two commands works will tell you where uboot/lk.bin is being held. Then copy it to a file on your SD card using dd.

    Just my opinion, but I think this will end up being a much bigger & more difficult task than you are expecting :/ Good luck though!

  3. I have an MTK backup with SP Flash Tool blocks, a complete stock ROM backup. I have all the files that I need to use to flash using SP Flash Tool. I already have my lk.bin file.

    All I want you to tell me is how to decompile lk.bin or extract the LCM drivers, whatever it is called. It will be a huge help, man; the only thing that is holding me back from getting KitKat is the lack of me not being able to extract lk.bin.

    Replies
    1. Oh, well in that case just follow what I've written above. In a numbered list, steps are:

      1. Get an idea of what the driver is based around. Manufacturer and screen res are better than nothing. Also grab the timings from boot log (lk or kernel, should be identical)
      2. Find a few similar drivers in GPL sources (e.g. lenovo/acer/github various). The same IC range differ on timings and init sequence
      3. Find the init sequence in good lk.bin using a hex editor, extract it somehow. (copy & paste is better than nothing...!)
      4. Put the data from (1) and (3) into the best looking (2)


      Got any neat tricks on getting the GPIO map or battery charge data right? Those two really slow me down

  4. Please help.
    Only need to unpack/extract/decompile lk.bin

  5. Hello, I have 2 lk.bin files. I need to extract an LCD driver from one and put it onto another one, maybe copy/paste. How can I do that? I'm not good with Linux.
    I know the driver name.
    What software can I open that lk.bin with under Windows?

    Replies
    1. Hi,
      It'll not be as easy as that unfortunately. The LCM init sequences are easy to see because they are large amounts of data arranged in a specific order in the file. The rest of the driver is made up of individual values and timings which you won't be able to find and replace. Your only option that I know about is to compile your own from source (not publicly available, though lots of manufacturers have distributed it). It's nowhere near as complicated as a full kernel/android build because you don't need to worry about accelerometer/alsps/camera/sound/magsensor/etc drivers.

  6. What do you mean by "agold special"?
    I think I have one of those (Ulefone Be Touch 2).
    When I do the *#*#114#*#*, it reports that the LCM is "HLY_55NT_1185A".
    I can't find any information about this anywhere.

    Replies
    1. They produce android builds even more dodgy than usual - some of their config options (from the phone I had) include:
      AGOLD_CHEAT_EVALUATING_SOFTWARE_CPU_CORE_CHANGED = 8核
      AGOLD_CHEAT_EVALUATING_SOFTWARE_CPU_CORE_ORIGIN = 单核,單核
      AGOLD_CHEAT_EVALUATING_SOFTWARE_LIKE_ANTUTU_USE_OPENGL = yes

      and it'll boot-loop if you try to remove any of their spyware apps (APK)...

      At a guess, I'd say HLY are the initials of whoever made the panel, the "55" probably is the size (as in 5.5 inch) and NT_1185A the controller, i.e. something from Novatek. Are there no clues in the boot logs (either bootloader or kernel)? The resolution might help narrow it down (*actual* resolution... don't believe anything agold tells you!)

      If you can find a way to send it the ID command and give you the result (2x 8-bit values) that might be another way to see. Alternatively pull the init sequence out of the bootloader and comb through different manufacturers until one looks close.

      I moved on to a different non-agold-butchered phone so I don't think I did identify the controller on that, but I'll check through anything I saved just in case

    2. I'm kind of a newbie here, so... What do you mean by pulling the init sequence?
      Is it about the boot.img and the ramdisk?

    3. Yes, basically LCDs need some commands sending when they're first powered on before they can be used. For some reason that I still haven't figured out, the details of each screen's commands are a closely guarded secret by the controller manufacturers, which makes writing drivers impossible. The contents of this post describe how I took the (initialisation) command sequence for my specific LCD out of the phone's secondary bootloader and spliced it into a similar driver for some other phone.

      However I did find a suspiciously similar looking/sounding phone to yours which isn't running an agold butchered firmware. It's using just one LCM driver - nt35596

  7. Hello Steven,
    thank you for sharing this precious information.
    Recently I've been searching all around the internet about the "chinese serial number:0123456789abcdef" with no results.
    From what I understood, in the boot process, the bootloader (aka lk) sends an unknown serial number to the kernel, which in turn somehow changes that unknown SN into the "chinese id" and sends it to the init process through cmdline.
    I have 2 questions:
    1) Is it technically possible to change that serial number?
    2) If yes, how?

    Replies
    1. Hi. Yes that is possible, providing that you have the bootloader source.
      In the version of lk that I have, in the file:

      bootable/bootloader/lk/app/mt_boot/mt_boot.c

      you will find what you're looking for.

