[HOWTO] Unlock TF700T in 2020

Search This thread

DieAbrissbirne

Senior Member
Feb 19, 2010
103
9
Dortmund
@DieAbrissbirne
Sorry to hear that.
The suggested fix using fastboot will probably work only on devices that have already been unlocked. Unfortunately, I don't know a reliable method. If access via adb is possible, I would try to restore the original files. Otherwise, there may be a way to install the original firmware again (from the SD card, for example).

Which firmware version is on the device? How did you rename the odex file (the file name, the file extension or both)?

It was on 10.6.1.14.10.
I renamed only the file extension.

Meanwhile I managed to recover it using this guide (maybe this is helpful for others):
 

dzwdz

New member
Apr 5, 2021
2
0
so the method from the original post didn't work for me - i couldn't remount `/system` as rw, the tablet kept crashing after that.
so i came up with a workaround that should work on all tablets (but if you **** up your tablet with this, don't blame me. it *shouldn't* **** anything up, but i'm not 100% sure about that. make backups of all the files you modify)

first you need root, even temporary root will work. i used https://github.com/timwr/CVE-2016-5195, because i don't trust kingoroot, but kingoroot would probably also work just fine

also, you need to have launched the v8 unlock app at least once.

copy over /data/app/[email protected] and /system/app/DMClient.odex to your pc - you'll need to patch both of those.
open them in a hex editor, and search for "https". depending on the file, you'll find one of those (the offsets might be different):
Code:
in classes.dex
00008220: 7000 0568 7474 7073 0014 6874 7470 733a  p..https..https:
00008230: 2f2f 6d64 6d2e 6173 7573 2e63 6f6d 002b  //mdm.asus.com.+

in DMClient.odex
00058cd0: 616d 7300 0568 7474 7073 0008 6874 7470  ams..https..http
00058ce0: 733a 2f2f 0002 6875 0006 6877 5f76 6572  s://..hu..hw_ver
replace the first "https" in both files with some other text.

if you're curious about what this does: the function which adds the asus' ssl certificates has a check if the url begins with "https". you are replacing the string it compares against with garbage, so it always fails and never adds the certs. it's the same one which d.l.i.w used for their DMCLients

now you need to make /system/app writeable. as i've said, i couldn't just remount /system as rw, so i came up with this workaround (enter those commands as root on the device):
Code:
mount -o remount,rw /
mkdir /tmp
mount -t tmpfs tmpfs /tmp
cp -v /system/app/* /tmp
mount -t tmpfs tmpfs /system/app
cp -v /tmp/* /system/app
umount /tmp

after that just put both of those files back. relaunch the unlock app, and hopefully it will work. it took me a few tries to get it to work, though
 
Apr 14, 2021
7
0
I recently got my hands on a Asus TF700T with a locked boot loader. The official unlock app did not work, so I took a closer look. What I found is that the Asus servers are still up and running, but connection fails due to certificate pinning. And that can be dealt with ;)

So here are the instructions:
  1. The device must be rooted. KingoRoot (the app) worked for me.

  2. Download the unlock bundle from the link below. I didn't find a way to directly attach files here.

  3. Copy both apks to /system/app, change the permission to 0644
    For this, a remount of the system partition may be needed:
    mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system

    DMClient.apk replaces the original DMClient.apk and DMClient.odex (i.e. you have to rename/move/delete the .odex file)
    The modified unlock app cannot be installed like any other and must be installed that way

  4. Reboot the device. On startup Android shows that one app is optimized (that's DMClient). The unlock app is now installed.

  5. Use the unlock app. Google account does not matter.

Watch logcat to get some more information on what the unlock app does. On success the device immediately reboots, so redirect adb logcat to a file if you want to keep the log.

I only tested on a TF700T with WW SKU, V10.6.1.14.10. I assume that other firmware versions work as well.
The unlock app for TF700T also supports TF201, TF300T, TF300TG, and TF300TL, but a modified DMClient is needed.


Download links

Unlock app
and DMClient for TF700T
https://leo.pfweb.eu/dl/OaKdx
  • WW_epad-10.6.1.14.10
  • JOP40D.US_epad-10.6.1.14.10-20130801

DMClient for TF300T
https://leo.pfweb.eu/dl/vUHnp

DMClient for TF300TG
https://leo.pfweb.eu/dl/xphHy


DMClient for TF201
https://leo.pfweb.eu/dl/pKvEA
  • WW_epad_10.4.2.17

---------------------------------------------------------------------

Unlock app and DMClient for TF701T
https://leo.pfweb.eu/dl/2AcpB

DMClient for ME301T (also seems to work for ME302KL)
https://leo.pfweb.eu/dl/uiJPN
dear d.l.i.w:

When I use your attached DMClient.apk and UNLOCK V7

After rebooting, in the system/app folder

Found that no DMClient.odex file was created

But ULOCK V7 is successfully installed..

Run the unlock program to display a network error

Is it because the DMClient.odex file is missing?

