[BUG FIX] Phantom keypress and screen shot

Search This thread

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
I've been working on fixing this issue for awhile. Here's the deal:

The problem.
The four keys at the bottom of the phone are monitored by a melfas touchkey chip (http://www.melfas.com/english/touch/sensor.asp) that connects to the main processor via an I2C bus (http://en.wikipedia.org/wiki/i2c). The melfas chip generates an interrupt whenever one of the keys is touched or released. The processor then reads the key value from this chip over the i2c bus. The problem is that the touchkey chip is located right next to the 3G antenna. When the phone is accessing the 3G network the RF energy gets transferred to the interrupt and i2c clock and data lines causing false interrupts to occur. The processor responds to the interrupt by reading the key value from the cypress chip. The symptoms occur more frequently in low signal areas because the phone outputs a higher RF level in those situations which causes more RF interference on the interrupt line.

Most of the time when a false interrupt has occurred the touchkey chip will return a value of zero for the key and the driver will recognize this as a bad key press and ignore it. Sometimes the RF interference on the i2c clock and/or data line causes a valid value to be returned and the driver reports a key press value to the application. In the case where the driver reports a ‘back’ key down, the software sees this as holding the back key down so when you press the power button you get a screen shot. The easiest way to cure this is to always press and release the back key before pushing the power button. This causes the software to see both a key down and key up event which cancels the screenshot mode.

This RFI induced touchkey interrupt happens hundreds of times per second when the phone is using 3G. It produces lots of different symptoms including applications that always seem to shut down. A wide variety of problems can be attributed to this failure. In addition, the processor spends a lot of time servicing these bogus interrupts, which take cpu time away from the other applications. This can make the phone appear to be slow or even freeze up for short periods of time. There’s a good chance that most people have experience this to some degree without realizing the root cause.

Solution one. Fix the driver.

Since this is a true hardware failure, a software solution is going to be less than perfect. After dozens of experiments rewriting the interrupt service routines in the driver I’ve settled on a combination of fixes. The first is to re-test the interrupt input line several times. In normal operation when you touch or release a button, the touchkey chip drives the interrupt line low and keeps it low until the driver reads data over the i2c interface. Since the RF interference is a sine wave and is being sampled it causes the interrupt line to go high and low at a fast rate. Sampling the line multiple times in software increases the chance of finding it in the high state. This is done both in the interrupt handler and then again in the interrupt thread. About 90% of the false interrupts are filtered out by testing the line in the handler. If the interrupt handler doesn’t find the line high after 10 samples, it masks the interrupt so that another falling edge doesn’t produce another interrupt. In testing I’ve noticed that the interrupt handler would run multiple times before the interrupt thread was even called. Once in a while, so many interrupts would get stacked up that the phone would just reboot. It was probably a stack or buffer overflow that wasn’t being handled. Remember, this interrupt would happen many hundreds of times a second. About 90% of the remaining false interrupts are filtered out by sampling this line in the thread. That leaves about 1% of the interrupts that need to be further tested. The second test is to read the data from the chip and discard anything that isn’t a valid key press value. This is easily done with a case statement. Finally, since occasionally a bogus valid value will get through, I set up a timer so that any key down event that doesn’t have a corresponding key up event within 3 seconds is canceled by calling the all_keys_up routine.

This combination all but eliminates the symptoms produced by this failure. The only draw back is that the processor still spends a considerable amount of time servicing the false interrupts. And rarely a phantom keypress does get through. In all, it’s a fairly good piece of duct tape and JB Weld.

During my experiments I used a copy of the kgb kernel. My version with the modified driver is in github at https://github.com/dmriley/kgb. If you want to try this yourself, be sure to use the ‘dev’ branch.


Solution two. Fix the hardware.

