• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Asus tf700t bootloader unlock app source

Search This thread


Senior Member
Sep 8, 2008
unable to unlock using asus unlock tool

Hello there seems like you guys know what is going on with this asus unlock tool and maybe you can help me and others
I have tf700 running 4.2.1 I registered with asus , can get my tablet to be tracked with asus device tracker , but when i look inside about tablet at s/n says "unknown" have trying everything installed asus unlock tool v7 when I run it get error unable to connect to network try again later
I think it has something to do with tablet not showing s/n question
1) is there another way to unlock this tablet
2) is there a way to put the s/n into tablet that is show up in about tablet
3) is there a different place I should post this to get help Q&A section no one can get answer

thanks for any help


Senior Member
May 23, 2011
I think there is no way to unlocked the bootloader without the Asus tool. I has the same problem and send my tablet back to amazon and refund my money. This was my Last Asus Tablet.....

Gesendet von meinem A700 mit Tapatalk 2

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    The code harpik3d posted is the class that writes the unlock command to the device.
    mmcblk0p3 is the partition that sends commands to the bootloader such as boot into recovery or fastboot, unlock, etc.
    In this case, the raw text "boot-unlock" is written to the first few bytes of this partition, and another set of data (which is the unlock code) is written to mmcblk0p4.
    edit: the string "recovery\lf" (\lf is the line feed character) is also written starting at byte 64 on this partition. Im not sure why, perhaps to delete the DRM keys in stock recovery?

    After this the device reboots, and the bootloader checks mmcblk0p3, sees the unlock command, and flashes the unlock code from mmcblk0p4 to another partition. (I think)

    s.class creates the main unlock function with the input variable being a string which is the unlock code.
    this function is executed by unlock activity, which gets the unlock code from f.class
    f.class gets the tegra chipid from another class, and sends that id to, and recieves the unlock code from dmclient.

    If you wanted to trace the unlock code back to the source you would have to pull and decompile dmclient.
    Most likely the unlock code is downloaded from asus server since it is, I'm assuming, a the digital signature for the device's tegra chipid which must be signed by asus's secret signing key. There is no way to generate this signature without that key. There is also no known way to change the chipid to match a known signature (if someone found a way to do that, we could have a non-asus bootloader unlock). The bootloader should only contain the public key used to verify the unlock code (which it does on every boot before booting an unsigned custom firmware), and the private key can't be computed from the publc key without a mathematical breakthrough in integer factorization.

    At this point, it we would want to find another way to unlock the tablet, we would have to disassemble the bootloader code and check for weaknesses.
    I have fully decompiled and deobfsucated the bootloader unlock tool provided by Asus for the tf700t. I was wondering if someone here would be able to modify it so it would not submit data to Asus and void the warranty. I believe that this would be a great help to any one who owns the Asus Transformer Pad infinity.
    This has been tried before with the Prime. In order for it to unlock the device needs to communicate with the Asus servers to get the unlock token that's specific to each device.

    Sent from my ADR6425LVW using XDA Premium.
    This exactly, the unlock requires something to be signed by asus, however I don't really think that reversing the unlock tool is going to help as it doesn't perform the unlock, it only requests the token.

    I agree with you, i think it connects to asus server to request the key and then signs in to your google account to mark the device as unlocked (so it cannot play DRM contents)

    in fact it gets the key from th url:
    String str = ((TelephonyManager)this.mContext.getSystemService("phone")).getDeviceId();
    if (str == null)
      str = ((WifiManager)this.mContext.getSystemService("wifi")).getConnectionInfo().getMacAddress().replace(":", "").toUpperCase();
    return str;
    md5(deviceId + Build.SERIAL + NativeKey + "dm_server" + "nEEd_query_STATe")
    Why should they? The server is not intended to be used with a Web browser anyway.

    I assume the check is just an additional safety measure that you are the really device owner before you go on voiding your warranty. Before you accuse Asus of privacy invasion, at least make sure you understand the code and find out what exactly the software does with the password.

    Anyway, by reverse engineering the unlocker we will probably gain more knowledge how the unlocking process works, but it will still not give us any way to do it without Asus servers.

    If they pass any type of private information to that server IT SHOULD BE SECURED. Thats why they should. Doesn't matter if its not intended to be used by a browser, its a security risk.

    Using your gmail acct to check to see who you are, that's really f*ing stupid. You can add another account and sign in with a fake acct. So that makes no sense.

    I never ACCUSED Asus of anything you read wrong I simply said IT SEEMS < SEEMS more like a privacy invasion then anything. There is no LEGITIMATE reason for them to obtain use, transfer information about your gmail acct. Google doesnt do, Motorola Doesnt do it, HTC doesnt do, Sony doesnt do it. So why does asus need to?

    Who care's who you are, they have serial numbers on the device thats all they need. If someone unlocks the device and its not you, thats a legal matter between you and that person not asus and you.