Cannot mount /system as RW even as root

[Guest zelea2]

I've installed latest JB firmware Acer_AV051.S500.RV04RC09.WW.GEN1.

I've then rooted the phone by pushing Superuser-3.2-RC3-arm-signed.zip and root checker says I'm root.

I can not remount the /system with RW permissions what ever I try; the ES file explorer aquires root but then says operation failed.

If I run the remount command either from the adb shell or after logging in with a SSH server I get:

root@android:/ # mount -o remount,rw /devicepath /system

mount: Operation not permitted

255|root@android:/ # id

uid=0(root) gid=0(root) groups=0(root)

This goes contrary to all my Unix knoledge.

Is the new kernel now disallowing mounting /system with write permissions regardless?

[Guest vache]

Hi,

Stock kernel include a security check that disable remount on /system partition, even if you're rooted..

[Guest zelea2]

This page explains how to extract various components from boot.img

I've used the split_bootimg.pl script to get the boot.img-kernel (size 4870536), then searched for 1F 8B 08 00

which is the start of the compressed part of the kernel.

with 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created

I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparisson string

seg000:8AFE9C aSystem         DCB "/system",0                                    

seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0

seg000:8AFECE aNamespace_sem DCB "&namespace_sem",0

There are no references to this string but that's because I'm not yet sure of the kernel loading address in memory.

It seems to be somewhere around 0xc0000000

A quick fix would be to patch just the '/system' string to disable the read-only mount.

After I'll figure out how to reconstruct everything back to boot.img and replace the stock kernel with my version

with 'fastboot flash boot boot.img' will the phone still boot or is there any digital signature checked?

[Guest davidevinavil]

This page explains how to extract various components from boot.img

I've used the split_bootimg.pl script to get the boot.img-kernel (size 4870536), then searched for 1F 8B 08 00

which is the start of the compressed part of the kernel.

with 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created

I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparisson string

seg000:8AFE9C aSystem DCB "/system",0

seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0

seg000:8AFECE aNamespace_sem DCB "&namespace_sem",0

There are no references to this string but that's because I'm not yet sure of the kernel loading address in memory.

It seems to be somewhere around 0xc0000000

A quick fix would be to patch just the '/system' string to disable the read-only mount.

After I'll figure out how to reconstruct everything back to boot.img and replace the stock kernel with my version

with 'fastboot flash boot boot.img' will the phone still boot or is there any digital signature checked?

Why not just compile kernel from source?! About signature, yes you must unlock bootloader.. Search it on Modaco, it's well explained

[Guest vache]

This page explains how to extract various components from boot.img

I've used the split_bootimg.pl script to get the boot.img-kernel (size 4870536), then searched for 1F 8B 08 00

which is the start of the compressed part of the kernel.

with 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created

I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparisson string

seg000:8AFE9C aSystem DCB "/system",0

seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0

seg000:8AFECE aNamespace_sem DCB "&namespace_sem",0

There are no references to this string but that's because I'm not yet sure of the kernel loading address in memory.

It seems to be somewhere around 0xc0000000

A quick fix would be to patch just the '/system' string to disable the read-only mount.

After I'll figure out how to reconstruct everything back to boot.img and replace the stock kernel with my version

with 'fastboot flash boot boot.img' will the phone still boot or is there any digital signature checked?

It was done here before we have kernel sources : http://www.modaco.com/topic/359724-kernel-patched-jb-kernel-v2/.

As davidevinavil stated, easier to compil kernel from source with CONFIG_ACER_SECURE_MOUNT disabled.

[Guest zelea2]

I am quite new to this Android thing and I wasn't aware the sources are available. I guess the GPL makes them publish the sources.

The Acer_AV051_S500_RV14RB02_WW_GEN1 has an unlocked bootloader but the system is unstable and crashes a lot while

Acer_AV051.S500.RV04RC09.WW.GEN1 doesn't. I don't know yet how to keep the unlocked bootloader while upgrade to the

last version (I have actually asked this in another thread). I need to figure out what is the purpose of each partition.