There are three signals that connect from the melfas touchkey chip to the processor. They are the two i2c lines: sdc which is the clock and sda which is the data. The third line is the interrupt. In troubleshooting this problem, I took my phone apart and put oscilloscope probes on the three lines. This allowed me to see the real cause of the problem. Since the interference is RFI (or EMI) the only real way to fix the problem is to either remove the RF or make the impedance of the signals much lower. Removing the RF is easy if you don’t need to use 3G. When the phone is using wifi (or no network connectivity at all) the problem does not exist. Also, when you are very close to a cell tower, the phone transmits at a much lower level. This lower level greatly reduces the RFI. Lowering the impedance is a little harder. I2C uses active pull down and passive pull up for the logic levels for both sda and sdc. This means that the impendence is mostly governed by the pull up resistor. This resistor value is typically upwards of 1kohm and probably as high as 3kohms (I didn’t measure it in this phone). Since the impedance only needs to be lowered for the 3G frequencies of around 800MHz, a capacitor can be added from the signal source to signal ground. At 800MHZ a 100 pf cap is about 2 ohms (1/ 2*pi*f*c). That’s a couple of orders of magnitude lower than the pull up resistor alone, and much too low for the RF signal to induce any significant voltage on the line. This value is also low enough not to interfere with the signal rise and fall times for the interrupt line. In the case of the interrupt line, the melfas chip drives the signal low and keeps it low until the interrupt is serviced. Discharging a 100pf cap with a 2mA driver takes only microseconds. This much delay is not noticeable when touching the key and is much less than the amount of time that the processor takes to service the interrupt.

Adding the cap to the interrupt line eliminates false interrupts. A chance does exist that a valid key event during 3G access could cause an incorrect key value to be returned due to RFI on the clock and data lines. The i2c protocol is designed to compensate for capacitive loading on the lines. Although it would cause the clock period to be stretched out significantly it would still only take milliseconds to read the key data from the chip. The difference would be imperceptible. To date I have only added the cap to the interrupt line and have yet to experience an invalid key press.

I’ll post pictures of cap mod.

Summary.

Most people will be satisfied using the software fix. I think that a couple of the kernel devs are incorporating some or most of the driver mods outlined in this document. Both comradesven (kgb dev) and ssewk2x aka Efpophis (glitch dev) were involved in the test and debug process. Much appreciation is given to both of them for the help that they gave me and for allowing me to use and hack up their code on github. Efpophis saved me hours of searching through code. Without their help, I’d still be unable to build a kernel.


UPDATE:30 Mar 2012
The phone had been working fine since the mod. I hadn't seen a screen capture or any of the other symptoms. Then, a couple of nights ago, while I running maps on 3G (a data intensive app) the touchkey backlights started flashing rapidly like the phone was having a little seizure. And then it happened, the voice search popped up. A couple of debug kernels later I've come to the conclusion (and I'm never wrong) that the clock line (SCL) going to the melfas chip was being toggled by the same RF interference that was causing the false interrupts. A random clock along with random data was causing the chip to turn the backlights on and off as well as generate a false interrupt. I was able to reliably duplicate the problem in a couple of really low signal level areas (not hard to find when you live out in the boonies).

I tore the phone apart (again) today and added a 100pf cap to the scl line right next to the chip. I also added another cap in parallel with the 100pf on the interrupt line. I spent about 1/2 hour tonight running 3G data apps in the same location where the problem first appeared. So far, no problems and none of the debug messages have shown up on dmesg.

If anyone wants pics of the added cap I'll open it back up, no problem, otherwise if you look at this photo you can see which pin is scl (although I incorrectly labeled it SDC in the photo). http://xdaforums.com/attachment.php?attachmentid=953824&d=1332117055

If anyone tries these mods I'd be real interested in your results.
 
Last edited:

yohobojo

Senior Member
Oct 30, 2010
97
7
Kennesaw
Awesome, thanks for doing this for all of us. Phantom key press is really annoying

Sent from my SCH-I500 using XDA App
 

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
Last edited:

k_nivesout

Senior Member
Mar 27, 2011
2,338
431
Wow, we're lucky to have someone as capable as yourself figure out this annoying issue! I've kinda kept up on your work, but seeing this breakdown and the photos is helpful in understanding the root cause of the problem. I do wonder sometimes how Samsung missed this issue in their testing, but at least we have custom kernels that implement your fixes and dramatically reduce the phantom presses!
 

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
Uuuhm...You're an awesome human being. Holy crap. -_-

That's some amazing work, thanks!

wasn't just me. had help from other members here. I didn't even know where to start looking when I first started. It's so cool that people are willing to do the level of work that the devs here do without expecting anything back.
 

neh4pres

Senior Member
Nov 22, 2010
2,180
469
wasn't just me. had help from other members here. I didn't even know where to start looking when I first started. It's so cool that people are willing to do the level of work that the devs here do without expecting anything back.

Thanks so much for all the work, and the detail in your post. It is amazing the work everybody does here and the knowledge you pass on to us.
I do have a few questions


Would you mind sharing what kind off iron you used? is that the most bottom line on the board you soldered to? If so, did you have to scratch it or something first? Is it the farthest left line on the chip that was used? Do they make caps that size with leads coming of the 2 sides, and if so would that be a easier mod? Is there a positive and negative side to that capacitor?

I'm really thinking about doing this, if i decide to would you mind sending me 5 of your extra caps for a $10 donation?

Sent from my SCH-I500 using xda premium
 

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
Thanks so much for all the work, and the detail in your post. It is amazing the work everybody does here and the knowledge you pass on to us.
I do have a few questions


Would you mind sharing what kind off iron you used? is that the most bottom line on the board you soldered to? If so, did you have to scratch it or something first? Is it the farthest left line on the chip that was used? Do they make caps that size with leads coming of the 2 sides, and if so would that be a easier mod? Is there a positive and negative side to that capacitor?

I'm really thinking about doing this, if i decide to would you mind sending me 5 of your extra caps for a $10 donation?

Sent from my SCH-I500 using xda premium

I did the mod at my workplace under a microscope. I used a metcal (http://www.okinternational.com/product_soldering/mx500) soldering iron but you could use just about any low wattage iron with a really fine tip.

There's four pins on each side of the melfas chip. One end of the cap is soldered right to the interrupt pin which is the closest to the corner. the other end is connected to the ground side of C2 via a solder bridge.

View attachment 953824

I doubt that they make caps that small with leads on them. You could look. It's not hard to make the solder bridge. Remember the scale that were talking about here. That cap is 0.06 inches long by 0.03 inches wide. I wouldn't try to scratch the solder resist from the board because it's a flex circuit on top. Also, the cap is not polarized.

I bought a hundred of these caps for less than $6 including shipping. I'd feel terrible charging someone $10 for five. If you pm me your address I'll stick a couple in an envelope and send them. If you want to give away ten bucks, donate it to a charity like destiny rescue or UMCOR (http://new.gbgm-umc.org/umcor/about/financialinformation/).

Disclaimer:I've been working with parts this size for years and am pretty good at soldering. You risk dorking up your phone if you don't do this correctly. Only attempt if you are skilled at soldering. All information is presented "as is" and without warranty for fitness or use. Your mileage may vary. Void where prohibited, taxed or licensed.
 

IamUmpire57

Member
Apr 24, 2012
15
1
What is the easiest way to implement the band-aid software fix?

I am on CSpire so there are not many proven custom roms out there.
 

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
What is the easiest way to implement the band-aid software fix?

I am on CSpire so there are not many proven custom roms out there.

The fix is in the kernel. I used the KGB kernel as the source for my build. You can download it from github and build your own. If you're running all stock (rom & kernel) you can mod the stock kernel.

I'm really not the expert here on choices. Maybe someone else could chime in.
 

CoffeeDregs

New member
Mar 30, 2011
3
1
Too tiny to solder so band-aid?

Excellent research, fix and documentation. I was going to follow the fix, but, when I finally got the phone disassembled, I saw that the bits were much too small for me to solder. And I'm an ex-electronics guy who's worked on surface mount stuff before, so I doubt amateurs will have much luck, either.

So the problem is that RFI is hopping onto the I2C and interrupt lines... Could we just block the RFI? Sure. A grounded piece of aluminum foil which covered the whole Melfus+lines area should do that. So I tried that. Worked great for the soft keys, but, for reasons not apparent to me, my phone would no longer do 3G (stuck in 1X). Perhaps because the big old piece of grounded foil in the middle of the 3G antenna soaked up too much signal?

How about not grounding the Aluminum foil? It wouldn't be tied to ground, so the potential of the Alu foil would wobble, but it might prevent enough RFI from reaching the I2C and interrupt lines.

