- Dec 16, 2010
The code harpik3d posted is the class that writes the unlock command to the device.
mmcblk0p3 is the partition that sends commands to the bootloader such as boot into recovery or fastboot, unlock, etc.
In this case, the raw text "boot-unlock" is written to the first few bytes of this partition, and another set of data (which is the unlock code) is written to mmcblk0p4.
edit: the string "recovery\lf" (\lf is the line feed character) is also written starting at byte 64 on this partition. I'm not sure why, perhaps to delete the DRM keys in stock recovery?
After this the device reboots, and the bootloader checks mmcblk0p3, sees the unlock command, and flashes the unlock code from mmcblk0p4 to another partition. (I think)
s.class creates the main unlock function with the input variable being a string which is the unlock code.
This function is executed by the unlock activity, which gets the unlock code from f.class.
f.class gets the tegra chipid from another class, sends that ID to dmclient, and receives the unlock code back from dmclient.
If you wanted to trace the unlock code back to the source you would have to pull and decompile dmclient.
Most likely the unlock code is downloaded from the Asus server, since it is, I'm assuming, the digital signature for the device's tegra chipid, which must be signed by Asus's secret signing key. There is no way to generate this signature without that key. There is also no known way to change the chipid to match a known signature (if someone found a way to do that, we could have a non-Asus bootloader unlock). The bootloader should only contain the public key used to verify the unlock code (which it does on every boot before booting an unsigned custom firmware), and the private key can't be computed from the public key without a mathematical breakthrough in integer factorization.
At this point, if we wanted to find another way to unlock the tablet, we would have to disassemble the bootloader code and check for weaknesses.
I would like to do it, but I am no programmer.
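The write sequence the post describes (the "boot-unlock" command at the start of the command partition, "recovery\n" at byte 64, and the unlock code in the next partition), as an added illustration that is not from the post, from the decompiled Asus classes, or from the real bootloader. The block size of 512 bytes, NUL termination of the command string, and the use of ordinary temporary files standing in for mmcblk0p3 and mmcblk0p4 are assumptions made for the example; on a real device these paths would be block devices opened as root.

```python
import os
import tempfile

# Layout as described in the post; block size and NUL termination are assumptions.
CMD_OFFSET = 0          # "boot-unlock" is written at the start of mmcblk0p3
RECOVERY_OFFSET = 64    # "recovery\n" is written starting at byte 64
BLOCK_SIZE = 512        # assumed size of the command block we rewrite
UNLOCK_CMD = b"boot-unlock"
RECOVERY_STR = b"recovery\n"


def build_command_block(command: bytes, recovery: bool = True, size: int = BLOCK_SIZE) -> bytes:
    """Build the image written to the command partition: command at offset 0,
    optional recovery marker at offset 64, zero padding elsewhere."""
    if b"\x00" in command:
        raise ValueError("command must not contain NUL")
    if len(command) >= RECOVERY_OFFSET:
        raise ValueError("command would overlap the recovery marker at byte 64")
    if RECOVERY_OFFSET + len(RECOVERY_STR) > size:
        raise ValueError("block too small for the recovery marker")
    buf = bytearray(size)
    buf[CMD_OFFSET:CMD_OFFSET + len(command)] = command
    if recovery:
        buf[RECOVERY_OFFSET:RECOVERY_OFFSET + len(RECOVERY_STR)] = RECOVERY_STR
    return bytes(buf)


def parse_command_block(data: bytes) -> dict:
    """Decode a command block the way a bootloader check might: read the
    NUL-terminated string at offset 0 and test for the marker at offset 64."""
    if len(data) < RECOVERY_OFFSET + len(RECOVERY_STR):
        raise ValueError("block too short")
    raw_cmd = data[CMD_OFFSET:RECOVERY_OFFSET].split(b"\x00", 1)[0]
    command = raw_cmd.decode("ascii") if raw_cmd else None
    recovery = data[RECOVERY_OFFSET:RECOVERY_OFFSET + len(RECOVERY_STR)] == RECOVERY_STR
    return {"command": command, "recovery": recovery, "is_unlock": raw_cmd == UNLOCK_CMD}


def write_unlock(cmd_dev_path: str, code_dev_path: str, unlock_code: bytes) -> None:
    """Stage an unlock: command block to the command partition, unlock code
    to the code partition. Opened r+b so nothing beyond what we write changes."""
    if not unlock_code:
        raise ValueError("empty unlock code")
    with open(cmd_dev_path, "r+b") as f:
        f.seek(CMD_OFFSET)
        f.write(build_command_block(UNLOCK_CMD))
        f.flush()
        os.fsync(f.fileno())
    with open(code_dev_path, "r+b") as f:
        f.seek(0)
        f.write(unlock_code)
        f.flush()
        os.fsync(f.fileno())


def read_staged_unlock(cmd_dev_path: str, code_dev_path: str, code_len: int) -> dict:
    """What the bootloader would see after the reboot: the parsed command block
    plus the first code_len bytes of the code partition."""
    with open(cmd_dev_path, "rb") as f:
        block = f.read(BLOCK_SIZE)
    with open(code_dev_path, "rb") as f:
        code = f.read(code_len)
    result = parse_command_block(block)
    result["unlock_code"] = code
    return result


def demo() -> dict:
    """Run the sequence against two constructed files that stand in for
    mmcblk0p3 and mmcblk0p4 (constructed sample data, not a real device)."""
    fake_code = bytes(range(32))  # constructed placeholder, not a real signature
    with tempfile.TemporaryDirectory() as d:
        p3 = os.path.join(d, "mmcblk0p3")
        p4 = os.path.join(d, "mmcblk0p4")
        for p in (p3, p4):
            with open(p, "wb") as f:
                f.write(b"\x00" * BLOCK_SIZE)
        write_unlock(p3, p4, fake_code)
        return read_staged_unlock(p3, p4, len(fake_code))


if __name__ == "__main__":
    print(demo())
```

The parse side is the useful half for anyone who later disassembles the bootloader: it shows the two independent checks (string at 0, marker at 64) that a real implementation would have to perform, and the assertion that a zeroed block yields no command is the case a bootloader must handle on every normal boot.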