      #define DEFAULT_SERIAL_NUM "0123456789ABCDEF"
      /*
      * Support read barcode from /dev/pro_info to be serial number.
      * Then pass the serial number from cmdline to kernel.
      */
      #define SERIAL_NUM_FROM_BARCODE
      ...
      ...
      ...
      #ifdef SERIAL_NUM_FROM_BARCODE
      /* Append androidboot.serialno=xxxxyyyyzzzz in cmdline */
      sprintf(cmdline, "%s%s%s", cmdline, " androidboot.serialno=", sn_buf);
      #endif
      ...
      ...
      (and so on)

  8. Hi Steve.
    Can you help me in my LCD drivers issue??
    I have a clone mobile of inew v8+ named as Auxus One.

    Everything is identical except the name.

    My problem is when I flash stock ROM of inew v8+ to mine everything is working fine.

    Now when I flash my stock ROM of Auxus LCD is not lighting up, everything is working normal in the background.

    After working around using SPMDT Tool, what I found is, the uboot file in inew's firmware has 2 lcd drivers 70544 and 70744. The second one works. Whereas the lk.bin in Auxus' one has only one driver 70544.

    What I did was replace lk.bin of Auxus' with inew's, but phone doesn't boot up but LCD works. Even tried with preloader, A gold driver etc.. But no use.

    I tried binary editing of the files but don't have any knowledge of it and hence didn't succeed.

    Can you give me a solution??

    Thanks in advance..

    By the way mine is MTK6592 chipset

    Replies
    1. Hi. Can you upload the few files somewhere and I'll take a look? Basically should just be: the two lk.bin files, uart boot logs of the working ROM.

    2. Here are the lk.bin files of both firmwares..
      https://www.dropbox.com/s/321dbb02zxcrgs1/lk_inew.bin?dl=0
      https://www.dropbox.com/s/v8ugunyfn6g7pmr/lk_auxus.bin?dl=0

      If you still need UART boot logs, I will get them..
      Thanks for your time.

    3. Hmm, they're both 'agold' butchered code so I'll not be able to be much help unfortunately. My 2 suggestions were going to be to mess with the SPMDT tool (which you already have), and swap the init sequences for the lcds... but they look the same (assuming I'm looking in the right place... it's a guess)

      $ dd status=none if=lk_inew.bin bs=1 count=128 skip=243588 | xxd
      $ dd status=none if=lk_auxus.bin bs=1 count=128 skip=240800 | xxd

      The uart logs should give more of a clue as to what is happening when the boot process fails, or LCD init fails but boot continues.

    4. Did you notice the AGOLD_DRIVER partition just after NVRAM?

  9. Here are the files of firmware (screenshot)
    https://www.dropbox.com/s/q3qjpsepr59p4bk/2016_07_18_00.02.49.png?dl=0
    https://www.dropbox.com/s/k87r7u2f0traqmb/IMG_20160409_125257.jpg?dl=0
    I tried the AGOLD_DRIVER replacement while flashing but it didn't work.
    Please check this scatter file of working ROM
    https://www.dropbox.com/s/bd24kdgkqy45qv8/MT6592_Android_scatter.txt?dl=0

  10. This comment has been removed by the author.

  11. Hello Steven
    I have Pixi 4 (4) kernel source MT6580 and I want to port it to my Infinix Hot 2, I have the LK.bin and I know the name of my LCM controller, but I don't know exactly how to decode the LCM controller inside the source, I found one similar in name but still couldn't edit it.

  12. Hello Steven,

    Since SP Multiport Download Tool current & former versions don't support MT67xx, I can't manage to switch LCD drivers for related lk in case of multiple support = SPMDT returns failure error while trying to load lk.

    For instance I have a MT6795 WQHD 6" device, that has lk.bin with dual support for r63419_wqhd_auo_booyi_3d_vdo & nt35598_wqhd_dsi_vdo_truly. I'd like to switch init sequence in order to test such lk with other MT6795 WQHD 6" devices that use same r63419 or nt35598 & same camera/sensors.

    Is there an alternative tool that allows to change/switch LCM (as formerly possible with SPMDT on MT65xx) ?

    Otherwise, can those changes be performed manually through HEX editing ?

    Thanks in advance.

    Replies
    1. Hi. Unfortunately I've been busy with other things and not had any time to play with the MT67xx devices yet. I did buy some though and will get to it eventually! Anything interesting that I find out I'll post on here. From a quick look through their source they've made some annoying default changes to non-engineer builds.

    2. Hello

      First, thanks for your reply ;).

      In case you need further info and/or feedback, I'm now working on 2 MT6795 WQHD 6" devices (PPTV King7 & Freetel Samurai Kiwami FTJ152D) + 2 MT6795 WQHD 5.5" devices (Creo MARK 1 & AMOI L861 also branded as Stonex One or Santin Dante).