NON-HLOS.bin is the closed source firmware for the 3G baseband - so this is important to update. If I only keep sbl1.mbn sbl2.mbn

sbl3.mbn from the old version would that be enough for the bootloader? From a quick peek the code is not encrypted so I think I need

to spend some time in IDA and look at the disassembly to understand each file purpose.

[Guest vache]

You cannot flash only some files for the boot process. You have to flash all, or none. Each process part do security check (almost signature check) before launching the next step. (before sbl1 load sbl2, it will be checked, sbl2 will check sbl3...). All *mbn (including tz and rpm) files are signed with unique key, that varies from firmware version.

So if you have different signature, you will just brick the phone cause the boot process cannot be achieve. (already append to me after different *ninja* attemps)

I posted a link that detailed the boot process in your other thread, you should have a look. An other interesting link : http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

[Guest zelea2]

Thanks for your input.

I am familiar with the boot process on gaming consoles like PSP and Wii and these smartphones seem to have a lot in common.

In Wii you have a masked ROM containg boot0 which has unique IDs and a public key (root certificate) and boot1 which is loaded

from NAND has its MD5 hash signed with the privare key and boot0 refuses to load boot1 if the signature check fails.

boot1 then loads boot2 which is signed with a different key and boot2 loads the OS. In this way a chain of trust is constructed.

The main difference I can see it that on consoles all the code is also encrypted (beside signed) while on Android is plain.

This is a big advantage because this means you can disassemble everything and search for exploits.

I wanted to convince myself about not being able to flash individual components so I've created a new kernel image.

I've changed the ro.secure=0 in default.prop from initrd.img(although I already have root) and

I've patched the kernel with ACER_SECURE_MOUNT disabled and reconstructed it with

a great tool which I've found on linux - abootimg. This is the output of fastboot:

$ fastboot -i 0x0502 flash boot nboot.img

sending 'boot' (5152 KB)...

OKAY [ 0.405s]

writing 'boot'...

FAILED (remote: Due to device is fused, non-merged file is not supported)

So for now I did the next best thing; I've patched my hosts file to get rid of the ads. I've got the hosts file from my tablet

and I've made and update zip which I've self-signed with signapk.jar and placed it on my SD card. Then I've used

'fastboot -i 0x0502 boot CWM-6.0.1.5_S500.img' and installed the update. If someone else wants it you can grab it

here hosts-update.zip

What is interesting is that you can still boot non-signed programs like the CWM; you are only disallowed to store them in flash.

A good read I've found about the rooting process is here.

Edited May 29, 2013 by zelea2

[Guest BannedHost]

Or do the simple thing.. Install Acer S500 Tool 0.3 then open the program, select the 4th option, connect the mobile via usb cable, enable developer mode, and voila the system its now RW till reboot.

[Guest zelea2]

I was able to change the boot (kernel) by using the same procedure. So now I have a permanent RW system. I made this file.

and to my surprize the modified kernel booted. So no I have on my phone Acer_AV051.S500.RV04RC09.WW.GEN1

with an unsigned kernel.

I wish somebody could explain me why this is possible. Is it because the phone had at some previous stage the

bootloader unlocked and this disabled some security fuse in the phone? Right now it seems that I can modify

any part of the flash I want with the update-binary utility.

For referece these are all the commands accepted by update-binary :

"mount" "is_mounted" "unmount" "format" "show_progress" "set_progress" "delete"

"delete_recursive" "package_extract_dir" "package_extract_file" "symlink"

"set_perm" "set_perm_recursive" "getprop" "file_getprop" "write_raw_image"

"apply_patch" "apply_patch_check" "apply_patch_space" "read_file" "sha1_check"

"ui_print" "run_program"

With "package_extract_file" you can overwrite any partition you want.

Why is the signature not checked at run time?

[Guest aropop]

I was able to change the boot (kernel) by using the same procedure. So now I have a permanent RW system. I made this file.

and to my surprize the modified kernel booted. So no I have on my phone Acer_AV051.S500.RV04RC09.WW.GEN1

with an unsigned kernel.

I wish somebody could explain me why this is possible. Is it because the phone had at some previous stage the

bootloader unlocked and this disabled some security fuse in the phone? Right now it seems that I can modify

any part of the flash I want with the update-binary utility.

