Acer BeTouch E130
I bought this phone for 5990 baht (199 USD), mostly because of the form factor (looks like a blackberry with qwerty keyboard). This is my first Android exploration (I tried Android in SmartQ 7 but it was not an official version, and it was not very stable/comfortable to use, so I never realy explored it).
Some of the things that people may not like:
- Resistive screen (no multitouch)
- No auto focus (some apps wont run on it)
I don't really care about the screen because most of the time I use the keyboard. I don't use the camera much, so I don't care for the absence of autofocus.
So far what I been able able to do is:
- Root the device without flashing the firmware (using
USBModeSwitchexploit that I found)
- Run debian in chroot
- Rebuild the firmware in linux then flash the firmware in Windows. Then I reverse engineerd the Rom Update Tool so I can flash the firmware in Linux.
- Compile the linux kernel
- Fix the SD card problem (happens especially when running debian chroot)
- Compile compcache (useful in running some apps in debian)
- Compile Android 2.1
I tried compiling Android 2.2 but there were so many Acer Proprietary library and program linking to the old library, so I decided that it wasn't worth the effort.
I've tried several exploits, and none of them worked for me. I noticed that
/system/bin/USBModeSwitch is setuid. Doing
strings on it yields:
stop adbd rmmod g_android echo /dev/block/vold/179:0 > /sys/devices/platform/pnx67xx_ehci_udc.0/gadget/lun0/file insmod /system/lib/modules/nf_conntrack.ko insmod /system/lib/modules/nf_defrag_ipv4.ko insmod /system/lib/modules/nf_conntrack_ipv4.ko insmod /system/lib/modules/x_tables.ko insmod /system/lib/modules/nf_nat.ko insmod /system/lib/modules/ipt_MASQUERADE.ko insmod /system/lib/modules/ip_tables.ko insmod /system/lib/modules/iptable_nat.ko echo 1 > /proc/sys/net/ipv4/ip_forward Problems with pipe line=%s insmod ./system/lib/modules/g_serial.ko insmod g_serial result=%d setprop rw.pnx67xx.startbridge 1 busybox killall bridge_pt setprop rw.pnx67xx.startbridge 0 rmmod g_multi insmod ./system/lib/modules/g_android.ko start adbd Start enable g_serial
Interesting, I think the binary just wraps some
system(2) calls. Notice that the paths for the executables (
insmod, etc) are not absolute.
So I made this small script (named
#!/system/bin/sh cp /data/local/tmp/su /system/bin/ chown root.root /system/bin/su chmod 4755 /system/bin/su
adb, I put that file and
su binary in
/data/local/tmp. Then I did something like this:
cd /data/local/tmp chmod 755 rmmod export PATH=/data/local/tmp:$PATH /system/bin/USBModeSwitch 1
In the last line, I actually don't know what the parameter
1 means, what I know is that you need to give it a parameter (as far as I know, anything will do).
After that, you need to restart your phone, and should get a setuid
The keyboard is fine for typing most characters, but it sucks when I have to use it in terminal (difficult to type characters such as
}, etc). I decided to modify Android Terminal Emulator and ConnectBot to make better use of my "Sym" key.
If anyone is interested, my modification is available at: https://github.com/yohanes/
Warning: Those two modifications are just a quick hack (I modify those two in about an hour or so). I coded some of the modification on the phone itself. I use ssh to connect to my desktop, and I forward the ADB connection using SSH, so I can install the compiled program from my desktop.
May be one day I can get debian to run natively on Acer E130, but for now debian chroot is perfect for me (I can run both Debian and android apps). To add support for ext3, I compiled
Start debian (first partition of sd card is for FAT)
#!/system/bin/sh #start debian lsmod | grep -q mbcache if [ $? -ne 0 ]; then insmod /system/xbin/mbcache.ko fi lsmod | grep -q jbd if [ $? -ne 0 ]; then insmod /system/xbin/jbd.ko fi lsmod | grep -q ext3 if [ $? -ne 0 ]; then insmod /system/xbin/ext3.ko fi mount | grep -q /system/debian/ if [ $? -ne 0 ]; then mount -t ext3 -o noatime /dev/block/mmcblk0p1 /system/debian/ fi mount | grep -q /system/debian/sdcard if [ $? -ne 0 ]; then mount -t vfat /dev/block/mmcblk0p1 /system/debian/sdcard fi mount | grep -q /system/debian/dev/pts if [ $? -ne 0 ]; then mount -t devpts none /system/debian/dev/pts fi mount | grep -q /system/debian/proc if [ $? -ne 0 ]; then mount -t proc proc /system/debian/proc fi chroot /system/debian /bin/bash --login
#!/system/bin/sh #stop debian killall sshd sync umount /system/debian/sdcard umount /system/debian/dev/pts umount /system/debian/proc umount /system/debian/
I run mutt on the phone (not ssh-ing to another host), mail is retrieved using
offlineimap. With the keyboard hack and with some customization, mutt is surprisingly usable for me.