I opened the phone back up and squished the Alu foil a bit so that it just covered the Melfus chip and the lines heading to the left, and so that it didn't touch what-I-think-is the ground plane right at the upper edge of the PCB. Now, the piece of Alu foil was a rectangle about 6mm wide and 3mm tall. Seems to prevent softkey misfires and my phone seems more responsive. Assuming the results hold, this is a 5 minute fix for the issue and it doesn't require anything more than a tiny screwdriver, a spot of aluminum foil and a moderately steady hand. Wish me luck!
 
  • Like
Reactions: coronero

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
Excellent research, fix and documentation. I was going to follow the fix, but, when I finally got the phone disassembled, I saw that the bits were much too small for me to solder. And I'm an ex-electronics guy who's worked on surface mount stuff before, so I doubt amateurs will have much luck, either.

So the problem is that RFI is hopping onto the I2C and interrupt lines... Could we just block the RFI? Sure. A grounded piece of aluminum foil which covered the whole Melfus+lines area should do that. So I tried that. Worked great for the soft keys, but, for reasons not apparent to me, my phone would no longer do 3G (stuck in 1X). Perhaps because the big old piece of grounded foil in the middle of the 3G antenna soaked up too much signal?

How about not grounding the Aluminum foil? It wouldn't be tied to ground, so the potential of the Alu foil would wobble, but it might prevent enough RFI from reaching the I2C and interrupt lines.

I opened the phone back up and squished the Alu foil a bit so that it just covered the Melfus chip and the lines heading to the left, and so that it didn't touch what-I-think-is the ground plane right at the upper edge of the PCB. Now, the piece of Alu foil was a rectangle about 6mm wide and 3mm tall. Seems to prevent softkey misfires and my phone seems more responsive. Assuming the results hold, this is a 5 minute fix for the issue and it doesn't require anything more than a tiny screwdriver, a spot of aluminum foil and a moderately steady hand. Wish me luck!

That's great work. I tried that initially with some foil tape over the whole melfas chip without success. This was all documented in the github problem log but it got deleted when the ticket was closed out. In my basement where I was doing my testing, the signal strength is very low so it's a worst case scenario. Maybe the shield will work better if it's shaped just right. I'm not an RF guy so my shield was just a guess. Share some pics with us if you find a solid solution. The shield would be much easier to implement.
 

CoffeeDregs

New member
Mar 30, 2011
3
1
I tried that initially with some foil tape over the whole melfas chip without success.

What was not successful about it? You still had phantom keypresses or you lost 3G?

Also, how did you ground the foil? I grounded it against what I thought was a ground plane. And I covered the entire L-shaped assembly (Melfas, lines and all).

[Stating the obvious...:] The idea of covering the Melfas chip and lines with foil assumes that the RFI is getting to the lines from above the chip+lines. The foil wouldn't do anything were the RFI hopping over from elsewhere. But AFAICT the top layer of the PCB is a ground plan and the signal lines head down into buried layers directly from the connector, so I'm not sure how else RFI could get the I2C lines except from in the module...

My un-grounded foil seems to be an improvement, but not a fix, so I might try grounded-foil again and try to figure out why it killed my 3G.

Good to hear that you have a microscope; I still have 20/20 vision as a 40yo, but that's a tiny little area!

I gotta say that I am wildly disappointed in Samsung. If a few electronics-savvy folks polking around the interwebs can find root cause and propose multiple fixes, it's shocking that Samsung won't acknowledge it, much less fix it. I'm due a phone upgrade and I'd love to get an SGS III, but I really don't trust Samsung.
 

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
What was not successful about it? You still had phantom keypresses or you lost 3G?

Also, how did you ground the foil? I grounded it against what I thought was a ground plane. And I covered the entire L-shaped assembly (Melfas, lines and all).

[Stating the obvious...:] The idea of covering the Melfas chip and lines with foil assumes that the RFI is getting to the lines from above the chip+lines. The foil wouldn't do anything were the RFI hopping over from elsewhere. But AFAICT the top layer of the PCB is a ground plan and the signal lines head down into buried layers directly from the connector, so I'm not sure how else RFI could get the I2C lines except from in the module...

