Acer BeTouch E130

I bought this phone for 5990 baht (199 USD), mostly because of the form factor (looks like a BlackBerry with a QWERTY keyboard). This is my first Android exploration (I tried Android on the SmartQ 7, but it was not an official version, and it was not very stable/comfortable to use, so I never really explored it).

Some of the things that people may not like:

  • Resistive screen (no multitouch)
  • No auto focus (some apps won't run on it)

I don't really care about the screen because most of the time I use the keyboard. I don't use the camera much, so I don't care for the absence of autofocus.

So far, what I have been able to do is:

  • Root the device without flashing the firmware (using a USBModeSwitch exploit that I found)
  • Run Debian in a chroot
  • Rebuild the firmware in Linux, then flash the firmware in Windows. Then I reverse engineered the ROM Update Tool so I can flash the firmware in Linux.
  • Compile the Linux kernel
  • Fix the SD card problem (happens especially when running the Debian chroot)
  • Compile compcache (useful in running some apps in Debian)
  • Compile Android 2.1

I tried compiling Android 2.2, but there were so many Acer proprietary libraries and programs linking to the old libraries that I decided it wasn't worth the effort.

Rooting

I've tried several exploits, and none of them worked for me. I noticed that /system/bin/USBModeSwitch is setuid. Doing strings on it yields:

 stop adbd
 rmmod g_android
 echo /dev/block/vold/179:0 > /sys/devices/platform/pnx67xx_ehci_udc.0/gadget/lun0/file
 insmod /system/lib/modules/nf_conntrack.ko
 insmod /system/lib/modules/nf_defrag_ipv4.ko
 insmod /system/lib/modules/nf_conntrack_ipv4.ko
 insmod /system/lib/modules/x_tables.ko
 insmod /system/lib/modules/nf_nat.ko
 insmod /system/lib/modules/ipt_MASQUERADE.ko
 insmod /system/lib/modules/ip_tables.ko
 insmod /system/lib/modules/iptable_nat.ko
 echo 1 > /proc/sys/net/ipv4/ip_forward
 Problems with pipe
 line=%s
 insmod ./system/lib/modules/g_serial.ko
 insmod g_serial result=%d
 setprop rw.pnx67xx.startbridge 1
 busybox killall bridge_pt
 setprop rw.pnx67xx.startbridge 0
 rmmod g_multi
 insmod ./system/lib/modules/g_android.ko
 start adbd
 Start enable g_serial

Interesting, I think the binary just wraps some system(2) calls. Notice that the paths for the executables (rmmod, insmod, etc) are not absolute.

So I made this small script (named rmmod):

 #!/system/bin/sh
 cp /data/local/tmp/su /system/bin/
 chown root.root /system/bin/su
 chmod 4755 /system/bin/su

Using adb, I put that file and the su binary in /data/local/tmp. Then I did something like this:

 cd /data/local/tmp
 chmod 755 rmmod
 export PATH=/data/local/tmp:$PATH
 /system/bin/USBModeSwitch 1

In the last line, I actually don't know what the parameter 1 means; what I know is that you need to give it a parameter (as far as I know, anything will do).

After that, you need to restart your phone, and you should get a setuid /system/bin/su.
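The defensive counterpart to the pattern described above, as an added example in C that is not code from this page or from Acer: a privileged program that runs helpers through the shell inherits the caller's PATH, while one that execs an absolute path with a fixed environment does not. The names run_via_shell, run_helper and CLEAN_ENV and the fixed PATH value are assumptions made for illustration; that USBModeSwitch calls system() is the guess stated above, not something confirmed from source.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every helper; nothing is inherited from the
 * caller. The directory list is an assumption based on paths on this page. */
static char *const CLEAN_ENV[] = { "PATH=/system/bin:/system/xbin", NULL };

/* Pattern the strings output suggests: system() hands the line to a shell,
 * so a bare command name is resolved through the caller-controlled PATH. */
int run_via_shell(const char *cmdline)
{
    int status = system(cmdline);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Hardened form: absolute path only, no shell, fixed environment. */
int run_helper(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                  /* refuse anything needing a PATH lookup */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The child exits 0 if it sees the fixed PATH, 1 if it sees the caller's. */
    const char *probe = "test \"$PATH\" = \"/system/bin:/system/xbin\"";
    char *const argv[] = { "sh", "-c", (char *)probe, NULL };

    setenv("PATH", "/data/local/tmp:/usr/bin:/bin", 1);  /* caller-chosen PATH */
    printf("system():   %d\n", run_via_shell(probe));
    printf("run_helper: %d\n", run_helper("/bin/sh", argv));
    return 0;
}
```

A setuid program should additionally avoid shipping with more privilege than it needs; the environment handling shown here only closes the PATH lookup.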

Keyboard

The keyboard is fine for typing most characters, but it sucks when I have to use it in a terminal (it is difficult to type characters such as |, ~, {, }, etc.). I decided to modify Android Terminal Emulator and ConnectBot to make better use of my "Sym" key.

If anyone is interested, my modification is available at: https://github.com/yohanes/

Warning: Those two modifications are just a quick hack (I modified those two in about an hour or so). I coded some of the modifications on the phone itself. I use ssh to connect to my desktop, and I forward the ADB connection using SSH, so I can install the compiled program from my desktop.

Debian chroot

Maybe one day I can get Debian to run natively on the Acer E130, but for now the Debian chroot is perfect for me (I can run both Debian and Android apps). To add support for ext3, I compiled ext3.ko.

Start Debian (the first partition of the SD card is for FAT)

 #!/system/bin/sh
 # start debian

 # ext3.ko depends on mbcache.ko and jbd.ko, so load those first
 lsmod | grep -q mbcache
 if [ $? -ne 0 ]; then
    insmod /system/xbin/mbcache.ko
 fi

 lsmod | grep -q jbd
 if [ $? -ne 0 ]; then
    insmod /system/xbin/jbd.ko
 fi

 lsmod | grep -q ext3
 if [ $? -ne 0 ]; then
    insmod /system/xbin/ext3.ko
 fi

 # Debian root filesystem (ext3). The first partition is FAT, so this cannot
 # also be mmcblk0p1; mmcblk0p2 is an assumption, adjust it to your layout.
 mount | grep -q /system/debian/
 if [ $? -ne 0 ]; then
   mount -t ext3 -o noatime  /dev/block/mmcblk0p2 /system/debian/
 fi

 # FAT partition, made visible inside the chroot
 mount | grep -q /system/debian/sdcard
 if [ $? -ne 0 ]; then
    mount -t vfat /dev/block/mmcblk0p1 /system/debian/sdcard
 fi

 # Pseudo-terminals and /proc for programs running inside the chroot
 mount | grep -q /system/debian/dev/pts
 if [ $? -ne 0 ]; then
    mount -t devpts none /system/debian/dev/pts
 fi

 mount | grep -q /system/debian/proc
 if [ $? -ne 0 ]; then
   mount -t proc proc /system/debian/proc
 fi

 chroot /system/debian /bin/bash --login

Stop Debian

 #!/system/bin/sh
 #stop debian

 killall sshd
 sync
 umount /system/debian/sdcard
 umount /system/debian/dev/pts
 umount /system/debian/proc
 umount /system/debian/

I run mutt on the phone (not ssh-ing to another host), mail is retrieved using offlineimap. With the keyboard hack and with some customization, mutt is surprisingly usable for me.

mutt.png

I can use emacs, but I think vi is more usable:

emacs.png

Problems

SD Card Problem

With the original kernel, the SD card will have a write error when writing large blocks of data (usually during apt-get install). The problem description is almost exactly the same as this unrelated hardware:

http://code.google.com/p/sim1/wiki/SDCard

According to this post https://groups.google.com/d/msg/sim1/gLlzWeXGFr8/KevXinUXfc8J, it is because of SPI CRC. In my case, it is a different problem: it seems that the hardware DMA for scatter-gather doesn't always work properly. Changing the maximum physical segments to 1 (that is, disabling scatter-gather) and enabling the bounce buffer seems to fix the error.

Because of this one error, I spent hours changing the kernel, compiling, and testing it.

Acer Doesn't Provide Complete Source Code

Only the kernel source is available; the source code for u-boot and for busybox is not available on Acer's website. The other problem is that the kernel config file doesn't match the running kernel on the phone. It seems that there is at least one missing header file that contains the #defines needed to build a proper kernel. By comparing the dmesg output with the kernel source code, I was able to

Need 3rd party tool to reflash the image (Not anymore)

The first thing that I thought of to root the phone was to unpack the .nb0 firmware file using freely available tools, modify it, pack it, and write the new firmware using the Acer update utility. Unfortunately it doesn't work; the phone won't boot. I don't know exactly what happened, but I didn't want to spend time finding out why (and I have to use Windows to do that).

A few days after that I found out that I can use RUT V1.2.1.exe, a third-party tool, to flash .nb0 to my phone (I don't know about the legality of this tool). I hate having to go to Windows to update my phone firmware, so I reverse engineered the protocol, and now I can flash the firmware in Linux.

Some info about the firmware

This device uses the Jaluna Osware Hypervisor. It runs a realtime kernel and Linux. I think the realtime kernel is for running the modem.

You can activate ROM Update Tool (the USB Descriptor says it is 'U-Boot') by holding power and up button while booting.

Compiling The Kernel

I was worried that there would be a checksum or a signature that prevents modification of the kernel, but it turns out that there is only a partition header (in the extracted firmware it has the name *.ptt_header) with the file size in it. I tried to extract the kernel from mtdblock16, modify a string in it, and write it back. The kernel booted and the string was changed in the dmesg output, so there is no signature checking.

The kernel on the phone was not compiled with CONFIG_IKCONFIG enabled, so I can't get the .config for the running kernel. I tried compiling the kernel using arch/arm/configs/acer_k3_defconfig and it didn't boot. After carefully looking at the dmesg output and the contents of /proc/kallsyms, I was able to add the proper #defines to get the kernel compiled, and the symbol table (System.map) matches almost perfectly. Only some names that start with fih on the running kernel are changed to acer in my kernel build (I could also change this, but I think ACER looks nicer).

I don't know the exact structure of ptt_header, but it contains the file size of the partition file (repeated twice) and a number that I don't understand. I decided not to change the ptt_header file, and just create a kernel image that is smaller than or equal to the original kernel in size. One of the obvious things to remove from the kernel config is the NFS client support (it can be changed into a kernel module if you need it).

Steps to flash the kernel:

 # host side
 make menuconfig
 make
 ./flash.sh # will generate vmlinux.linux
 cat K3-0-0011.linux.ptt_header vmlinux.linux > newkernel.bin # K3-0-0011.linux.ptt_header is from OS image in acer website
 adb push newkernel.bin /sdcard
 adb push ./drivers/power/battmon.ko /sdcard
 adb push ./drivers/power/pnx_battery.ko /sdcard
 adb push ./drivers/power/drvchg.ko /sdcard

 adb shell
 # android side
 su -
 dd if=/sdcard/newkernel.bin of=/dev/block/mtdblock16
 cp /sdcard/*.ko /system/lib/modules

My modified kernel is available here: https://github.com/yohanes/Acer-BeTouch-E130-Linux-Kernel

Android stuff

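udev rule to connect to adb automatically when the device is plugged in:

 # Handle "add" events for tty devices here; everything else skips ahead
 ACTION!="add", GOTO="acere130_remove"
 SUBSYSTEM!="tty", GOTO="acere130_end"

 # udev properties are matched with ENV{...}, and matching needs "==" (a single "=" assigns).
 # RUN programs are executed as root, and this adb binary sits in a home directory.
 ENV{ID_VENDOR_ID}=="0502", ENV{ID_MODEL_ID}=="3235", \
   RUN+="/sbin/ifconfig usb0 192.168.239.2", \
   RUN+="/home/yohanes/android-sdk-linux_x86/platform-tools/adb connect 192.168.239.4", \
   GOTO="acere130_end"

 LABEL="acere130_remove"

 # Handle "remove" events for tty devices
 ACTION!="remove", GOTO="acere130_end"
 SUBSYSTEM!="tty", GOTO="acere130_end"

 ENV{ID_VENDOR_ID}=="0502", ENV{ID_MODEL_ID}=="3235", \
    RUN+="/home/yohanes/android-sdk-linux_x86/platform-tools/adb disconnect"

 LABEL="acere130_end"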

Copyright © 2009-2010 Yohanes Nugroho