[Decompiled] Asus - UnLock_Device_App_V6


1wayjonny

Senior Member
Jan 3, 2007
466
1,197
Decompiled the APK using Brut.alll APK tool and just thought I would share for anyone who wants to sift through the codes and commands.

They basically flag the system and kick into recovery to start the unlock process but have a look yourself.

Brut.alll APK Tool: http://code.google.com/p/android-apktool/

Not sure if this will be useful for the original Transformer, as Asus stated that this works with ICS only; since the original Transformer does not have ICS, the bootloader may not be able to handle the steps should someone figure it out.
 

Attachments

  • UnLock_Device_App_V6.zip
    375.4 KB · Views: 2,230

Evo_Shift

Senior Member
Jan 17, 2011
2,348
482
Is it worth waiting for something to come of this? Like could this be reverse engineered to exclude the communication to asus about your serials?
 

skaforey

Senior Member
Nov 5, 2009
603
399
San Diego, CA
Nothing is different, it's just the apk reverse engineered so it is "viewable" (read modifiable) by our devs. Hopefully the devs can come up with something to unlock the bootloader and prevent your warranty from being voided (or come up with a way to relock the bootloader should warranty issues come up).
 

Hawkysoft

Senior Member
Jul 21, 2010
762
182
40
Rotterdam
thanks, but no need to post this... people who needed this already done that...

also this should not be under development.

also you misunderstood what it does... but keep reading, I'm sure you will find out what it does exactly some day

there is a big process before it even does anything to your phone except for reading and transferring info/data
 

1wayjonny

Senior Member
Jan 3, 2007
466
1,197
also this should not be under development.

also you misunderstood what it does... but keep reading, I'm sure you will find out what it does exactly some day

there is a big process before it even does anything to your phone except for reading and transferring info/data

Sorry about the wrong section and if anyone needs this moved please do so. I understand the process is more than just the flag but I haven't been able to read through all of the code yet (damn work) but it is good practice.

But if you have any great information to share from your end please do so, it's always great to spread knowledge (even if some of the info is repeatable info for more advanced users) because it helps inspire other great minds.

But I understand where you're coming from as well. Cheers!

**Update**
I think I see the area you are talking about now, looks like your tablet goes through a registration process with Asus before the flag is kicked on. Still looking if they hand off a code but they probably flag your device in their system as unlocked for warranty reasons as well.
 

jermaine151

Senior Member
Jun 19, 2010
4,237
3,690
Columbus, Ohio
The magic happens in: UnLockFlagAndReboot.smali

Code:
.class public Lcom/asus/unlock/UnLockFlagAndReboot;
.super Ljava/lang/Object;
.source "UnLockFlagAndReboot.java"


# static fields
.field private static final MISC_PATH:Ljava/lang/String; = "/dev/block/mmcblk0p3"

.field private static final TAG:Ljava/lang/String; = "UnLockFlagAndReboot"

.field private static final USB_PATH:Ljava/lang/String; = "/dev/block/mmcblk0p4"


# instance fields
.field private mBufferReaderSize:I

.field private mContentStr:Ljava/lang/String;

.field private mContext:Landroid/content/Context;


# direct methods
.method public constructor <init>(Landroid/content/Context;)V
    .locals 1
    .parameter "context"

    .prologue
    .line 25
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    .line 20
    const/16 v0, 0x1f4

    iput v0, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mBufferReaderSize:I

    .line 21
    const-string v0, ""

    iput-object v0, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mContentStr:Ljava/lang/String;

    .line 26
    iput-object p1, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mContext:Landroid/content/Context;

    .line 27
    return-void
.end method

.method public static fromHexString(Ljava/lang/String;)[B
    .locals 2
    .parameter "in"

    .prologue
    .line 81
    new-instance v0, Ljava/math/BigInteger;

    const/16 v1, 0x10

    invoke-direct {v0, p0, v1}, Ljava/math/BigInteger;-><init>(Ljava/lang/String;I)V

    .line 82
    .local v0, temp:Ljava/math/BigInteger;
    invoke-virtual {v0}, Ljava/math/BigInteger;->toByteArray()[B

    move-result-object v1

    return-object v1
.end method

.method private writeRecoveryCmd(Ljava/lang/String;)V
    .locals 10
    .parameter "encodeCpuId"
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/io/IOException;
        }
    .end annotation

    .prologue
    .line 43
    const/16 v8, 0x440

    new-array v0, v8, [B

    .line 44
    .local v0, bary:[B
    invoke-static {p1}, Lcom/asus/unlock/UnLockFlagAndReboot;->fromHexString(Ljava/lang/String;)[B

    move-result-object v1

    .line 46
    .local v1, bary2:[B
    const/16 v8, 0xb

    new-array v2, v8, [B

    fill-array-data v2, :array_0

    .line 47
    .local v2, cmd1:[B
    const/16 v8, 0x9

    new-array v3, v8, [B

    fill-array-data v3, :array_1

    .line 49
    .local v3, cmd2:[B
    const/4 v7, 0x0

    .local v7, idx:I
    :goto_0
    array-length v8, v2

    if-ge v7, v8, :cond_0

    .line 50
    const/4 v8, 0x0

    aput-byte v8, v0, v7

    .line 49
    add-int/lit8 v7, v7, 0x1

    goto :goto_0

    .line 52
    :cond_0
    const/4 v7, 0x0

    :goto_1
    array-length v8, v2

    if-ge v7, v8, :cond_1

    .line 53
    add-int/lit8 v8, v7, 0x0

    aget-byte v9, v2, v7

    aput-byte v9, v0, v8

    .line 52
    add-int/lit8 v7, v7, 0x1

    goto :goto_1

    .line 55
    :cond_1
    const/4 v7, 0x0

    :goto_2
    array-length v8, v3

    if-ge v7, v8, :cond_2

    .line 56
    add-int/lit8 v8, v7, 0x40

    aget-byte v9, v3, v7

    aput-byte v9, v0, v8

    .line 55
    add-int/lit8 v7, v7, 0x1

    goto :goto_2

    .line 59
    :cond_2
    const/4 v5, 0x0

    .line 61
    .local v5, fos:Ljava/io/FileOutputStream;
    :try_start_0
    new-instance v6, Ljava/io/FileOutputStream;

    const-string v8, "/dev/block/mmcblk0p3"

    invoke-direct {v6, v8}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    :try_end_0
    .catchall {:try_start_0 .. :try_end_0} :catchall_0
    .catch Ljava/io/FileNotFoundException; {:try_start_0 .. :try_end_0} :catch_0
    .catch Ljava/io/IOException; {:try_start_0 .. :try_end_0} :catch_1

    .line 62
    .end local v5           #fos:Ljava/io/FileOutputStream;
    .local v6, fos:Ljava/io/FileOutputStream;
    :try_start_1
    invoke-virtual {v6, v0}, Ljava/io/FileOutputStream;->write([B)V

    .line 66
    new-instance v5, Ljava/io/FileOutputStream;

    const-string v8, "/dev/block/mmcblk0p4"

    invoke-direct {v5, v8}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    :try_end_1
    .catchall {:try_start_1 .. :try_end_1} :catchall_1
    .catch Ljava/io/FileNotFoundException; {:try_start_1 .. :try_end_1} :catch_3
    .catch Ljava/io/IOException; {:try_start_1 .. :try_end_1} :catch_2

    .line 67
    .end local v6           #fos:Ljava/io/FileOutputStream;
    .restart local v5       #fos:Ljava/io/FileOutputStream;
    :try_start_2
    invoke-virtual {v5, v1}, Ljava/io/FileOutputStream;->write([B)V

    .line 68
    const-string v8, "UnLockFlagAndReboot"

    const-string v9, "============= writeRecoveryCmd  success ======================="

    invoke-static {v8, v9}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    :try_end_2
    .catchall {:try_start_2 .. :try_end_2} :catchall_0
    .catch Ljava/io/FileNotFoundException; {:try_start_2 .. :try_end_2} :catch_0
    .catch Ljava/io/IOException; {:try_start_2 .. :try_end_2} :catch_1

    .line 74
    if-eqz v5, :cond_3

    .line 75
    invoke-virtual {v5}, Ljava/io/FileOutputStream;->close()V

    .line 78
    :cond_3
    :goto_3
    return-void

    .line 69
    :catch_0
    move-exception v4

    .line 70
    .local v4, e:Ljava/io/FileNotFoundException;
    :goto_4
    :try_start_3
    invoke-virtual {v4}, Ljava/io/FileNotFoundException;->printStackTrace()V
    :try_end_3
    .catchall {:try_start_3 .. :try_end_3} :catchall_0

    .line 74
    if-eqz v5, :cond_3

    .line 75
    invoke-virtual {v5}, Ljava/io/FileOutputStream;->close()V

    goto :goto_3

    .line 71
    .end local v4           #e:Ljava/io/FileNotFoundException;
    :catch_1
    move-exception v4

    .line 72
    .local v4, e:Ljava/io/IOException;
    :goto_5
    :try_start_4
    invoke-virtual {v4}, Ljava/io/IOException;->printStackTrace()V
    :try_end_4
    .catchall {:try_start_4 .. :try_end_4} :catchall_0

    .line 74
    if-eqz v5, :cond_3

    .line 75
    invoke-virtual {v5}, Ljava/io/FileOutputStream;->close()V

    goto :goto_3

    .line 74
    .end local v4           #e:Ljava/io/IOException;
    :catchall_0
    move-exception v8

    :goto_6
    if-eqz v5, :cond_4

    .line 75
    invoke-virtual {v5}, Ljava/io/FileOutputStream;->close()V

    :cond_4
    throw v8

    .line 74
    .end local v5           #fos:Ljava/io/FileOutputStream;
    .restart local v6       #fos:Ljava/io/FileOutputStream;
    :catchall_1
    move-exception v8

    move-object v5, v6

    .end local v6           #fos:Ljava/io/FileOutputStream;
    .restart local v5       #fos:Ljava/io/FileOutputStream;
    goto :goto_6

    .line 71
    .end local v5           #fos:Ljava/io/FileOutputStream;
    .restart local v6       #fos:Ljava/io/FileOutputStream;
    :catch_2
    move-exception v4

    move-object v5, v6

    .end local v6           #fos:Ljava/io/FileOutputStream;
    .restart local v5       #fos:Ljava/io/FileOutputStream;
    goto :goto_5

    .line 69
    .end local v5           #fos:Ljava/io/FileOutputStream;
    .restart local v6       #fos:Ljava/io/FileOutputStream;
    :catch_3
    move-exception v4

    move-object v5, v6

    .end local v6           #fos:Ljava/io/FileOutputStream;
    .restart local v5       #fos:Ljava/io/FileOutputStream;
    goto :goto_4

    .line 46
    :array_0
    .array-data 0x1
        0x62t
        0x6ft
        0x6ft
        0x74t
        0x2dt
        0x75t
        0x6et
        0x6ct
        0x6ft
        0x63t
        0x6bt
    .end array-data

    .line 47
    :array_1
    .array-data 0x1
        0x72t
        0x65t
        0x63t
        0x6ft
        0x76t
        0x65t
        0x72t
        0x79t
        0xat
    .end array-data
.end method


# virtual methods
.method public readFileContent()V
    .locals 8

    .prologue
    .line 86
    const/4 v1, 0x0

    .line 88
    .local v1, fr:Ljava/io/FileReader;
    :try_start_0
    new-instance v2, Ljava/io/FileReader;

    const-string v5, "/dev/block/mmcblk0p3"

    invoke-direct {v2, v5}, Ljava/io/FileReader;-><init>(Ljava/lang/String;)V
    :try_end_0
    .catchall {:try_start_0 .. :try_end_0} :catchall_0
    .catch Ljava/io/FileNotFoundException; {:try_start_0 .. :try_end_0} :catch_7
    .catch Ljava/io/IOException; {:try_start_0 .. :try_end_0} :catch_3

    .line 89
    .end local v1           #fr:Ljava/io/FileReader;
    .local v2, fr:Ljava/io/FileReader;
    :try_start_1
    new-instance v3, Ljava/io/BufferedReader;

    iget v5, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mBufferReaderSize:I

    invoke-direct {v3, v2, v5}, Ljava/io/BufferedReader;-><init>(Ljava/io/Reader;I)V

    .line 90
    .local v3, in:Ljava/io/BufferedReader;
    const-string v4, ""

    .line 91
    .local v4, line:Ljava/lang/String;
    :goto_0
    invoke-virtual {v3}, Ljava/io/BufferedReader;->readLine()Ljava/lang/String;

    move-result-object v4

    if-eqz v4, :cond_1

    .line 92
    new-instance v5, Ljava/lang/StringBuilder;

    invoke-direct {v5}, Ljava/lang/StringBuilder;-><init>()V

    iget-object v6, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mContentStr:Ljava/lang/String;

    invoke-virtual {v5, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v5

    invoke-virtual {v5, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v5

    invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v5

    iput-object v5, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mContentStr:Ljava/lang/String;
    :try_end_1
    .catchall {:try_start_1 .. :try_end_1} :catchall_1
    .catch Ljava/io/FileNotFoundException; {:try_start_1 .. :try_end_1} :catch_0
    .catch Ljava/io/IOException; {:try_start_1 .. :try_end_1} :catch_6

    goto :goto_0

    .line 95
    .end local v3           #in:Ljava/io/BufferedReader;
    .end local v4           #line:Ljava/lang/String;
    :catch_0
    move-exception v0

    move-object v1, v2

    .line 96
    .end local v2           #fr:Ljava/io/FileReader;
    .local v0, e:Ljava/io/FileNotFoundException;
    .restart local v1       #fr:Ljava/io/FileReader;
    :goto_1
    :try_start_2
    invoke-virtual {v0}, Ljava/io/FileNotFoundException;->printStackTrace()V
    :try_end_2
    .catchall {:try_start_2 .. :try_end_2} :catchall_0

    .line 101
    if-eqz v1, :cond_0

    .line 103
    :try_start_3
    invoke-virtual {v1}, Ljava/io/FileReader;->close()V
    :try_end_3
    .catch Ljava/io/IOException; {:try_start_3 .. :try_end_3} :catch_2

    .line 110
    .end local v0           #e:Ljava/io/FileNotFoundException;
    :cond_0
    :goto_2
    return-void

    .line 94
    .end local v1           #fr:Ljava/io/FileReader;
    .restart local v2       #fr:Ljava/io/FileReader;
    .restart local v3       #in:Ljava/io/BufferedReader;
    .restart local v4       #line:Ljava/lang/String;
    :cond_1
    :try_start_4
    const-string v5, "UnLockFlagAndReboot"

    new-instance v6, Ljava/lang/StringBuilder;

    invoke-direct {v6}, Ljava/lang/StringBuilder;-><init>()V

    const-string v7, "content of Unlock Flag: "

    invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v6

    iget-object v7, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mContentStr:Ljava/lang/String;

    invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v6

    invoke-virtual {v6}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v6

    invoke-static {v5, v6}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
    :try_end_4
    .catchall {:try_start_4 .. :try_end_4} :catchall_1
    .catch Ljava/io/FileNotFoundException; {:try_start_4 .. :try_end_4} :catch_0
    .catch Ljava/io/IOException; {:try_start_4 .. :try_end_4} :catch_6

    .line 101
    if-eqz v2, :cond_3

    .line 103
    :try_start_5
    invoke-virtual {v2}, Ljava/io/FileReader;->close()V
    :try_end_5
    .catch Ljava/io/IOException; {:try_start_5 .. :try_end_5} :catch_1

    move-object v1, v2

    .line 107
    .end local v2           #fr:Ljava/io/FileReader;
    .restart local v1       #fr:Ljava/io/FileReader;
    goto :goto_2

    .line 104
    .end local v1           #fr:Ljava/io/FileReader;
    .restart local v2       #fr:Ljava/io/FileReader;
    :catch_1
    move-exception v0

    .line 106
    .local v0, e:Ljava/io/IOException;
    invoke-virtual {v0}, Ljava/io/IOException;->printStackTrace()V

    move-object v1, v2

    .line 107
    .end local v2           #fr:Ljava/io/FileReader;
    .restart local v1       #fr:Ljava/io/FileReader;
    goto :goto_2

    .line 104
    .end local v3           #in:Ljava/io/BufferedReader;
    .end local v4           #line:Ljava/lang/String;
    .local v0, e:Ljava/io/FileNotFoundException;
    :catch_2
    move-exception v0

    .line 106
    .local v0, e:Ljava/io/IOException;
    invoke-virtual {v0}, Ljava/io/IOException;->printStackTrace()V

    goto :goto_2

    .line 97
    .end local v0           #e:Ljava/io/IOException;
    :catch_3
    move-exception v0

    .line 99
    .restart local v0       #e:Ljava/io/IOException;
    :goto_3
    :try_start_6
    invoke-virtual {v0}, Ljava/io/IOException;->printStackTrace()V
    :try_end_6
    .catchall {:try_start_6 .. :try_end_6} :catchall_0

    .line 101
    if-eqz v1, :cond_0

    .line 103
    :try_start_7
    invoke-virtual {v1}, Ljava/io/FileReader;->close()V
    :try_end_7
    .catch Ljava/io/IOException; {:try_start_7 .. :try_end_7} :catch_4

    goto :goto_2

    .line 104
    :catch_4
    move-exception v0

    .line 106
    invoke-virtual {v0}, Ljava/io/IOException;->printStackTrace()V

    goto :goto_2

    .line 101
    .end local v0           #e:Ljava/io/IOException;
    :catchall_0
    move-exception v5

    :goto_4
    if-eqz v1, :cond_2

    .line 103
    :try_start_8
    invoke-virtual {v1}, Ljava/io/FileReader;->close()V
    :try_end_8
    .catch Ljava/io/IOException; {:try_start_8 .. :try_end_8} :catch_5

    .line 107
    :cond_2
    :goto_5
    throw v5

    .line 104
    :catch_5
    move-exception v0

    .line 106
    .restart local v0       #e:Ljava/io/IOException;
    invoke-virtual {v0}, Ljava/io/IOException;->printStackTrace()V

    goto :goto_5

    .line 101
    .end local v0           #e:Ljava/io/IOException;
    .end local v1           #fr:Ljava/io/FileReader;
    .restart local v2       #fr:Ljava/io/FileReader;
    :catchall_1
    move-exception v5

    move-object v1, v2

    .end local v2           #fr:Ljava/io/FileReader;
    .restart local v1       #fr:Ljava/io/FileReader;
    goto :goto_4

    .line 97
    .end local v1           #fr:Ljava/io/FileReader;
    .restart local v2       #fr:Ljava/io/FileReader;
    :catch_6
    move-exception v0

    move-object v1, v2

    .end local v2           #fr:Ljava/io/FileReader;
    .restart local v1       #fr:Ljava/io/FileReader;
    goto :goto_3

    .line 95
    :catch_7
    move-exception v0

    goto :goto_1

    .end local v1           #fr:Ljava/io/FileReader;
    .restart local v2       #fr:Ljava/io/FileReader;
    .restart local v3       #in:Ljava/io/BufferedReader;
    .restart local v4       #line:Ljava/lang/String;
    :cond_3
    move-object v1, v2

    .end local v2           #fr:Ljava/io/FileReader;
    .restart local v1       #fr:Ljava/io/FileReader;
    goto :goto_2
.end method

.method public reboot()V
    .locals 3

    .prologue
    .line 38
    iget-object v1, p0, Lcom/asus/unlock/UnLockFlagAndReboot;->mContext:Landroid/content/Context;

    const-string v2, "power"

    invoke-virtual {v1, v2}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Landroid/os/PowerManager;

    .line 39
    .local v0, pm:Landroid/os/PowerManager;
    const/4 v1, 0x0

    invoke-virtual {v0, v1}, Landroid/os/PowerManager;->reboot(Ljava/lang/String;)V

    .line 40
    return-void
.end method

.method public writeUnlockFlag(Ljava/lang/String;)V
    .locals 1
    .parameter "encodeCpuId"

    .prologue
    .line 31
    :try_start_0
    invoke-direct {p0, p1}, Lcom/asus/unlock/UnLockFlagAndReboot;->writeRecoveryCmd(Ljava/lang/String;)V
    :try_end_0
    .catch Ljava/io/IOException; {:try_start_0 .. :try_end_0} :catch_0

    .line 35
    :goto_0
    return-void

    .line 32
    :catch_0
    move-exception v0

    .line 33
    .local v0, e:Ljava/io/IOException;
    invoke-virtual {v0}, Ljava/io/IOException;->printStackTrace()V

    goto :goto_0
.end method
 
  • Like
Reactions: Magnesus
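A reading of what writeRecoveryCmd puts in its 0x440-byte buffer, as an added example that is not part of the original post or of the Asus app. It decodes the two `.array-data` blocks from the listing, rebuilds the buffer in memory only, and parses it with the AOSP `bootloader_message` layout of that era (command[32], status[32], recovery[1024], which is exactly 0x440 bytes); that the Asus bootloader interprets the misc partition this way is an assumption. It also emulates `fromHexString`, because `BigInteger.toByteArray()` does not preserve the length of the hex string it is given.

```python
import struct

# Assumed layout: AOSP bootloader_message (ICS era) = command[32] status[32] recovery[1024]
BCB = struct.Struct("<32s32s1024s")  # 32 + 32 + 1024 = 1088 = 0x440

# Byte literals copied from :array_0 and :array_1 in the smali listing above
ARRAY_0 = "0x62t 0x6ft 0x6ft 0x74t 0x2dt 0x75t 0x6et 0x6ct 0x6ft 0x63t 0x6bt"
ARRAY_1 = "0x72t 0x65t 0x63t 0x6ft 0x76t 0x65t 0x72t 0x79t 0xat"


def decode_array_data(text):
    """Convert smali byte literals such as '0x62t' into a bytes object."""
    return bytes(int(tok.rstrip("t"), 16) & 0xFF for tok in text.split())


def build_misc_buffer():
    """Mirror the copy loops: cmd1 at offset 0, cmd2 at offset 0x40 (in memory only)."""
    buf = bytearray(0x440)
    cmd1, cmd2 = decode_array_data(ARRAY_0), decode_array_data(ARRAY_1)
    buf[0:len(cmd1)] = cmd1
    buf[0x40:0x40 + len(cmd2)] = cmd2
    return bytes(buf)


def parse_bcb(raw):
    """Split a misc-partition header into its three NUL-terminated fields."""
    if len(raw) < BCB.size:
        raise ValueError("need at least 0x440 bytes")
    fields = BCB.unpack(raw[:BCB.size])
    text = [f.split(b"\0", 1)[0].decode("ascii", "replace") for f in fields]
    return dict(zip(("command", "status", "recovery"), text))


def java_biginteger_bytes(hex_str):
    """Emulate new BigInteger(hex, 16).toByteArray() for non-negative input."""
    n = int(hex_str, 16)
    if n < 0:
        raise ValueError("negative values are out of scope for this example")
    # Two's-complement, big-endian, minimal length: leading zero bytes are
    # dropped and a 0x00 sign byte is added when the top bit is set.
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


if __name__ == "__main__":
    print(parse_bcb(build_misc_buffer()))
    for sample in ("0001ab", "ff00", "7f00"):  # constructed inputs
        print(sample, "->", java_biginteger_bytes(sample).hex())
```

So the bytes written to /dev/block/mmcblk0p4 can be shorter or one byte longer than the hex string of encodeCpuId suggests, which matters when comparing logged values against a partition dump.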

Noxious Ninja

Senior Member
Jul 9, 2010
650
425
Dallas, TX
I think the real magic comes in where the argument to writeUnlockFlag is obtained. That class looks pretty simple.
 

Noxious Ninja

Senior Member
Jul 9, 2010
650
425
Dallas, TX
NotifyDMServer seems to be the important part. I think it's getting an unlock key (secretCpuId) back from Asus, so it may not be possible to hack out the phoning home. I haven't looked too closely at that class, though. We need to see if this is actually from Asus, derived from data sent back from Asus, same for all users, etc.

Does the app support relocking? I haven't actually tried it.
 

1wayjonny

Senior Member
Jan 3, 2007
466
1,197
you're both wrong.. the real magic will come when someone can make a method or version that does not talk to Asus and give away who you are and that you unlocked :)

Yea after I got a few minutes from work, I thought about what Hawkysoft said earlier and it's clear as day this phones home to get the unlock code and I am sure you're blacklisted from warranty support at the same time.

^^^ Yes, but let me expand a bit on unlock or lock.

Are you saying this phones home details where locked or unlocked? If so do you know what it shares?

NotifyDMServer seems to be the important part. I think it's getting an unlock key (secretCpuId) back from Asus, so it may not be possible to hack out the phoning home. I haven't looked too closely at that class, though. We need to see if this is actually from Asus, derived from data sent back from Asus, same for all users, etc.

Does the app support relocking? I haven't actually tried it.

Have not seen anything yet about the re-locking but agreed on the lock key
 

skaforey

Senior Member
Nov 5, 2009
603
399
San Diego, CA
NotifyDMServer seems to be the important part. I think it's getting an unlock key (secretCpuId) back from Asus, so it may not be possible to hack out the phoning home. I haven't looked too closely at that class, though. We need to see if this is actually from Asus, derived from data sent back from Asus, same for all users, etc.

Does the app support relocking? I haven't actually tried it.

I must be missing something here, so someone correct me where I went wrong...

First off, I do see it phoning home, however, I don't see us ever using anything that is returned from that call to write the recovery partition.

1) The recovery image is written in writeRecoveryCmd (in UnLockFlagAndReboot). This procedure takes in one argument.

2) The writeRecoveryCmd is called from writeUnlockFlag (same class) which just passes in what it receives.

3) This writeUnlockFlag procedure is called from the writeUnlockFlag in the UnLockActivity which passes in this.mNotifyDMServer.getSecretCpuID()

4) the getSecretCpuID() method inside NotifyDMServer returns the local class variable mSecretCpuId.

5) I only ever see mSecretCpuId being initialized to 0.

Now someone find where this is being set to something other than 0. If it doesn't, and my logic is correct, we would all be able to simply use a program that passes in 0 to the writeRecoveryCmd procedure inside UnLockFlagAndReboot.
 
  • Like
Reactions: Magnesus

xsteven77x

Senior Member
Jul 2, 2010
3,423
768
Pittsburgh
I must be missing something here, so someone correct me where I went wrong...

First off, I do see it phoning home, however, I don't see us ever using anything that is returned from that call to write the recovery partition.

1) The recovery image is written in writeRecoveryCmd (in UnLockFlagAndReboot). This procedure takes in one argument.

2) The writeRecoveryCmd is called from writeUnlockFlag (same class) which just passes in what it receives.

3) This writeUnlockFlag procedure is called from the writeUnlockFlag in the UnLockActivity which passes in this.mNotifyDMServer.getSecretCpuID()

4) the getSecretCpuID() method inside NotifyDMServer returns the local class variable mSecretCpuId.

5) I only ever see mSecretCpuId being initialized to 0.

Now someone find where this is being set to something other than 0. If it doesn't, and my logic is correct, we would all be able to simply use a program that passes in 0 to the writeRecoveryCmd procedure inside UnLockFlagAndReboot.

Ok for the layman does that mean there is hope of POSSIBLY making a tool that would not phone home and void us?

Sent from my Transformer Prime TF201 using xda premium
 
  • Like
Reactions: MrMalone

Noxious Ninja

Senior Member
Jul 9, 2010
650
425
Dallas, TX
I must be missing something here, so someone correct me where I went wrong...

First off, I do see it phoning home, however, I don't see us ever using anything that is returned from that call to write the recovery partition.

1) The recovery image is written in writeRecoveryCmd (in UnLockFlagAndReboot). This procedure takes in one argument.

2) The writeRecoveryCmd is called from writeUnlockFlag (same class) which just passes in what it receives.

3) This writeUnlockFlag procedure is called from the writeUnlockFlag in the UnLockActivity which passes in this.mNotifyDMServer.getSecretCpuID()

4) the getSecretCpuID() method inside NotifyDMServer returns the local class variable mSecretCpuId.

5) I only ever see mSecretCpuId being initialized to 0.

Now someone find where this is being set to something other than 0. If it doesn't, and my logic is correct, we would all be able to simply use a program that passes in 0 to the writeRecoveryCmd procedure inside UnLockFlagAndReboot.

Look at NotifyDMServer$CredCpuIdReceiver.smali. onReceive seems to be a callback invoked via a C2DM message. I.e., the app phones home, then waits for a push notification with the unlock key.

Of course I would prefer to be proven wrong. :p
 
  • Like
Reactions: Magnesus
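The trace discussed in the posts above (find every place mSecretCpuId is written, then follow it back to the onReceive callback) can be run mechanically over apktool output. This is an added example, not part of the thread or the APK: the smali fragments are constructed for illustration, and the com/asus/unlock package for NotifyDMServer, the String field type, the "0" initial value and the access$002 accessor name are assumptions.

```python
# Constructed smali fragments (NOT taken from the APK), shaped like the classes
# named in the thread. A Java inner class writes a private field of its outer
# class through a synthetic access$NNN method, so the iput lives in the outer
# class while the real writer is whoever invokes that accessor.
SAMPLE = {
    "NotifyDMServer.smali": """\
.class public Lcom/asus/unlock/NotifyDMServer;
.method public constructor <init>()V
    const-string v0, "0"
    iput-object v0, p0, Lcom/asus/unlock/NotifyDMServer;->mSecretCpuId:Ljava/lang/String;
    return-void
.end method
.method static synthetic access$002(Lcom/asus/unlock/NotifyDMServer;Ljava/lang/String;)Ljava/lang/String;
    iput-object p1, p0, Lcom/asus/unlock/NotifyDMServer;->mSecretCpuId:Ljava/lang/String;
    return-object p1
.end method
""",
    "NotifyDMServer$CredCpuIdReceiver.smali": """\
.class Lcom/asus/unlock/NotifyDMServer$CredCpuIdReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    invoke-static {v0, v1}, Lcom/asus/unlock/NotifyDMServer;->access$002(Lcom/asus/unlock/NotifyDMServer;Ljava/lang/String;)Ljava/lang/String;
    return-void
.end method
""",
}


def _walk(sources):
    """Yield (class, method, instruction) for every instruction line."""
    for text in sources.values():
        cls = method = None
        for line in (raw.strip() for raw in text.splitlines()):
            if line.startswith(".class"):
                cls = line.split()[-1]
            elif line.startswith(".method"):
                # The method name is the last token before the signature
                method = line.split("(", 1)[0].split()[-1]
            elif line.startswith(".end method"):
                method = None
            elif method and line and not line.startswith((".", "#", ":")):
                yield cls, method, line


def field_writes(sources, field):
    """Methods that contain an iput*/sput* targeting the named field."""
    return [(c, m) for c, m, ins in _walk(sources)
            if ins.startswith(("iput", "sput")) and f"->{field}:" in ins]


def callers(sources, cls, method):
    """Methods that invoke cls->method(...)."""
    return [(c, m) for c, m, ins in _walk(sources)
            if ins.startswith("invoke-") and f"{cls}->{method}(" in ins]


def trace_field(sources, field):
    """Writers of a field, with synthetic accessors resolved to their callers."""
    writers = []
    for cls, method in field_writes(sources, field):
        if method.startswith("access$"):
            writers.extend(callers(sources, cls, method))
        else:
            writers.append((cls, method))
    return writers


if __name__ == "__main__":
    for cls, method in trace_field(SAMPLE, "mSecretCpuId"):
        print(f"{cls}->{method}")
```

On a real apktool output directory, load every `.smali` file into the dictionary instead of `SAMPLE`; a grep for the field name limited to the outer class's named methods misses the accessor path.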

skaforey

Senior Member
Nov 5, 2009
603
399
San Diego, CA
Look at NotifyDMServer$CredCpuIdReceiver.smali. onReceive seems to be a callback invoked via a C2DM message. I.e., the app phones home, then waits for a push notification with the unlock key.

Of course I would prefer to be proven wrong. :p

Right, I see that...but...starting from the write recovery process and working backwards, it doesn't appear that the variable gets set anywhere. It wouldn't be that difficult to at least modify the app to log additional info as it is running to verify if it is using a call back key or not


Sent from my Galaxy Nexus
 
  • Like
Reactions: Magnesus

Mistar Muffin

Senior Member
Aug 11, 2009
291
413
Look at NotifyDMServer$CredCpuIdReceiver.smali. onReceive seems to be a callback invoked via a C2DM message. I.e., the app phones home, then waits for a push notification with the unlock key.

Of course I would prefer to be proven wrong. :p

This is the same conclusion I came to when I took a look. I followed the same trace mentioned by the previous poster but also ended up with the C2DM message. It looks like ASUS is computing the secret cpu ID on their end.
 

Top Liked Posts

    4
    **** like this really angers me.. especially with a device with KNOWN hardware issues, it is annoying to not be able to unlock it, because then you will get denied getting your Wifi issues fixed. It's stupid. Companies should CLEARLY distinguish hardware vs. software warranty issues, and should allow you to relock and get back to a factory state for service to be done on the tablet. man I hope we find a way around this phone home system in the next 60 days because if not I'm moving on to another tablet...
    2
    For anyone who would prefer to look at the code as java, here is a .jar created from the .dex with .class files. This would be in place of the .smali files.
    2
    So we have to use Asus' app to unlock the bootloader because their servers generate an unlock key based off our device and/or cpu serial number, right?:confused:

    Does anyone know if Asus is doing a hardware fix for the gps issues or just software?

    What GPS?

    Sorry had to do it :)
    2
    What if we modify the unlock tool to log the value being returned by Asus. Then some of us who have already unlocked, or are planning on unlocking (I'd be happy to volunteer), can run the tool and compare the logged values.

    This will tell us for sure if the "phone home" is purely to capture our serial numbers for warranty purposes, or if Asus is using it to generate a unique key for each device.

    I'm working on this now, actually. It's been a while since I last messed with this stuff, though, so I'm not sure how long it will take.