My un-grounded foil seems to be an improvement, but not a fix, so I might try grounded-foil again and try to figure out why it killed my 3G.

Good to hear that you have a microscope; I still have 20/20 vision as a 40yo, but that's a tiny little area!

I gotta say that I am wildly disappointed in Samsung. If a few electronics-savvy folks polking around the interwebs can find root cause and propose multiple fixes, it's shocking that Samsung won't acknowledge it, much less fix it. I'm due a phone upgrade and I'd love to get an SGS III, but I really don't trust Samsung.

Yeah, I used what I thought was a ground pad and covered pretty much everything on that little flex board that has the chip on it. It didn't stop the problem. Also, I had a bunch of dmesg stuff in the driver so I could see every time that there was a "missfire" vs just seeing the actual symptoms. A shield could theoretically fix the problem, I'm just not a RF engineer so I went with what I know. With the microscope, it's pretty easy to add the caps. Without, it'd be kinda hard. It probably only took me 20 minutes or so to do the last one I did. The good news it, the cap fix does the trick 100%. We've been running it on three phones without a problem for a few months now.

I totally agree on Samsung's failure. That design defect should have been caught pretty early in development. Maybe these guys have never heard of a Peer Review :(. It's even sadder if they knew it might be a problem but decided to risk it to save 1/2 cent per phone.

I understand the corporate mentality of denying a problem exists (iphone signal loss is a good example). If they admit it, then they have to fix it and that would be very costly. I'm sure when they started to have a problem they did a cost analysis and decided that losing N number of customers was cheaper than actually fixing all the bad phones.

What made it even worse was trying to find info on the phone design. Samsung was completely unresponsive when I contacted them to get data sheets on the CPU and other info on the phone. It's as if they didn't want me to solve the problem. Come to think of it, they probably didn't want me to. Solving it verifies that the problem exists and isn't just user error.

Anyway, now with my phone fixed and the excellent AOKP ROM and Glitch kernel, I love my fassy.
 

CoffeeDregs

New member
Mar 30, 2011
3
1
Yeah, I used what I thought was a ground pad and covered pretty much everything on that little flex board that has the chip on it. It didn't stop the problem. Also, I had a bunch of dmesg stuff in the driver so I could see every time that there was a "missfire" vs just seeing the actual symptoms. A shield could theoretically fix the problem, I'm just not a RF engineer so I went with what I know. With the microscope, it's pretty easy to add the caps. Without, it'd be kinda hard. It probably only took me 20 minutes or so to do the last one I did. The good news it, the cap fix does the trick 100%. We've been running it on three phones without a problem for a few months now.

I totally agree on Samsung's failure. That design defect should have been caught pretty early in development. Maybe these guys have never heard of a Peer Review :(. It's even sadder if they knew it might be a problem but decided to risk it to save 1/2 cent per phone.

I understand the corporate mentality of denying a problem exists (iphone signal loss is a good example). If they admit it, then they have to fix it and that would be very costly. I'm sure when they started to have a problem they did a cost analysis and decided that losing N number of customers was cheaper than actually fixing all the bad phones.

What made it even worse was trying to find info on the phone design. Samsung was completely unresponsive when I contacted them to get data sheets on the CPU and other info on the phone. It's as if they didn't want me to solve the problem. Come to think of it, they probably didn't want me to. Solving it verifies that the problem exists and isn't just user error.

Anyway, now with my phone fixed and the excellent AOKP ROM and Glitch kernel, I love my fassy.

Yeah: dmesg would be lots better!

My foil status: decent. I'm getting a lot less buzzing, but I still do get **some** in low signal areas (my bedroom). So I'm happier.

Samsung's response: I'm not at all surprised. I used to be an FAE for Cirrus Logic and worked a lot with ARM processors (back in 2000-2003). I got ahold of some of Samsung's datasheets on their ARM processors and was staggered: the datasheet was about 4 pages long and was full of errors, inaccuracies or glossings-over. Our datasheets were 40 pages long and we had 200 page programming manuals available on the web. You got no love from Samsung unless you were looking to buy 5M chips.

