HTC unlock internals

Tue 10 April 2012 by cedric

Since the end of 2011, HTC has allowed the bootloaders of its smartphones to be unlocked. Before that, HTC controlled every update and package installed on its devices. Users can now unlock their device manually in order to install any installation image (commonly called a "ROM" in Android jargon). This article describes the internals of the unlock procedure.

Main aspects

The unlock procedure takes place in 2 steps. For each step, the user has to put the phone in bootloader mode (HBOOT) and execute commands from the computer.

The first step consists of requesting a blob from the device.

# fastboot oem get_identifier_token

We get a blob that needs to be submitted to the HTC Dev website.

<<<< Identifier Token Start >>>>
<<<<< Identifier Token End >>>>>

In return, HTC sends the "Unlock_code.bin" file by email. The second step consists of using this file to unlock the phone.

# fastboot flash unlocktoken Unlock_code.bin

The phone will be unlocked only if the "Unlock_code.bin" file is valid.


Let us analyse the internal mechanisms. The following values are collected from the device during the first step.

  • IMEI: 123456789012345
  • Serial number: SH0CERT12345
  • Model ID: PC10*****
  • CID: 11111111
  • 4 DWORDs (unidentified)

These values are concatenated and padded to get a 256-byte block (we will call that block "PhoneIDs").

00000000  00 31 32 33 34 35 36 37  38 39 30 31 32 33 34 35  |.123456789012345|
00000010  30 53 48 30 43 45 52 54  31 32 33 34 35 50 43 31  |0SH0CERT12345PC1|
00000020  30 2a 2a 2a 2a 2a 31 31  31 31 31 31 31 31 45 01  |0*****11111111E.|
00000030  00 53 12 34 56 78 47 90  41 58 29 7f ad 4a 7f 60  |.S.4VxG.AX)..J.`|
00000040  e1 3c 12 83 5d c0 9c 74  30 a4 79 aa 41 68 58 cb  |.<..]..t0.y.AhX.|
000000f0  1b 21 48 0b f5 15 39 0a  a5 26 f2 09 78 c5 e6 b7  |.!H...9..&..x...|

Then, the block is encrypted using the RSA-OAEP encryption scheme with HTC's public key. The resulting "blob1" is what appears between the Identifier Token tags and is what has to be submitted to the HTC Dev website.


The second step consists of validating the "Unlock_code.bin" file.

First, the bootloader verifies the file's signature using HTC's public key. Second, it computes the hash (SHA-2) of a shortened version of "PhoneIDs": the concatenation of IMEI, serial number, model ID, CID and the 4 DWORDs, without the padding.

This hash is compared with the hash recovered from the signature verification. If they match, the device grants the unlock.


The source code for these steps is available on GitHub.


The HTC unlock procedure is quite simple. HTC alone holds the private key and is therefore the only party able to create an "Unlock_code.bin", so it can stop issuing them at any time. However, once you have an "Unlock_code.bin" for a given device, you will always be able to unlock it, since the check is done locally by the bootloader against HTC's public key (as long as a bootloader update does not replace that key or the check itself).

Unlocking enables "fastboot flash" commands and reduces the security of your device: anyone with physical access can then flash a custom recovery and mount your data partition, so do it at your own risk.

For security reasons, the unlock procedure erases the data partition. So even if an attacker gets hold of a passcode-protected device and asks HTC for its "Unlock_code.bin" file, he will not be able to access the original data.