Teclast X98 Air 3G: cheap Intel Bay Trail tablet, getting acquainted
I got a Teclast X98 Air 3G tablet from Aliexpress. It cost 168 € (with free shipping), has a high-definition screen, and is an Intel Bay Trail device: so Android, x86 architecture, 2 GiB of RAM and 32 GiB of storage on eMMC.
I think the product has some minor design issues:
- the speakers are on the same side, the short side, not great when watching videos, but you want headphones or external speakers for better sound anyway;
- when displaying content with a white background at medium brightness, the screen shows some —very light— yellowish gradient;
- when using the leather cover the SIM slot and the MicroSD slot cannot be accessed, they are, well, covered;
- the device does not rotate the screen automatically when booted in landscape mode, the Android login screen is always shown in portrait mode at boot; this is inconvenient when booting the tablet while it's on the desk; BTW the firmware screens and the boot logos are also always shown in portrait mode, I guess that's OK for a tablet, but I would have picked a logo with some radial symmetry, or maybe drawn it at an angle, in order to alleviate the feeling of wrong orientation when booting with the device in landscape orientation;
- the UEFI firmware informative screen is shown at boot, giving the boot experience an old PC feeling, or maybe I should say classic or familiar, I am not sure; this can be disabled in the firmware settings tho;
but besides that it's not bad considering the price: it's got HDMI output, 3G and a MicroSD slot (yeah, I'm lookin' right atch-ya, Google Nexuses...).
I eventually intend to run Debian on it, but let's take a look at the specs and do a full backup first.
Hardware and kernel support
Some info about the CPU:
    ao2@localhost:~/WIP/Teclast $ adb shell cat /proc/cpuinfo | grep model\ name | uniq
    model name : Intel(R) Atom(TM) CPU Z3736F @ 1.33GHz
On Debian unstable
adb is available in the
Here is the full dmesg log.
It's pretty easy to get it, as the device came pre-rooted:
    ao2@localhost:~/WIP/Teclast $ adb root
    ao2@localhost:~/WIP/Teclast $ adb shell dmesg > dmesg-Teclast_X98_Air_3G.log
UEFI firmware backup (with flashrom)
The firmware configuration menu (Aptio Setup Utility) can be accessed by pressing ESC or DEL on a USB keyboard connected to the USB OTG adapter.
The version I have reports this information:
    BIOS Vendor            American Megatrends
    Core version           5.008
    Compliancy             UEFI 2.3; PI 1.2
    Project Version        A3G069 1.01 x64
    Build Date and Time    08/29/2014 09:41:04
    ...
There are newer firmware versions available on the net, so if I am going to test them it's better to save the one I have right now.
Get and compile flashrom on an x86 host:
    ao2@localhost:~/WIP/Teclast $ git svn clone svn://flashrom.org/flashrom/trunk flashrom
    ao2@localhost:~/WIP/Teclast $ cd flashrom
    ao2@localhost:~/WIP/Teclast/flashrom $ make NEED_FTDI=no NEED_USB=no CFLAGS=-static LDFLAGS=-static
Copy it on the target device and read the firmware:
    ao2@localhost:~/WIP/Teclast/flashrom $ adb push flashrom /data
    ao2@localhost:~/WIP/Teclast/flashrom $ cd ..
    ao2@localhost:~/WIP/Teclast $ adb root
    ao2@localhost:~/WIP/Teclast $ adb shell
    root@x98air3g_c6j6:/ # cd /data
    root@x98air3g_c6j6:/data # ./flashrom -p internal -r Teclast_X98_Air_3G_IFWI_flashrom_dump.rom
    flashrom v0.9.7-r1854 on Linux 3.10.20-g4a0098e-dirty (x86_64)
    flashrom is free software, get the source code at http://www.flashrom.org
    Calibrating delay loop... OK.
    No DMI table found.
    Found chipset "Intel Bay Trail".
    This chipset is marked as untested. If you are using an up-to-date version
    of flashrom *and* were (not) able to successfully update your firmware with it,
    then please email a report to email@example.com including a verbose (-V) log.
    Thank you!
    Enabling flash write... OK.
    Found Winbond flash chip "W25Q64.W" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
    Reading flash... done.
    root@x98air3g_c6j6:/data # exit
    ao2@localhost:~/WIP/Teclast $ adb pull /data/Teclast_X98_Air_3G_IFWI_flashrom_dump.rom
So flashrom can read the flash memory just fine; I haven't tried to write it yet, but I think I'll do it soon. Since it's an SPI flash there is a chance that it's reasonably easy to re-program it with an external programmer in case of a brick. I haven't taken the device apart yet to see what physical package the flash chip uses.
    unit : sectors
    /dev/mmcblk0p1  : start =       40, size =   131072, Id=XX
    /dev/mmcblk0p2  : start =   131112, size =   131072, Id=XX
    /dev/mmcblk0p3  : start =   262184, size =    32768, Id=XX
    /dev/mmcblk0p4  : start =   294952, size =    32768, Id=XX
    /dev/mmcblk0p5  : start =   327720, size =    32768, Id=XX
    /dev/mmcblk0p6  : start =   360488, size =    32768, Id=XX
    /dev/mmcblk0p7  : start =   393256, size =   131072, Id=XX
    /dev/mmcblk0p8  : start =   524328, size =    65536, Id=XX
    /dev/mmcblk0p9  : start =   589864, size =    32768, Id=XX
    /dev/mmcblk0p10 : start =   622632, size =    32768, Id=XX
    /dev/mmcblk0p11 : start =   655400, size =    32768, Id=XX
    /dev/mmcblk0p12 : start =   688168, size =  2097152, Id=XX
    /dev/mmcblk0p13 : start =  2785320, size =    65536, Id=XX
    /dev/mmcblk0p14 : start =  2850856, size =  2097152, Id=XX
    /dev/mmcblk0p15 : start =  4948008, size = 56115160, Id=XX
And the corresponding partition labels are:
    ao2@localhost:~/WIP/Teclast $ adb shell 'ls -l /dev/block/platform/intel/by-label/' | sort -t '>' -k 2.21n | column -t
    lrwxrwxrwx  root  root  2014-11-20  13:38  ESP         ->  /dev/block/mmcblk0p1
    lrwxrwxrwx  root  root  2014-11-20  13:38  reserved    ->  /dev/block/mmcblk0p2
    lrwxrwxrwx  root  root  2014-11-20  13:38  boot        ->  /dev/block/mmcblk0p3
    lrwxrwxrwx  root  root  2014-11-20  13:38  recovery    ->  /dev/block/mmcblk0p4
    lrwxrwxrwx  root  root  2014-11-20  13:38  fastboot    ->  /dev/block/mmcblk0p5
    lrwxrwxrwx  root  root  2014-11-20  13:38  reserved_1  ->  /dev/block/mmcblk0p6
    lrwxrwxrwx  root  root  2014-11-20  13:38  test        ->  /dev/block/mmcblk0p7
    lrwxrwxrwx  root  root  2014-11-20  13:38  panic       ->  /dev/block/mmcblk0p8
    lrwxrwxrwx  root  root  2014-11-20  13:38  factory     ->  /dev/block/mmcblk0p9
    lrwxrwxrwx  root  root  2014-11-20  13:38  misc        ->  /dev/block/mmcblk0p10
    lrwxrwxrwx  root  root  2014-11-20  13:38  config      ->  /dev/block/mmcblk0p11
    lrwxrwxrwx  root  root  2014-11-20  13:38  cache       ->  /dev/block/mmcblk0p12
    lrwxrwxrwx  root  root  2014-11-20  13:38  logs        ->  /dev/block/mmcblk0p13
    lrwxrwxrwx  root  root  2014-11-20  13:38  system      ->  /dev/block/mmcblk0p14
    lrwxrwxrwx  root  root  2014-11-20  13:38  data        ->  /dev/block/mmcblk0p15
I didn't have an empty MicroSD card handy, so I used an external hard drive connected to the USB OTG adapter to store the backups; I had to use adb via TCP/IP:
    ao2@localhost:~/WIP/Teclast $ adb tcpip
    ao2@localhost:~/WIP/Teclast $ adb connect 192.168.0.99
    ao2@localhost:~/WIP/Teclast $ adb root
    ao2@localhost:~/WIP/Teclast $ adb shell
And I ran this script:
    #!/system/bin/sh
    # The data partition is more than 20GiB, let's skip it.
    find /dev/block/platform/intel/by-label -type l | grep -v '/data$' |
    while read partition;
    do
      OUTPUT_FILE="/storage/usbcard1/$(basename "$partition").img"
      echo "Dumping '$partition' to '$OUTPUT_FILE'"
      dd if="$partition" of="$OUTPUT_FILE"
    done
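A backup is only useful if every image is complete, so it is worth checking each dumped file against the size the partition table gives for it. The following is an added example, not part of the original post: it joins the two listings above and flags missing or short images; the function names are hypothetical, 512-byte sectors are an assumption, and the "on disk" sizes in the demo are constructed.

```python
import os
import re

SECTOR = 512  # assumption: the sfdisk listing counts 512-byte sectors

def expected_sizes(sfdisk_text, labels_text):
    """Join the sfdisk dump and the by-label listing into {label: bytes}."""
    sectors = {m.group(1): int(m.group(2)) for m in re.finditer(
        r"/dev/(mmcblk0p\d+)\s*:\s*start\s*=\s*\d+,\s*size\s*=\s*(\d+)", sfdisk_text)}
    sizes = {}
    for m in re.finditer(r"(\S+)\s+->\s+/dev/block/(mmcblk0p\d+)", labels_text):
        label, part = m.groups()
        if part in sectors:
            sizes[label] = sectors[part] * SECTOR
    return sizes

def image_sizes(directory):
    """Sizes of the <label>.img files pulled from the backup disk."""
    return {name[:-4]: os.path.getsize(os.path.join(directory, name))
            for name in os.listdir(directory) if name.endswith(".img")}

def check_dumps(expected, actual, skipped=("data",)):
    """Return [(label, problem)] for images that are missing or the wrong size."""
    problems = []
    for label, size in sorted(expected.items()):
        if label in skipped:
            continue  # the script above deliberately skips the data partition
        if label not in actual:
            problems.append((label, "missing"))
        elif actual[label] != size:
            problems.append((label, f"{actual[label]} bytes, expected {size}"))
    return problems

# Three rows of each listing, copied from the output above
SFDISK = """/dev/mmcblk0p1 : start = 40, size = 131072, Id=XX
/dev/mmcblk0p3 : start = 262184, size = 32768, Id=XX
/dev/mmcblk0p12 : start = 688168, size = 2097152, Id=XX"""
LABELS = """lrwxrwxrwx root root 2014-11-20 13:38 ESP -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2014-11-20 13:38 boot -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2014-11-20 13:38 cache -> /dev/block/mmcblk0p12"""

if __name__ == "__main__":
    # Constructed result: boot.img cut short, cache.img never written
    on_disk = {"ESP": 67108864, "boot": 4194304}
    for label, problem in check_dumps(expected_sizes(SFDISK, LABELS), on_disk):
        print(f"{label}.img: {problem}")
```

On the host, `image_sizes()` pointed at the directory holding the `.img` files supplies the real sizes in place of the constructed dictionary.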
First quick inspection
There are some Android bootimgs (
recovery) which can be modified with these Bootimg-scripts, I noticed that the kernel is compiled for a 32-bit architecture.
Some ext4 filesystems (
Some raw data partitions (
The ESP partition is the UEFI boot partition (EFI System Partition); it's a FAT32 filesystem and can be loop-mounted with no problems.
A quick analysis with binwalk shows that this partition contains some 800x1000 bitmaps:
    ao2@localhost:~/WIP/Teclast $ binwalk ESP.img
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    1051648       0x100C00        Microsoft portable executable
    1149888       0x118BC0        PC bitmap, Windows 3.x format, 800 x 1000 x 24
    2465927       0x25A087        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
    3620864       0x374000        Microsoft portable executable
    3676128       0x3817E0        PC bitmap, Windows 3.x format, 800 x 1000 x 24
    4992167       0x4C2CA7        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
    6100480       0x5D1600        Microsoft portable executable
    6198720       0x5E95C0        PC bitmap, Windows 3.x format, 800 x 1000 x 24
    7514759       0x72AA87        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
The pictures can be spotted with a really rough approach using rawtoppm from netpbm:
    ao2@localhost:~/WIP/Teclast $ rawtoppm -bgr 800 $(($(stat -c "%s" ESP.img) / 3 / 800)) ESP.img > ESP.ppm
It turns out that all three pictures are identical: it's the logo shown at boot right after the UEFI firmware screen.
The logo is contained once in each of the EFI binaries:
    ao2@localhost:~/WIP/Teclast $ mkdir ESP
    ao2@localhost:~/WIP/Teclast $ sudo mount -o loop ESP.img ESP/
    ao2@localhost:~/WIP/Teclast $ find ESP/
    ESP/
    ESP/EFI
    ESP/EFI/Intel
    ESP/EFI/Intel/Data
    ESP/EFI/Intel/efilinux.efi
    ESP/EFI/Intel/warmdump.efi
    ESP/EFI/BOOT
    ESP/EFI/BOOT/bootx64.efi
    ao2@localhost:~/WIP/Teclast $ binwalk ESP/EFI/BOOT/bootx64.efi
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             Microsoft portable executable
    98240         0x17FC0         PC bitmap, Windows 3.x format, 800 x 1000 x 24
    1414279       0x159487        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
    ao2@localhost:~/WIP/Teclast $ dd if=ESP/EFI/BOOT/bootx64.efi of=boot_logo.bmp skip=$((0x0017fc0)) count=$((800 * 1000 * 3 + 0x36)) iflag=count_bytes,skip_bytes
    ao2@localhost:~/WIP/Teclast $ sudo umount ESP
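The dd command above hard-codes the offset reported by binwalk and the size 800 * 1000 * 3 + 0x36; the BMP header records its own file size and dimensions, so a carver can read them and also confirm by hash that the copies are identical. This is an added example, not code from the original post: the function names are hypothetical, the input blob is constructed, and it assumes the header's size field is filled in correctly.

```python
import hashlib
import struct

def carve_bmps(blob):
    """Find embedded Windows BMPs; return [(offset, width, height, bpp, data)]."""
    found = []
    pos = blob.find(b"BM")
    while pos != -1:
        nxt = pos + 1
        if pos + 30 <= len(blob):
            # BITMAPFILEHEADER after the magic: bfSize, two reserved words, bfOffBits
            size, res1, res2, off_bits = struct.unpack_from("<IHHI", blob, pos + 2)
            # Start of BITMAPINFOHEADER: biSize, width, height, planes, bits per pixel
            dib, width, height, planes, bpp = struct.unpack_from("<IiiHH", blob, pos + 14)
            # Reject stray "BM" byte pairs: check fields with fixed or bounded values
            if (res1 == 0 and res2 == 0 and dib == 40 and planes == 1
                    and bpp in (1, 4, 8, 16, 24, 32) and width > 0 and height != 0
                    and 54 <= off_bits < size <= len(blob) - pos):
                found.append((pos, width, abs(height), bpp, blob[pos:pos + size]))
                nxt = pos + size  # skip pixel data, which may contain "BM" by chance
        pos = blob.find(b"BM", nxt)
    return found

def distinct_digests(found):
    """SHA-256 of every carved image, to tell copies from different pictures."""
    return {hashlib.sha256(data).hexdigest() for *_, data in found}

def make_bmp(width, height, pixel=b"\x10\x20\x30"):
    """Constructed sample: a 24-bit BMP with rows padded to 4 bytes."""
    row = pixel * width
    row += b"\x00" * (-len(row) % 4)
    pixels = row * height
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels

if __name__ == "__main__":
    logo = make_bmp(3, 2)
    # Constructed stand-in for ESP.img: three "binaries", each embedding the same logo
    image = b"".join(b"MZ" + b"\x00" * 40 + b"BMjunk" + logo + b"\xff" * 16
                     for _ in range(3))
    hits = carve_bmps(image)
    for off, w, h, bpp, data in hits:
        print(f"0x{off:X}: {w} x {h} x {bpp}, {len(data)} bytes")
    print("distinct images:", len(distinct_digests(hits)))
```

For an 800 x 1000 x 24 image the rows need no padding, so the header size works out to the same 800 * 1000 * 3 + 0x36 bytes used in the dd command.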
I guess the logo can be pretty easily replaced with a custom one, but I haven't done that yet.
Maybe the EFI binaries just display the logo and then boot an Android boot image from the right partition, depending on the boot option.
The tablet has three boot options:
- normal boot (just quick press the power button);
- DROIDBOOT PROVISION OS (quick press the power button and hold the volume-down key for a while);
- DnX mode, accepting fastboot commands (quick press the power button and hold both volume keys for a while);
and there are three EFI binaries; are these things connected?
I need to learn more about how this UEFI thing works in order to confirm that.
Just to conclude the boot-logos-analysis™, the device shows three logos during the boot sequence:
- the generic Teclast t-pad logo mentioned before;
- an animated logo referring to the X98 Air 3G device, it's in Chinese but it's pretty straightforward to see that, even with zero knowledge of the language;
- an Intel-Inside logo.
The last two logos are boot animations, fired up one after the other by the bootanim service invoked by the init.rc file that is on the boot partition; the animation data is taken from the system partition, it's in the media/bootanimation.zip file: just PNGs, one per frame.
Pictures attached below.
So after some hours of looking I found that it'd be super easy to customize the root filesystem and even all the logos of the boot sequence; however what I really want to do is to load a custom kernel, but that's meat for another day.