Anyways, thanks for you research and help!
 

electric bill

Inactive Recognized Developer
Jun 24, 2011
128
76
Moto G7 Plus
Second cap

I finally got around to mod'ing our last phone. Actually, I was finally able to pry it from my teen's hands long enough to do the work. I think she sat home all afternoon and twitched.

Anyway, here's a pic of the two caps. One is on the interrupt line and the other is on the clock (or scl) line. I melted the insulation from a piece of real fine magnet wire to connect between the clock pin and the second cap. The other end of the second cap is just solder bridged to the same ground as the first cap.
 

Attachments

  • IMG_20120724_183725.jpg
    IMG_20120724_183725.jpg
    235.9 KB · Views: 428
  • Like
Reactions: longplaypg

Top Liked Posts

  • There are no posts matching your filters.
  • 20
    I've been working on fixing this issue for awhile. Here's the deal:

    The problem.
    The four keys at the bottom of the phone are monitored by a melfas touchkey chip (http://www.melfas.com/english/touch/sensor.asp) that connects to the main processor via an I2C bus (http://en.wikipedia.org/wiki/i2c). The melfas chip generates an interrupt whenever one of the keys is touched or released. The processor then reads the key value from this chip over the i2c bus. The problem is that the touchkey chip is located right next to the 3G antenna. When the phone is accessing the 3G network the RF energy gets transferred to the interrupt and i2c clock and data lines causing false interrupts to occur. The processor responds to the interrupt by reading the key value from the cypress chip. The symptoms occur more frequently in low signal areas because the phone outputs a higher RF level in those situations which causes more RF interference on the interrupt line.

    Most of the time when a false interrupt has occurred the touchkey chip will return a value of zero for the key and the driver will recognize this as a bad key press and ignore it. Sometimes the RF interference on the i2c clock and/or data line causes a valid value to be returned and the driver reports a key press value to the application. In the case where the driver reports a ‘back’ key down, the software sees this as holding the back key down so when you press the power button you get a screen shot. The easiest way to cure this is to always press and release the back key before pushing the power button. This causes the software to see both a key down and key up event which cancels the screenshot mode.

    This RFI induced touchkey interrupt happens hundreds of times per second when the phone is using 3G. It produces lots of different symptoms including applications that always seem to shut down. A wide variety of problems can be attributed to this failure. In addition, the processor spends a lot of time servicing these bogus interrupts, which take cpu time away from the other applications. This can make the phone appear to be slow or even freeze up for short periods of time. There’s a good chance that most people have experience this to some degree without realizing the root cause.

    Solution one. Fix the driver.

    Since this is a true hardware failure, a software solution is going to be less than perfect. After dozens of experiments rewriting the interrupt service routines in the driver I’ve settled on a combination of fixes. The first is to re-test the interrupt input line several times. In normal operation when you touch or release a button, the touchkey chip drives the interrupt line low and keeps it low until the driver reads data over the i2c interface. Since the RF interference is a sine wave and is being sampled it causes the interrupt line to go high and low at a fast rate. Sampling the line multiple times in software increases the chance of finding it in the high state. This is done both in the interrupt handler and then again in the interrupt thread. About 90% of the false interrupts are filtered out by testing the line in the handler. If the interrupt handler doesn’t find the line high after 10 samples, it masks the interrupt so that another falling edge doesn’t produce another interrupt. In testing I’ve noticed that the interrupt handler would run multiple times before the interrupt thread was even called. Once in a while, so many interrupts would get stacked up that the phone would just reboot. It was probably a stack or buffer overflow that wasn’t being handled. Remember, this interrupt would happen many hundreds of times a second. About 90% of the remaining false interrupts are filtered out by sampling this line in the thread. That leaves about 1% of the interrupts that need to be further tested. The second test is to read the data from the chip and discard anything that isn’t a valid key press value. This is easily done with a case statement. Finally, since occasionally a bogus valid value will get through, I set up a timer so that any key down event that doesn’t have a corresponding key up event within 3 seconds is canceled by calling the all_keys_up routine.

    This combination all but eliminates the symptoms produced by this failure. The only draw back is that the processor still spends a considerable amount of time servicing the false interrupts. And rarely a phantom keypress does get through. In all, it’s a fairly good piece of duct tape and JB Weld.