Or you directly have the DMClient.odex file for me to copy directly to the system/app file box

Thanks for your reply
更多關於此原文的相關資訊需要提供原文才能顯示其他翻譯資訊
 

d.l.i.w

Member
Aug 24, 2020
32
9
It was on 10.6.1.14.10.
I renamed only the file extension.

Meanwhile I managed to recover it using this guide (maybe this is helpful for others):
Thanks for the tip. I put it in the starting post.

I don't know what Android does when it sees unneeded .odex files. But renaming the extension worked for me...
 
Apr 14, 2021
7
0
Certainly not. If you use the supplied DMClient, you do not need the odex file. The instructions clearly say:


Most likely, for SKUs other than WW and US, a separate version of DMClient is needed. Which firmware do you have?
Certainly not. If you use the supplied DMClient, you do not need the odex file. The instructions clearly say:


Most likely, for SKUs other than WW and US, a separate version of DMClient is needed. Which firmware do you have?
dear d.l.i.w:

my firmware is TF700T

3.1.10-g9827b9a
[email protected]#1
Tue May 14 19:45:05 CST2013

JOP40D.TW_EPAD-10.6.1.1.14.8-20130514

thanks your response :)

looking forward to your reply
 
Apr 14, 2021
7
0
我創建了該固件的有效下載鏈接,因此您可以進行以下操作:
[URL unfurl =“ true”] https://leo.pfweb.eu/dl/iFs1B [/ URL]

使用風險自負。祝你好運!
My goodness

I used this link to show me the same situation (internet mistakes)

I try to restore to factory mode, but it is same situation.

Is it because I accidentally deleted CMclient.odex?

or asus DMClient is close?


by the way

I originally had two TF700T pad.

Fallow your accessory was successfully unlocked on last week

But another one can’t be unlocked

I am so confused

Thanks for your reply
 
Last edited:
Apr 14, 2021
7
0
是的,那可能是。

如果您完全按照說明進行操作,而更換DMClient沒有幫助,那麼我可能無濟於事。

I think my tablet may not be able to unlock

By the way

Can you tell me the unlocking method you use

Is it to modify DMClinet.apk and unlock APK?

Or just modify DMClient.apk

thank you for your help. It's so kind of you.
 
Last edited:

sintar85

Member
Apr 8, 2021
5
0
so the method from the original post didn't work for me - i couldn't remount `/system` as rw, the tablet kept crashing after that.
so i came up with a workaround that should work on all tablets (but if you **** up your tablet with this, don't blame me. it *shouldn't* **** anything up, but i'm not 100% sure about that. make backups of all the files you modify)

first you need root, even temporary root will work. i used https://github.com/timwr/CVE-2016-5195, because i don't trust kingoroot, but kingoroot would probably also work just fine

also, you need to have launched the v8 unlock app at least once.

copy over /data/app/[email protected] and /system/app/DMClient.odex to your pc - you'll need to patch both of those.
open them in a hex editor, and search for "https". depending on the file, you'll find one of those (the offsets might be different):
Code:
in classes.dex
00008220: 7000 0568 7474 7073 0014 6874 7470 733a  p..https..https:
00008230: 2f2f 6d64 6d2e 6173 7573 2e63 6f6d 002b  //mdm.asus.com.+

in DMClient.odex
00058cd0: 616d 7300 0568 7474 7073 0008 6874 7470  ams..https..http
00058ce0: 733a 2f2f 0002 6875 0006 6877 5f76 6572  s://..hu..hw_ver
replace the first "https" in both files with some other text.

if you're curious about what this does: the function which adds the asus' ssl certificates has a check if the url begins with "https". you are replacing the string it compares against with garbage, so it always fails and never adds the certs. it's the same one which d.l.i.w used for their DMCLients

now you need to make /system/app writeable. as i've said, i couldn't just remount /system as rw, so i came up with this workaround (enter those commands as root on the device):
Code:
mount -o remount,rw /
mkdir /tmp
mount -t tmpfs tmpfs /tmp
cp -v /system/app/* /tmp
mount -t tmpfs tmpfs /system/app
cp -v /tmp/* /system/app
umount /tmp

after that just put both of those files back. relaunch the unlock app, and hopefully it will work. it took me a few tries to get it to work, though

this is awesome !!! it worked for me !!! thanks a lot !!
 

erictmc

New member
  • Dec 8, 2020
    4
    0
    Anyone can help? Trying to root TF300T with Kingaroot but always got download error. If I can't root then I cannot use this method to unlock the bootloader...
     

    erictmc

    New member
  • Dec 8, 2020
    4
    0
    so the method from the original post didn't work for me - i couldn't remount `/system` as rw, the tablet kept crashing after that.
    so i came up with a workaround that should work on all tablets (but if you **** up your tablet with this, don't blame me. it *shouldn't* **** anything up, but i'm not 100% sure about that. make backups of all the files you modify)

    first you need root, even temporary root will work. i used https://github.com/timwr/CVE-2016-5195, because i don't trust kingoroot, but kingoroot would probably also work just fine

    also, you need to have launched the v8 unlock app at least once.

