Cannot mount /system as RW even as root

22 replies to this topic
#1 zelea2 (Newbie, 25 posts, Devices: Acer S500)
I've installed the latest JB firmware Acer_AV051.S500.RV04RC09.WW.GEN1.
I've then rooted the phone by pushing Superuser-3.2-RC3-arm-signed.zip and root checker says I'm root.

I cannot remount /system with RW permissions whatever I try; ES File Explorer acquires root but then says the operation failed.
If I run the remount command either from the adb shell or after logging in with an SSH server I get:

root@android:/ # mount -o remount,rw /devicepath /system
mount: Operation not permitted
255|root@android:/ # id
uid=0(root) gid=0(root) groups=0(root)

This goes contrary to all my Unix knowledge.
Is the new kernel now disallowing mounting /system with write permissions regardless?


#2 vache (Hardcore, 1,038 posts, Devices: Acer CloudMobile, Twitter: @vachounet)
Hi,

The stock kernel includes a security check that disables remounting the /system partition, even if you're rooted.


#3 zelea2
This page explains how to extract various components from boot.img

I've used the split_bootimg.pl script to get boot.img-kernel (size 4870536), then searched for 1F 8B 08 00,
which is the start of the compressed part of the kernel.
With 'dd if=boot.img-kernel bs=1 skip=16319 | zcat > vmlinux' the decompressed vmlinux (size 12463748) is created.

I've then loaded vmlinux in IDA and disassembled the ARM code. I've already found the '/system' comparison string:
seg000:8AFE9C aSystem         DCB "/system",0
seg000:8AFEA4 aOperationNotPe DCB "Operation not permitted or illegal root ",0xA,0
seg000:8AFECE aNamespace_sem  DCB "&namespace_sem",0

There are no references to this string, but that's because I'm not yet sure of the kernel loading address in memory.
It seems to be somewhere around 0xc0000000.
A quick fix would be to patch just the '/system' string to disable the read-only mount.

After I figure out how to reconstruct everything back into boot.img and replace the stock kernel with my version
with 'fastboot flash boot boot.img', will the phone still boot, or is there a digital signature check?

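The split, carve and inflate steps above, as an added example that is not code from the post or from any Acer tool: a Python script that splits a boot.img the way split_bootimg.pl does, carves the gzip member out of the kernel blob, inflates it and looks for the three strings, and packs the parts back into a boot.img the way abootimg does. The header layout is the documented Android boot image (version 0) format; the boot image it runs on is constructed inline, so its offsets and sizes are not the S500's, and the load addresses in pack_bootimg are placeholders. The caveat a practitioner wants here: searching for 1F 8B 08 00 assumes the gzip FLG byte is zero and that the first hit is the real stream, so the script matches only the three fixed bytes and test-inflates every hit, skipping decoys.

```python
import gzip
import hashlib
import struct
import zlib

BOOT_MAGIC = b"ANDROID!"
GZIP_MAGIC = b"\x1f\x8b\x08"      # ID1, ID2, CM=8 (deflate); the FLG byte varies, so match only 3 bytes
HDR_FMT = "<8s10I16s512s8I1024s"  # boot image header v0: 1632 bytes, occupies page 0

def _pad(blob, page_size):
    """Pad to the next page boundary, as mkbootimg does for every section."""
    rem = len(blob) % page_size
    return blob if rem == 0 else blob + b"\x00" * (page_size - rem)

def pack_bootimg(kernel, ramdisk, page_size=2048, cmdline=b"", second=b""):
    """Rebuild a boot.img from its parts (what abootimg --create does).
    Load addresses here are placeholders; a real rebuild keeps the stock image's."""
    digest = hashlib.sha1()
    for part in (kernel, ramdisk, second):          # the header's 'id' field, as mkbootimg fills it
        digest.update(part)
        digest.update(struct.pack("<I", len(part)))
    ident = struct.unpack("<5I", digest.digest()) + (0, 0, 0)
    header = struct.pack(HDR_FMT, BOOT_MAGIC,
                         len(kernel), 0x80208000, len(ramdisk), 0x81000000,
                         len(second), 0x81100000, 0x80200100, page_size, 0, 0,
                         b"", cmdline, *ident, b"")
    return b"".join(_pad(x, page_size) for x in (header, kernel, ramdisk, second))

def unpack_bootimg(image):
    """Split a boot.img into kernel / ramdisk / second using the header's sizes."""
    f = struct.unpack_from(HDR_FMT, image)
    if f[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    kernel_size, ramdisk_size, second_size, page_size = f[1], f[3], f[5], f[8]
    pages = lambda n: (n + page_size - 1) // page_size
    k_off = page_size                                  # the header owns page 0
    r_off = k_off + pages(kernel_size) * page_size
    s_off = r_off + pages(ramdisk_size) * page_size
    return {"page_size": page_size, "cmdline": f[12].rstrip(b"\x00"),
            "kernel": image[k_off:k_off + kernel_size],
            "ramdisk": image[r_off:r_off + ramdisk_size],
            "second": image[s_off:s_off + second_size]}

def carve_gzip(blob):
    """Return (offset, inflated bytes) of the first complete gzip member in blob.
    The magic alone is not proof: 1F 8B 08 can occur by chance in the decompressor
    stub, so every hit is test-inflated and must reach end-of-stream."""
    start = 0
    while True:
        off = blob.find(GZIP_MAGIC, start)
        if off < 0:
            return None
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing, trailing data tolerated
        try:
            out = inflater.decompress(blob[off:])
            if inflater.eof:
                return off, out
        except zlib.error:
            pass                                           # false positive, keep scanning
        start = off + 1

def find_strings(vmlinux, needles):
    """Offsets of NUL-terminated strings in the inflated kernel (-1 when absent)."""
    return {n: vmlinux.find(n + b"\x00") for n in needles}

def analyze(image):
    """The post's procedure end to end: split, carve, inflate, look for the strings."""
    parts = unpack_bootimg(image)
    hit = carve_gzip(parts["kernel"])
    if hit is None:
        raise ValueError("no gzip member in the kernel blob (LZMA/XZ compressed kernel?)")
    off, vmlinux = hit
    needles = [b"/system", b"Operation not permitted or illegal root \n", b"&namespace_sem"]
    return {"gzip_offset": off, "vmlinux_size": len(vmlinux),
            "strings": find_strings(vmlinux, needles)}

# Constructed sample, not real Acer firmware: a fake zImage whose decompressor stub
# contains a decoy gzip magic followed by an invalid deflate block, then the real
# gzip'd "vmlinux" carrying the three strings the post found in IDA.
SAMPLE_VMLINUX = (b"\x00" * 64
                  + b"/system\x00Operation not permitted or illegal root \n\x00&namespace_sem\x00"
                  + b"\xff" * 32)
DECOY = b"\x1f\x8b\x08\x00" + b"\x00" * 6 + b"\x07"   # header OK, but block type 3 is reserved
SAMPLE_STUB = b"\xe1\xa0\x00\x00" * 16 + DECOY + b"\x00" * 5
SAMPLE_KERNEL = SAMPLE_STUB + gzip.compress(SAMPLE_VMLINUX, mtime=0)
SAMPLE_RAMDISK = gzip.compress(b"ro.secure=1\nro.debuggable=0\n", mtime=0)
SAMPLE_BOOTIMG = pack_bootimg(SAMPLE_KERNEL, SAMPLE_RAMDISK,
                              cmdline=b"console=null androidboot.hardware=qcom")

if __name__ == "__main__":
    print(analyze(SAMPLE_BOOTIMG))
```

analyze() returns the offset a dd skip would need plus the string offsets inside the inflated kernel. A quick sanity check that the right stream was inflated is that the three strings sit at the same distances from each other as in the IDA listing above (8 bytes from "/system" to the error message, 42 bytes from there to "&namespace_sem").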

#4 davidevinavil (Hardcore, 1,005 posts, Location: Crevoladossola (VB), Devices: Acer Liquid Metal)

Why not just compile the kernel from source?! About the signature: yes, you must unlock the bootloader. Search for it on Modaco, it's well explained.


#5 vache

It was done here before we had the kernel sources: http://www.modaco.co...d-jb-kernel-v2/.

As davidevinavil stated, it's easier to compile the kernel from source with CONFIG_ACER_SECURE_MOUNT disabled.


#6 zelea2
I am quite new to this Android thing and I wasn't aware the sources are available. I guess the GPL makes them publish the sources.

Acer_AV051_S500_RV14RB02_WW_GEN1 has an unlocked bootloader but the system is unstable and crashes a lot, while
Acer_AV051.S500.RV04RC09.WW.GEN1 doesn't. I don't know yet how to keep the unlocked bootloader while upgrading to the
latest version (I have actually asked this in another thread). I need to figure out what the purpose of each partition is.

NON-HLOS.bin is the closed source firmware for the 3G baseband, so this is important to update. If I only keep sbl1.mbn, sbl2.mbn and
sbl3.mbn from the old version, would that be enough for the bootloader? From a quick peek the code is not encrypted, so I think I need
to spend some time in IDA and look at the disassembly to understand each file's purpose.


#7 vache
You cannot flash only some files for the boot process. You have to flash all, or none. Each part of the boot process does a security check (almost a signature check) before launching the next step (before sbl1 loads sbl2, sbl2 is checked; sbl2 will check sbl3, ...). All *.mbn files (including tz and rpm) are signed with a unique key that varies with the firmware version.
So if you have a different signature, you will just brick the phone because the boot process cannot complete (this already happened to me after various *ninja* attempts).

I posted a link that details the boot process in your other thread, you should have a look. Another interesting link: http://blog.azimuths...bootloader.html


#8 zelea2
Thanks for your input.
I am familiar with the boot process on gaming consoles like the PSP and Wii, and these smartphones seem to have a lot in common.
On the Wii you have a masked ROM containing boot0, which has unique IDs and a public key (root certificate), and boot1, which is loaded
from NAND, has its MD5 hash signed with the private key, and boot0 refuses to load boot1 if the signature check fails.
boot1 then loads boot2, which is signed with a different key, and boot2 loads the OS. In this way a chain of trust is constructed.
The main difference I can see is that on consoles all the code is also encrypted (besides being signed) while on Android it is plain.
This is a big advantage because it means you can disassemble everything and search for exploits.

I wanted to convince myself about not being able to flash individual components, so I've created a new kernel image.
I've set ro.secure=0 in default.prop from initrd.img (although I already have root) and
I've patched the kernel with ACER_SECURE_MOUNT disabled and reconstructed it with
a great tool which I've found on Linux, abootimg. This is the output of fastboot:
$ fastboot -i 0x0502 flash boot nboot.img
sending 'boot' (5152 KB)...
OKAY [ 0.405s]
writing 'boot'...
FAILED (remote: Due to device is fused, non-merged file is not supported)

So for now I did the next best thing; I've patched my hosts file to get rid of the ads. I've got the hosts file from my tablet
and I've made an update zip which I've self-signed with signapk.jar and placed it on my SD card. Then I've used
'fastboot -i 0x0502 boot CWM-6.0.1.5_S500.img' and installed the update. If someone else wants it you can grab it
here: hosts-update.zip

What is interesting is that you can still boot non-signed programs like CWM; you are only disallowed to store them in flash.

A good read I've found about the rooting process is here.

Edited by zelea2, 29 May 2013 - 01:34 PM.

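The staged chain vache describes in #7 (each stage checks the next before launching it, every firmware version's stages signed with their own keys, so mixing stages from two versions halts the chain) and that zelea2 compares with the Wii's boot0/boot1/boot2 above, as an added Python model that is not from either post and not Acer's or Qualcomm's actual implementation. Everything in it is constructed: the stage image layout, textbook RSA over SHA-256 with toy 512-bit keys from the standard library standing in for the real certificate chain, and the version names, which are borrowed from the thread only as labels. What it shows is the structure of the check: the ROM pins the root public key, each stage carries the key its successor must verify against, and the walk stops at the first stage that fails, so a complete set from either version boots while a set with one stage swapped in from the other version does not.

```python
import hashlib
import random

RNG = random.Random(20130529)      # fixed seed: the constructed keys come out the same every run
NAMES = (b"sbl1", b"sbl2", b"sbl3", b"aboot")
SIG_LEN = 64                       # 512-bit toy modulus, so moduli and signatures fit 64 bytes

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, enough for a toy key generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1     # full width, odd
        if is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Textbook RSA (no padding, toy size): returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # < 2^256 < n

def sign(priv, data):
    return pow(_digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data)

def build_stage(name, code, next_pub, signer_priv):
    """Hypothetical image layout: name[8] | successor's n[64] | e[4] | code | sig[64]."""
    body = (name.ljust(8, b"\x00") + next_pub[0].to_bytes(SIG_LEN, "big")
            + next_pub[1].to_bytes(4, "big") + code)
    return body + sign(signer_priv, body).to_bytes(SIG_LEN, "big")

ROOT_PUB, ROOT_PRIV = keygen()     # the root key; the boot ROM / fuses pin its public half for good

def build_chain(version):
    """Sign one firmware version: sbl1 by the root key, every later stage by a key pair
    minted for this version, so stages from two versions do not verify against each other."""
    keys = [(ROOT_PUB, ROOT_PRIV)] + [keygen() for _ in NAMES[1:]]
    images = {}
    for i, name in enumerate(NAMES):
        next_pub = keys[i + 1][0] if i + 1 < len(NAMES) else (0, 0)
        code = b"%s code, firmware %s" % (name, version)
        images[name] = build_stage(name, code, next_pub, keys[i][1])
    return images

def boot(flash):
    """What the ROM does: check each stage with the key its predecessor vouched for,
    halt at the first failure.  Returns (stages that ran, outcome)."""
    ran, pub = [], ROOT_PUB
    for name in NAMES:
        image = flash.get(name)
        if image is None:
            return ran, "missing " + name.decode()
        body, sig = image[:-SIG_LEN], int.from_bytes(image[-SIG_LEN:], "big")
        if not verify(pub, body, sig):
            return ran, name.decode() + " signature check failed, halting (brick)"
        ran.append(name)
        pub = (int.from_bytes(body[8:8 + SIG_LEN], "big"),
               int.from_bytes(body[8 + SIG_LEN:12 + SIG_LEN], "big"))
    return ran, "booted"

# Constructed scenarios; only the version names are borrowed from the thread.
OLD = build_chain(b"RV14RB02")
NEW = build_chain(b"RV04RC09")

def flash_mixed():
    """Flash just sbl2 from the other version: what the post says bricks the phone."""
    return {**NEW, b"sbl2": OLD[b"sbl2"]}

def flash_patched():
    """Modify aboot but leave its old signature in place."""
    image = NEW[b"aboot"]
    return {**NEW, b"aboot": image[:-SIG_LEN].replace(b"code", b"hack") + image[-SIG_LEN:]}
```

Call boot(NEW), boot(flash_mixed()) and boot(flash_patched()) to see the three outcomes: the stock set boots, the mixed set stops at sbl2 because the new sbl1 vouches for the new version's key and not the old one, and the patched set runs sbl1 through sbl3 and halts at aboot. The textbook RSA here has no padding and toy key sizes; it is only there so that the chain can be walked offline with nothing but the standard library.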

#9 BannedHost (Newbie, 17 posts, Location: Cluj-Napoca, Devices: Acer Cloudmobile)
Or do the simple thing: install Acer S500 Tool 0.3, then open the program, select the 4th option, connect the mobile via USB cable, enable developer mode, and voilà, the system is now RW until reboot.


#10 zelea2
I was able to change the boot (kernel) by using the same procedure. So now I have a permanently RW system. I made this file,
and to my surprise the modified kernel booted. So now I have on my phone Acer_AV051.S500.RV04RC09.WW.GEN1
with an unsigned kernel.

I wish somebody could explain to me why this is possible. Is it because the phone had at some previous stage the
bootloader unlocked and this disabled some security fuse in the phone? Right now it seems that I can modify
any part of the flash I want with the update-binary utility.
For reference these are all the commands accepted by update-binary:
"mount" "is_mounted" "unmount" "format" "show_progress" "set_progress" "delete"
"delete_recursive" "package_extract_dir" "package_extract_file" "symlink"
"set_perm" "set_perm_recursive" "getprop" "file_getprop" "write_raw_image"
"apply_patch" "apply_patch_check" "apply_patch_space" "read_file" "sha1_check"
"ui_print" "run_program"
With "package_extract_file" you can overwrite any partition you want.
Why is the signature not checked at run time?


#11 aropop (Newbie, 10 posts, Devices: Acer S500)

So with this kernel it is possible to mount system RW?
Do you need an unlocked bootloader for this? Because I'm on RV04RC9 too but did not unlock.


#12 zelea2

Yes, /system is RW.
I don't know the answer to the second question. That's what I'm trying to find out too.
I've only started looking at Android less than a week ago. Maybe someone with more
experience can answer this.
I had an unlocked bootloader but then I've upgraded the whole system to RV04RC9, so this
replaced the bootloader too, but somehow the unsigned ROM still booted.


#13 aropop

All I know is that you can boot (adb boot boot.img) from another kernel, but you need an unlocked bootloader to actually flash the image.


#14 vache
If you already unlocked your bootloader and then installed a new firmware, your device is still unlocked (that means you can use a custom boot/recovery), but Acer added another check so that you can only flash complete .bin files.
That's why you see the message that says your device is "fused" while trying to flash a new boot. But you can still flash with recovery.

Remember that you can check current bootloader state with : fastboot -i 0x0502 oem device-info


#15 zelea2
Ok, I finally got it. Once a phone is unlocked it stays unlocked (it's a fuse).
Even unlocked phones cannot be flashed with individual files because of the state of an extra check and you'll get this message
FAILED (remote: Due to device is fused, non-merged file is not supported)
You can still change partitions, kernel and files via the update.zip method

We don't know yet how to create merged files because of the first 16 bytes. Every other byte in the firmware files is accounted
for. There might also be a connection to which of the 16 keys are used to encrypt the header but I doubt it.
The answer for those 16 bytes is in the disassembly of emmc_appsboot. It's probably a hash over the merged file, truncated
to 16 bytes and encrypted with some AES key. Here are the strings from the leaked unlocked and recent bootloaders.
You can see the message about the non-merged file is new. The keys for firmware header decryption are also in there.

At this point I kind of lost interest because my phone is unlocked, I have the latest JB system, rooted and with my own kernel
and everyone with a CPU_TYPE=8260a-3 can do this. The problem is that the rest of the people are left in the cold.


#16 vache
Already bricked 2 phones trying to unlock the 8260a-1 bootloader, so I'm out of that.


#17 zelea2
There is always JTAG to reflash, but I won't take my phone apart to figure out where the JTAG pins are.
If you have 2 bricked ones you could sacrifice one to tear down and experiment with.


#18 A427 (Regular, 58 posts, Devices: Acer CloudMobile)
@zelea2 : regarding your patched kernel (http://uglyduck.ath....ernel_patch.zip), is it the stock JB kernel with only the modification to allow R/W mounting, or did you change anything else? I'm asking because I want to keep my kernel as stock as possible. Thanks in advance for your answer.


#19 razvankim (Diehard, 409 posts, Location: Sibiu, Devices: Samsung Galaxy SIII I9300)
I think it's the stock kernel with R/W mounting access. Nothing else was changed when I installed it xD ..


#20 A427
Thanks for your reply, razvankim. I don't know if zelea2 is still around to confirm… would be nice…