    During my experiments I used a copy of the kgb kernel. My version with the modified driver is in github at https://github.com/dmriley/kgb. If you want to try this yourself, be sure to use the ‘dev’ branch.


    Solution two. Fix the hardware.

    There are three signals that connect from the melfas touchkey chip to the processor. They are the two i2c lines: sdc which is the clock and sda which is the data. The third line is the interrupt. In troubleshooting this problem, I took my phone apart and put oscilloscope probes on the three lines. This allowed me to see the real cause of the problem. Since the interference is RFI (or EMI) the only real way to fix the problem is to either remove the RF or make the impedance of the signals much lower. Removing the RF is easy if you don’t need to use 3G. When the phone is using wifi (or no network connectivity at all) the problem does not exist. Also, when you are very close to a cell tower, the phone transmits at a much lower level. This lower level greatly reduces the RFI. Lowering the impedance is a little harder. I2C uses active pull down and passive pull up for the logic levels for both sda and sdc. This means that the impendence is mostly governed by the pull up resistor. This resistor value is typically upwards of 1kohm and probably as high as 3kohms (I didn’t measure it in this phone). Since the impedance only needs to be lowered for the 3G frequencies of around 800MHz, a capacitor can be added from the signal source to signal ground. At 800MHZ a 100 pf cap is about 2 ohms (1/ 2*pi*f*c). That’s a couple of orders of magnitude lower than the pull up resistor alone, and much too low for the RF signal to induce any significant voltage on the line. This value is also low enough not to interfere with the signal rise and fall times for the interrupt line. In the case of the interrupt line, the melfas chip drives the signal low and keeps it low until the interrupt is serviced. Discharging a 100pf cap with a 2mA driver takes only microseconds. This much delay is not noticeable when touching the key and is much less than the amount of time that the processor takes to service the interrupt.

    Adding the cap to the interrupt line eliminates false interrupts. A chance does exist that a valid key event during 3G access could cause an incorrect key value to be returned due to RFI on the clock and data lines. The i2c protocol is designed to compensate for capacitive loading on the lines. Although it would cause the clock period to be stretched out significantly it would still only take milliseconds to read the key data from the chip. The difference would be imperceptible. To date I have only added the cap to the interrupt line and have yet to experience an invalid key press.

    I’ll post pictures of cap mod.

    Summary.

    Most people will be satisfied using the software fix. I think that a couple of the kernel devs are incorporating some or most of the driver mods outlined in this document. Both comradesven (kgb dev) and ssewk2x aka Efpophis (glitch dev) were involved in the test and debug process. Much appreciation is given to both of them for the help that they gave me and for allowing me to use and hack up their code on github. Efpophis saved me hours of searching through code. Without their help, I’d still be unable to build a kernel.


    UPDATE:30 Mar 2012
    The phone had been working fine since the mod. I hadn't seen a screen capture or any of the other symptoms. Then, a couple of nights ago, while I running maps on 3G (a data intensive app) the touchkey backlights started flashing rapidly like the phone was having a little seizure. And then it happened, the voice search popped up. A couple of debug kernels later I've come to the conclusion (and I'm never wrong) that the clock line (SCL) going to the melfas chip was being toggled by the same RF interference that was causing the false interrupts. A random clock along with random data was causing the chip to turn the backlights on and off as well as generate a false interrupt. I was able to reliably duplicate the problem in a couple of really low signal level areas (not hard to find when you live out in the boonies).

    I tore the phone apart (again) today and added a 100pf cap to the scl line right next to the chip. I also added another cap in parallel with the 100pf on the interrupt line. I spent about 1/2 hour tonight running 3G data apps in the same location where the problem first appeared. So far, no problems and none of the debug messages have shown up on dmesg.

