[Q] Acer Iconia A1 810 almost rooted - suid not enough ?


Bruno25

Dear all,

I almost managed to root my A1 810... But I need advice to effectively achieve it.
Here are the main steps I followed :
Under linux (Ubuntu 14.04) (These are not detailed instructions, only the main steps. I will post a detailed step by step once finalized)
Code:
- From PC : upload busybox binary file to the tablet
- From Tablet : install "ExDialer & Contacts"
- From Tablet : initiate engineer mode (Dial *#*#3646633#*#* from  ExDialer)
- From Tablet : initiate telnetd (run command from MTKlogger from within  ExDialer)
- From PC : initiate a shell on tablet with adb
- From the shell : initiate a telnet local connection to tablet
- From the telnet session find out the position of the Android partition (cat /proc/dumchar_info)
- From the telnet session dump the android partition to a gzip file (dd if=/dev/block/mmcblk0 bs=4096 skip=17664 count=262144 | gzip > /data/local/tmp/system.img.gz)
- From PC : download the system image
- From PC : mount the system image on a loop device
- From PC : copy a su binary file to /system/bin (within the mounted system image)
- From PC : set the correct permissions to the su executable (sudo chmod 06755 su) => it's here that you are really getting the root permission
- From PC : unmount image
- From PC : upload the updated image to the tablet (adb push)
- From the telnet session copy the updated system image to the android partition (zcat /data/local/tmp/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=17664 count=262144) (Take care that's the dangerous part !!!!)
- Restart the tablet.

I didn't brick my tablet :) ... But it is not effectively rooted either :(

I checked from the terminal emulator that "su" has the correct properties :
ls -l su
-rwsr-sr-x root shell 311872 2014-08-15 23:16 su

But when I try something like :
su
ls /data

I get : opendir failed. Permission denied.

Obviously, I am not root...

Any idea ?
 

Stuart Little

You can root with:

POOT: This app is a one-click root app. No computer needed

Framaroot: Framaroot is a one-click root app. No computer needed
This is the most popular one!

Z4Root: Z4Root is a one-click root app. No computer needed

Towelroot: Towelroot is a one-click root app. No computer needed

Baidu: No information

Vroot: No information

Gingerbreak: This app can root almost all gingerbread devices

Downloads:

Poot - Download the app >>here<<

Framaroot - Download the app inside this XDA Thread - >> CLICK HERE <<

Z4ROOT - Download the app inside this XDA Thread - >> CLICK HERE <<

Towelroot - Download the app inside this XDA Thread - >> CLICK HERE <<

Baidu ROOT - Download the app >> HERE <<

vROOT - Download the app >> HERE <<


Gingerbreak - Download the app inside this XDA Thread - >> CLICK HERE <<

Flash a SU ZIP - Download the ZIP >> HERE << and flash it on your unlocked bootloader phone !

Hit thanks if you liked this post or this post has helped you out!

Sent through my Galaxy Note using Tapatalk 4
 

Bruno25

Bink Feed: Thank you for trying.

There are many people trying to root this tablet since KitKat OTA has been issued... without any success.
Most or all the tools you listed have already been tested, again, without any success.
(see [ToolKit] Acer Iconia v0.8.3)

Since KitKat, the [ToolKit] Acer Iconia v0.8.3 does not work anymore. The main reason is that the "run command" used in engineering mode disappeared.
Yesterday, I found it again : it is now in the parameters from MTKLogger (!)
With that finding, I now have access to the guts of the android system.

I need help from the community to understand what I am missing :
Based on the rooting guide Acer Iconia B1 A71 Root written by entonjackson (many thanks to him)
  • I managed to extract a valid system image (dd if=/dev/block/mmcblk0 ... | gzip > system.img.gz)
  • I mounted that image (mount -o loop system.img /media/iconia)
  • I changed the permission of /system/xbin/su (chmod 06755 su)
  • I wrote back the system image to the tablet android partition (zcat system.img.gz | dd of=/dev/block/mmcblk0 ...)
et voilà !

... the only remaining problem is that I did not gain root access, even if su has now the correct properties (-rwsr-sr-x root root)

Can anybody tell me what else I should change in the android system image ?
 

Bruno25

Answering to myself...
##STANDARD DISCLAIMER => No responsibility, blah, blah, :p...##

With KitKat, it is also necessary to have a running "su daemon".
A solution is to create a "install-recovery.sh" file in /system/etc. This script is executed at each boot.

Detailed step by step:
Files: (remove [grr] from ht[grr]tp)
busybox binary, for example from ht[grr]tp://busybox.net/downloads/binaries/latest/busybox-armv7l (to be renamed to busybox)
su binary, Superuser.apk and install-recovery.sh to be extracted from ht[grr]tp://download.clockworkmod.com/superuser/superuser.zip
Operating system:
Any decent Linux distribution (I'm on Ubuntu since years)
1/ copy busybox binary to the tablet
user@PC:~$ adb push busybox /data/local/tmp/
user@PC:~$ adb shell
shell@mango:/ $ chmod 755 /data/local/tmp/busybox
2/ start a telnet daemon on the tablet
install "ExDialer - Dialer & Contacts" on the tablet
Initiate engineering mode: dial *#*#ENGMODE#*#*
Go to the "Log and Debugging" tab
Launch MTKLogger
Go to the settings
Select "Run Command"
Type: /data/local/tmp/busybox telnetd -l /system/bin/sh -p 1234
Press ok. Now a telnet daemon should be running on the tablet with some kind of privileges.
3/ connect to the tablet (adb shell + telnet):
user@PC:~$ adb shell
shell@mango:/ $ /data/local/tmp/busybox telnet 127.0.0.1 1234
4/ Find out the start address and size of the System partition
shell@mango:/ $ cat /proc/dumchar_info
Code:
Part_Name       Size    StartAddr       Type    MapTo
preloader    0x0000000000c00000   0x0000000000000000   2   /dev/misc-sd
mbr          0x0000000000080000   0x0000000000000000   2   /dev/block/mmcblk0
ebr1         0x0000000000080000   0x0000000000080000   2   /dev/block/mmcblk0p1
pmt          0x0000000000400000   0x0000000000100000   2   /dev/block/mmcblk0
pro_info     0x0000000000300000   0x0000000000500000   2   /dev/block/mmcblk0
nvram        0x0000000000500000   0x0000000000800000   2   /dev/block/mmcblk0
protect_f    0x0000000000a00000   0x0000000000d00000   2   /dev/block/mmcblk0p2
protect_s    0x0000000000a00000   0x0000000001700000   2   /dev/block/mmcblk0p3
seccfg       0x0000000000020000   0x0000000002100000   2   /dev/block/mmcblk0
uboot        0x0000000000060000   0x0000000002120000   2   /dev/block/mmcblk0
bootimg      0x0000000000600000   0x0000000002180000   2   /dev/block/mmcblk0
recovery     0x0000000000a00000   0x0000000002780000   2   /dev/block/mmcblk0
sec_ro       0x0000000000600000   0x0000000003180000   2   /dev/block/mmcblk0p4
misc         0x0000000000080000   0x0000000003780000   2   /dev/block/mmcblk0
logo         0x0000000000300000   0x0000000003800000   2   /dev/block/mmcblk0
expdb        0x0000000000a00000   0x0000000003b00000   2   /dev/block/mmcblk0
android      0x0000000040000000   0x0000000004500000   2   /dev/block/mmcblk0p5
cache        0x000000002bc00000   0x0000000044500000   2   /dev/block/mmcblk0p6
usrdata      0x0000000332020000   0x0000000070100000   2   /dev/block/mmcblk0p7
bmtpool      0x0000000000000000   0x00000000ff3f00a8   2   /dev/block/mmcblk0
Part_Name:Partition name you should open;
Size:size of partition
StartAddr:Start Address of partition;
Type:Type of partition(MTD=1,EMMC=2)
MapTo:actual device you operate
Look at the line "android". Convert the associated start address and the size into a number of 4096-byte blocks. Considering the values above, I obtained: start address = 17664x4096, size = 262144x4096.
5/ dump the content of the android partition (it's there that the su binary will go)
shell@mango:/ $ dd if=/dev/block/mmcblk0 bs=4096 skip=17664 count=262144 | /data/local/tmp/busybox gzip > /data/local/tmp/system.img.gz
6/ copy that file to the PC and make a copy (who knows... it may be useful)
user@PC:~$ adb pull /data/local/tmp/system.img.gz
user@PC:~$ cp system.img.gz system.img.untouched.gz
7/ mount that file (change "user" to your current user name in the following instructions)
user@PC:~$ mkdir /home/user/Iconia_system
user@PC:~$ gunzip system.img.gz
user@PC:~$ sudo mount -o loop system.img /home/user/Iconia_system
8/ make some change to the android file system (removing old su binary, backing up old install-recovery.sh, installing new su, new install-recovery.sh):

user@PC:~$ sudo rm -f /home/user/Iconia_system/bin/su
user@PC:~$ sudo rm -f /home/user/Iconia_system/xbin/su
user@PC:~$ sudo rm -f /home/user/Iconia_system/app/Superuser.*
user@PC:~$ sudo rm -f /home/user/Iconia_system/app/Supersu.*
user@PC:~$ sudo rm -f /home/user/Iconia_system/app/superuser.*
user@PC:~$ sudo rm -f /home/user/Iconia_system/app/supersu.*
user@PC:~$ sudo rm -f /home/user/Iconia_system/app/SuperUser.*
user@PC:~$ sudo rm -f /home/user/Iconia_system/app/SuperSU.*
user@PC:~$ sudo cp /home/user/Iconia_system/etc/install-recovery.sh /home/user/Iconia_system/etc/install-recovery.sh.bak
user@PC:~$ sudo cp su /home/user/Iconia_system/xbin/su
user@PC:~$ sudo chown root:root /home/user/Iconia_system/xbin/su
user@PC:~$ sudo chmod 6755 /home/user/Iconia_system/xbin/su
user@PC:~$ sudo ln -s /system/xbin/su /home/user/Iconia_system/bin/su
user@PC:~$ sudo cp Superuser.apk /home/user/Iconia_system/app
user@PC:~$ sudo chmod 644 /home/user/Iconia_system/app/Superuser.apk
user@PC:~$ sudo cp install-recovery.sh /home/user/Iconia_system/etc/install-recovery.sh
user@PC:~$ sudo chmod 755 /home/user/Iconia_system/etc/install-recovery.sh
9/ remove some bloatware (optional)
user@PC:~$ sudo rm /home/user/Iconia_system/app/PlusOne.apk    # e.g.
user@PC:~$ sudo rm /home/user/Iconia_system/priv-app/AccuWeather.apk    # e.g.
10/ unmount the android file system
user@PC:~$ sudo umount /home/user/Iconia_system
11/ compress the file
user@PC:~$ gzip system.img
12/ push it back to the tablet
user@PC:~$ adb push system.img.gz /data/local/tmp/
13/ connect to the tablet and "burn" the modified file system (be patient, will take up to 10 minutes)
user@PC:~$ adb shell
shell@mango:/ $ /data/local/tmp/busybox telnet 127.0.0.1 1234
shell@mango:/ $ /data/local/tmp/busybox zcat /data/local/tmp/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=17664 count=262144
shell@mango:/ $ exit
shell@mango:/ $ exit
14/ restart the tablet
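
The address arithmetic from step 4, as an added example that is not part of the original post: it converts a dumchar_info row into the skip/count values used in steps 5 and 13, and rejects rows that are not 4096-aligned or that would run into the next partition. The function names dd_geometry, image_fits and sample_table are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): derive dd skip/count from a
# /proc/dumchar_info row and sanity-check them before any raw write.

BS=4096   # block size used by the dd commands in the post

# Three rows copied from the dumchar_info listing in the post.
sample_table() {
cat <<'EOF'
Part_Name       Size    StartAddr       Type    MapTo
expdb        0x0000000000a00000   0x0000000003b00000   2   /dev/block/mmcblk0
android      0x0000000040000000   0x0000000004500000   2   /dev/block/mmcblk0p5
cache        0x000000002bc00000   0x0000000044500000   2   /dev/block/mmcblk0p6
EOF
}

# dd_geometry NAME TABLE_TEXT
# Prints "skip=<blocks> count=<blocks>" for partition NAME.
# Returns 1 if NAME is missing, 2 if start or size is not a multiple of BS,
# 3 if start+size runs past the start of the next partition.
dd_geometry() {
    want=$1 table=$2
    start= size= next=

    # Pass 1: locate the requested row. Data rows have a hex value in
    # column 2; the header and legend lines do not and are skipped.
    while read -r name psize pstart _rest; do
        case $psize in 0x*) ;; *) continue ;; esac
        if [ "$name" = "$want" ]; then
            size=$(($psize))
            start=$(($pstart))
        fi
    done <<EOF
$table
EOF
    [ -n "$start" ] || return 1

    # Pass 2: smallest start address above ours = next partition boundary.
    while read -r name psize pstart _rest; do
        case $psize in 0x*) ;; *) continue ;; esac
        s=$(($pstart))
        if [ "$s" -gt "$start" ] && { [ -z "$next" ] || [ "$s" -lt "$next" ]; }; then
            next=$s
        fi
    done <<EOF
$table
EOF

    # dd with bs=4096 can only address whole blocks.
    if [ $((start % BS)) -ne 0 ] || [ $((size % BS)) -ne 0 ]; then
        return 2
    fi
    # A write of <size> bytes at <start> must stop at or before the
    # following partition.
    if [ -n "$next" ] && [ $((start + size)) -gt "$next" ]; then
        return 3
    fi
    echo "skip=$((start / BS)) count=$((size / BS))"
}

# image_fits IMAGE_BYTES COUNT_BLOCKS
# True when the uncompressed image is exactly as large as the region
# that "count" blocks will cover.
image_fits() {
    [ "$1" -eq $(($2 * BS)) ]
}

dd_geometry android "$(sample_table)"
```

Before the write in step 13, the size of the gunzipped system.img (for example from wc -c) can be passed to image_fits together with the computed count.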
 

Optimissimus99

Huge Thanx, works for me too :) Great work

Edit: Mhh, OK, the system boots with "preinstalled" Superuser, but if I try to give some apps root permission, there is no root popup from Superuser, and no root. Can you please upload your system.img.gz to test it with that?

Maybe it works with the SuperSU binaries...
 

Bruno25

I confirm it works with superuser.apk from clockworkmod.
SuperSU seems a little bit more tricky to install if you don't have direct rw access to /system.

Did you copy the install-recovery.sh script into /system/etc and set the correct rights (755) ?
Maybe you need to clean some cache ?
Do you have another superuser app (or binary) installed ?
The "su" command from adb shell works ?


I am uploading my system.img.gz (be careful, it is for Acer_AV0K0_A1-810_RV0BRC01_WW_GEN1) (2 hours left)

 

fREAST

I'm getting the same problems as @Optimissimus99.
install-recovery has the right perms, using superuser from cwm, su in adb shell works, but I can't remount /system
Code:
cn@chronos ~/iconia $ adb shell
shell@mango:/ $ su
root@mango:/ # mount -o rw,remount /system
mount: Operation not permitted
 

Bruno25

I think it is not the same problem: I also cannot remount /system rw. It seems to be a new security level introduced with KitKat on the A1-810.
I am still looking for a solution.
A potential solution is to change the content of default.prop in boot.img.
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
persist.mtk.aee.aed=on
ro.debuggable=0
ro.adb.secure=1
persist.sys.usb.config=mtp
persist.service.acm.enable=0
ro.mount.fs=EXT4
ro.persist.partition.support=no

I read that ro.secure=1 should be changed to ro.secure=0 and ro.debuggable=0 to ro.debuggable=1

But for that, boot.img has to be dumped, split (kernel + ramdisk), ramdisk has to be "uncpio", changed, "cpio", merged back with the kernel and written back to the tablet.

The standard tools (abootimg, unpack-bootimg.pl, ...) cannot correctly split boot.img (they look for a gzip magic number preceded by some zeros... But in that case, the gzip magic numbers are preceded by FFs...).
Moreover, the boot.img (dumped directly from the tablet since it is not available from Acer web site) has 3 ramdisks, which is really unusual !

I am a little bit scared to brick my tablet...
 

fREAST

That sounds like a probable cause for the system partition.
Anyway I got root working (still no system R/W), using files and the binaries from http://download.chainfire.eu/supersu with a modified script (update-binary from that zip, which is used in recovery) to work while the system.img is mounted.

sudo mkdir /home/user/iconia
cd /home/user/iconia/
sudo mkdir system
wget http://download.chainfire.eu/452/SuperSU/UPDATE-SuperSU-v2.02.zip?retrieve_file=1
unzip UPD[...] -d supersu
wget http://fs1.d-h.st/download/00138/WBX/update-binary
sudo chmod u+x update-binary
sudo mount -o loop system.img system
sudo ./update-binary
sudo umount system
gzip system.img and so on
 

Bruno25

Upload finished (remove [grr] from ht[grr]tp) => ht[grr]tp://mq3dk1y9c3.mesfichiers.org/
 

twu2

In A1-810, you need this command to remount /system:
Code:
mount -o remount,rw /system /system/
 

Bruno25

No joy :(

Code:
root@mango:/ # mount -o remount,rw /system /system/
mount: permission denied (are you root?)

By the way, I noticed that my mount command is weird :

Code:
root@mango:/ # which mount
/system/bin/mount
root@mango:/ # ls -l /system/bin/mount                                         
lrwxrwxrwx root     root              2013-08-23 12:51 mount -> wrapper.sh

Content of wrapper.sh :
Code:
#!/system/bin/sh

CMD=`basename $0`
ARG="$*"
NEWARG="-o remount,rw /system /system/"
LArg=$(eval echo \$$#)

case "$CMD" in
  "busybox")
    if [ $1 == "mount" ] && (([ $2 == "-o" ] && ([ $3 == "rw,remount" ] || [ $3 == "remount,rw" ])) || [ $2 == "-oremount,rw" ] || [ $2 == "-oremount,rw" ]); then
      if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
        /system/xbin/.mount_wrapper/mount $NEWARG
#       return $?
        return 0
      fi
    fi
    /system/xbin/busybox $ARG
#   return $?
    return 0
    ;;

  "mount")
    if ([ $1 == "-o" ] && ([ $2 == "rw,remount" ] || [ $2 == "remount,rw" ])) || [ $1 == "-oremount,rw" ] || [ $1 == "-orw,remount" ]; then
      if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
        /system/xbin/.mount_wrapper/mount $NEWARG
#       return $?
        return 0
      fi
    fi
    /system/bin/toolbox mount $ARG
#   return $?
    return 0
  ;;
esac

exit 0

It may come from a previous JB busybox installation (?)

If I force the use of toolbox :
Code:
root@mango:/ # toolbox mount -o remount,rw /system /system/ 
mount: Operation not permitted

Am I the only one with that messy configuration ?
 

fREAST

IIRC that wrapper is included in the toolkit for the A1 root, I think @twu2 made it

Sent from my GT-I9505 via Tapatalk
 

Bruno25

I don't have kitkat in my a1-810 (not got any OTA about this).....
in JB, yes, mount /system command will force to use busybox to mount it (toolbox not work).

Dear twu2, since you are still with JB ;), could you post the content of your /default.prop ? I would like to check what should be changed in mine to get rw access to /system

/default.prop, Android 4.4.2, Acer Iconia A1-810
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
persist.mtk.aee.aed=on
ro.debuggable=0
ro.adb.secure=1
persist.sys.usb.config=mtp
persist.service.acm.enable=0
ro.mount.fs=EXT4
ro.persist.partition.support=no
 

carl031462

Kitkat Root

For the RW workaround, you need to place a superuser app in /system/app, an su binary in /system/bin, an su binary in /system/xbin, a busybox binary in /system/bin, and an su binary in /system/bin/.ext4. The one in /system/bin/.ext4 lets you do a mount -o remount,RW /system /system/ for RW workaround. You need all 3 su binaries. Take this system.IMG.gz as an example. Do a mount -o loop to see contents. Do not flash it to tablet because it is a jellybean a1-810 image. I repeat, do not flash it.
http://xdaforums.com/showthread.php?t=2240029
Press a1-810 and download the pa_cus1 image. I can't post the direct link due to the 10 post policy.
 

Bruno25

No joy, yet,

Code:
root@mango:/ # ls -al /system/bin/.ext4/                                       
lrwxrwxrwx root     root              2014-08-29 22:08 su -> /system/xbin/su
root@mango:/ # busybox mount -o remount,rw /system /system/
mount: permission denied (are you root?)
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    Bink Feed: Thank you for trying.

    There are many people trying to root this tablet since KitKat OTA has been issued... without any success.
    Most or all the tools you listed have already been tested, again, without any success.
    (see [ToolKit] Acer Iconia v0.8.3)

    Since KitKat, the [ToolKit] Acer Iconia v0.8.3 does not work anymore. The main reason is that the "run command" used in engineering mode disappeared.
    Yesterday, I found it again : it is now in the parameters from MTKLogger (!)
    With that finding, I now have access to the guts of the android system.

    I need help from the community to understand what I is missing :
    Based on the rooting guide Acer Iconia B1 A71 Root written by entonjackson (many thanks to him)
    • I managed to extract a valid system image (dd if=/dev/block/mmcblk0 ... | gzip > system.img.gz)
    • I mounted that image (mount -o loop system.img /media/iconia)
    • I changed the permission of /system/xbin/su (chmod 06755 su)
    • I wrote back the system image to the tablet android partition (zcat system.img.gz | dd of=/dev/block/mmcblk0 ...)
    et voilà !

    ... the only remaining problem is that I did not gain root access, even if su has now the correct properties (-rwsr-sr-x root root)

    Anybody can tell me what else should I change in the android system image ?
    3
    Answering to myself...
    ##STANDARD DISCLAIMER => No responsibility, blah, blah, :p...##

    With KitKat, it is also necessary to have a running "su daemon".
    A solution is to create a "install-recovery.sh" file in /system/etc. This script is executed at each boot.

    Detailed step by step:
    Files: (remove [grr] from ht[grr]tp)
    busybox binary, for example from ht[grr]tp://busybox.net/downloads/binaries/latest/busybox-armv7l (to be renamed to busybox)
    su binary, Superuser.apk and install-recovery.sh to be extracted from ht[grr]tp://download.clockworkmod.com/superuser/superuser.zip​
    Operating system:
    Any decent Linux distribution (I'm on Ubuntu since years)​
    1/ copy busybox binary to the tablet
    user@PC:~$ adb push busybox /data/local/tmp/
    user@PC:~$ adb shell
    shell@mango:/ $ chmod 755 /data/local/tmp/busybox​
    2/ start a telnet daemon on the tablet
    install "ExDialer - Dialer & Contacts" on the tablet
    Initiate engineering mode: dial *#*#ENGMODE#*#*
    Go to the "Log and Debugging" tab
    Launch MTKLogger
    Go to the settings
    Select "Run Command"
    Type: /data/local/tmp/busybox telnetd -l /system/bin/sh -p 1234
    Press ok. Now a telnet daemon should be running on the tablet with some kind of privileges.
    3/ connect to the tablet (adb shell + telnet):
    user@PC:~$ adb shell
    shell@mango:/ $ /data/local/tmp/busybox telnet 127.0.0.1 1234​
    4/ Find out the start address and size of the System partition
    shell@mango:/ $ cat /proc/dumchar_info​
    Code:
    Part_Name       Size    StartAddr       Type    MapTo
    preloader    0x0000000000c00000   0x0000000000000000   2   /dev/misc-sd
    mbr          0x0000000000080000   0x0000000000000000   2   /dev/block/mmcblk0
    ebr1         0x0000000000080000   0x0000000000080000   2   /dev/block/mmcblk0p1
    pmt          0x0000000000400000   0x0000000000100000   2   /dev/block/mmcblk0
    pro_info     0x0000000000300000   0x0000000000500000   2   /dev/block/mmcblk0
    nvram        0x0000000000500000   0x0000000000800000   2   /dev/block/mmcblk0
    protect_f    0x0000000000a00000   0x0000000000d00000   2   /dev/block/mmcblk0p2
    protect_s    0x0000000000a00000   0x0000000001700000   2   /dev/block/mmcblk0p3
    seccfg       0x0000000000020000   0x0000000002100000   2   /dev/block/mmcblk0
    uboot        0x0000000000060000   0x0000000002120000   2   /dev/block/mmcblk0
    bootimg      0x0000000000600000   0x0000000002180000   2   /dev/block/mmcblk0
    recovery     0x0000000000a00000   0x0000000002780000   2   /dev/block/mmcblk0
    sec_ro       0x0000000000600000   0x0000000003180000   2   /dev/block/mmcblk0p4
    misc         0x0000000000080000   0x0000000003780000   2   /dev/block/mmcblk0
    logo         0x0000000000300000   0x0000000003800000   2   /dev/block/mmcblk0
    expdb        0x0000000000a00000   0x0000000003b00000   2   /dev/block/mmcblk0
    android      0x0000000040000000   0x0000000004500000   2   /dev/block/mmcblk0p5
    cache        0x000000002bc00000   0x0000000044500000   2   /dev/block/mmcblk0p6
    usrdata      0x0000000332020000   0x0000000070100000   2   /dev/block/mmcblk0p7
    bmtpool      0x0000000000000000   0x00000000ff3f00a8   2   /dev/block/mmcblk0
    Part_Name:Partition name you should open;
    Size:size of partition
    StartAddr:Start Address of partition;
    Type:Type of partition(MTD=1,EMMC=2)
    MapTo:actual device you operate
    Look at the line "android". Convert the associated start address and the size in number of 4096 blocks. Considering the values above, I obtained: start adress = 17664x4096, size = 262144x4096.​
    5/ dump the content of the android partition (it's there that the su binary will go)
    shell@mango:/ $ dd if=/dev/block/mmcblk0 bs=4096 skip=17664 count=262144 | /data/local/tmp/busybox gzip > /data/local/tmp/system.img.gz​
    6/ copy that file to the PC and make a copy (who knows... it may be useful)
    user@PC:~$ adb pull /data/local/tmp/system.img.gz
    user@PC:~$ cp system.img.gz system.img.untouched.gz
    7/ mount that file (change "user" to your current user name in the following instructions)
    user@PC:~$ mkdir /home/user/Iconia_system
    user@PC:~$ gunzip system.img.gz
    user@PC:~$ sudo mount -o loop system.img /home/user/Iconia_system​
    8/ make some change to the android file system (removing old su binary, backing up old install-recovery.sh, installing new su, new install-recovery.sh):

    user@PC:~$ sudo rm -f /home/user/Iconia_system/bin/su
    user@PC:~$ sudo rm -f home/user/Iconia_system/xbin/su
    user@PC:~$ sudo rm -f /system/app/Superuser.*
    user@PC:~$ sudo rm -f /system/app/Supersu.*
    user@PC:~$ sudo rm -f /system/app/superuser.*
    user@PC:~$ sudo rm -f /system/app/supersu.*
    user@PC:~$ sudo rm -f /system/app/SuperUser.*
    user@PC:~$ sudo rm -f /system/app/SuperSU.*
    user@PC:~$ sudo cp /home/user/Iconia_system/etc/install-recovery.sh /home/user/Iconia_system/etc/install-recovery.sh.bak
    user@PC:~$ sudo cp su /home/user/Iconia_system/xbin/su
    user@PC:~$ sudo chown root.root /home/user/Iconia_system/xbin/su
    user@PC:~$ sudo chmod 6755 /home/user/Iconia_system/xbin/su
    user@PC:~$ sudo ln -s /system/xbin/su /home/user/Iconia_system/bin/su
    user@PC:~$ sudo cp Superuser.apk /home/user/Iconia_system/app
    user@PC:~$ sudo chmod 644 /home/user/Iconia_system/app/Superuser.apk
    user@PC:~$ sudo cp install-recovery.sh /home/user/Iconia_system/etc/install-recovery.sh
    user@PC:~$ sudo chmod 755 /home/user/Iconia_system/etc/install-recovery.sh
    9/ remove some bloatware (optional), for example:
    user@PC:~$ sudo rm /home/user/Iconia_system/app/PlusOne.apk
    user@PC:~$ sudo rm /home/user/Iconia_system/priv-app/AccuWeather.apk
    10/ unmount the android file system
    user@PC:~$ sudo umount /home/user/Iconia_system
    11/ compress the file
    user@PC:~$ gzip system.img
    12/ push it back to the tablet
    user@PC:~$ adb push system.img.gz /data/local/tmp/
    13/ connect to the tablet and "burn" the modified file system (be patient, will take up to 10 minutes)
    user@PC:~$ adb shell
    shell@mango:/ $ /data/local/tmp/busybox telnet 127.0.0.1 1234
    shell@mango:/ $ /data/local/tmp/busybox zcat /data/local/tmp/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=17664 count=262144
    shell@mango:/ $ exit
    shell@mango:/ $ exit
    14/ restart the tablet
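
Added example (not part of the original posts): steps 4/, 5/ and 13/ depend on converting the "android" row of /proc/dumchar_info into dd block numbers and on writing back an image of exactly the partition size. The sketch below does that conversion and refuses a write-back whose image size does not match; the table is constructed, its column order is an assumption, and only the android start and size correspond to the figures in the post.

```python
import re

BLOCK = 4096  # dd block size used in the thread

# Constructed sample. Column order (name, size, start address, type, node) is
# an assumption; the android start and size match the thread's figures.
SAMPLE_DUMCHAR = """\
Part_Name    Size                StartAddr           Type  MapTo
bootimg      0x0000000000600000  0x0000000002d00000  2     /dev/bootimg
android      0x0000000040000000  0x0000000004500000  2     /dev/block/mmcblk0p5
cache        0x0000000020000000  0x0000000044500000  2     /dev/block/mmcblk0p6
"""

ROW = re.compile(r"^(\S+)\s+0x([0-9a-fA-F]+)\s+0x([0-9a-fA-F]+)\s")


def parse_dumchar(text):
    """Return {partition: (size_bytes, start_bytes)}; the header row is skipped."""
    parts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            parts[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return parts


def dd_params(parts, name, block=BLOCK):
    """Return (skip_or_seek, count) in blocks, refusing unaligned partitions."""
    size, start = parts[name]
    if size % block or start % block:
        raise ValueError(f"{name}: not aligned to {block}-byte blocks")
    return start // block, size // block


def writeback_command(parts, name, image_bytes, device="/dev/block/mmcblk0"):
    """Build the dd write-back line only if the image exactly fills `name`."""
    size, start = parts[name]
    if image_bytes != size:
        raise ValueError(f"image is {image_bytes} bytes, {name} is {size}")
    for other, (osize, ostart) in parts.items():
        if other != name and ostart < start + size and start < ostart + osize:
            raise ValueError(f"{name} overlaps {other} in the table")
    seek, count = dd_params(parts, name)
    return f"dd of={device} bs={BLOCK} seek={seek} count={count}"


if __name__ == "__main__":
    table = parse_dumchar(SAMPLE_DUMCHAR)
    print(dd_params(table, "android"))
    print(writeback_command(table, "android", 0x40000000))
```

Feed it the real `cat /proc/dumchar_info` output and the byte size of the uncompressed system.img before running step 13/.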
    2
    How would one create and load that module?

    Download the kernel source code from Acer's support website.
    Extract it under Linux; there's a README file that tells you how to build your kernel.
    After building the kernel, write a new module (it's the same as on Linux; google it and you will get lots of samples) and build it.

    When you have the module you built (*.ko), put it in /system/lib/modules/ on the A1-810, then use adb, ssh or a terminal to get a shell, su to root, and insmod that .ko file.
    If it works, put the load command in /system/etc/install-recovery.sh; it should load the module after the system boots.
    1
    I think it is not the same problem: I also cannot remount /system rw. It seems to be a new security level introduced with KitKat on the A1-810.
    I am still looking for a solution.
    A potential solution is to change the content of default.prop in boot.img.
    Code:
    #
    # ADDITIONAL_DEFAULT_PROPERTIES
    #
    ro.secure=1
    ro.allow.mock.location=0
    persist.mtk.aee.aed=on
    ro.debuggable=0
    ro.adb.secure=1
    persist.sys.usb.config=mtp
    persist.service.acm.enable=0
    ro.mount.fs=EXT4
    ro.persist.partition.support=no

    I read that ro.secure=1 should be changed to ro.secure=0 and ro.debuggable=0 to ro.debuggable=1

    But for that, boot.img has to be dumped and split (kernel + ramdisk); the ramdisk has to be "uncpio"-ed, changed, "cpio"-ed, merged back with the kernel and written back to the tablet.

    The standard tools (abootimg, unpack-bootimg.pl, ...) cannot split boot.img correctly (they look for a gzip magic number preceded by some zeros... But in that case, the gzip magic numbers are preceded by FFs...).
    Moreover, the boot.img (dumped directly from the tablet since it is not available from the Acer web site) has 3 ramdisks, which is really unusual!

    I am a little bit scared to brick my tablet...

    That sounds like a probable cause for the system partition.
    Anyway, I got root working (still no system R/W), using the files and binaries from http://download.chainfire.eu/supersu with a modified script (update-binary from that zip, which is used in recovery) to work while the system.img is mounted.




    sudo mkdir /home/user/iconia
    cd /home/user/iconia/
    sudo mkdir system
    wget 'http://download.chainfire.eu/452/SuperSU/UPDATE-SuperSU-v2.02.zip?retrieve_file=1'
    unzip UPD[...] -d supersu
    wget http://fs1.d-h.st/download/00138/WBX/update-binary
    sudo chmod u+x update-binary
    sudo mount -o loop system.img system
    sudo ./update-binary
    sudo umount system
    gzip system.img and so on
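
Added example (not part of the original posts): the boot.img observation quoted above, gzip magic numbers preceded by FFs instead of zeros and more than one ramdisk, can be checked without any padding heuristic by test-decompressing at every magic hit and reporting the byte in front of it. The image built in `build_sample` is constructed for the demonstration and is not a real Acer boot.img; its header bytes are a placeholder.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)


def find_gzip_members(blob):
    """Return [(offset, byte_before, compressed_len, decompressed_len)].

    A hit counts only if a complete gzip stream (CRC included) decodes there,
    so the padding in front of it is reported, not used as a filter.
    """
    members, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        stream = zlib.decompressobj(31)  # 31 = expect a gzip header/trailer
        try:
            data = stream.decompress(blob[pos:])
            valid = stream.eof
        except zlib.error:
            valid = False  # the three magic bytes occurred by coincidence
        if valid:
            clen = len(blob) - pos - len(stream.unused_data)
            before = blob[pos - 1] if pos else None
            members.append((pos, before, clen, len(data)))
            pos = blob.find(GZIP_MAGIC, pos + clen)
        else:
            pos = blob.find(GZIP_MAGIC, pos + 1)
    return members


def build_sample():
    """Constructed stand-in for a dumped image: header, then 3 FF-padded members."""
    blob = b"ANDROID!" + b"\x00" * 56        # placeholder header, not a real one
    for i in range(3):
        blob += b"\xff" * 32                  # FF padding, as reported in the thread
        blob += gzip.compress((b"ramdisk %d\n" % i) * 200)
    blob += b"\xff\x1f\x8b\x08\xff\xff"       # decoy: magic with no valid stream
    return blob


if __name__ == "__main__":
    for off, before, clen, dlen in find_gzip_members(build_sample()):
        print(f"offset={off:#x} byte_before={before:#04x} "
              f"compressed={clen} decompressed={dlen}")
```

On a real dump, pass the bytes of the dumped boot.img to `find_gzip_members` and compare the reported offsets and lengths with what the splitting tool produced before writing anything back.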
    1
    system rw workaround for a1-810

    I wrote a kernel module for the A1-810 to do the /system remount; you can download it here (source code included):
    a1-810_system_remount.tgz 123 KB
    https://mega.co.nz/#!lVo0VCjS!H9IyknDwgjZxLFDS7-VAWrN5En-l1gmrHX3YvJbmodM

    Because my A1-810's touch screen was broken and my tablet is still on 4.2.2, I only tested it under 4.2.2:
    0. you need a rooted A1-810
    1. extract the tarball
    2. 3.4.5/system_remount.ko is for kernel 3.4.5 (used in 4.2.2), 3.4.67/system_remount.ko is for kernel 3.4.67 (used in 4.4.2)
    3. use adb to push such file to /data/local/tmp/
    4. execute adb shell to the device
    5. execute su in shell
    6. execute: insmod /data/local/tmp/system_remount.ko
    if nothing goes wrong (no error message), /system should be remounted in rw mode
    7. do some test or put system_remount.ko into /system/lib/modules/
    8. execute: rmmod system_remount
    if nothing goes wrong, /system should be read-only again.

    If it works, you can modify the a1su.tgz (the old workaround method) and change the wrapper.sh: when we need to remount /system rw, use this command (if you give no path for the .ko file, you need to put the file in /system/lib/modules/):
    Code:
    insmod system_remount
    and add a check to remount /system ro, using this command:
    Code:
    rmmod system_remount


    WARNING: I have not tested this under KitKat. If the mount point for /system is different (in JB, it's /dev/block/mmcblk0p5), you need to modify the source, then build a new .ko to use. Also, it is based on the Acer kernel source 3.4.5, so it might not work in 3.4.67. If it does not work, we need to wait for Acer to release the source again.



    ---------- Post added at 01:34 PM ---------- Previous post was at 01:32 PM ----------

    For tests you can use a USB OTG cable with a mouse
    Good idea, I'll try it later...

    But I found I can still use adb to connect to the device, so I wrote a module and tested it under JB; it works fine.