Mini Project: Reverse Engineering the Samsung Galaxy S2 Touch Screen Interface

This is my last year at university studying for my Master’s degree, hence the lack of posts this year – I’ve been pretty busy. My final project involves working with touch screens to improve the signal quality through hardware-based processing, and the more data I can get, the better. My hope was to intercept the touch screen on a mobile phone to see if I could get to the raw data. I knew that it probably wouldn’t work out that way because most of the processing would probably be done by the touch screen controller (TSC), but I thought I’d have a go anyway – a challenge is always fun.

My old mobile phone is a Samsung Galaxy S2, which isn’t really worth much to anyone nowadays, so I was willing to risk it in my endeavours. Looking at teardowns for information, I opened up the device and figured out where the touch screen connector was on the MLB (main logic board). Luckily, the touch screen was connected to the AP (application processor) via an i2c bus, which meant two things: there was a pull-up resistor on the SDA (data) and SCL (clock) lines that I could probe, and my oscilloscope could decode the data for me in real-time.

The main problem was that the resistors that I wanted to probe sat underneath the ribbon cable that connected the touch panel to the MLB. This meant that I couldn’t access the resistors to hold the probes onto while the screen was running – I had to solder probe wires on. But these were 0204 resistors. I’ve worked on modern mobile phones in a previous internship so I’m not afraid to take them apart and poke them with a soldering iron – even dealing with 0102 resistors is okay if you have a microscope, fine-gauge wire and a fine-tipped soldering iron. The trouble is that I have none of this stuff and my home setup is adequate to deal with parts down to about 0603 size.

The only way to get wire this thin was to pull apart some solder wick to acquire two very thin copper strands. I’d have to be careful as they’re not insulated but it would do the job. I made a number of attempts to get the wires onto the resistors, but they were too close together and I couldn’t get both attached at once. I decided to solder the wires onto the connector which turned out to be much simpler. After finding a suitable (good enough) ground connection on the board, I could now read the i2c data as it travelled from the TSC to the AP and I began the process of reverse engineering the protocol.

Samsung Galaxy S2 with probe wires soldered onto the screen connector.

I was disappointed to see that the TSC was not sending the entire frame of information to the AP, even though I had known this was probably the case. Every time I touched the screen, there would be some activity on the bus (I assumed this was triggered by the interrupt pin, however I did not probe it as everything was so tiny) and when I moved my finger on the screen there was a new packet every 14.29ms which indicated an update rate of about 70Hz. Every transaction began with the same write operation from the AP to the TSC, followed by a packet of 9 bytes in response.

One such i2c interaction between the TSC and the AP

I used the Android developer tools so that I could see what information the system was receiving from the touch screen, and I used that to correlate the information to the packets. Here is what I found.

| # | Name | Description |
|---|------|-------------|
| 1 | Touch Number | Because this touch panel supports multitouch, the first byte indicates which finger touch this packet describes. Values are offset by one, i.e. the first finger touch has ID 0x02. If this is the last packet, then this byte will take a value of 0xFF and the rest of the packet will be the same as the previous packet that was sent (basically a redundant packet). For example, if there are 3 fingers on the screen, then you will get four packets each beginning 0x02, 0x03, 0x04 and 0xFF. |
| 2 | Data Type | 0xc0 = new touch; 0x90 = touch has moved; 0x84 = beginning of a long touch; 0x20 = end of long touch |
| 3 | X Location | The horizontal location on the display. |
| 4 | Y Location | The vertical location on the display. |
| 5 | ? | Not sure exactly what this byte represents. Both nibbles in the byte are always a multiple of 4 (i.e. 0, 4, 8 or C). Probably some kind of flags. |
| 6 | Touch Pressure | This value indicates approximately how hard the touch is. |
| 7 | Touch ID | Each touch is assigned an ID when it is first detected so that it can be traced when it moves. |
| 8 | 00 | Always 0x00. |
| 9 | Next Packet # | This indicates the Touch Number of the next packet. If this is the last packet then it takes the value 0xFF. |

The highest (x, y) coordinate I saw was (0x76, 0xc3) indicating a horizontal resolution of 119 and a vertical resolution of 196.

An example of an interaction with 3 packets may be this:

02 90 0e 0f 0c 03 1c 00 03  = first finger touch (ID 0x1c) has moved to location (14, 15) with a pressure of 3. The next packet will describe the second finger touch.

03 c0 6a 06 cc 04 17 00 04 = second finger touch (ID 0x17) is a new touch at location (106, 6) with a pressure of 4. The next packet will describe the third finger touch.

04 84 6f bf 84 05 16 00 FF = third finger touch (ID 0x16) is a long press at (111, 191) with a pressure of 5. The next packet is the final packet.

FF c0 6f bf 84 05 16 00 FF = this is the final packet with the same information as before.
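
The 9-byte layout from the table, written as a small decoder and run over the four example packets above. This is an added example, not code from the original post; the names `TouchPacket`, `parse_packet` and `parse_transaction` are assumptions of this example, and the checks only cover what the table states (packet length, the constant byte 8, and the "next packet" chain ending in 0xFF).

```python
from dataclasses import dataclass

# Data Type values observed in the post (byte 2).
EVENTS = {0xC0: "new touch", 0x90: "moved",
          0x84: "long touch start", 0x20: "long touch end"}
FINAL = 0xFF  # Touch Number / Next Packet value marking the last packet

@dataclass
class TouchPacket:
    touch_number: int   # byte 1, 0x02 for the first finger, 0xFF for the final packet
    event: str          # byte 2, decoded through EVENTS
    x: int              # byte 3
    y: int              # byte 4
    flags: int          # byte 5, meaning unknown
    pressure: int       # byte 6
    touch_id: int       # byte 7
    next_number: int    # byte 9

def parse_packet(raw):
    """Decode one 9-byte packet read from the TSC."""
    if len(raw) != 9:
        raise ValueError(f"expected 9 bytes, got {len(raw)}")
    num, dtype, x, y, flags, pressure, tid, zero, nxt = raw
    if zero != 0x00:
        raise ValueError(f"byte 8 should be 0x00, got {zero:#04x}")
    event = EVENTS.get(dtype, f"unknown {dtype:#04x}")
    return TouchPacket(num, event, x, y, flags, pressure, tid, nxt)

def parse_transaction(hex_lines):
    """Decode packets in order and verify the next-packet chain."""
    packets = [parse_packet(bytes.fromhex(line)) for line in hex_lines]
    if not packets or packets[-1].touch_number != FINAL:
        raise ValueError("transaction does not end with a 0xFF packet")
    for cur, nxt in zip(packets, packets[1:]):
        if cur.next_number != nxt.touch_number:
            raise ValueError("next-packet byte does not match following packet")
    return [p for p in packets if p.touch_number != FINAL]  # drop redundant final packet

# The four example packets quoted in the post.
SAMPLE = [
    "02 90 0e 0f 0c 03 1c 00 03",
    "03 c0 6a 06 cc 04 17 00 04",
    "04 84 6f bf 84 05 16 00 FF",
    "FF c0 6f bf 84 05 16 00 FF",
]

if __name__ == "__main__":
    for touch in parse_transaction(SAMPLE):
        print(touch)
```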

Even though this doesn’t allow me to get the data I wanted for my project it was still an interesting challenge for an afternoon.