--- title: "how to disable mouse pointer acceleration on android" description: "suffering through android system libraries" author: "slonkazoid" created_at: 2024-04-22T20:24:00+03:00 tags: - assembly - hacking - tutorial --- # how to disable mouse pointer acceleration on android -or, why my workspaces look like this ![3 workspaces in plasma. the first one has 3 windows tiled neatly, the second one has a cacophony of windows with some tiled in a 2x2 grid, some floating in random places](/media/accel/workspaces.png) a tale of laziness and assembly patching if you are only interested in the [tutorial](#tutorial), skip to that section ## android has pointer acceleration??? yes. yes it does. turns out this can be disabled with root and an app called [SetEdit](https://github.com/MuntashirAkon/SetEdit). oh wait, it no longer works. the acceleration is hardcoded now. ## how to disable mouse pointer acceleration on kde plasma 1. press the super/windows/meta key 2. type "Mouse" 3. press enter/click on the Mouse option 4. change "Pointer acceleration" from "Standard" to "None" ## tutorial *required tools: [Ghidra](https://github.com/NationalSecurityAgency/ghidra), [adb & fastboot](https://developer.android.com/tools/releases/platform-tools) (fastboot for contingency), [Magisk](https://github.com/topjohnwu/Magisk) already installed and set up, a hex editor (i used [hexedit](https://github.com/pixel/hexedit)), patience, lack of self respect, abnormal understanding of priorities, a browser* *assumes you have experience in writing Magisk modules, patching assembly using a hex editor, reading C & C++, and using a browser* ### set up a workspace make a directory for all this stuff and cd into it ```sh mkdir ~/accel cd ~/accel mkdir ghidra # ghidra project dir mkdir disable-accel # magisk module dir ``` launch ghidra and create a project in the `ghidra` directory. the name doesn't matter. download your ROM's clean `boot.img` file or generate it somehow. this is for ~~if~~ when you bootloop your phone. ### locate and transfer the libinput.so file connect to your phone using adb. the libinput.so file should be at `/system/lib64/libinput.so`. retrieve it using `adb pull`. ```sh adb pull /system/lib64/libinput.so cp libinput.so{,.bak} # copy to libinput.so.bak, just in case ``` ### disassemble it open the CodeBrowser tool from the tool chest in ghidra ![the tool chest with CodeBrowser highlighted](/media/accel/tool_chest.png) drag & drop the `libinput.so` file on the CodeBrowser (which i will just call 'ghidra') navigate to your android version's `libs/inputs/VelocityControl.cpp` file. [here](https://android.googlesource.com/platform/frameworks/native/+/686c83d5232ecef194acef1f1e7a3789422dbb20/libs/input/VelocityControl.cpp)'s it from the commit i will use as a reference. locate the [these lines](https://android.googlesource.com/platform/frameworks/native/+/686c83d5232ecef194acef1f1e7a3789422dbb20/libs/input/VelocityControl.cpp) in the assembly. in my case they were located at the address `00149478`, which is byte `0x0049478` in the actual file. ![screenshot of ghidra displaying the instruction alongside the decompiled versions](/media/accel/ifs.png) now all you have to do is to patch the `str` (store) calls with a `nop`. you want to do this for *both* deltaX and deltaY or you will have pointer acceleration in one direction which is truthfully horrifying. first, take note of the address and the bytes of the `str` instructions. mine were at `00149490` and `001494a0`, and the instruction bytes were `80 02 00 bd` and `60 02 00 bd`. you will use these to locate the instructions in the hex editor. then, right click the `str` instruction and choose "Patch Instruction" from the context menu. the first time you do this a loading popup will appear, it will take a good while to load. after it loads, remove the parameters (right side), and replace the instruction (left side) with a `nop`. ![str replaced with nop as just described](/media/accel/nop.png) press enter to make the change. the instruction bytes should now be `1f 20 03 d5`, but if you are reading this in the future with an arm64v21 cpu or something it might be different. i will refer to the `nop` instruction bytes by their value (`1f 20 03 d5`) for the rest of this post. repeat for the other delta variable. ### edit the binary in the end, i had made 2 changes to the binary address `00149490` (actual location `0x049490`): `80 02 00 bd` -> `1f 20 03 d5` address `001494a0` (actual location `0x0494a0`): `60 02 00 bd` -> `1f 20 03 d5` i changed these bytes in the hex editor and saved the file ![hex editor just before saving the file](/media/accel/hex_editor.png) ### create a Magisk module if you don't know how to do this, follow the [official guide](https://topjohnwu.github.io/Magisk/guides.html) edit the `disable-accel/magisk.prop` file. you can just paste the content below or write your own. ```sh id=disable-pointer-acceleration name="Disable pointer acceleration" version=v1 versionCode=1 author=me description="Disable pointer acceleration on Android by patching the libinput.so file" ``` copy the `libinput.so` file to `disable-accel/system/lib64/libinput.so` ```sh mkdir -p disable-accel/system/lib64 cp libinput.so disable-accel/system/lib64 ``` push the module to your phone and reboot ```sh adb push disable-accel /data/adb/modules adb reboot ``` ## my phone is bootlooping good job. i bootlooped my phone several times while trying to figure this out. what worked was not using ghidra's export feature but using a hex editor to patch the binary myself. to un-bootloop your phone, follow these steps: 1. boot to fastboot and `fastboot flash boot boot.img` 2. reboot into your now no longer bootlooping ROM and run `adb shell rm -rf /data/adb/modules/disable-accel` 3. reinstall magisk ## questions you can find my contact information on my website: