Thanks for your input.
I am familiar with the boot process on gaming consoles like PSP and Wii and these smartphones seem to have a lot in common.
In Wii you have a masked ROM containg boot0 which has unique IDs and a public key (root certificate) and boot1 which is loaded
from NAND has its MD5 hash signed with the privare key and boot0 refuses to load boot1 if the signature check fails.
boot1 then loads boot2 which is signed with a different key and boot2 loads the OS. In this way a chain of trust is constructed.
The main difference I can see it that on consoles all the code is also encrypted (beside signed) while on Android is plain.
This is a big advantage because this means you can disassemble everything and search for exploits.
I wanted to convince myself about not being able to flash individual components so I've created a new kernel image.
I've changed the ro.secure=0 in default.prop from initrd.img(although I already have root) and
I've patched the kernel with ACER_SECURE_MOUNT disabled and reconstructed it with
a great tool which I've found on linux - abootimg. This is the output of fastboot:
$ fastboot -i 0x0502 flash boot nboot.img
sending 'boot' (5152 KB)...
OKAY [ 0.405s]
FAILED (remote: Due to device is fused, non-merged file is not supported)
So for now I did the next best thing; I've patched my hosts file to get rid of the ads. I've got the hosts file from my tablet
and I've made and update zip which I've self-signed with signapk.jar and placed it on my SD card. Then I've used
'fastboot -i 0x0502 boot CWM-126.96.36.199_S500.img' and installed the update. If someone else wants it you can grab it
What is interesting is that you can still boot non-signed programs like the CWM; you are only disallowed to store them in flash.
A good read I've found about the rooting process is here.
Edited by zelea2, 29 May 2013 - 01:34 PM.