    copy over /data/app/[email protected] and /system/app/DMClient.odex to your pc - you'll need to patch both of those.
    open them in a hex editor, and search for "https". depending on the file, you'll find one of those (the offsets might be different):
    Code:
    in classes.dex
    00008220: 7000 0568 7474 7073 0014 6874 7470 733a  p..https..https:
    00008230: 2f2f 6d64 6d2e 6173 7573 2e63 6f6d 002b  //mdm.asus.com.+
    
    in DMClient.odex
    00058cd0: 616d 7300 0568 7474 7073 0008 6874 7470  ams..https..http
    00058ce0: 733a 2f2f 0002 6875 0006 6877 5f76 6572  s://..hu..hw_ver
    replace the first "https" in both files with some other text.

    if you're curious about what this does: the function which adds the asus' ssl certificates has a check if the url begins with "https". you are replacing the string it compares against with garbage, so it always fails and never adds the certs. it's the same one which d.l.i.w used for their DMCLients

    now you need to make /system/app writeable. as i've said, i couldn't just remount /system as rw, so i came up with this workaround (enter those commands as root on the device):
    Code:
    mount -o remount,rw /
    mkdir /tmp
    mount -t tmpfs tmpfs /tmp
    cp -v /system/app/* /tmp
    mount -t tmpfs tmpfs /system/app
    cp -v /tmp/* /system/app
    umount /tmp

    after that just put both of those files back. relaunch the unlock app, and hopefully it will work. it took me a few tries to get it to work, though
    Hi, I can't root with Kingaroot and would like to try your timwr method but have no idea how to do that, can you please give some information? Thanks in advance
     
    I recently got my hands on a Asus TF700T with a locked boot loader. The official unlock app did not work, so I took a closer look. What I found is that the Asus servers are still up and running, but connection fails due to certificate pinning. And that can be dealt with ;)

    So here are the instructions:
    1. The device must be rooted. KingoRoot (the app) worked for me.

    2. Download the unlock bundle from the link below. I didn't find a way to directly attach files here.

    3. Copy both apks to /system/app, change the permission to 0644
      For this, a remount of the system partition may be needed:
      mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system

      DMClient.apk replaces the original DMClient.apk and DMClient.odex (i.e. you have to rename/move/delete the .odex file)
      The modified unlock app cannot be installed like any other and must be installed that way

    4. Reboot the device. On startup Android shows that one app is optimized (that's DMClient). The unlock app is now installed.

    5. Use the unlock app. Google account does not matter.

    Watch logcat to get some more information on what the unlock app does. On success the device immediately reboots, so redirect adb logcat to a file if you want to keep the log.

    I only tested on a TF700T with WW SKU, V10.6.1.14.10. I assume that other firmware versions work as well.
    The unlock app for TF700T also supports TF201, TF300T, TF300TG, and TF300TL, but a modified DMClient is needed.


    In case something goes wrong and your device gets stuck at the boot screen, this advice may be helpful:

    (thanks @DieAbrissbirne)


    Download links

    Unlock app
    and DMClient for TF700T
    https://leo.pfweb.eu/dl/OaKdx
    • WW_epad-10.6.1.14.10
    • JOP40D.US_epad-10.6.1.14.10-20130801

    DMClient for TF300T
    https://leo.pfweb.eu/dl/vUHnp

    DMClient for TF300TG
    https://leo.pfweb.eu/dl/xphHy


    DMClient for TF201
    https://leo.pfweb.eu/dl/pKvEA
    • WW_epad_10.4.2.17

    ---------------------------------------------------------------------

    Unlock app and DMClient for TF701T
    https://leo.pfweb.eu/dl/2AcpB

    DMClient for ME301T (also seems to work for ME302KL)
    https://leo.pfweb.eu/dl/uiJPN

    First of all thanks a lot for your contribution! I tough that device was good for the trash and now I have hope! I have a TF201, I'm not sure if I did unlock it back then so I'm trying to do it again but faced the same problem as you and found your post, woohoo!

    Followed your step, got the right DMClient for the TF201, got the UnluckV7 included in the same zip as the original DMClient you made, there's no differences in the unlockV7 for different devices right ? Had to root with motochopper tho, but everything worked as you said except I never saw the "optimizing app" after copying DMClient.apk and your unlockV7 and the reboot, correct permissions, no error in the log, the unlock app install correctly but when I run it and try to unlock I get the "unknown error occur" using logcat I can see an SSL error, to me it looks like TLS v1.2 is not supported on my tablet so the DMClient is unable to reach the DMServer which have probably disabled old ssl version for security reason.. The url work when I do it on my desktop.. Any idea on how to fix this ?

    I did a few restore to the latest build I've found on the asus support page so I run WW_epad-10.4.2.18-20121122. did the complet procedure few times just to be sure I haven't miss anything but I can't get it to work.. I'm out of Idea, anyone here want to throw any idea so I can try to fix it and install katkiss ? :p

    Thanks again for your work, these initiative keep this community alive!

