HTC unlock internals
Tue 10 April 2012 by cedric
Since the end of 2011, HTC has allowed the bootloaders of its smartphones to be unlocked. Before that, HTC controlled every update and package installed on its devices. Users can now unlock their device themselves in order to install any installation image (commonly called a "ROM" in Android jargon) on their smartphone. This article describes the internals of this unlock procedure.
The unlock procedure takes place in 2 steps. For each step, the user has to put the phone in bootloader mode (HBOOT) and execute commands from the computer.
The first step consists of requesting a blob from the device.
```
# fastboot oem get_identifier_token
```
We get a blob that needs to be submitted to the HTC Dev website.
```
<<<< Identifier Token Start >>>>
(token contents omitted)
<<<<< Identifier Token End >>>>>
```
In return, HTC will send us the "Unlock_code.bin" file by email. The second step consists of using this file to unlock the Smartphone.
```
# fastboot flash unlocktoken Unlock_code.bin
```
The phone will be unlocked only if the "Unlock_code.bin" file is valid.
Let us analyse the internal mechanisms. The following values are recovered during the first step.
- IMEI: 123456789012345
- Serial number: SH0CERT12345
- Model ID: PC10*****
- CID: 11111111
- 4 DWORDs (unidentified)
These values are concatenated and padded to get 256 bytes (we will call the result "PhoneIDs"):
```
00000000  00 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  |.123456789012345|
00000010  30 53 48 30 43 45 52 54 31 32 33 34 35 50 43 31  |0SH0CERT12345PC1|
00000020  30 2a 2a 2a 2a 2a 31 31 31 31 31 31 31 31 45 01  |0*****11111111E.|
00000030  00 53 12 34 56 78 47 90 41 58 29 7f ad 4a 7f 60  |.S.4VxG.AX)..J.`|
00000040  e1 3c 12 83 5d c0 9c 74 30 a4 79 aa 41 68 58 cb  |.<..]..t0.y.AhX.|
…
000000f0  1b 21 48 0b f5 15 39 0a a5 26 f2 09 78 c5 e6 b7  |.!H...9..&..x...|
00000100
```
They are then encrypted using the RSA-OAEP encryption scheme with HTC's public key. The resulting "blob1" is what appears between the <<<<< Identifier Token >>>>> tags, and it is what has to be sent to the HTC Dev website.
The second step consists of validating the "Unlock_code.bin" file.
First, it verifies the file's signature using HTC's public key. Second, it computes the hash (using the SHA2 algorithm) of a shortened version of "PhoneIDs". This shortened version is the concatenation of the IMEI, serial number, model ID, CID and 4 DWORDs, without the padding.
The resulting hash is compared with the hash recovered from the file's signature verification. If they match, the device grants the unlock.
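The following is an added example, written for this article and not taken from it or from HTC's GitHub source: a stdlib-only Python model of the two parts the article spells out, the "PhoneIDs" concatenation of step 1 and the device-side check of step 2. Everything not stated in the article is an assumption made here so that the code runs offline: the fields are packed back to back with no separators, the 4 DWORDs are carried as 16 raw bytes, "SHA2" is taken as SHA-256, HTC's key is replaced by a deterministic 512-bit toy RSA key, and the unlock code is modelled as a textbook RSA signature over the raw digest. The sample IMEI, serial, model ID and CID are the constructed values from the list above.

```python
"""Model of the HTC unlock check (added example; assumptions noted in comments)."""
import hashlib
import hmac
import random

# Constructed sample values copied from the article's list; not a real device.
SAMPLE_IMEI = "123456789012345"
SAMPLE_SERIAL = "SH0CERT12345"
SAMPLE_MODEL_ID = "PC10*****"
SAMPLE_CID = "11111111"
# 16 bytes standing in for the 4 unidentified DWORDs (our reading of the dump
# above right after the CID; the real field layout is an assumption).
SAMPLE_DWORDS = bytes.fromhex("450100531234567847904158297fad4a")


def shortened_phone_ids(imei, serial, model_id, cid, dwords):
    """Unpadded concatenation hashed in step 2. Field order follows the article;
    back-to-back packing with raw DWORD bytes is an assumption."""
    if len(dwords) != 16:
        raise ValueError("expected 4 DWORDs = 16 bytes")
    return (imei + serial + model_id + cid).encode("ascii") + dwords


def padded_phone_ids(short, rng=None):
    """256-byte "PhoneIDs" of step 1 (the part that gets RSA-OAEP encrypted).
    The dump shows random-looking padding; generating it this way is our choice."""
    if len(short) > 256:
        raise ValueError("PhoneIDs too long")
    rng = rng or random.SystemRandom()
    return short + bytes(rng.getrandbits(8) for _ in range(256 - len(short)))


def unlock_digest(short):
    """SHA-2 hash of the shortened PhoneIDs (SHA-256 assumed; article says SHA2)."""
    return hashlib.sha256(short).digest()


# --- toy RSA key, deterministic so the example reproduces (stand-in for HTC's key) ---
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rng, rounds=24):
    """Trial division followed by Miller-Rabin."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(bits=512, seed=2012):
    """Return ((n, e), (n, d)). 512 bits is a toy size, enough to hold a digest."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def issue_unlock_code(private_key, short):
    """HTC side: sign the digest of the shortened PhoneIDs. Textbook RSA over the
    raw digest is a simplification; the article does not name the padding scheme."""
    n, d = private_key
    sig = pow(int.from_bytes(unlock_digest(short), "big"), d, n)
    return sig.to_bytes((n.bit_length() + 7) // 8, "big")


def device_accepts_unlock(public_key, unlock_code, short):
    """Device side: recover the digest from the signature and compare it with the
    digest of this device's own shortened PhoneIDs."""
    n, e = public_key
    sig = int.from_bytes(unlock_code, "big")
    if sig >= n:
        return False
    recovered = pow(sig, e, n)
    if recovered.bit_length() > 256:
        return False  # cannot be a SHA-256 digest
    return hmac.compare_digest(recovered.to_bytes(32, "big"), unlock_digest(short))


if __name__ == "__main__":
    pub, priv = make_keypair()
    mine = shortened_phone_ids(SAMPLE_IMEI, SAMPLE_SERIAL, SAMPLE_MODEL_ID, SAMPLE_CID, SAMPLE_DWORDS)
    code = issue_unlock_code(priv, mine)
    other = shortened_phone_ids(SAMPLE_IMEI, "SH0CERT99999", SAMPLE_MODEL_ID, SAMPLE_CID, SAMPLE_DWORDS)
    print("accepted on issuing device:", device_accepts_unlock(pub, code, mine))
    print("same code on another serial:", device_accepts_unlock(pub, code, other))
```

Running the script shows the property the article relies on: the unlock code is bound to the identifiers of one device, so the same file is rejected when any field (here the serial) differs, and a single flipped bit in the file fails verification. In a real deployment the signature would use a standard padded scheme (PKCS#1 v1.5 or PSS) rather than the raw-digest RSA used in this model; the article does not say which HTC uses.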
Source code for these steps is available on GitHub.
The HTC unlock procedure is quite simple. HTC is the only party holding the private key, so it alone can create an "Unlock_code.bin", and it can stop the procedure at any time if it wants to. However, once you have an "Unlock_code.bin" for a given device, you will always be able to unlock it.
The unlock procedure allows "fastboot flash" commands and reduces the security of your device, since it becomes possible to flash a custom recovery and mount your original data partition, so do it at your own risk.
For security reasons, the unlock procedure erases the data partition. Even if an attacker gets hold of a device (protected with a passcode) and asks HTC to provide him with this "Unlock_code.bin" file, he will not be able to access the original data.