Asus tf700t bootloader unlock app source


ostar2

Senior Member
Nov 22, 2012
142
24
I have fully decompiled and deobfuscated the bootloader unlock tool provided by Asus for the tf700t. I was wondering if someone here would be able to modify it so it would not submit data to Asus and void the warranty. I believe that this would be a great help to anyone who owns the Asus Transformer Pad infinity.
 

Attachments

  • UnLock_Device_App_V7_decompiled.7z (8.2 KB)

ostar2

Senior Member
Nov 22, 2012
142
24
Cracking the bootloader key

Thanks. Would it be possible to crack the device bootloader's key or alter the EEPROM, allowing you to overwrite the bootloader?
 

ostar2

Senior Member
Nov 22, 2012
142
24
Also, I have the keystore from the apk file. So is there a possibility that it may not be device specific? I also looked through the code and none of it even hints at connecting to Asus's servers. It only connects to Google and the Google play login server. So, if "keystore.bks" contains the bootloader key, then wouldn't it be possible to crack the keystore password and gain access to the keys?
 

Attachments

  • keystore.7z (739 bytes)

amoamare

Senior Member
Jul 17, 2006
476
319
I have nothing to do with this, was just reading, but I do like how when you click that site it says
"It works !"

And oddly enough asus did not secure it. Too cheap to buy another certificate, I guess.

---------- Post added at 10:13 PM ---------- Previous post was at 09:58 PM ----------

Just a quick look at it. Looks like you're looking at the wrong apk anyway.


// This shows that it obtains information from class_19.java; that function is below.
// Once that information is grabbed it then creates a broadcast intent for application package com.asus.dm.c2dm.C2DMReceiver
// and sends that notification to that package.

private void method_31() {
    this.field_25 = "0";
    field_23 = false;
    Intent var1 = new Intent();
    var1.setClassName("com.asus.dm", "com.asus.dm.c2dm.C2DMReceiver");
    var1.setAction("com.asus.unlock.intent.REGISTRATION");
    var1.putExtra("registration_cpu_id", class_19.method_55());
    this.mContext.sendBroadcast(var1);
    Log.d("NotifyDMServer", "Notify DM Client Successfully");
}

// This function is from class_19.java; it looks to grab some identifier information from the device and returns it to the function above.
// $FF: renamed from: <clinit> () void
static void method_53() {
    String[] var0 = new String[]{"/system/bin/cat", "/proc/cpuinfo"};
    field_36 = var0;
    field_38 = "/system/bin/";
    field_37 = 500;
}

// I put this here because this is a receiver for an intent. From the looks of it, it receives information from, most likely, the package above.
// The received information is to notify this application that the unlock code or information was received or generated or whatever.
public void onReceive(Context var1, Intent var2) {
    class_16.method_30(this.field_42, var2.getStringExtra("unlock_info"));
    String[] var4 = class_16.method_29(this.field_42).split(";;");
    class_16.method_33(this.field_42, var4[0]);
    class_16.method_34(this.field_42, var4[1]);
    Log.d("NotifyDMServer", "unlock recieve successfully, ready to unlock");
    class_16.method_32(true);
    class_16.method_27(this.field_42).unregisterReceiver(class_16.method_28());
}


I hardly spent any time looking into it, I just figured I'd throw out some input that I saw. It looks as if there are two parts that handle the unlock. My other concern is why it wants/uses your google login information (Gmail Username/Password)?

---------- Post added at 10:16 PM ---------- Previous post was at 10:13 PM ----------

The only reason I looked in this thread is that my friend has the asus prime. Sorry to say it but ASUS sucks at programming. The fact that their unlock utility works <15% of the time is sad. Servers cannot be that overloaded all the time. It took over a week to finally get the program to work and unlock his device.

---------- Post added at 10:22 PM ---------- Previous post was at 10:16 PM ----------

Looking at it a little more, I'm pretty sure this just collects information and sends it to asus. Gets the key, sends an intent and another apk handles the actual unlock.
Edited: I'll hold off on saying anything about that.

I don't even know why I'm in this thread lol
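As an added example (not the Asus app's code), here is how the receiving side of that "unlock_info" broadcast could validate what it gets before acting on it: the decompiled onReceive splits the extra on ";;" and indexes the result without checking the action, a missing extra or the field count, and a dynamically registered receiver with no permission accepts broadcasts from any app. The action and permission names are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;

// Added example, not code from the Asus app: a receiver for the same "unlock_info"
// extra that checks its input before acting on it. The decompiled onReceive
// splits the extra on ";;" and reads [0] and [1] without checking the action,
// a missing extra, or the number of fields.
public final class UnlockInfoReceiver extends BroadcastReceiver {
    private static final String TAG = "UnlockInfoReceiver";
    // Hypothetical names; the page shows only the REGISTRATION action.
    static final String ACTION_UNLOCK_INFO = "com.example.unlock.intent.UNLOCK_INFO";
    static final String PERMISSION_UNLOCK_INFO = "com.example.permission.UNLOCK_INFO";

    /** The two ";;"-separated fields carried in "unlock_info". */
    static final class UnlockInfo {
        final String first;
        final String second;
        UnlockInfo(String first, String second) { this.first = first; this.second = second; }
    }

    /** Returns null instead of throwing when the payload is missing or malformed. */
    static UnlockInfo parseUnlockInfo(String raw) {
        if (raw == null) return null;
        // limit -1 keeps trailing empty fields, so "abc;;" yields ["abc", ""] and is rejected.
        String[] parts = raw.split(";;", -1);
        if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) return null;
        return new UnlockInfo(parts[0], parts[1]);
    }

    /** Registers the receiver so only senders holding the permission can deliver to it;
     *  a dynamically registered receiver without one accepts broadcasts from any app. */
    static UnlockInfoReceiver register(Context context) {
        UnlockInfoReceiver receiver = new UnlockInfoReceiver();
        context.registerReceiver(receiver, new IntentFilter(ACTION_UNLOCK_INFO),
                PERMISSION_UNLOCK_INFO, null);
        return receiver;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent == null || !ACTION_UNLOCK_INFO.equals(intent.getAction())) {
            Log.w(TAG, "ignoring broadcast with unexpected action");
            return;
        }
        UnlockInfo info = parseUnlockInfo(intent.getStringExtra("unlock_info"));
        if (info == null) {
            Log.w(TAG, "malformed unlock_info payload, not proceeding");
            return;
        }
        // Only now hand the two fields on (the decompiled code calls method_33/method_34 here).
        Log.d(TAG, "unlock info received, ready to unlock");
        context.unregisterReceiver(this);
    }
}
```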
 

ostar2

Senior Member
Nov 22, 2012
142
24
Thanks. Do you think it actually needs the Google login credentials or could that be bypassed? Or would it cause problems to bypass it, considering I think that you just have to make it return the value for success even if the wrong credentials are entered?
 

amoamare

Senior Member
Jul 17, 2006
476
319
Truthfully I don't know why they even need your google login. This seems more like a privacy invasion than anything. They clearly collect your username and password within the software. If it's sent anywhere I don't know; I didn't look much further than what I did. I don't have this device so sorry. The other thing is, if they were too cheap to buy an SSL certificate for that domain, and for whatever reasons they do collect username and password, it could mean your username and password is being sent as a raw text string, which means a man in the middle could easily obtain your gmail username and password, since I didn't see any level of encryption in the software, just a straight up box asking for your password if you're not signed in.
 

ostar2

Senior Member
Nov 22, 2012
142
24
I do not own any apple products but I know they ask for an apple account and password to make changes. Do you think it's simply to make sure that you own the device?

Also, I found this in the permissions of the ASUS web storage app on Google play:


YOUR ACCOUNTS
DISCOVER KNOWN ACCOUNTS
Allows the app to get the list of accounts known by the tablet. Allows the app to get the list of accounts known by the phone.

I think this also may be why it asks for Google credentials, to prevent access to this and other services.
 

bradslinux

Senior Member
Oct 2, 2009
110
52
Somerset

I know that some Asus reps monitor these forums; I am curious as to what, if anything, they will say. I am willing to bet that these findings will raise a few eyebrows at Asus. I know it will raise a few here in the XDA community.

This isn't the only privacy concern that has been raised. I have sent Asus support several emails asking about the functions of the CMClient and DMClient. They keep dodging the issues... go figure.

Brad
 

amoamare

Senior Member
Jul 17, 2006
476
319

It's one thing to discover known accounts, it's a whole other thing to ask for your password or request the password, let alone store it as a string within the program. Again I haven't looked into whether it's really storing it, but from the looks of the code it does request it.
Maybe someone more inclined to this should look into it. I will take a further look into it when I can, and maybe if I get my hands on the device I will do further digging around.

But I can see no reason to ask for your password. If they want to validate you are who you say you are a simple e-mail confirmation would have been better.
 
I'm not sure if it could help, but I've recently discovered that the Padfone 2 unlock tool has specific classes for A66 (Padfone 1), A68 (Padfone 2) and TF700K.

Decompiling and analyzing this tool may be useful as all three classes seem to use the same URL to connect to asus.

Hope it helps
 

_that

Recognized Developer / Inactive RC
Oct 2, 2012
4,821
4,211
I have nothing to do with this, was just reading, but I do like how when you click that site it says
"It works !"

And oddly enough asus did not secure it. Too cheap to buy another certificate, I guess.

Why should they? The server is not intended to be used with a Web browser anyway.

Truthfully I don't know why they even need your google login. This seems more like a privacy invasion than anything. They clearly collect your username and password within the software. If it's sent anywhere I don't know; I didn't look much further than what I did.

I assume the check is just an additional safety measure that you are really the device owner before you go on voiding your warranty. Before you accuse Asus of privacy invasion, at least make sure you understand the code and find out what exactly the software does with the password.

Anyway, by reverse engineering the unlocker we will probably gain more knowledge of how the unlocking process works, but it will still not give us any way to do it without Asus servers.
 

lilstevie

Senior Recognized Developer
Apr 17, 2009
1,339
1,040
I'm not sure if it could help, but I've recently discovered that the Padfone 2 unlock tool has specific classes for A66 (Padfone 1), A68 (Padfone 2) and TF700K.

This really does make sense; Padfone 1/2 and TF700K contain different Snapdragon CPUs to each other.

but it will still not give us any way to do it without Asus servers.

This exactly, the unlock requires something to be signed by asus, however I don't really think that reversing the unlock tool is going to help as it doesn't perform the unlock, it only requests the token.
 

ostar2

Senior Member
Nov 22, 2012
142
24
I am about to decompile and deobfuscate the CMClient and DMClient apk files. I will post the source code shortly.
 
This exactly, the unlock requires something to be signed by asus, however I don't really think that reversing the unlock tool is going to help as it doesn't perform the unlock, it only requests the token.

I agree with you, I think it connects to the asus server to request the key and then signs in to your google account to mark the device as unlocked (so it cannot play DRM contents).

In fact it gets the key from the URL:
Code:
https://mdm.asus.com/DMServer/DeviceState?id=<deviceID>&AUTH=<AuthString>&ACTION=get

where:
deviceId =
    String str = ((TelephonyManager)this.mContext.getSystemService("phone")).getDeviceId();
    if (str == null)
        str = ((WifiManager)this.mContext.getSystemService("wifi")).getConnectionInfo().getMacAddress().replace(":", "").toUpperCase();
    return str;

AuthString =
    md5(deviceId + Build.SERIAL + NativeKey + "dm_server" + "nEEd_query_STATe")
 

ostar2

Senior Member
Nov 22, 2012
142
24
So, in that case perhaps making a fake Google Account to prevent this then. Also, maybe some workarounds to prevent the mac address from being obtained?
 

ostar2

Senior Member
Nov 22, 2012
142
24
Also, if dmclient and cmclient are responsible for the unlock then the source code of these two files should be quite useful.
 

The code harpik3d posted is the class that writes the unlock command to the device.
mmcblk0p3 is the partition that sends commands to the bootloader such as boot into recovery or fastboot, unlock, etc.
In this case, the raw text "boot-unlock" is written to the first few bytes of this partition, and another set of data (which is the unlock code) is written to mmcblk0p4.
edit: the string "recovery\lf" (\lf is the line feed character) is also written starting at byte 64 on this partition. I'm not sure why, perhaps to delete the DRM keys in stock recovery?

After this the device reboots, and the bootloader checks mmcblk0p3, sees the unlock command, and flashes the unlock code from mmcblk0p4 to another partition. (I think)

s.class creates the main unlock function, with the input variable being a string which is the unlock code.
This function is executed by the unlock activity, which gets the unlock code from f.class.
f.class gets the tegra chipid from another class, sends that id to dmclient, and receives the unlock code from it.

If you wanted to trace the unlock code back to the source you would have to pull and decompile dmclient.
Most likely the unlock code is downloaded from the asus server since it is, I'm assuming, the digital signature for the device's tegra chipid, which must be signed by asus's secret signing key. There is no way to generate this signature without that key. There is also no known way to change the chipid to match a known signature (if someone found a way to do that, we could have a non-asus bootloader unlock). The bootloader should only contain the public key used to verify the unlock code (which it does on every boot before booting an unsigned custom firmware), and the private key can't be computed from the public key without a mathematical breakthrough in integer factorization.

At this point, if we wanted to find another way to unlock the tablet, we would have to disassemble the bootloader code and check for weaknesses.
This has been tried before with the Prime. In order for it to unlock, the device needs to communicate with the Asus servers to get the unlock token that's specific to each device.

Sent from my ADR6425LVW using XDA Premium.
Why should they? The server is not intended to be used with a Web browser anyway.

I assume the check is just an additional safety measure that you are really the device owner before you go on voiding your warranty. Before you accuse Asus of privacy invasion, at least make sure you understand the code and find out what exactly the software does with the password.

Anyway, by reverse engineering the unlocker we will probably gain more knowledge of how the unlocking process works, but it will still not give us any way to do it without Asus servers.

If they pass any type of private information to that server IT SHOULD BE SECURED. That's why they should. Doesn't matter if it's not intended to be used by a browser, it's a security risk.

Using your gmail acct to check to see who you are, that's really f*ing stupid. You can add another account and sign in with a fake acct. So that makes no sense.

I never ACCUSED Asus of anything, you read wrong. I simply said IT SEEMS < SEEMS more like a privacy invasion than anything. There is no LEGITIMATE reason for them to obtain, use or transfer information about your gmail acct. Google doesn't do it, Motorola doesn't do it, HTC doesn't do it, Sony doesn't do it. So why does asus need to?

Who cares who you are, they have serial numbers on the device, that's all they need. If someone unlocks the device and it's not you, that's a legal matter between you and that person, not asus and you.