    Here's the relevant part of my log when I try to unlock:
    Code:
    W/System.err( 1532): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
    W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)


    And full trace:
    Code:
    D/DMServerUnlock( 1532): get DMServer Response retry count = 3
    I/*** Unlock: md5 input( 1532): C860000D6312BCOKAS149159138ac3cb0a971b201587f51251e58b3b4c88f341dm_servernEEd_query_STATe
    I/*** Unlock: request( 1532): https://mdm.asus.com/DMServer/DeviceState?id=HIDDEN&AUTH=HIDDEN&ACTION=get
    D/PowerManagerService(  426): @PowerManagement: 'KEEP_SCREEN_ON_FLAG' releaseWakeLock when screen locked
    W/System.err( 1532): javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
    W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)
    W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:436)
    W/System.err( 1532):     at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:189)
    W/System.err( 1532):     at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:332)
    W/System.err( 1532):     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:375)
    W/System.err( 1532):     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    W/System.err( 1532):     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    W/System.err( 1532):     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    W/System.err( 1532):     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
    W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
    W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
    W/System.err( 1532):     at android.net.http.AndroidHttpClient.execute(AndroidHttpClient.java:252)
    W/System.err( 1532):     at com.asus.unlock.h.b(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.h.a(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.h.c(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.UnLockActivity.b(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.UnLockActivity.d(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.UnLockActivity.b(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.t.run(Unknown Source)
    W/System.err( 1532):     at java.lang.Thread.run(Thread.java:856)
    W/System.err( 1532): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
    W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)
    W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
    W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:395)
    W/System.err( 1532):     ... 19 more
     
    • Like
    Reactions: erictmc

    Nox17

    New member
    Nov 11, 2011
    3
    0
    Kish
    Hi!

    First of all, thanks for putting the effort to get this working! I also have an old TF700T that I want to start reusing.

    Model: TF700T
    Android: 4.2.1
    Build: JOP40D.US-epad-10.6.1.14.10-20130801

    I've followed the steps you provided, although with small changes. For example I used ES Explorer to copy the files and it already copies the file with the correct permissions. I removed the .odex file completely, based on other comments on this thread. I did see the optimizing app message when re-starting, and I do see the unlock app get installed. Nonetheless the unlock does not work. I see the same error in logcat as Arsenick mentions above.

    Below is my log, and Arsenick's post as well:

    Does anyone have any idea what could we do to fix this?

    Cheers!

    05-08 19:50:25.288 3300-3347/? D/DMServerUnlock: get DMServer Response retry count = 3 05-08 19:50:25.308 3300-3347/? I/*** Unlock: md5 input: 3085a9499d27C7OKAS077169539acc6dfb6c87ad74bda98d4e9d86b749107554dm_servernEEd_query_STATe 05-08 19:50:25.318 3300-3347/? I/*** Unlock: request: https://mdm.asus.com/DMServer/DeviceState?id=3085a9499d27&AUTH=KjIsqAUGTqFY11iAo12KRA&ACTION=get 05-08 19:50:26.588 3300-3347/? W/System.err: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x585d8c48: Failure in SSL library, usually a protocol error 05-08 19:50:26.588 3300-3347/? W/System.err: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x5a8c6c38:0x00000000) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:420) 05-08 19:50:26.588 3300-3347/? W/System.err: at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:190) 05-08 19:50:26.588 3300-3347/? W/System.err: at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:382) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:375) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487) 05-08 19:50:26.588 3300-3347/? W/System.err: at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465) 05-08 19:50:26.588 3300-3347/? W/System.err: at android.net.http.AndroidHttpClient.execute(AndroidHttpClient.java:252) 05-08 19:50:26.588 3300-3347/? W/System.err: at com.asus.unlock.h.b(Unknown Source) 05-08 19:50:26.588 3300-3347/? W/System.err: at com.asus.unlock.h.a(Unknown Source) 05-08 19:50:26.588 3300-3347/? W/System.err: at com.asus.unlock.h.c(Unknown Source) 05-08 19:50:26.598 3300-3347/? W/System.err: at com.asus.unlock.UnLockActivity.b(Unknown Source) 05-08 19:50:26.598 3300-3347/? W/System.err: at com.asus.unlock.UnLockActivity.d(Unknown Source) 05-08 19:50:26.598 3300-3347/? W/System.err: at com.asus.unlock.UnLockActivity.b(Unknown Source) 05-08 19:50:26.598 3300-3347/? W/System.err: at com.asus.unlock.t.run(Unknown Source) 05-08 19:50:26.598 3300-3347/? W/System.err: at java.lang.Thread.run(Thread.java:856) 05-08 19:50:26.598 3300-3347/? W/System.err: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x585d8c48: Failure in SSL library, usually a protocol error

    First of all thanks a lot for your contribution! I tough that device was good for the trash and now I have hope! I have a TF201, I'm not sure if I did unlock it back then so I'm trying to do it again but faced the same problem as you and found your post, woohoo!

