Just my notes on the KW88 watch

KW88 Watch

Asian watch company = no android source code

So, we're kinda on our own here.

Basics

The device comes with a bunch of wonky software on it. The important software to get is Google Play and WatchClockSkin.

SoC/Custom ROM stuff

It's a MediaTek device. Powered off, it enumerates as a MediaTek MT65xx Preloader USB device. Powered on, it enumerates as a MediaTek KW88 USB device.

When it's off (in preloader mode), SP Flash Tool should be able to flash custom ROMs to the device, assuming there's a scatter file that tells SP Flash which region of the KW88's memory map each chunk of the image goes to. At the end of this Gist you'll find the MT6580_Android_scatter.txt that came with the KW88_CS1_B_GSM_PHT_20170112.zip ROM image I just happened to find a while back.

A kernel source tree that may work:

https://github.com/OpenWatchProject/android_kernel_mediatek_mt6580

SP Flash

Somewhere along the line, I found a version of SP Flash Tool that was somehow specific to the KW88 chip. The zip it came in was named 6580_SP.zip and the top level directory in that zip was named SP_Flash_Tool_exe_Windows_v5.1548.00.000.

At the time of writing, the version available directly from the https://spflashtool.com site is SP_Flash_Tool_v5.1744_Win.zip.

NOTE: I had to use the custom version! Otherwise, the checksum of logo.bin doesn't pass the check the latest version of the tool performs!

Required VCOM drivers

To use SP Flash, you need to manually install the MediaTek USB VCOM drivers. Note: The device "bounces" in device manager. You'll have to install it using these steps:

  1. Click on any device in the tree
  2. Action Menu -> Add legacy hardware
  3. Install the hardware that I manually select from a list (Advanced)
  4. Show All Devices
  5. Have Disk...
  6. Browse for: MediaTek_USB_VCOM_drivers\MediaTek USB VCOM drivers\Drivers\USB VCOM Driver\Win7\usb2ser_Win764.inf
  7. SELECT THIS DEVICE: MediaTek PreLoader USB VCOM Port

Again, the driver you want comes from this file: MediaTek_USB_VCOM_drivers\MediaTek USB VCOM drivers\Drivers\USB VCOM Driver\Win7\usb2ser_Win764.inf

And the "Model" is: MediaTek PreLoader USB VCOM Port

Once you've done all that, SP Flash will be able to trigger your device into preloader mode correctly so it can read and write from its flash memory.

Notes about using SP Flash

There really isn't a reason to touch the PRELOADER or DSP_BL areas of memory! These will royally screw your device up!

BEFORE you click Download, make sure you understand the little drop down in SP Flash:

  • Download Only - Only writes the checked areas of memory with a new image
  • Firmware Upgrade - WRITES EVERY IMAGE EVEN IF IT IS NOT CHECKED!

ROM images I have

I'm not sure where I got these from but they are on my hard drive so I guess they were useful at some point.

  • KW88_CS1_B_GSM_PHT_20170112.zip
  • KW88-CS1-B-GSM-PHT-20171111.rar

I'm currently running 20171111 so that one should work fine.

Installing TWRP on a KW88 (and rooting with SuperSU)

TWRP Source tree for the kw88: https://github.com/OpenWatchProject/twrp_device_mediatek_harmony

Follow these:

taken from: https://discourse.fullandroidwatch.com/t/twrp-for-harmony-kw88-98-99-thor-s-les1-i2-di01-more/34889

If you have TWRP installed already:

  1. Download the first link which is just the twrp image files
  2. Copy the image file to your watch
  3. Boot into twrp
  4. Click install
  5. Click install image
  6. Navigate to the twrp image you copied over and select it
  7. Find recovery in the list and select it
  8. Swipe to confirm
  9. You’re done

If you don’t have TWRP installed:

  1. With your watch turned on, copy the file “Harmony_TWRP_patcher.zip” to the /sdcard directory.

Optional: Also copy over SuperSU-v2.82-201705271822.zip and flash it after Step 9.

  2. Turn off your watch.
  3. Open sp flash tool
  4. In the “Scatter-loading File” box choose the “MT6580_Android_scatter.txt” file that you downloaded
  5. Select the twrp image you downloaded and do it for the boot and recovery partitions
  6. Press on “Download”.
  7. Connect the watch to the computer and wait until a green tick appears on the screen.
  8. Unplug your watch and power it on

WARNING: the following step (9) will install an android 5.1 compatible boot.img. If you have an android 8.1 rom installed, be sure to flash it after finishing this guide.

  9. In the recovery, go to Install -> Install Zip and select the previously copied file “TWRP_patcher.zip”. Wait until it finishes and that’s it!

  10. Flash SuperSU-v2.82-201705271822.zip if you put it on the watch too...

My bad guess notes DO NOT FOLLOW THESE:

This is me guessing at how this works.

This thread hosted the files: https://forum.xda-developers.com/smartwatch/other-smartwatches/recovery-twrp-3-2-2-0-t3816674

  • Harmony_twrp.img is actually supposed to be a REPLACEMENT for recovery.img from a normal ROM image. In theory we move the recovery.img out of the way, and rename Harmony_twrp.img to take its place.
  • MT6580_Android_scatter.txt is exactly the one extracted from KW88-CS1-B-GSM-PHT-20171111.rar
  • Harmony_TWRP_patcher.zip is a patcher file that MUST BE INSTALLED ON /sdcard BEFORE FLASHING OVER recovery.img!

So, order of operations is:

  • Get official ROM
  • Get files mentioned above
  • Flash normal ROM images (excluding preloader!) to the watch using SP Flash
    • Optional: Manually edit the Checksum.ini file; update logo=0x0??? to logo=0x04d7 if SP Flash yells about a checksum error.
    • Load the MT6580_Android_scatter.txt file from the official extracted ROM
    • Power off the phone
    • Uncheck preloader
    • Dropdown should be Download Only
    • Click Download
    • Plug in watch, wait for it to flash
  • Boot the watch. Make sure it works right. (i.e. doesn't boot loop too bad; mine did when I turned on the cellular modem; I had to reboot it a few times, leave it powered on, wait for it to optimize the apps, all that, then it finally worked.)
  • Reboot the watch at least once to make sure it's working okay.
  • Mount the watch to a computer and move Harmony_TWRP_patcher.zip to /sdcard
  • Power off the watch

Note: This is where the guessing begins...

  • Move recovery.img out of the way in the extracted ROM
  • Rename Harmony_twrp.img to recovery.img and move it into the extracted ROM directory.
  • Load the same scatter file
  • Un-check everything EXCEPT recovery.img
  • Click Download
  • Plug in watch
  • Cross fingers that it boots into TWRP
  • Tell it to flash Harmony_TWRP_patcher.zip
  • When that's done, reboot the watch
  • Cross fingers that it boots into the normal ROM

I don't know what to do after this...

Modifying an existing ROM

I don't know if this is a good idea. I'd LOVE to be able to remove some of the bloatware on this thing though. The default calendar app sucks, and there's a bunch of other crap I just don't want on the device.

I don't know if the ROMs are signed, but I'd guess they are.

Also, obviously, I'd like to root the thing.

Unpacking, Editing and Re-Packing the images

I haven't tested these scripts but they seem promising: https://github.com/bgcngm/mtk-tools

They linked to this page (which I partially stole to see the exact commands): http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images

If you are good with a hex editor, you can open up any of these images and strip off the first 2k of data. Then, look for a bunch of zeroes followed by the hex 1F 8B (which is the magic number of a gzip file). Copy everything from the first line of the file, through the zeroes, and stopping at the 1F 8B. That is the kernel. Everything from the 1F 8B through the end is the ramdisk. You could save each of these files separately. In order to see the contents of the ramdisk, you need to un-gzip it and then un-cpio it. You could use a command like this (ideally after creating a new directory and cd'ing into it):

gunzip -c ../your-ramdisk-file | cpio -i

That will place all of the files from the ramdisk in your working directory. You can now edit them. In order to re-create the ramdisk, you need to re-cpio them and re-gzip those files, with a command like the following (remember, cpio will include everything in the current working directory, so you probably want to remove any other cruft you might have in there):

find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz

The final step is to combine the kernel and your new ramdisk into the full image, using the mkbootimg program (which you should download and compile from the git repository):

mkbootimg --cmdline 'no_console_suspend=1 console=null' --kernel your-kernel-file --ramdisk newramdisk.cpio.gz -o mynewimage.img

Now, there's a lot of hassle in pulling apart files in hex editors and remembering all of these commands, so I wrote unpack and repack perl scripts for you. Hooray.
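
The split described above can also be done from the sizes recorded in the image header instead of hunting for 1F 8B by eye; a compressed kernel can contain its own 1F 8B, so the first match is not always the ramdisk. The Python below is an added example, not code from these notes or from the linked wiki. It assumes the standard Android boot image header (`ANDROID!` magic, little-endian sizes, page-aligned sections), its function names are hypothetical, and the sample image is constructed.

```python
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
GZIP_MAGIC = b"\x1f\x8b"
# magic, kernel size/addr, ramdisk size/addr, second size/addr, tags addr, page size
HEADER = struct.Struct("<8s8I")


def _pages(size, page):
    """Round size up to a whole number of pages."""
    return -(-size // page) * page


def split_boot_image(image):
    """Return (kernel, ramdisk, ramdisk_offset) using the sizes in the header."""
    if len(image) < HEADER.size:
        raise ValueError("image shorter than a boot header")
    magic, k_size, _, r_size, _, _, _, _, page = HEADER.unpack_from(image)
    if magic != BOOT_MAGIC:
        raise ValueError("no ANDROID! magic: not a boot/recovery image")
    if page == 0 or page & (page - 1):
        raise ValueError(f"implausible page size {page}")
    k_off = page  # the header occupies the first page ("the first 2k")
    r_off = k_off + _pages(k_size, page)
    if r_off + r_size > len(image):
        raise ValueError("header sizes run past end of file (truncated image?)")
    return image[k_off:k_off + k_size], image[r_off:r_off + r_size], r_off


def heuristic_ramdisk_offset(image, page=2048):
    """The hex-editor method: first 1F 8B after the header page."""
    return image.find(GZIP_MAGIC, page)


def build_sample():
    """Constructed image whose 'kernel' embeds its own gzip stream."""
    page = 2048
    kernel = b"\x00" * 100 + gzip.compress(b"fake kernel payload") + b"\x00" * 3000
    ramdisk = gzip.compress(b"fake cpio archive")
    hdr = HEADER.pack(BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    image = hdr.ljust(page, b"\x00")
    for section in (kernel, ramdisk):
        image += section.ljust(_pages(len(section), page), b"\x00")
    return image, kernel, ramdisk


if __name__ == "__main__":
    image, _, _ = build_sample()
    kernel, ramdisk, r_off = split_boot_image(image)
    print(f"header says ramdisk at {r_off:#x}, "
          f"first 1F 8B is at {heuristic_ramdisk_offset(image):#x}")
    print("ramdisk contents:", gzip.decompress(ramdisk))
```

On the constructed image the first 1F 8B sits inside the kernel, so cutting there would truncate the kernel and produce a bogus ramdisk, while the header-based split returns both sections intact.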

Random Scatter file I have

File name for this ROM was KW88_CS1_B_GSM_PHT_20170112.zip:

############################################################################################################
#
#  General Setting 
#    
############################################################################################################
- general: MTK_PLATFORM_CFG
  info: 
    - config_version: V1.1.2
      platform: MT6580
      project: KW88_B_GSM_PHT
      storage: EMMC
      boot_channel: MSDC_0
      block_size: 0x20000
############################################################################################################
#
#  Layout Setting
#
############################################################################################################
- partition_index: SYS0
  partition_name: preloader
  file_name: preloader_KW88_B_GSM_PHT.bin
  is_download: true
  type: SV5_BL_BIN
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: BOOTLOADERS
  reserve: 0x00

- partition_index: SYS1
  partition_name: pgpt
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x80000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS2
  partition_name: proinfo
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x80000
  physical_start_addr: 0x80000
  partition_size: 0x300000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: PROTECTED
  reserve: 0x00

- partition_index: SYS3
  partition_name: nvram
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x380000
  physical_start_addr: 0x380000
  partition_size: 0x500000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: BINREGION
  reserve: 0x00

- partition_index: SYS4
  partition_name: protect1
  file_name: NONE
  is_download: false
  type: EXT4_IMG
  linear_start_addr: 0x880000
  physical_start_addr: 0x880000
  partition_size: 0xa00000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: PROTECTED
  reserve: 0x00

- partition_index: SYS5
  partition_name: protect2
  file_name: NONE
  is_download: false
  type: EXT4_IMG
  linear_start_addr: 0x1280000
  physical_start_addr: 0x1280000
  partition_size: 0xa00000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: PROTECTED
  reserve: 0x00

- partition_index: SYS6
  partition_name: seccfg
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x1c80000
  physical_start_addr: 0x1c80000
  partition_size: 0x40000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS7
  partition_name: lk
  file_name: lk.bin
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x1cc0000
  physical_start_addr: 0x1cc0000
  partition_size: 0x60000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS8
  partition_name: boot
  file_name: boot.img
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x1d20000
  physical_start_addr: 0x1d20000
  partition_size: 0x1000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS9
  partition_name: recovery
  file_name: recovery.img
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x2d20000
  physical_start_addr: 0x2d20000
  partition_size: 0x1000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS10
  partition_name: para
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x3d20000
  physical_start_addr: 0x3d20000
  partition_size: 0x80000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS11
  partition_name: logo
  file_name: logo.bin
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x3da0000
  physical_start_addr: 0x3da0000
  partition_size: 0x800000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS12
  partition_name: expdb
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x45a0000
  physical_start_addr: 0x45a0000
  partition_size: 0xa00000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS13
  partition_name: frp
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x4fa0000
  physical_start_addr: 0x4fa0000
  partition_size: 0x100000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS14
  partition_name: nvdata
  file_name: NONE
  is_download: false
  type: EXT4_IMG
  linear_start_addr: 0x50a0000
  physical_start_addr: 0x50a0000
  partition_size: 0x2000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS15
  partition_name: metadata
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x70a0000
  physical_start_addr: 0x70a0000
  partition_size: 0x2760000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS16
  partition_name: oemkeystore
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x9800000
  physical_start_addr: 0x9800000
  partition_size: 0x200000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS17
  partition_name: secro
  file_name: secro.img
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x9a00000
  physical_start_addr: 0x9a00000
  partition_size: 0x600000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS18
  partition_name: keystore
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0xa000000
  physical_start_addr: 0xa000000
  partition_size: 0x800000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: INVISIBLE
  reserve: 0x00

- partition_index: SYS19
  partition_name: system
  file_name: system.img
  is_download: true
  type: EXT4_IMG
  linear_start_addr: 0xa800000
  physical_start_addr: 0xa800000
  partition_size: 0x3b800000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS20
  partition_name: cache
  file_name: cache.img
  is_download: true
  type: EXT4_IMG
  linear_start_addr: 0x46000000
  physical_start_addr: 0x46000000
  partition_size: 0x10000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS21
  partition_name: userdata
  file_name: userdata.img
  is_download: true
  type: EXT4_IMG
  linear_start_addr: 0x56000000
  physical_start_addr: 0x56000000
  partition_size: 0x60000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

- partition_index: SYS22
  partition_name: flashinfo
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0xFFFF0084
  physical_start_addr: 0xFFFF0084
  partition_size: 0x1000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: false
  is_reserved: true
  operation_type: RESERVED
  reserve: 0x00

- partition_index: SYS23
  partition_name: sgpt
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0xFFFF0004
  physical_start_addr: 0xFFFF0004
  partition_size: 0x80000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: false
  is_reserved: true
  operation_type: RESERVED
  reserve: 0x00
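
A pre-flight check for a scatter file like the one above, as an added Python example (not part of the original notes or of SP Flash Tool): it parses the scatter format, confirms the partitions in each region are laid out back to back, and lists the entries marked `is_download: true`, flagging any bootloader among them. The function names are hypothetical, and the embedded sample is a constructed excerpt that reuses names, addresses and sizes from the file.

```python
import re

ENTRY = ("- partition_index: SYS{0}\n  partition_name: {1}\n  is_download: {2}\n"
         "  linear_start_addr: {3:#x}\n  partition_size: {4:#x}\n  region: {5}\n"
         "  operation_type: {6}\n\n")


def sample_scatter(recovery_start=0x2d20000):
    """Constructed excerpt: names, addresses and sizes from the file above."""
    rows = [("preloader", "true", 0x0, 0x40000, "EMMC_BOOT_1", "BOOTLOADERS"),
            ("lk", "true", 0x1cc0000, 0x60000, "EMMC_USER", "UPDATE"),
            ("boot", "true", 0x1d20000, 0x1000000, "EMMC_USER", "UPDATE"),
            ("recovery", "true", recovery_start, 0x1000000, "EMMC_USER", "UPDATE")]
    return "".join(ENTRY.format(i, *r) for i, r in enumerate(rows))


def parse_scatter(text):
    """Return one dict per '- partition_index:' record; other records are skipped."""
    parts = []
    for line in text.splitlines():
        m = re.match(r"\s*(-\s+)?(\w+):\s*(\S*)", line)
        if not m:
            continue  # comment banner or blank line
        new_record, key, value = m.groups()
        if new_record:
            parts.append({} if key == "partition_index" else None)
        if parts and parts[-1] is not None:
            parts[-1][key] = value
    return [p for p in parts if p]


def preflight(parts):
    """Return (will_write, warnings) from the is_download flags and the layout."""
    will_write, warnings, next_free = [], [], {}
    for p in parts:
        name, region = p["partition_name"], p["region"]
        start, size = int(p["linear_start_addr"], 16), int(p["partition_size"], 16)
        if p.get("is_reserved") != "true":  # reserved entries use 0xFFFF.... markers
            expected = next_free.get(region, start)
            if start != expected:
                kind = "overlaps previous" if start < expected else "gap before"
                warnings.append(f"{name}: {kind} (start {start:#x}, expected {expected:#x})")
            next_free[region] = start + size
        if p["is_download"] == "true":
            will_write.append(name)
            if p["operation_type"] == "BOOTLOADERS":
                warnings.append(f"{name}: bootloader marked for download, uncheck it")
    return will_write, warnings


if __name__ == "__main__":
    print(preflight(parse_scatter(sample_scatter())))
```

To check a real file, pass its text to `parse_scatter` and the result to `preflight`; for the scatter file above the only warning is the preloader entry, which matches the advice to uncheck it.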