For referece these are all the commands accepted by update-binary :

"mount" "is_mounted" "unmount" "format" "show_progress" "set_progress" "delete"

"delete_recursive" "package_extract_dir" "package_extract_file" "symlink"

"set_perm" "set_perm_recursive" "getprop" "file_getprop" "write_raw_image"

"apply_patch" "apply_patch_check" "apply_patch_space" "read_file" "sha1_check"

"ui_print" "run_program"

With "package_extract_file" you can overwrite any partition you want.

Why is the signature not checked at run time?

So with this kernel it is possible to mount system RW?

Do you need unlocked bootloader for this? Because i'm on RV04RC9 too but did not unlock?

[Guest zelea2]

So with this kernel it is possible to mount system RW?

Do you need unlocked bootloader for this? Because i'm on RV04RC9 too but did not unlock?

Yes the /system is RW.

I don't know the answer at the second question. That's what I'm trying to find out too.

I've only started looking at Android less than a week ago. Maybe someone with more

experience can answer this.

I had an unlocked bootloader but the I've upgraded the whole system to RV04RC9 so this

replaced the bootloader too but somehow the unsigned ROM still booted.

[Guest aropop]

Yes the /system is RW.

I don't know the answer at the second question. That's what I'm trying to find out too.

I've only started looking at Android less than a week ago. Maybe someone with more

experience can answer this.

I had an unlocked bootloader but the I've upgraded the whole system to RV04RC9 so this

replaced the bootloader too but somehow the unsigned ROM still booted.

All I know is that you can boot (adb boot boot.img) from a other kernel, but you need an unlocked bootload to actually flash the image.

[Guest vache]

If you already unlock you're bootloader then install a new firmware, you're device is still unlocked (that mean you can use custom boot/recovery) but Acer added an other check that make you can only flash complete .bin file.

That's why you can see the message that says your device is "fused" while trying to flash a new boot. But you still can flash with recovery.

Remember that you can check current bootloader state with : fastboot -i 0x0502 oem device-info

[Guest zelea2]

Ok, I finally got it. Once a phone is unlocked it stays unlocked (it's a fuse).

Even unlocked phones cannot be flashed with individual files because of the state of an extra check and you'll get this message

FAILED (remote: Due to device is fused, non-merged file is not supported)

You can still change partitions, kernel and files via the update.zip method

We don't know yet how to create merged files because of the first 16 bytes. Every other byte in the firmware files is accounted

for. There might also be a connection to which of the 16 keys are used to encrypt the header but I doubt it.

The answer for those 16 bytes is in the disassembly of emmc_appsboot. It's probably a hash over the merged file, truncated

to 16 bytes and encrypted with some AES key. Here are the strings from the leaked unlocked and recent bootloaders.

You can see the message about the non-merged file is new. The keys for firmware header decryption are also in there.

At this point I kind of lost interest because my phone is unlocked, I have the latest JB system, rooted and with my own kernel

and everyone with a CPU_TYPE=8260a-3 can do this. The problem is that the rest of the people are left in the cold.

[Guest vache]

Already bricked 2 phones trying to unlock 8260a-1 bootloader, so i'm out for that.

[Guest zelea2]

There is always JTAG to reflash but I won't take my phone appart to figure where the JTAG pins are.

If you have 2 bricked you could sacrifice one to teardown and experiment with.

[Guest A427]

@zelea2 : regarding your patched kernel (http://uglyduck.ath.cx/Acer/kernel_patch.zip), is it the stock JB kernel with only the modification to allow R/W mounting, or did you change anything else? I'm asking because I want to keep my kernel as stock as possible. Thanks in advance for your answer.

[Guest razvankim]

I think it's stock kernel with R/W mounting acces. Nothing else was changed when I installed it xD ..

[Guest A427]

Thx for your reply, razvankim. I don't know if zelea2 is still around to confirm… would be nice…

[Guest razvankim]

OFFLINE Last Active Jul 24 2013 09:29 PM ... zelea2 last login.. so i think it's on a vacation or something..but you can use it ..it works perfect. xd

[Guest A427]

Yes I'll give it a try of course. Thx a lot :)

[Guest razvankim]

No problem.