    Followed your step, got the right DMClient for the TF201, got the UnluckV7 included in the same zip as the original DMClient you made, there's no differences in the unlockV7 for different devices right ? Had to root with motochopper tho, but everything worked as you said except I never saw the "optimizing app" after copying DMClient.apk and your unlockV7 and the reboot, correct permissions, no error in the log, the unlock app install correctly but when I run it and try to unlock I get the "unknown error occur" using logcat I can see an SSL error, to me it looks like TLS v1.2 is not supported on my tablet so the DMClient is unable to reach the DMServer which have probably disabled old ssl version for security reason.. The url work when I do it on my desktop.. Any idea on how to fix this ?

    I did a few restore to the latest build I've found on the asus support page so I run WW_epad-10.4.2.18-20121122. did the complet procedure few times just to be sure I haven't miss anything but I can't get it to work.. I'm out of Idea, anyone here want to throw any idea so I can try to fix it and install katkiss ? :p

    Thanks again for your work, these initiative keep this community alive!

    Here's the relevant part of my log when I try to unlock:
    Code:
    W/System.err( 1532): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
    W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)


    And full trace:
    Code:
    D/DMServerUnlock( 1532): get DMServer Response retry count = 3
    I/*** Unlock: md5 input( 1532): C860000D6312BCOKAS149159138ac3cb0a971b201587f51251e58b3b4c88f341dm_servernEEd_query_STATe
    I/*** Unlock: request( 1532): https://mdm.asus.com/DMServer/DeviceState?id=HIDDEN&AUTH=HIDDEN&ACTION=get
    D/PowerManagerService(  426): @PowerManagement: 'KEEP_SCREEN_ON_FLAG' releaseWakeLock when screen locked
    W/System.err( 1532): javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
    W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)
    W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:436)
    W/System.err( 1532):     at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:189)
    W/System.err( 1532):     at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:332)
    W/System.err( 1532):     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:375)
    W/System.err( 1532):     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    W/System.err( 1532):     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    W/System.err( 1532):     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    W/System.err( 1532):     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
    W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
    W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
    W/System.err( 1532):     at android.net.http.AndroidHttpClient.execute(AndroidHttpClient.java:252)
    W/System.err( 1532):     at com.asus.unlock.h.b(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.h.a(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.h.c(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.UnLockActivity.b(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.UnLockActivity.d(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.UnLockActivity.b(Unknown Source)
    W/System.err( 1532):     at com.asus.unlock.t.run(Unknown Source)
    W/System.err( 1532):     at java.lang.Thread.run(Thread.java:856)
    W/System.err( 1532): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
    W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)
    W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
    W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:395)
    W/System.err( 1532):     ... 19 more
     
    @Nox17 Can you reach any https website in the browser on your tablet ? it appears I'm unable to visit www.asus.com with the default browser.. asus.com support only TLS 1.2 and 1.3. I tried visiting www.badssl.com which seems to support old vulnerable ssl version and I get the same result.. So not sure what's broken here..


    Code:
    W/chromium( 4700): external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0509/194734:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: www.asus.com:443
    E/chromium( 4700): external/chromium/net/socket/ssl_client_socket_openssl.cc:788: [0509/194734:ERROR:ssl_client_socket_openssl.cc(788)] handshake failed; returned -1, SSL error code 1, net_error -107
    E/Tab     ( 4700): onReceivedError -11 https://www.asus.com/ Couldn't establish a secure connection.
    W/browser ( 4700): Console: The page at https://www.asus.com/ displayed insecure content from file:///android_asset/webkit/android-weberror.png.
    W/browser ( 4700):  null:1

    Code:
    W/chromium( 4700): external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0509/201240:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: www.badssl.com:443
    E/chromium( 4700): external/chromium/net/socket/ssl_client_socket_openssl.cc:788: [0509/201240:ERROR:ssl_client_socket_openssl.cc(788)] handshake failed; returned -1, SSL error code 1, net_error -107
    E/Tab     ( 4700): onReceivedError -11 https://www.badssl.com/ Couldn't establish a secure connection.
    W/browser ( 4700): Console: The page at https://www.badssl.com/ displayed insecure content from file:///android_asset/webkit/android-weberror.png.
    W/browser ( 4700):  null:1


    Using an old version of chrome I can visit them.. https://androidapksfree.com/chrome/...old/chrome-39-0-2171-93-2171093-apk-download/


    So I'm not an expert at all but it look to me it's related to our version of webview..
     

    Top Liked Posts

    • There are no posts matching your filters.
    • 1
      I recently got my hands on a Asus TF700T with a locked boot loader. The official unlock app did not work, so I took a closer look. What I found is that the Asus servers are still up and running, but connection fails due to certificate pinning. And that can be dealt with ;)

      So here are the instructions:
      1. The device must be rooted. KingoRoot (the app) worked for me.

