
Asus tf700t bootloader unlock app source


amoamare (Senior Member)
Why should they? The server is not intended to be used with a Web browser anyway.

I assume the check is just an additional safety measure that you really are the device owner before you go on voiding your warranty. Before you accuse Asus of privacy invasion, at least make sure you understand the code and find out what exactly the software does with the password.

Anyway, by reverse engineering the unlocker we will probably gain more knowledge of how the unlocking process works, but it will still not give us any way to do it without Asus servers.

If they pass any type of private information to that server IT SHOULD BE SECURED. That's why they should. It doesn't matter if it's not intended to be used by a browser, it's a security risk.

Using your Gmail account to check who you are, that's really f*ing stupid. You can add another account and sign in with a fake account. So that makes no sense.

I never ACCUSED Asus of anything, you read it wrong. I simply said IT SEEMS < SEEMS more like a privacy invasion than anything. There is no LEGITIMATE reason for them to obtain, use, or transfer information about your Gmail account. Google doesn't do it, Motorola doesn't do it, HTC doesn't do it, Sony doesn't do it. So why does Asus need to?

Who cares who you are? They have serial numbers on the device, that's all they need. If someone unlocks the device and it's not you, that's a legal matter between you and that person, not Asus and you.
 

ostar2 (Senior Member)
amoamare, I had looked through that code myself well before you and was uncomfortable with what ASUS did. Also, I think you could change the return value for all the possible outcomes to return true. If you do that it won't even ask for any info.
 

bradslinux (Senior Member, Somerset)
I am about to decompile and deobfuscate the CMClient and DMClient apk files. I will post the source code shortly.
I received a reply from Asus support... actually several that were very vague and minimal in their answers. Here is the latest reply from Joe Song @ Asus support.

"Dear Valued Customer,

Thank you for contacting ASUS Customer Service.

My name is Joe and it's my pleasure to help you with your problem.

CMClient is a part of the ComfortClick Manager home automation software package, the most comfortable home automation solution for system integrators and DIYs. The CMClient application is used for visualization, monitoring and control of home automation systems based on the EIB KNX communication standard.

DMClient is for system update. It belongs to the default system.

If you continue to experience issues in the future, please do not hesitate to contact us.

Best Regards
Joe
"

Hmmmm indeed.
Brad
 

ostar2 (Senior Member)
Sorry, I could not find the cmclient and dmclient files. Also, I am surprised that ASUS actually told you what those files did.
 

oroo708 (Senior Member)
Isn't this like CIQ?? So this means they have access to monitor whatever we do with our devices?? No privacy??

I think we need some pros in here to check things out. Is TrevE still around here?
 
I have seen something that seems useful in the unlock tool released for the Padfone 2. It is in the s.class. I'm going to try to attach both the unlock.jar (you can open it with jd-gui) and the zipped s.smali, because it seems that dex2jar couldn't translate this correctly.

In one of its functions it writes something to /dev/block/mmcblk0p3 and /dev/block/mmcblk0p4, which in my device are named sbl2 and sbl3.

Smali code is a mess to me, but if someone can read it...

Code:
    :try_start_0
    # open /dev/block/mmcblk0p3 for writing
    new-instance v2, Ljava/io/FileOutputStream;

    const-string v0, "/dev/block/mmcblk0p3"

    invoke-direct {v2, v0}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    :try_end_0
    .catchall {:try_start_0 .. :try_end_0} :catchall_0
    .catch Ljava/io/FileNotFoundException; {:try_start_0 .. :try_end_0} :catch_0
    .catch Ljava/io/IOException; {:try_start_0 .. :try_end_0} :catch_1

    :try_start_1
    # v3 holds the command block byte[]; write it to mmcblk0p3
    invoke-virtual {v2, v3}, Ljava/io/FileOutputStream;->write([B)V

    # open /dev/block/mmcblk0p4 for writing
    new-instance v1, Ljava/io/FileOutputStream;

    const-string v0, "/dev/block/mmcblk0p4"

    invoke-direct {v1, v0}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    :try_end_1
    .catchall {:try_start_1 .. :try_end_1} :catchall_1
    .catch Ljava/io/FileNotFoundException; {:try_start_1 .. :try_end_1} :catch_3
    .catch Ljava/io/IOException; {:try_start_1 .. :try_end_1} :catch_2

    :try_start_2
    # v4 holds the unlock code byte[]; write it to mmcblk0p4
    invoke-virtual {v1, v4}, Ljava/io/FileOutputStream;->write([B)V

    const-string v0, "UnLockFlagAndReboot"

    const-string v2, "============= writeRecoveryCmd  success ======================="

    invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    :try_end_2
    .catchall {:try_start_2 .. :try_end_2} :catchall_0
    .catch Ljava/io/FileNotFoundException; {:try_start_2 .. :try_end_2} :catch_0
    .catch Ljava/io/IOException; {:try_start_2 .. :try_end_2} :catch_1

    # close the mmcblk0p4 stream (the mmcblk0p3 stream in v2 is left open)
    if-eqz v1, :cond_3

    invoke-virtual {v1}, Ljava/io/FileOutputStream;->close()V
 

Attachments

  • s.zip
  • UnLock_dex2jar.jar

ostar2 (Senior Member)
It is better to decompile with Fernflower. It doesn't decompile to bytecode, but to readable Java code. It also has a function to deobfuscate the code.
 
I've been a bit short of time, but I have analyzed the decompiled s.class and I think the partition used to store the boot parameters is /dev/block/mmcblk0p3, because the modifications there are common for all devices (which seems logical, because the structure of the stored parameters in the partition should be the same).

This is the decompiled class; what do you think?
Code:
// Decompiled by DJ v3.12.12.96 Copyright 2011 Atanas Neshkov  Date: 07/12/2012 9:09:09
// Home Page: http://members.fortunecity.com/neshkov/dj.html  http://www.neshkov.com/dj.html - Check often for new version!
// Decompiler options: packimports(3)
// (the decompiler's goto/label form below is rewritten as structured try/catch/finally; same behaviour)

package com.asus.unlock;

import android.content.Context;
import android.os.PowerManager;
import android.util.Log;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;

public class s
{
    private int e;
    private Context mContext;
    private String o;

    public s(Context context)
    {
        e = 500;
        o = "";
        mContext = context;
    }

    // Hex string -> bytes via BigInteger, i.e. big-endian two's complement:
    // a value whose top bit is set gets an extra leading 0x00 byte.
    public static byte[] a(String s1)
    {
        return (new BigInteger(s1, 16)).toByteArray();
    }

    // Writes the bootloader command block to mmcblk0p3 and the unlock code to mmcblk0p4.
    private void d(String s1) throws IOException
    {
        byte abyte0[] = new byte[1088];              // command block, zero-filled
        byte abyte1[] = a(s1);                       // unlock code bytes
        byte abyte2[] = "boot-unlock".getBytes();    // 98 111 111 116 45 117 110 108 111 99 107
        byte abyte3[] = "recovery\n".getBytes();     // 114 101 99 111 118 101 114 121 10

        // the original first zeroes abyte0[0..10] (a no-op on a fresh array), then copies:
        System.arraycopy(abyte2, 0, abyte0, 0, abyte2.length);   // "boot-unlock" at offset 0
        System.arraycopy(abyte3, 0, abyte0, 64, abyte3.length);  // "recovery\n" at offset 64

        FileOutputStream fileoutputstream = null;
        try
        {
            // note: the mmcblk0p3 stream is never closed in the decompiled code
            FileOutputStream fileoutputstream1 = new FileOutputStream("/dev/block/mmcblk0p3");
            fileoutputstream1.write(abyte0);
            fileoutputstream = new FileOutputStream("/dev/block/mmcblk0p4");
            fileoutputstream.write(abyte1);
            Log.d("UnLockFlagAndReboot", "============= writeRecoveryCmd  success =======================");
        }
        catch(FileNotFoundException filenotfoundexception)
        {
            filenotfoundexception.printStackTrace();
        }
        catch(IOException ioexception)
        {
            ioexception.printStackTrace();
        }
        finally
        {
            if(fileoutputstream != null)
                fileoutputstream.close();
        }
    }

    // Public entry point: write the unlock command; an IOException from close() is only logged.
    public void c(String s1)
    {
        try
        {
            d(s1);
        }
        catch(IOException ioexception)
        {
            ioexception.printStackTrace();
        }
    }

    public void reboot()
    {
        ((PowerManager)mContext.getSystemService("power")).reboot(null);
    }
}
 

rightonred (Senior Member)
The code harpik3d posted is the class that writes the unlock command to the device.
mmcblk0p3 is the partition that sends commands to the bootloader, such as boot into recovery or fastboot, unlock, etc.
In this case, the raw text "boot-unlock" is written to the first few bytes of this partition, and another set of data (which is the unlock code) is written to mmcblk0p4.
edit: the string "recovery\lf" (\lf is the line feed character) is also written starting at byte 64 on this partition. I'm not sure why, perhaps to delete the DRM keys in stock recovery?

After this the device reboots, and the bootloader checks mmcblk0p3, sees the unlock command, and flashes the unlock code from mmcblk0p4 to another partition. (I think)

s.class creates the main unlock function, with the input variable being a string which is the unlock code.
This function is executed by the unlock activity, which gets the unlock code from f.class.
f.class gets the Tegra chip ID from another class, sends that ID to dmclient, and receives the unlock code from it.

If you wanted to trace the unlock code back to the source you would have to pull and decompile dmclient.
Most likely the unlock code is downloaded from the Asus server since it is, I'm assuming, the digital signature for the device's Tegra chip ID, which must be signed by Asus's secret signing key. There is no way to generate this signature without that key. There is also no known way to change the chip ID to match a known signature (if someone found a way to do that, we could have a non-Asus bootloader unlock). The bootloader should only contain the public key used to verify the unlock code (which it does on every boot before booting an unsigned custom firmware), and the private key can't be computed from the public key without a mathematical breakthrough in integer factorization.

At this point, if we wanted to find another way to unlock the tablet, we would have to disassemble the bootloader code and check for weaknesses.
 
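As an added example (not code from this thread, nor from Asus's unlock tool or bootloader), here is a small Python model of the hand-off rightonred lays out above. The app side mirrors the decompiled s.class exactly: a 1088-byte block with "boot-unlock" at offset 0 and "recovery\n" at offset 64 goes to mmcblk0p3, and the hex unlock code goes to mmcblk0p4 via the same BigInteger.toByteArray conversion. The bootloader side is a simulation: it parses the block and verifies the unlock code as a signature over the chip ID using only the public half of a key. The key pair (two small textbook primes), the SHA-256-then-RSA token format and the sample chip ID are assumptions for illustration; the real Asus key, token format and hash are not known from the thread.

```python
"""Model of the TF700T unlock hand-off described in the thread (added example).

App side : write a 1088-byte command block to mmcblk0p3 and the unlock
           code to mmcblk0p4 (layout taken from the decompiled s.class).
Boot side: simulated bootloader parses the block, then checks the unlock
           code as an RSA signature over the chip ID using only (N, E).
ASSUMPTIONS: toy RSA key, SHA-256 hashing, sample chip ID. The real key,
token format and hash used by Asus are not known from the thread.
"""
import hashlib
from typing import Tuple

BLOCK_SIZE = 1088                  # size of the byte[] s.d() writes to mmcblk0p3
CMD_OFFSET = 0                     # "boot-unlock" is written here
RECOVERY_OFFSET = 64               # "recovery\n" is written here
CMD_UNLOCK = b"boot-unlock"
RECOVERY_CMD = b"recovery\n"

# Toy RSA pair (ASSUMPTION): two well-known primes, far too small for real use.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537                          # public exponent: all a bootloader needs to ship
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays on the signing server


def chipid_digest(chipid: str) -> int:
    """Hash the chip ID into the modulus range (ASSUMED hash and encoding)."""
    h = hashlib.sha256(chipid.encode("ascii")).digest()
    return int.from_bytes(h, "big") % N


def server_sign_chipid(chipid: str) -> str:
    """Server side: the unlock code as a hex string, as the app receives it."""
    return format(pow(chipid_digest(chipid), D, N), "x")


def unlock_code_bytes(hex_code: str) -> bytes:
    """Mirror of s.a(): BigInteger(hex, 16).toByteArray() is big-endian
    two's complement, so a value whose top bit is set gets a leading 0x00."""
    value = int(hex_code, 16)
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def build_command_block() -> bytes:
    """Mirror of s.d(): zero-filled block with the two strings at fixed offsets."""
    block = bytearray(BLOCK_SIZE)
    block[CMD_OFFSET:CMD_OFFSET + len(CMD_UNLOCK)] = CMD_UNLOCK
    block[RECOVERY_OFFSET:RECOVERY_OFFSET + len(RECOVERY_CMD)] = RECOVERY_CMD
    return bytes(block)


def parse_command_block(block: bytes) -> Tuple[bytes, bytes]:
    """What the bootloader would read back: NUL-terminated strings at both offsets."""
    cmd = block[CMD_OFFSET:RECOVERY_OFFSET].split(b"\x00", 1)[0]
    recovery = block[RECOVERY_OFFSET:].split(b"\x00", 1)[0]
    return cmd, recovery


def bootloader_check(p3: bytes, p4: bytes, chipid: str) -> bool:
    """Simulated bootloader: accepts only if the command is present and the
    token verifies against this device's chip ID. Uses (N, E) only, never D."""
    if len(p3) < BLOCK_SIZE:
        return False
    cmd, _recovery = parse_command_block(p3)
    if cmd != CMD_UNLOCK:
        return False
    token = int.from_bytes(p4, "big")
    if not 0 < token < N:
        return False
    return pow(token, E, N) == chipid_digest(chipid)


if __name__ == "__main__":
    chip = "0x0123456789abcdef"                        # constructed sample chip ID
    code = server_sign_chipid(chip)                    # what dmclient would hand back
    p3, p4 = build_command_block(), unlock_code_bytes(code)
    tampered = p4[:-1] + bytes([p4[-1] ^ 0x01])        # one bit of the token flipped
    print("this device  :", bootloader_check(p3, p4, chip))            # True
    print("other chip ID:", bootloader_check(p3, p4, "0xcafebabe"))    # False
    print("tampered code:", bootloader_check(p3, tampered, chip))      # False
```

The two failing checks at the bottom are rightonred's argument in code: a token minted for one chip ID is useless for another, a single flipped bit breaks it, and the bootloader never holds D, so reversing the app or the bootloader recovers nothing that lets you mint tokens. What the real bootloader does with the "recovery\n" string at offset 64 is not modelled, since the thread doesn't know either.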

Top Liked Posts

  • I have fully decompiled and deobfuscated the bootloader unlock tool provided by Asus for the tf700t. I was wondering if someone here would be able to modify it so it would not submit data to Asus and void the warranty. I believe that this would be a great help to anyone who owns the Asus Transformer Pad Infinity.
  • This has been tried before with the Prime. In order for it to unlock, the device needs to communicate with the Asus servers to get the unlock token that's specific to each device.

    Sent from my ADR6425LVW using XDA Premium.
  • This exactly, the unlock requires something to be signed by Asus; however, I don't really think that reversing the unlock tool is going to help, as it doesn't perform the unlock, it only requests the token.

    I agree with you, I think it connects to the Asus server to request the key and then signs in to your Google account to mark the device as unlocked (so it cannot play DRM content).

    In fact it gets the key from the URL:
    Code:
    https://mdm.asus.com/DMServer/DeviceState?id=<deviceID>&AUTH=<AuthString>&ACTION=get

    where:
    deviceId =
    String str = ((TelephonyManager)this.mContext.getSystemService("phone")).getDeviceId();
    if (str == null)
      str = ((WifiManager)this.mContext.getSystemService("wifi")).getConnectionInfo().getMacAddress().replace(":", "").toUpperCase();
    return str;

    AuthString =
    md5(deviceId + Build.SERIAL + NativeKey + "dm_server" + "nEEd_query_STATe")