
Cannot mount /system as RW even as root

23 posts in this topic

Posted

I've installed latest JB firmware Acer_AV051.S500.RV04RC09.WW.GEN1.

I've then rooted the phone by pushing Superuser-3.2-RC3-arm-signed.zip and root checker says I'm root.

I cannot remount /system with RW permissions whatever I try; ES File Explorer acquires root but then says the operation failed.

If I run the remount command either from the adb shell or after logging in with a SSH server I get:

root@android:/ # mount -o remount,rw /devicepath /system
mount: Operation not permitted
255|root@android:/ # id
uid=0(root) gid=0(root) groups=0(root)

This goes contrary to all my Unix knowledge.

Is the new kernel now disallowing mounting /system with write permissions regardless?

Posted

Hi,

The stock kernel includes a security check that disables remounting the /system partition, even if you're rooted.

Posted

This page explains how to extract various components from boot.img.

I've used the split_bootimg.pl script to get the boot.img-kernel (size 4870536), then searched for 1F 8B 08 00, which is the start of the compressed part of the kernel.

With 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created.

I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparison string:

seg000:8AFE9C aSystem         DCB "/system",0
seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0
seg000:8AFECE aNamespace_sem  DCB "&namespace_sem",0

There are no references to this string, but that's because I'm not yet sure of the kernel loading address in memory. It seems to be somewhere around 0xc0000000.

A quick fix would be to patch just the '/system' string to disable the read-only mount.

After I figure out how to reconstruct everything back into boot.img and replace the stock kernel with my version with 'fastboot flash boot boot.img', will the phone still boot, or is there a digital signature check?

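The kernel-extraction step in the post above, generalised into a small tool. This is an added example, not the poster's script and not part of split_bootimg.pl: it scans a zImage blob for the 1F 8B 08 00 magic, tries every hit and keeps the first offset whose stream actually inflates (the offset the poster found by hand as skip=16319). The blob it reads is constructed in the code rather than a real boot.img-kernel.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// gzipMagic is what the poster searched for: ID1 ID2 (1f 8b), CM 8 (deflate), FLG 0.
// A stream with FLG != 0 is still gzip, so relax the last byte if nothing turns up.
var gzipMagic = []byte{0x1f, 0x8b, 0x08, 0x00}

// FindKernel is the `dd skip=N | zcat` step with N discovered rather than typed in:
// it tries every magic hit and returns the first offset whose stream really inflates.
func FindKernel(blob []byte) (int, []byte, error) {
	for off := 0; ; off++ {
		i := bytes.Index(blob[off:], gzipMagic)
		if i < 0 {
			return -1, nil, fmt.Errorf("no gzip stream found")
		}
		off += i
		if out, err := inflate(blob[off:]); err == nil {
			return off, out, nil
		}
	}
}

// inflate reads one gzip member from the start of b; decoy magic bytes fail here.
func inflate(b []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, err
	}
	zr.Multistream(false) // stop at the member's end: trailing image bytes must not be parsed as a second member
	return io.ReadAll(zr)
}

// MakeBlob is a constructed stand-in for boot.img-kernel: a stub holding a decoy magic, the real stream, then junk.
func MakeBlob(payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(bytes.Repeat([]byte{0xe1, 0xa0, 0x00, 0x00}, 8)) // 32 stub bytes
	buf.Write(gzipMagic)                                       // decoy magic at offset 32
	buf.WriteString("not a real stream")                       // 17 bytes, so the real stream starts at 53
	zw := gzip.NewWriter(&buf)
	zw.Write(payload)
	zw.Close()
	buf.Write(make([]byte, 16)) // bytes after the stream, as in a real image
	return buf.Bytes()
}

func main() {
	off, kernel, err := FindKernel(MakeBlob([]byte("constructed vmlinux")))
	fmt.Println(off, len(kernel), err) // 53 19 <nil>
}
```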

Posted

> This page explains how to extract various components from boot.img.
>
> I've used the split_bootimg.pl script to get the boot.img-kernel (size 4870536), then searched for 1F 8B 08 00, which is the start of the compressed part of the kernel.
>
> With 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created.
>
> I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparison string:
>
> seg000:8AFE9C aSystem         DCB "/system",0
> seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0
> seg000:8AFECE aNamespace_sem  DCB "&namespace_sem",0
>
> There are no references to this string, but that's because I'm not yet sure of the kernel loading address in memory. It seems to be somewhere around 0xc0000000.
>
> A quick fix would be to patch just the '/system' string to disable the read-only mount.
>
> After I figure out how to reconstruct everything back into boot.img and replace the stock kernel with my version with 'fastboot flash boot boot.img', will the phone still boot, or is there a digital signature check?

Why not just compile the kernel from source?! About the signature: yes, you must unlock the bootloader. Search for it on MoDaCo, it's well explained.

Posted

> This page explains how to extract various components from boot.img.
>
> I've used the split_bootimg.pl script to get the boot.img-kernel (size 4870536), then searched for 1F 8B 08 00, which is the start of the compressed part of the kernel.
>
> With 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created.
>
> I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparison string:
>
> seg000:8AFE9C aSystem         DCB "/system",0
> seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0
> seg000:8AFECE aNamespace_sem  DCB "&namespace_sem",0
>
> There are no references to this string, but that's because I'm not yet sure of the kernel loading address in memory. It seems to be somewhere around 0xc0000000.
>
> A quick fix would be to patch just the '/system' string to disable the read-only mount.
>
> After I figure out how to reconstruct everything back into boot.img and replace the stock kernel with my version with 'fastboot flash boot boot.img', will the phone still boot, or is there a digital signature check?

It was done here before we had kernel sources: http://www.modaco.com/topic/359724-kernel-patched-jb-kernel-v2/.

As davidevinavil stated, it is easier to compile the kernel from source with CONFIG_ACER_SECURE_MOUNT disabled.

Posted

I am quite new to this Android thing and I wasn't aware the sources are available. I guess the GPL makes them publish the sources.

The Acer_AV051_S500_RV14RB02_WW_GEN1 has an unlocked bootloader but the system is unstable and crashes a lot, while Acer_AV051.S500.RV04RC09.WW.GEN1 doesn't. I don't know yet how to keep the unlocked bootloader while upgrading to the latest version (I have actually asked this in another thread). I need to figure out what the purpose of each partition is.

NON-HLOS.bin is the closed-source firmware for the 3G baseband, so this is important to update. If I only keep sbl1.mbn, sbl2.mbn and sbl3.mbn from the old version, would that be enough for the bootloader? From a quick peek the code is not encrypted, so I think I need to spend some time in IDA and look at the disassembly to understand each file's purpose.

Posted

You cannot flash only some files for the boot process. You have to flash all, or none. Each part of the process does a security check (almost a signature check) before launching the next step (before sbl1 loads sbl2, it will be checked; sbl2 will check sbl3...). All *.mbn files (including tz and rpm) are signed with a unique key that varies with the firmware version.

So if you have a different signature, you will just brick the phone because the boot process cannot be completed (it already happened to me after various *ninja* attempts).

I posted a link that details the boot process in your other thread; you should have a look. Another interesting link: http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Posted (edited)

Thanks for your input.

I am familiar with the boot process on gaming consoles like the PSP and Wii, and these smartphones seem to have a lot in common with them.

On the Wii you have a masked ROM containing boot0, which has unique IDs and a public key (root certificate), and boot1, which is loaded from NAND, has its MD5 hash signed with the private key; boot0 refuses to load boot1 if the signature check fails. boot1 then loads boot2, which is signed with a different key, and boot2 loads the OS. In this way a chain of trust is constructed.

The main difference I can see is that on consoles all the code is also encrypted (besides being signed), while on Android it is plain. This is a big advantage because it means you can disassemble everything and search for exploits.

I wanted to convince myself about not being able to flash individual components, so I've created a new kernel image. I've changed ro.secure=0 in default.prop from initrd.img (although I already have root) and I've patched the kernel with ACER_SECURE_MOUNT disabled and reconstructed it with a great tool which I've found on Linux - abootimg. This is the output of fastboot:

$ fastboot -i 0x0502 flash boot nboot.img
sending 'boot' (5152 KB)...
OKAY [ 0.405s]
writing 'boot'...
FAILED (remote: Due to device is fused, non-merged file is not supported)

So for now I did the next best thing; I've patched my hosts file to get rid of the ads. I've got the hosts file from my tablet and I've made an update zip which I've self-signed with signapk.jar and placed it on my SD card. Then I've used 'fastboot -i 0x0502 boot CWM-6.0.1.5_S500.img' and installed the update. If someone else wants it you can grab it here: hosts-update.zip

What is interesting is that you can still boot non-signed programs like CWM; you are only disallowed from storing them in flash.

A good read I've found about the rooting process is here.

Edited by zelea2
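The chain of trust described in the two posts above (sbl1 checking sbl2 checking sbl3 on the phone; boot0, boot1 and boot2 on the Wii), as an added example that is not taken from the thread, from Acer's firmware or from the Wii: each stage carries the public key for the next stage and a signature made with the previous stage's key, and the verifier walks the chain the way a first-stage loader does. Ed25519 stands in for whatever scheme the real loaders use, and the stage contents are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one link of a constructed boot chain (sbl1 -> sbl2 -> sbl3, or boot0 -> boot1 ->
// boot2 on the Wii): it carries the key that verifies the next stage and a signature by the previous one.
type Stage struct {
	Name    string
	Code    []byte            // constructed placeholder for the stage's code
	NextKey ed25519.PublicKey // key trusted to verify the following stage
	Sig     []byte            // signature made with the previous stage's key
}

// signedBytes: the code plus the embedded next-stage key (Ed25519 hashes it internally, as MD5 did on the Wii).
func signedBytes(s Stage) []byte {
	return append(append([]byte{}, s.Code...), s.NextKey...)
}

// BuildChain signs each stage with the key of the stage before it; rootPriv plays
// the vendor key whose public half sits in the mask ROM / first-stage loader.
func BuildChain(rootPriv ed25519.PrivateKey, names []string) []Stage {
	chain := make([]Stage, len(names))
	signer := rootPriv
	for i, name := range names {
		nextPub, nextPriv, _ := ed25519.GenerateKey(rand.Reader)
		chain[i] = Stage{Name: name, Code: []byte("code of " + name), NextKey: nextPub}
		chain[i].Sig = ed25519.Sign(signer, signedBytes(chain[i]))
		signer = nextPriv
	}
	return chain
}

// VerifyChain walks the chain as the ROM does: verify a stage with the key trusted so far, then trust only the key it carries.
func VerifyChain(rootPub ed25519.PublicKey, chain []Stage) error {
	trusted := rootPub
	for _, s := range chain {
		if !ed25519.Verify(trusted, signedBytes(s), s.Sig) {
			return fmt.Errorf("%s: signature check failed, boot halted", s.Name)
		}
		trusted = s.NextKey
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := BuildChain(rootPriv, []string{"sbl1", "sbl2", "sbl3"})
	fmt.Println("stock:", VerifyChain(rootPub, chain)) // stock: <nil>
	chain[1].Code[0] ^= 1 // one flipped bit in sbl2: sbl1 now refuses to load it
	fmt.Println("patched:", VerifyChain(rootPub, chain))
}
```

Because each stage is checked against the key carried by the stage before it, an sbl2 taken from a firmware signed with a different key is rejected even though it is a valid image on its own, which is the "all or none" rule from the post.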

Posted

Or do the simple thing: install Acer S500 Tool 0.3, then open the program, select the 4th option, connect the mobile via USB cable, enable developer mode, and voila, the system is now RW until reboot.

Posted

I was able to change the boot (kernel) by using the same procedure. So now I have a permanent RW system. I made this file, and to my surprise the modified kernel booted. So now I have on my phone Acer_AV051.S500.RV04RC09.WW.GEN1 with an unsigned kernel.

I wish somebody could explain to me why this is possible. Is it because the phone had at some previous stage the bootloader unlocked and this disabled some security fuse in the phone? Right now it seems that I can modify any part of the flash I want with the update-binary utility.

For reference, these are all the commands accepted by update-binary:

"mount" "is_mounted" "unmount" "format" "show_progress" "set_progress" "delete"
"delete_recursive" "package_extract_dir" "package_extract_file" "symlink"
"set_perm" "set_perm_recursive" "getprop" "file_getprop" "write_raw_image"
"apply_patch" "apply_patch_check" "apply_patch_space" "read_file" "sha1_check"
"ui_print" "run_program"

With "package_extract_file" you can overwrite any partition you want.

Why is the signature not checked at run time?

Posted

> I was able to change the boot (kernel) by using the same procedure. So now I have a permanent RW system. I made this file, and to my surprise the modified kernel booted. So now I have on my phone Acer_AV051.S500.RV04RC09.WW.GEN1 with an unsigned kernel.
>
> I wish somebody could explain to me why this is possible. Is it because the phone had at some previous stage the bootloader unlocked and this disabled some security fuse in the phone? Right now it seems that I can modify any part of the flash I want with the update-binary utility.
>
> For reference, these are all the commands accepted by update-binary:
>
> "mount" "is_mounted" "unmount" "format" "show_progress" "set_progress" "delete"
> "delete_recursive" "package_extract_dir" "package_extract_file" "symlink"
> "set_perm" "set_perm_recursive" "getprop" "file_getprop" "write_raw_image"
> "apply_patch" "apply_patch_check" "apply_patch_space" "read_file" "sha1_check"
> "ui_print" "run_program"
>
> With "package_extract_file" you can overwrite any partition you want.
>
> Why is the signature not checked at run time?

So with this kernel it is possible to mount system RW?

Do you need an unlocked bootloader for this? Because I'm on RV04RC9 too but did not unlock.

Posted

> So with this kernel it is possible to mount system RW?
>
> Do you need an unlocked bootloader for this? Because I'm on RV04RC9 too but did not unlock.

Yes, /system is RW.

I don't know the answer to the second question. That's what I'm trying to find out too. I've only started looking at Android less than a week ago. Maybe someone with more experience can answer this.

I had an unlocked bootloader, but then I upgraded the whole system to RV04RC9, so this replaced the bootloader too, but somehow the unsigned ROM still booted.

Posted

> Yes, /system is RW.
>
> I don't know the answer to the second question. That's what I'm trying to find out too. I've only started looking at Android less than a week ago. Maybe someone with more experience can answer this.
>
> I had an unlocked bootloader, but then I upgraded the whole system to RV04RC9, so this replaced the bootloader too, but somehow the unsigned ROM still booted.

All I know is that you can boot (adb boot boot.img) from another kernel, but you need an unlocked bootloader to actually flash the image.

Posted

If you already unlocked your bootloader and then installed a new firmware, your device is still unlocked (that means you can use a custom boot/recovery), but Acer added another check so that you can only flash a complete .bin file.

That's why you see the message saying your device is "fused" while trying to flash a new boot. But you can still flash with recovery.

Remember that you can check the current bootloader state with: fastboot -i 0x0502 oem device-info

Posted

Ok, I finally got it. Once a phone is unlocked it stays unlocked (it's a fuse).

Even unlocked phones cannot be flashed with individual files because of the state of an extra check, and you'll get this message:

FAILED (remote: Due to device is fused, non-merged file is not supported)

You can still change partitions, kernel and files via the update.zip method.

We don't know yet how to create merged files because of the first 16 bytes. Every other byte in the firmware files is accounted for. There might also be a connection to which of the 16 keys is used to encrypt the header, but I doubt it.

The answer for those 16 bytes is in the disassembly of emmc_appsboot. It's probably a hash over the merged file, truncated to 16 bytes and encrypted with some AES key. Here are the strings from the leaked unlocked and recent bootloaders. You can see the message about the non-merged file is new. The keys for firmware header decryption are also in there.

At this point I kind of lost interest because my phone is unlocked, I have the latest JB system, rooted and with my own kernel, and everyone with a CPU_TYPE=8260a-3 can do this. The problem is that the rest of the people are left in the cold.

Posted

Already bricked 2 phones trying to unlock the 8260a-1 bootloader, so I'm out of that.

Posted

There is always JTAG to reflash, but I won't take my phone apart to figure out where the JTAG pins are.

If you have 2 bricked ones, you could sacrifice one to tear down and experiment with.

Posted

@zelea2 : regarding your patched kernel (http://uglyduck.ath.cx/Acer/kernel_patch.zip), is it the stock JB kernel with only the modification to allow R/W mounting, or did you change anything else? I'm asking because I want to keep my kernel as stock as possible. Thanks in advance for your answer.

Posted

I think it's the stock kernel with R/W mounting access. Nothing else was changed when I installed it xD ..

Posted

Thx for your reply, razvankim. I don't know if zelea2 is still around to confirm… would be nice…

Posted

OFFLINE Last Active Jul 24 2013 09:29 PM ... that's zelea2's last login, so I think they're on vacation or something, but you can use it, it works perfectly. xd

Posted

Yes I'll give it a try of course. Thx a lot :)

Posted

No problem.


MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2015. MoDaCo uses IntelliTxt technology.