      2. Download the unlock bundle from the link below. I didn't find a way to directly attach files here.

      3. Copy both apks to /system/app, change the permission to 0644
        For this, a remount of the system partition may be needed:
        mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system

        DMClient.apk replaces the original DMClient.apk and DMClient.odex (i.e. you have to rename/move/delete the .odex file)
        The modified unlock app cannot be installed like any other and must be installed that way

      4. Reboot the device. On startup Android shows that one app is optimized (that's DMClient). The unlock app is now installed.

      5. Use the unlock app. Google account does not matter.

      Watch logcat to get some more information on what the unlock app does. On success the device immediately reboots, so redirect adb logcat to a file if you want to keep the log.

      I only tested on a TF700T with WW SKU, V10.6.1.14.10. I assume that other firmware versions work as well.
      The unlock app for TF700T also supports TF201, TF300T, TF300TG, and TF300TL, but a modified DMClient is needed.


      In case something goes wrong and your device gets stuck at the boot screen, this advice may be helpful:

      (thanks @DieAbrissbirne)


      Download links

      Unlock app
      and DMClient for TF700T
      https://leo.pfweb.eu/dl/OaKdx
      • WW_epad-10.6.1.14.10
      • JOP40D.US_epad-10.6.1.14.10-20130801

      DMClient for TF300T
      https://leo.pfweb.eu/dl/vUHnp

      DMClient for TF300TG
      https://leo.pfweb.eu/dl/xphHy


      DMClient for TF201
      https://leo.pfweb.eu/dl/pKvEA
      • WW_epad_10.4.2.17

      ---------------------------------------------------------------------

      Unlock app and DMClient for TF701T
      https://leo.pfweb.eu/dl/2AcpB

      DMClient for ME301T (also seems to work for ME302KL)
      https://leo.pfweb.eu/dl/uiJPN

      First of all thanks a lot for your contribution! I tough that device was good for the trash and now I have hope! I have a TF201, I'm not sure if I did unlock it back then so I'm trying to do it again but faced the same problem as you and found your post, woohoo!

      Followed your step, got the right DMClient for the TF201, got the UnluckV7 included in the same zip as the original DMClient you made, there's no differences in the unlockV7 for different devices right ? Had to root with motochopper tho, but everything worked as you said except I never saw the "optimizing app" after copying DMClient.apk and your unlockV7 and the reboot, correct permissions, no error in the log, the unlock app install correctly but when I run it and try to unlock I get the "unknown error occur" using logcat I can see an SSL error, to me it looks like TLS v1.2 is not supported on my tablet so the DMClient is unable to reach the DMServer which have probably disabled old ssl version for security reason.. The url work when I do it on my desktop.. Any idea on how to fix this ?

      I did a few restore to the latest build I've found on the asus support page so I run WW_epad-10.4.2.18-20121122. did the complet procedure few times just to be sure I haven't miss anything but I can't get it to work.. I'm out of Idea, anyone here want to throw any idea so I can try to fix it and install katkiss ? :p

      Thanks again for your work, these initiative keep this community alive!

      Here's the relevant part of my log when I try to unlock:
      Code:
      W/System.err( 1532): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
      W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)


      And full trace:
      Code:
      D/DMServerUnlock( 1532): get DMServer Response retry count = 3
      I/*** Unlock: md5 input( 1532): C860000D6312BCOKAS149159138ac3cb0a971b201587f51251e58b3b4c88f341dm_servernEEd_query_STATe
      I/*** Unlock: request( 1532): https://mdm.asus.com/DMServer/DeviceState?id=HIDDEN&AUTH=HIDDEN&ACTION=get
      D/PowerManagerService(  426): @PowerManagement: 'KEEP_SCREEN_ON_FLAG' releaseWakeLock when screen locked
      W/System.err( 1532): javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
      W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)
      W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:436)
      W/System.err( 1532):     at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:189)
      W/System.err( 1532):     at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:332)
      W/System.err( 1532):     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:375)
      W/System.err( 1532):     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
      W/System.err( 1532):     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
      W/System.err( 1532):     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
      W/System.err( 1532):     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
      W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
      W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
      W/System.err( 1532):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
      W/System.err( 1532):     at android.net.http.AndroidHttpClient.execute(AndroidHttpClient.java:252)
      W/System.err( 1532):     at com.asus.unlock.h.b(Unknown Source)
      W/System.err( 1532):     at com.asus.unlock.h.a(Unknown Source)
      W/System.err( 1532):     at com.asus.unlock.h.c(Unknown Source)
      W/System.err( 1532):     at com.asus.unlock.UnLockActivity.b(Unknown Source)
      W/System.err( 1532):     at com.asus.unlock.UnLockActivity.d(Unknown Source)
      W/System.err( 1532):     at com.asus.unlock.UnLockActivity.b(Unknown Source)
      W/System.err( 1532):     at com.asus.unlock.t.run(Unknown Source)
      W/System.err( 1532):     at java.lang.Thread.run(Thread.java:856)
      W/System.err( 1532): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5b5128c0: Failure in SSL library, usually a protocol error
      W/System.err( 1532): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x41a707de:0x00000000)
      W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
      W/System.err( 1532):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:395)
      W/System.err( 1532):     ... 19 more
      1
      Apparently, Asus has updated the servers and older protocols are no longer supported. See