    If anyone wants pics of the added cap I'll open it back up, no problem, otherwise if you look at this photo you can see which pin is scl (although I incorrectly labeled it SDC in the photo). http://xdaforums.com/attachment.php?attachmentid=953824&d=1332117055

    If anyone tries these mods I'd be real interested in your results.
    11
    the cap. yeah, that's a normal size pen to show scale
    View attachment 951812

    on the board
    View attachment 951821

    with notes
    View attachment 951820

    the antenna problem
    View attachment 951822

    close up showing touckey circuit. micro sd card for scale
    View attachment 951834

    my finger
    View attachment 951836

    back off
    View attachment 951838

    another view
    View attachment 951837


    BTW, I took these pictures with my son's fascinate :)
    7
    Uuuhm...You're an awesome human being. Holy crap. -_-

    That's some amazing work, thanks!

    wasn't just me. had help from other members here. I didn't even know where to start looking when I first started. It's so cool that people are willing to do the level of work that the devs here do without expecting anything back.
    5
    Samsung SPH-D710

    This thread provided the information I needed to get Sprint (and Samsung) on board with a solution for the Galaxy S II 'Epic 4G Touch' model number SPH-D710.

    Using this thread as a starting point, I that the problem with the Sprint S2 phones is also caused by RF interference. Here is the reply:

    When the radio turns up power to maintain connection with the towers it can cause Electronic Noise to leak over the connection between the capacitive buttons at the bottom of the handset and the main board, making the phone think that there was a key press. This is due to a piece of shielding tape on the device not being up to snuff. The tape can't be replaced on its own in store, the entire screen assembly needs to be replaced.

    This issue took quite a bit of time to track down and determine a root cause by Sprint/Samsung because of the large number of devices in the field with varying parts since launch and the multitude of potential causes. It needed to be determined how widespread the issue was, and the different types of hardware affected by this versus other issues with potentially similar symptoms.

    The MENU button being "pressed" on its own is considered a known issue and can be fixed in a Service and Repair store by replacing the screen assembly (The replacement parts from Samsung are a combined LCD/TSP assembly from the factory so they are both replaced at once). It does appear more apparent in low signal/roaming environments due to the nature of the issue. If a store does not have parts available or is unable to fix it, they can exchange the device for you. Exchanges will be for the same model refurbished device, just as if you went through Samsung to haev it repaired/replaced. The refurbished devices should have the fixed part in place already from the warehouse. If you do not have TEP/ESRP from Sprint the $50 repair fee is waived for the repair/exchange for this issue. I do not know a specific date that this was posted in the internal device solutions portal, I just checked it today specifically for this issue.

    Thanks to the OP of this thread and all those who contributed to its awesomeness!
    4
    Thanks so much for all the work, and the detail in your post. It is amazing the work everybody does here and the knowledge you pass on to us.
    I do have a few questions


    Would you mind sharing what kind off iron you used? is that the most bottom line on the board you soldered to? If so, did you have to scratch it or something first? Is it the farthest left line on the chip that was used? Do they make caps that size with leads coming of the 2 sides, and if so would that be a easier mod? Is there a positive and negative side to that capacitor?

    I'm really thinking about doing this, if i decide to would you mind sending me 5 of your extra caps for a $10 donation?

    Sent from my SCH-I500 using xda premium

    I did the mod at my workplace under a microscope. I used a metcal (http://www.okinternational.com/product_soldering/mx500) soldering iron but you could use just about any low wattage iron with a really fine tip.

    There's four pins on each side of the melfas chip. One end of the cap is soldered right to the interrupt pin which is the closest to the corner. the other end is connected to the ground side of C2 via a solder bridge.

    View attachment 953824

    I doubt that they make caps that small with leads on them. You could look. It's not hard to make the solder bridge. Remember the scale that were talking about here. That cap is 0.06 inches long by 0.03 inches wide. I wouldn't try to scratch the solder resist from the board because it's a flex circuit on top. Also, the cap is not polarized.

    I bought a hundred of these caps for less than $6 including shipping. I'd feel terrible charging someone $10 for five. If you pm me your address I'll stick a couple in an envelope and send them. If you want to give away ten bucks, donate it to a charity like destiny rescue or UMCOR (http://new.gbgm-umc.org/umcor/about/financialinformation/).

    Disclaimer:I've been working with parts this size for years and am pretty good at soldering. You risk dorking up your phone if you don't do this correctly. Only attempt if you are skilled at soldering. All information is presented "as is" and without warranty for fitness or use. Your mileage may vary. Void where prohibited, taxed or licensed.