---
title: "how to disable mouse pointer acceleration on android"
description: "suffering through android system libraries"
author: "slonkazoid"
created_at: 2024-04-22T20:24:00+03:00
tags:
 - assembly
 - hacking
 - tutorial
---

# how to disable mouse pointer acceleration on android

-or, why my workspaces look like this

<img alt="3 workspaces in plasma. the first one has 3 windows tiled neatly, the second one has a cacophony of windows with some tiled in a 2x2 grid, some floating in random places" src="/media/accel/workspaces.png">

**UPDATE**: this no longer works on Android 14+ because they changed
how mouse acceleration works. i will be sure to update this blog post
if i figure out an easy way to setprop or patch that out. for now, i
wish you luck.

**UPDATE**: *This feature is complete, and should launch in the 25Q4 release unless something goes badly wrong.*
[source](https://issuetracker.google.com/issues/386671300#comment7)

a tale of laziness and assembly patching

if you are only interested in the [tutorial](#tutorial), skip to that section

## android has pointer acceleration???

yes. yes it does. turns out this can be disabled with root and an app called [SetEdit](https://github.com/MuntashirAkon/SetEdit). oh wait, it no longer works. the acceleration is hardcoded now.

UPDATE: they are working on a feature to change this! soon this post will be useless for newest android. [**issue tracker link**](https://issuetracker.google.com/issues/386671300#comment3)

## how to disable mouse pointer acceleration on kde plasma

1. press the super/windows/meta key
2. type "Mouse"
3. press enter/click on the Mouse option
4. change "Pointer acceleration" from "Standard" to "None"

## tutorial

*required tools: [Ghidra](https://github.com/NationalSecurityAgency/ghidra), [adb & fastboot](https://developer.android.com/tools/releases/platform-tools) (fastboot for contingency), [Magisk](https://github.com/topjohnwu/Magisk) already installed and set up, a hex editor (i used [hexedit](https://github.com/pixel/hexedit)), patience, lack of self respect, abnormal understanding of priorities, a browser*

*assumes you have experience in writing Magisk modules, patching assembly using a hex editor, reading C & C++, and using a browser*

### set up a workspace

make a directory for all this stuff and cd into it

```sh
mkdir ~/accel
cd ~/accel
mkdir ghidra        # ghidra project dir
mkdir disable-accel # magisk module dir
```

launch ghidra and create a project in the `ghidra` directory. the name doesn't matter.

download your ROM's clean `boot.img` file or generate it somehow. this is for ~~if~~ when you bootloop your phone.

### locate and transfer the libinput.so file

connect to your phone using adb. the libinput.so file should be at `/system/lib64/libinput.so`. retrieve it using `adb pull`.

```sh
adb pull /system/lib64/libinput.so
cp libinput.so{,.bak} # copy to libinput.so.bak, just in case
```

### disassemble it

open the CodeBrowser tool from the tool chest in ghidra

![the tool chest with CodeBrowser highlighted](/media/accel/tool_chest.png)

drag & drop the `libinput.so` file on the CodeBrowser (which i will just call 'ghidra')

navigate to your android version's `libs/inputs/VelocityControl.cpp` file. [here](https://android.googlesource.com/platform/frameworks/native/+/686c83d5232ecef194acef1f1e7a3789422dbb20/libs/input/VelocityControl.cpp)'s it from the commit i will use as a reference.

locate the [these lines](https://android.googlesource.com/platform/frameworks/native/+/686c83d5232ecef194acef1f1e7a3789422dbb20/libs/input/VelocityControl.cpp#109) in the assembly. in my case they were located at the address `00149478`, which is byte `0x0049478` in the actual file (explained later).

![screenshot of ghidra displaying the instruction alongside the decompiled versions](/media/accel/ifs.png)

to make your job easier, you can use the Search -> For Instruction Patterns tool. simply enter it, click the "Enter bytes manually" button, set it to hex mode, and paste the following:

```
00 09 20 1e
80 02 00 bd
```

searching this pattern *should* take you to the appropriate place in the binary.

![screenshot of the instruction pattern searcher tool, set to search for a sequence of fmul and str. it has found one occurence. note that the addresses in this screenshot do not match with the actual ones as i took it way later cuz i upgraded to android 14 and had to redo this](/media/accel/pattern_search.png)

now all you have to do is to patch the `str` (store) calls with a `nop`. you want to do this for *both* deltaX and deltaY or you will have pointer acceleration in one direction which is truthfully horrifying.

first, take note of the address and the bytes of the `str` instructions. mine were at `00149490` and `001494a0`, and the instruction bytes were `80 02 00 bd` and `60 02 00 bd`. you will use these to locate the instructions in the hex editor.

then, right click the `str` instruction and choose "Patch Instruction" from the context menu. the first time you do this a loading popup will appear, it will take a good while to load.

after it loads, remove the parameters (right side), and replace the instruction (left side) with a `nop`.

![str replaced with nop as just described](/media/accel/nop.png)

press enter to make the change. the instruction bytes should now be `1f 20 03 d5`, but if you are reading this in the future with an arm64v21 cpu or something it might be different. i will refer to the `nop` instruction bytes by their value (`1f 20 03 d5`) for the rest of this post.

repeat for the other delta variable, but **do not export the binary**. doing that in *ghidra* will make you bootloop in old magisk, or boot into safe mode (all modules disabled) in new magisk.

### edit the binary

to get the actual location of the instructions in the binary, go to Help -> About libinput.so and subtract the 'Minimum Address' from the address in the disassembler. this gives you a byte offset that you can use to navigate in your hex editor.

in the end, i had made 2 changes to the binary

address `00149490` (actual location `0x049490`): `80 02 00 bd` -> `1f 20 03 d5`  
address `001494a0` (actual location `0x0494a0`): `60 02 00 bd` -> `1f 20 03 d5`

i changed these bytes in the hex editor and saved the file

![hex editor just before saving the file](/media/accel/hex_editor.png)

### create a Magisk module

if you don't know how to do this, follow the [official guide](https://topjohnwu.github.io/Magisk/guides.html)

edit the `disable-accel/module.prop` file. you can just paste the content below or write your own.

```sh
id=disable-pointer-acceleration
name=Disable pointer acceleration
version=v1
versionCode=1
author=slonkazoid
description=Disable pointer acceleration on Android by patching the libinput.so file
```

copy the `libinput.so` file to `disable-accel/system/lib64/libinput.so`

```sh
mkdir -p disable-accel/system/lib64
cp libinput.so disable-accel/system/lib64
```

push the module to your phone and reboot

```sh
adb root
adb push disable-accel /data/adb/modules
adb reboot
```

## my phone is bootlooping

good job. i bootlooped my phone several times while trying to figure this out. what worked was not using ghidra's export feature but using a hex editor to patch the binary myself.

to un-bootloop your phone, follow these steps:

1. boot to fastboot and `fastboot flash boot boot.img`
2. reboot into your now no longer bootlooping ROM and run `adb shell rm -rf /data/adb/modules/disable-accel`
3. reinstall magisk

## questions

you can find my contact information on my website: <https://slonk.ing/#contact>