      I think there are two possible solutions:
      1. Change the apps and the firmware to support at least TLS 1.2. This is not an easy task.
      2. Use a MITM setup to downgrade the connection to an older SSL version for the unlock. Something like this:

        The certificate won't cause problems as the verification is deactivated in the modified versions.
        This is probably the more realistic way to go.
      1
      @d.l.i.w Thanks a lot for having a look.

      I also thought of trying to run some MITM setup. Just did not have the time yet. I was also wondering if it could have been that ASUS updated their certificates, but good to know the modified version ignores that.

      @Arsenick A bit of a late reply, but I did check on my tablet and indeed with the stock browser I can't access the asus page. Chrome works, and there TLS 1.2 is used. On my PC chrome uses TLS 1.3. So just like d.l.i.w pointed out Asus does not support older versions anymore.

      On the weekend I will try to do a test for a MITM setup, see if that works. If anyone has any success, let me know!

      Cheers.
      Let us know how it goes with the mitm, not to discourage you but I'm on my third day on this track using mitmproxy and so far I just confirmed Asus did certificate pinning in their stuff so wathever I tried, there's problem :p As far as I know, mitmproxy should be the right tool for this like described here. As you'll see in the next error, SNI is not set by our device, so I had to force insecure mode, which seems to fail because of the cert pinning..

      mitmproxy config:
      mode: transparent
      showhost: true
      ssl_insecure: false

      Code:
      192.168.8.197:57514: clientconnect
      192.168.8.197:57514: Cannot establish TLS with 123.51.152.19:443 (sni: None): TlsException('Cannot validate certificate hostname without SNI')
      192.168.8.197:57514: clientdisconnect
      -----
      mitmproxy config:
      mode: transparent
      showhost: true
      ssl_insecure: true

      Code:
      :ffff:192.168.8.197:37327: Certificate verification error for None: ("hostname 'no-hostname' doesn't match either of '*.asus.com', 'asus.com'",)
      ::ffff:192.168.XXXXXX:37327: Ignoring server verification error, continuing with connection
      192.168.XXXXXX:37327: Client Handshake failed. The client may not trust the proxy's certificate for ('123.51.152.19', 443).


      @d.l.i.w the hack you did seems to workaround the original certificate pinning issue, how did you do that ? Any idea why it would not work right now with mitmproxy ?

      So far I've tried:
      - Restore latest tf201 ww firmware, no root no modification to dmclient, multiple mitmproxy setup, user trusted key, added key directly to the system cacert to no avail
      - Tried the original hack + mitmproxy in regular and transparent mode, with and without ssl_insecure enabled, same result

      Thei weirdest part is using the stock browser, I get the same error when I try to visit https://badssl.com so there's no certificate pinning on this... I'm a bit lost

      they replied to my ticket today, saying how to enable TLS 1.2 on Android by installing Chrome and enabling in the option, so I tried to stay polite with my reply and started from scratch with the detail of the problem... It's not gonna be easy, I have to pass thru the 1st and probably second level of helpdesk to get an engineer who will understand what I'm saying but let's not forget those devices are almost 10years old so they'll probably throw the towel wayyy before... Let's have some hope. Maybe you guy's can open support issue too so they might see there's more people with this problem.

      Just tried to bypass the pinning with Justtrustme, Android-SSL-TrustKiller and SSLUnpinning to no avail.

      I've extracted the apk and looking at the smali code, I'm in unknown land!
      1
      See https://forum.xda-developers.com/t/howto-unlock-tf700t-in-2020.4157143/post-84819987
      This is the minimal amount of changes you need to make.

      As far as I remember, mitmproxy (mitmweb) worked in transparent mode with default settings back then when I tested the unlock for my device. I simply created a wifi hotspot and routed all traffic through mitmproxy.

      Thanks a lot for taking time to help again! I already tried those step with mitmproxy. I cleared user data + reinstalled a fresh firmware from bootstrap and I realized in the dalvik cache there was this file "/data/dalvik-cache/[email protected]@[email protected]" which is your apk installed in my previous attempts...

      So I'm a bit confused and I'm starting to question myself on the different tests I've done.. I've always though deleting user data+ firmware reinstall started with a fresh system but it doesn't look like that, which could explain all the problem I'm having with certificate in webview and the default browser...

      I should be doing something wrong when I reinstall, I need to do this corectly before trying anything else, any suggestion anyone ? How can I restore my tf201 reinstalling firmware but be sure nothing I could have changed, files, folders, permissions etc.. has been left behind ?