I can use emacs, but I think vi is more usable:
SD Card Problem
With the original kernel, the SD card will have a write error when writing large blocks of data (usually during apt-get install). The problem description is almost exactly the same as this unrelated hardware:
According to this post https://groups.google.com/d/msg/sim1/gLlzWeXGFr8/KevXinUXfc8J, it is because of spi crc. In my case, it is a different problem, it seems that the hardware DMA for scatter gather doesn't always work properly. Changing maximum physical segment to 1 (that is disabling the scatter gather), and enabling bounce buffer seems to fix the error.
Because of this one error, I spent hours changing the kernel, compiling, and testing it.
Acer Doesn't Provide Complete Source Code
Only the kernel source is available, the source code for u-boot and for busybox is not available in Acer's website. The other problem is that: the kernel config file doesn't match with the running kernel on the phone. It seems that there is at least one missing header file that contains
#defines to build proper kernel. By comparing the
dmesg output with the kernel source code, I was able to
Need 3rd party tool to reflash the image (Not anymore)
The first thing that I think of to root the phone was to unpack the .nb0 firmware file using freely available tools, modify it, pack it, and write the new firmware using acer update utility. Unfortunately it doesn't work, the phone won't boot. I don't know exactly what happened, but I didn't want to spend time finding out why (and I have to use windows to do that).
Few days after that I found out that I can use RUT V1.2.1.exe, a third party tool to flash .nb0 to my phone (I don't know about the legality of this tool). I hate to have to go to windows to update my phone firmware, so I reverse engineer the protocol, and now I can flash the firmware in Linux.
Some info about the firmware
This device uses Jaluna Osware Hypervisor. It runs a realtime kernel and linux. I think the realtime kernel is for running the modem.
You can activate ROM Update Tool (the USB Descriptor says it is 'U-Boot') by holding power and up button while booting.
Compiling The Kernel
I was worried that there is a checksum or a signature that prevents modification of the kernel, it turns out that there is only a partition header (in the extracted firmware it has the name
*.ptt_header with file size in it. I tried to extract the kernel from
mtdblock16, modify a string in it, and try to write it back. The kernel boots and the string was changed in the
dmesg, so there is no signature checking.
The kernel on the phone was not compiled with
CONFIG_IKCONFIG enabled, so I can't get the .config for the running kernel. I tried compiling the kernel using
arch/arm/configs/acer_k3_defconfig and it didn't boot. After carefully looking at the dmesg output and the contents of
/proc/kallsyms, I was able to add proper
#defines to get the kernel compiled, and the symbol table (
System.map) matches almost perfectly. Only some names that starts with
fih on the running kernel is changed to
acer on my kernel build (I could also change this, but I think ACER looks nicer).
I don't know exactly the structure of
ptt_header, but it contains the filesize of the partition file (repeated twice) and a number that I don't understand. I decided not to change the ptt_header file, and just create kernel image that is smaller or equal than the original kernel. One of the obvious thing to remove from the kernel config is the NFS client support (it can be changed into kernel module if you need it).
Steps to flash the kernel:
#host side make menuconfig make ./flash.sh # will generate vmlinux.linux cat K3-0-0011.linux.ptt_header vmlinux.linux > newkernel.bin # K3-0-0011.linux.ptt_header is from OS image in acer website adb push newkernel.bin /sdcard adb push ./drivers/power/battmon.ko /sdcard adb push ./drivers/power/pnx_battery.ko /sdcard adb push ./drivers/power/drvchg.ko /sdcard adb shell #android side su - dd if=/sdcard/newkernel.bin of=/dev/block/mtdblock16 cp /sdcard/*.ko /system/lib/modules
My modified kernel is available here: https://github.com/yohanes/Acer-BeTouch-E130-Linux-Kernel
udev rule to connect to adb automatically when device is plugged in:
SUBSYSTEM!="tty", ACTION!="add", GOTO="acere130_remove" ID_VENDOR_ID=="0502",ID_MODEL_ID="3235", \ RUN+="/sbin/ifconfig usb0 192.168.239.2", \ RUN+="/home/yohanes/android-sdk-linux_x86/platform-tools/adb connect 192.168.239.4", \ GOTO="acere130_end" LABEL="acere130_remove" SUBSYSTEM!="tty", ACTION!="remove", GOTO="acere130_end" ID_VENDOR_ID=="0502",ID_MODEL_ID="3235", \ RUN+="/home/yohanes/android-sdk-linux_x86/platform-tools/adb disconnect" LABEL="acere130_end"
Copyright © 2009-2018 Yohanes Nugroho