HTC unlock internals

Tue 10 April 2012 by cedric

Since the end of 2011, HTC allows unlocking the bootloaders of its smartphones. Before that, HTC controlled every update and package installed on its devices. Users can now unlock their device manually in order to install any installation image (commonly called a "ROM" in Android jargon) on their smartphone. This article describes the internals behind this unlock procedure.

Main aspects

The unlock procedure takes place in 2 steps. For each step, the user has to put their mobile phone in bootloader mode (HBOOT) and execute commands from the computer.

The first step consists of requesting a blob from the device.

# fastboot oem get_identifier_token

We get a blob that needs to be submitted to the HTC Dev website.

<<<< Identifier Token Start >>>>
6B08571CFA5165E6DD651B61E54C21CA
E831316228F61EAD276FA3B5C09D1FF0
427E42252BD24461130468DFAFEC344D
F13F5A83AA732CA9678B8AF453EDA69C
319A8C0BF1887C87DDC25B7D7FC16C41
0791099A245FDE2B54AF869E2D3F13F3
5B0F8982C5BA528445ABE98FC580EFAB
D735C19C752F679F2C4C5F98E4A1F063
D4D85FFA64FEC3C11CA5971188211502
B3098649EAE32FB28FC5A50DCF20B50F
536BBF0540842672D55E0DD8A2FFA353
3694DFEC8661C2E9CB6D4BD4E3299DE0
B7BC2EC9B63DE42D355C4C49308E9348
543A4FD687245D6284421593D44C3D33
46E6738AFB76248A373D1CC1027095C9
6754DC0CB0686C3FEB6FDA61E64FB308
<<<<< Identifier Token End >>>>>

In return, HTC will send us the "Unlock_code.bin" file by email. The second step consists of using this file to unlock the Smartphone.

# fastboot flash unlocktoken Unlock_code.bin

The phone will be unlocked only if the "Unlock_code.bin" file is valid.

Internals

Let us analyse the internal mechanisms. The following values are recovered during the first step.

  • IMEI: 123456789012345
  • Serial number: SH0CERT12345
  • Model ID: PC10*****
  • CID: 11111111
  • 4 DWORDs (unidentified)

These values are concatenated and padded to get 256 bytes (we will call the result "PhoneIDs").

00000000  00 31 32 33 34 35 36 37  38 39 30 31 32 33 34 35  |.123456789012345|
00000010  30 53 48 30 43 45 52 54  31 32 33 34 35 50 43 31  |0SH0CERT12345PC1|
00000020  30 2a 2a 2a 2a 2a 31 31  31 31 31 31 31 31 45 01  |0*****11111111E.|
00000030  00 53 12 34 56 78 47 90  41 58 29 7f ad 4a 7f 60  |.S.4VxG.AX)..J.`|
00000040  e1 3c 12 83 5d c0 9c 74  30 a4 79 aa 41 68 58 cb  |.<..]..t0.y.AhX.|
…
000000f0  1b 21 48 0b f5 15 39 0a  a5 26 f2 09 78 c5 e6 b7  |.!H...9..&..x...|
00000100

Then, they are encrypted using the RSA-OAEP encryption scheme with HTC's public key. The resulting "blob1" is what appears between the tags <<<< Identifier Token Start >>>> and <<<<< Identifier Token End >>>>>, and it is what has to be sent to the HTC Dev website.

htc_unlock_get_identifier_token.png

The second step consists of validating the "Unlock_code.bin" file.

First, it verifies the signature using HTC's public key. Secondly, it computes the hash value (using the SHA2 algorithm) of a shortened version of the "PhoneIDs". This shortened version of the value "PhoneIDs" is the concatenation of IMEI, Serial number, Model ID, CID, and the 4 DWORDs, but without the padding.

The resulting hash value is then compared with the hash value recovered from the file's signature verification. If they match, the mobile device grants the unlock.

htc_unlock_Unlock_code.png

Source code for these steps is available on GitHub.
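The second step, modelled as an added example that is neither the article's GitHub code nor HTC's: a freshly generated RSA key pair stands in for HTC's key, raw RSA with message recovery stands in for HTC's real signature format, SHA-256 stands in for "SHA2", and the byte layout of the shortened PhoneIDs is simplified. The values in the usage below are the constructed ones from the article's dump; step 1 (RSA-OAEP encryption of the padded PhoneIDs) is not modelled.

```python
import hashlib, random, struct

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, good enough for a throw-away demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=512):
    """Constructed stand-in for HTC's key pair: returns (e, n), (d, n)."""
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(p):
                return p
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def phone_ids(imei, serial, model_id, cid, dwords):
    """Shortened (unpadded) PhoneIDs: IMEI | serial | model ID | CID | 4 DWORDs (layout simplified)."""
    return (imei + serial + model_id + cid).encode() + struct.pack("<4I", *dwords)

def htc_sign_unlock_code(priv, ids):
    """HTC side: raw RSA with message recovery over SHA-256(ids) stands in for the real format."""
    d, n = priv
    h = int.from_bytes(hashlib.sha256(ids).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def device_check_unlock_code(pub, ids, unlock_code):
    """Device side: recover the hash from Unlock_code.bin and compare with its own SHA-256(ids)."""
    e, n = pub
    recovered = pow(int.from_bytes(unlock_code, "big"), e, n)
    return recovered == int.from_bytes(hashlib.sha256(ids).digest(), "big")
```

Because the device hashes its own identifiers before comparing, an Unlock_code.bin issued for one IMEI fails on any other device, and a tampered file fails the recovery check.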

Conclusion

The HTC unlock procedure is quite simple. HTC is the only one to have the private key and to be able to create the "Unlock_code.bin". So they can stop the procedure at any time if they want to. However, if you get an "Unlock_code.bin" for a given device, you will always be able to unlock it.

The unlock procedure will allow "fastboot flash" commands and reduce the security of your device, since it will be possible to flash a custom recovery and mount your original data partition, so do it at your own risk.

For security reasons, the unlock procedure erases the data partition. Even if an attacker gets hold of a device (protected with a passcode) and asks HTC to provide the "Unlock_code.bin" file for it, he will not be able to access the original data.