      For others you can try to follow this post: https://forum.xda-developers.com/t/...al-fix-mine-is-unlocked.1764917/post-71796522 The unlock tool in this repo is what have almost worked for me today, I'm stuck with ssl error but with this package it crashed later in the process so something's working in there, maybe I'm the only one with my exact issue, let me know if this work. Seems our problem can come not only from asus server but maybe rma/sn problems, therE's details in the thread about sdcard too, I'm just too tired and stubborn to let my tf201 die so close but I'm starting to loose faith!
    • 4
      I recently got my hands on a Asus TF700T with a locked boot loader. The official unlock app did not work, so I took a closer look. What I found is that the Asus servers are still up and running, but connection fails due to certificate pinning. And that can be dealt with ;)

      So here are the instructions:
      1. The device must be rooted. KingoRoot (the app) worked for me.

      2. Download the unlock bundle from the link below. I didn't find a way to directly attach files here.

      3. Copy both apks to /system/app, change the permission to 0644
        For this, a remount of the system partition may be needed:
        mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system

        DMClient.apk replaces the original DMClient.apk and DMClient.odex (i.e. you have to rename/move/delete the .odex file)
        The modified unlock app cannot be installed like any other and must be installed that way

      4. Reboot the device. On startup Android shows that one app is optimized (that's DMClient). The unlock app is now installed.

      5. Use the unlock app. Google account does not matter.

      Watch logcat to get some more information on what the unlock app does. On success the device immediately reboots, so redirect adb logcat to a file if you want to keep the log.

      I only tested on a TF700T with WW SKU, V10.6.1.14.10. I assume that other firmware versions work as well.
      The unlock app for TF700T also supports TF201, TF300T, TF300TG, and TF300TL, but a modified DMClient is needed.


      In case something goes wrong and your device gets stuck at the boot screen, this advice may be helpful:

      (thanks @DieAbrissbirne)


      Download links

      Unlock app
      and DMClient for TF700T
      https://leo.pfweb.eu/dl/OaKdx
      • WW_epad-10.6.1.14.10
      • JOP40D.US_epad-10.6.1.14.10-20130801

      DMClient for TF300T
      https://leo.pfweb.eu/dl/vUHnp

      DMClient for TF300TG
      https://leo.pfweb.eu/dl/xphHy


      DMClient for TF201
      https://leo.pfweb.eu/dl/pKvEA
      • WW_epad_10.4.2.17

      ---------------------------------------------------------------------

      Unlock app and DMClient for TF701T
      https://leo.pfweb.eu/dl/2AcpB

      DMClient for ME301T (also seems to work for ME302KL)
      https://leo.pfweb.eu/dl/uiJPN
      1
      just wanted to say i was able to successfully follow these instructions on a TF300T
      1
      Hello all and thanks a lot @d.l.i.w !!!

      Just wanted to let you know that it finally worked for me (TF700T). I followed instructions in first post, but :

      1) Kingo ROOT had to be older version (4.4.3, from https://kingo-root.en.uptodown.com/android/versions)
      2) Had to apply the trick from post-83766179 (mount -o remount,rw /system /system) in adb to move the files and change permissions
      3) It worked with the files from post-84126441 AND with DMClient.odex deleted from /system/app before rebooting. Before that, the unlocking app failed. So I don't know if it's the different bundle files or the fact that I deleted DMClient.odex. Try all :)

      By the way, after that I installed the Katkiss ROM, which works very nicely and was even able to install on it microg, so I have ms-teams working for my daughter...
      1
      Hello. After the device is rooted, install the ESfile explorer and enable the root explorer option in it. You copy the files to /system/app/. By removing or renaming DMClient.apk and DMClient.odex beforehand. You change the attributes in the file properties item when viewing the directory in the ESfile explorer. Sorry for my English - wrote through a translator.
      1
      I would be interested in learning your process for generating the firmware-specific apk... do you have a video of your steps?
      I have a tf701t that shows the same issue when using the "official" Unlock App (Network Failure due to Certificate Issues) and would like to generate a patched APK that allows the unlock without the error...

      A few pointers would be enough to get me going.

      Thank you in advance.
      You have to modify both the unlock app and the firmware. In the case of the TF700T, the latter only involved DMClient.apk, but that may be different for other devices.

      There is no magic involved. Any tutorial that deals with the analysis and modification of Java bytecode can serve as a starting point. The difficult part is to understand the whole thing and patch it in the right places. That very much depends on the actual code, so I can't give you general step-by-step instructions.

      That being said, I have already briefly looked at the unlock app for the TF701T. Some of it looks familiar to the TF700T, so chances are good that I'll stay motivated to take it apart.

      @d.l.i.w
      can you help me?
      With no further information, it is difficult to guess what happened. If you have deleted some necessary system app, your could try to restore the original firmware. There are certainly many others on this forum who can help you with this far better than I could do.
    Our Apps
    Get our official app!
    The best way to access XDA on your phone
    Nav Gestures
    Add swipe gestures to any Android
    One Handed Mode
    Eases uses one hand with your phone