I came across this article on how to gain nvflash access on the prime: http://androidroot.mobi/2012/07/15/nvflash-for-tegra3-transformer-prime/
**Warning: Do not try this on your Infinity. It is for the Prime only atm and may turn your Infinity into an expensive mirror.**
It works by flashing a custom bootloader to gain access to the hardware encryption engine, then pre-encrypting an nvflash "loader" which can be loaded in APX mode.
NVFlash access has several advantages such as:
- Giving us a deeper level of control and flashing ability beyond simple unlocking.
- Makes the tablet completely unbrickable. The Tegra APX mode is hardcoded and untouchable.
- Provides a failsafe, root-free method of re-unlocking if the tablet is relocked, as has happened before.
- Allows you to completely "own" your device. Since APX is hardcoded there is nothing Asus or anyone else can do, short of replacing components in your tablet, that can prevent you from flashing whatever you want.
It doesn't look too hard to port this. Perhaps someone here could give it a shot, or we could bug/convince the original developers to make a version for the Infinity. Thoughts? Ideas?
rightonred said:
I came across this article on how to gain nvflash access on the prime: http://androidroot.mobi/2012/07/15/nvflash-for-tegra3-transformer-prime/
**Warning: Do not try this on your Infinity. It is for the Prime only atm and may turn your Infinity into an expensive mirror.**
It works by flashing a custom bootloader to gain access to the hardware encryption engine, then pre-encrypting an nvflash "loader" which can be loaded in APX mode.
NVFlash access has several advantages such as:
- Giving us a deeper level of control and flashing ability beyond simple unlocking.
- Makes the tablet completely unbrickable. The Tegra APX mode is hardcoded and untouchable.
- Provides a failsafe, root-free method of re-unlocking if the tablet is relocked, as has happened before.
- Allows you to completely "own" your device. Since APX is hardcoded there is nothing Asus or anyone else can do, short of replacing components in your tablet, that can prevent you from flashing whatever you want.
It doesn't look too hard to port this. Perhaps someone here could give it a shot, or we could bug/convince the original developers to make a version for the Infinity. Thoughts? Ideas?
So far I guess that it is impossible to port this to the TF700 because the Secure Boot Key is unknown. Here you can read more about it --> http://androidroot.mobi/technical/tf-secure-boot-key/
Pretoriano80 said:
So far I guess that it is impossible to port this to the TF700 because the Secure Boot Key is unknown. Here you can read more about it --> http://androidroot.mobi/technical/tf-secure-boot-key/
This tool is slightly different.
The SBK for the OG Transformer was the same for all of the units, thus the only thing that was needed was the leaked SBK. The Prime, however, had a different SBK for each device.
This tool is a workaround for an unknown SBK. The required communications to load the unsecured nvflash image in APX mode are pre-encrypted on the device using the unknown SBK. In order to do this, though, the tablet must be unlocked.
Related
I posted this on my website, and thought people here might also appreciate it:
So to start this off, this is not about how to unlock your HTC phone's bootloader; it is about what we can infer about the process due to the way it works (for more information on the process, see this). From what it would appear, this is some sort of hashing algorithm; upon first look it would most likely be a one-way hash of the token passed to them at step 2. However, there is also the possibility that this is RSA in reverse.
If it is a hashing algorithm, this seems to be a best-case scenario. If it is a hashing algorithm, then each ID will obviously have a different unlock code sent to it. But the real question is how the phone will validate this. Does the phone have the unlock code programmed into the NAND, which would be a very nice solution if it just checks to see whether the two codes match? Or does it just have the algorithm to hash the ID built in and do that before checking it, which is another decent proposition, as if a hacker could get their hands on that and reverse engineer it they could set up a third-party bootloader unlocker?
If it is RSA in reverse it would actually be much simpler to break the code. We know that the phone's processor can only do so much computation, which would limit the possibilities for the key used to decrypt what is sent back from the HTC server. We also know that the key would have to be stored on the phone, even if only temporarily, in order for the phone to be able to unlock the bootloader if that was the case, so it would lend the possibility that the user could dump the information in the NAND and get the decryption key. However, unfortunately, as we know, that won't help much with RSA, as it uses two different keys to encrypt and decrypt, but it is an intriguing thought.
In conclusion, there aren't too many possibilities for how the bootloader is being unlocked by HTC; those are the only ones I could think of that would fit (however, there are likely many more). Thus, because of the limited possibilities, it is only a matter of time until the process is reverse engineered, allowing users to unlock their bootloader through non-official means, and if it is not able to be reverse engineered, I'd be willing to make a gentleman's bet that at some point it will get leaked. If anyone would like to rebut and tell me why I'm dead wrong I would love to hear it. What are your thoughts on this?
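The two validation designs the post weighs (phone re-derives the code from its ID with a built-in hash, versus the server signing the ID and the phone holding only the public key) as a constructed model; this is added here and is not HTC's scheme, and the SHA-256 truncation, the Mersenne-prime RSA key and the device ID are all assumptions made for the demo.

```python
"""Model of two bootloader-unlock validation designs (constructed example)."""
import hashlib
import hmac

# Design A: the phone re-derives the expected unlock code from its own ID
# with a built-in algorithm (hypothetical: SHA-256 truncated to 16 bytes).
# Whatever the algorithm is, it lives on the phone, so a NAND dump reveals
# everything needed to mint codes for any ID.
def hash_design_expected_code(device_id: str) -> str:
    return hashlib.sha256(device_id.encode()).hexdigest()[:32]

def hash_design_verify(device_id: str, code: str) -> bool:
    # Constant-time compare so response timing does not leak the expected code.
    return hmac.compare_digest(hash_design_expected_code(device_id), code)

# Design B: the unlock server signs the device ID; the phone stores only the
# public half (N, E) and verifies. Textbook RSA with two Mersenne primes keeps
# the arithmetic visible; real deployments use padded signatures and large keys.
P, Q = 2**31 - 1, 2**61 - 1                 # demo primes, not a real key
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent: server-side only

def _digest_as_int(device_id: str) -> int:
    return int.from_bytes(hashlib.sha256(device_id.encode()).digest(), "big") % N

def server_sign_unlock_token(device_id: str) -> int:
    """What the unlock server returns for this ID; requires D."""
    return pow(_digest_as_int(device_id), D, N)

def phone_verify_unlock_token(device_id: str, token: int) -> bool:
    """Runs on the phone with only (N, E): recover the digest and compare.
    A dump of the phone yields (N, E) but not D, so it cannot produce tokens."""
    return pow(token, E, N) == _digest_as_int(device_id)
```

The contrast is the point of the post: in design A the phone's own contents are sufficient to compute valid codes, in design B they are sufficient only to check them.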
Just a pointer: even with the phone's limited processing power, as long as it's not trying to crack, generate keys, or encrypt stuff, it would be very easy to use a very long key.
Edit: there could also be a chip on the board that checks a hash of the bootloader; if the hash is different (think MD5) the bootloader is not the same. However, it would not prevent you from doing so, rather it would prevent your phone from booting.
Lol just shot my own idea out of the sky
Sent from my ADR6300 using XDA App
Hello,
I'm sorry to bother you with an apparently repetitive thread, but I assure it is not.
I've been dealing with this problem for over a year now. Of course there were times that I simply gave up, but every now and then I searched all over the internet (seriously; very resilient, I am) and tried everything. Nothing seems to work.
The issue is: one day I was reading something on Google Reader and the tablet restarted. When it came back, it was in this password screen.
[AS A NEW USER I COULDN'T POST THE IMAGE - please see attachment ending in 41]
Detail: I had never, EVER set any kind of password. I don't do this with any of my devices unless I'm obliged to (as in Windows 8, this big piece of shiite).
So the thing is: I did not set a password, I did not choose to ask for a password in any situation and there isn't a single combination that I haven't tried. The thing doesn't even ask me to stop -- like 'hey, you've tried your 30k input, I think you should stop now'.
Now, for you not to start cursing me, I tried EVERYTHING that is basic and post-basic to fix it. I did wipe the data, I tried flashing another ROM, I did cold boot, factory reset, EasyFlashed, nvflashtf and whatnot. I swear to GoogleGods that I, as a non-expert-but-very-keen-on-technology, could.
Another thing that happens is when I try to enter the recovery mode, after using the nvflash, it doesn't work. The image that appears to me is this one:
[SAME THING -- attachment ending in 38]
Again: I'm not a complete noob. I know how to get into things; all I need is a simple guidance. I'm really sorry if this has been posted before and only I couldn't find it, but I won't be so if someone helps me to get it and solve my problem. I can't stand this anymore -- now it's just a matter of pride.
Thank you all.
This happened to me on my SL101 after I flashed a ROM of some sort. I used ADB commands to push the stock ROM back to it and to push another Recovery to it. Mine was in worse shape, a Recovery loop, and then I finally got it to where yours currently is. Neither my physical nor my on-screen keyboard would even work. Look up some ADB commands, perhaps you already know them, and attempt to either push the stock ROM or a new Recovery blob back to it.
D
DatDude123 said:
Look up some ADB commands, perhaps you already know them, and attempt to either push the stock ROM or a new Recovery blob back to it.
D
Yeah, well, y'know, I'm not at this level yet, but I'll dig into ADB and stuff.
I tried to use this sometime in the past, but my computer was so bad back then that I had to give up to keep my sanity. Now I've got a fairly good one (very good, considering the few things I use it for), however much less time.
Tonight is the night, though. I'll study as much as I can and I'll fix this ****. Any tip you may remember now would be useful.
Thanks.
I'm struggling with something even before I start: there's no way I can get access to the system and turn the USB Debugging on.
I know I'm not getting much attention, but I won't give up. Please just do not accuse me of spamming; I'm just a desperate geek that has been kept away from his toy.
Alright, after the childish speech, here's the latest update: I cannot use the ADB thing because there's no way I can turn on the USB debugging mode.
Or is there? The latest news is that I can get access to some system files through the ASUS File Manager (turns out it still reads the MicroSD Card, even though I could not update the device this way). So, technicians, is there a way to hack into this beast? Fu ck, I don't even know how to call it anymore.
There isn't much I can do with this File Manager. Mostly visualize the folders and rename this and that (which is the only thing I reckon might be useful).
Jesus, I'm sleepy, I can't even write properly anymore. Please someone help me. It can't be that hard.
maycondimas said:
I know I'm not getting much attention, but I won't give up. Please just do not accuse me of spamming; I'm just a desperate geek that has been kept away from his toy.
Alright, after the childish speech, here's the latest update: I cannot use the ADB thing because there's no way I can turn on the USB debugging mode.
Or is there? The latest news is that I can get access to some system files through the ASUS File Manager (turns out it still reads the MicroSD Card, even though I could not update the device this way). So, technicians, is there a way to hack into this beast? Fu ck, I don't even know how to call it anymore.
There isn't much I can do with this File Manager. Mostly visualize the folders and rename this and that (which is the only thing I reckon might be useful).
Jesus, I'm sleepy, I can't even write properly anymore. Please someone help me. It can't be that hard.
For some reason I thought you were on the SL101 (Slider) so I didn't comment. So here's the deal: any fix is going to be data destructive (nothing you can do at this point, as even if you manage to pull data from the tablet, it will be encrypted). You need EasyFlasher (dev section); follow the instructions there (basically downloading stock firmware from Asus and, by using nvflash in APX mode, it will re-partition storage and upload the stock firmware to the TF101).
If you hit any problems, post them here and I'll help you further.
Edit: just read your post more. If you tried EasyFlasher and it didn't work, please post the details of what you tried within EasyFlasher.
It's a strange issue. If it happened to me and I'd tried the things you already have, this is what I'd try:
- Flashing Ubuntu from the dev section (I know very little about how nvflash works, but it may be only re-partitioning certain partitions; Ubuntu, I would imagine, would require a full re-partitioning).
- Alternatively (or on top of the previous idea) use one of the Ubuntu installers (OLiFE on Ubuntu worked the best for me, but Frank's tools / newer software based on Frank's tools should work fine) and flash the Prime! ROM on its own.
If these don't work, your last resort is Asus - but that's a long shot lol
maycondimas said:
I know I'm not getting much attention, but I won't give up. Please just do not accuse me of spamming; I'm just a desperate geek that has been kept away from his toy.
Alright, after the childish speech, here's the latest update: I cannot use the ADB thing because there's no way I can turn on the USB debugging mode.
Or is there? The latest news is that I can get access to some system files through the ASUS File Manager (turns out it still reads the MicroSD Card, even though I could not update the device this way). So, technicians, is there a way to hack into this beast? Fu ck, I don't even know how to call it anymore.
There isn't much I can do with this File Manager. Mostly visualize the folders and rename this and that (which is the only thing I reckon might be useful).
Jesus, I'm sleepy, I can't even write properly anymore. Please someone help me. It can't be that hard.
If you can't get into anything but you can enter APX mode, and NVFlash doesn't work, then I'm not sure anything will, as NVFlash completely deletes and recreates all the partitions on the drive.
So unless you have been unlucky and downloaded a bad version of an NVFlash ROM....
I know you say you have used NVFlash but I'll stick this here anyway.
The way I restore is:
Connect tablet to PC and make sure the tablet is turned off (Make sure it is the only USB device connected other than keyboard/mouse)
Hold Volume Up + Power for a few seconds until you hear the USB connect sound on the PC, release the buttons, you are in APX mode
Install APX drivers if you have not already
Now extract this
http://www.xdafileserver.nl/Files/Asus/Asus%20Transformer%20(TF101)/STOCK%20ROMS/ICS%20.27/NVFLASH_ICS_9.2.1.27_WW_NOROOT.7z
And run "download.bat"
I think you should see some text appear on the tablet screen, and progress will be shown in the command prompt window on the PC
Wait for it to complete 100%
It's been a while, so I can't remember if the tablet will reboot on its own or if you need to hold power for 30 seconds to get out of APX mode.
Either way, make sure it is completely finished and reboot the tablet.
The only thing I can remember going wrong with NVFlash was the first time I rebooted after a successful boot; it would hang on a black screen.
Just hold power for 30 seconds and then power on normally. Done; if it has worked you have your tablet back, if not, I think it's a hardware issue > see Asus.
I'm very keen to get this fixed / find the issue, as up until now I thought the TF101 was virtually software invincible. You need to pay attention to what the nvflash process says; the one thing I can think of as to why nvflash didn't work is that it can't write over encrypted partitions, although that would make no sense as to why it wouldn't.
Just a suggestion... make sure you're not docked. Some people report issues when nvflashing while docked (I can't replicate those issues except with the Tubuntu tool).
Is there a solution?
I also have an error! see picture
Unit: ASUS Memopad 10" FHD
OS: I believe it's on 4.4, I don't use it so I'm not 100%
Intel Bay Trail Model
Droidboot Bootloader
Hard-reset button for "Recovery"
The tablet is stuck such that it only loads up to the logo and stays there. I can still power it off by holding power, but it does not progress into the operating system. I can get into droidboot.
My mother has not backed anything up on it, and I'm sure she'd like to get her data off, so here's my predicament and the tools available to me:
1. I do have fastboot access through my PC. No MTP or USB storage I've managed thus far.
2. I very briefly managed to get ADB access, but the tablet does not have debugging enabled and I have not managed to get into it again.
3. I have some knowledge of rooting, this tablet does apparently have it, but I'm concerned as to whether a data wipe will be required.
Preserving the OS is unimportant if I can get the data off, that's the important stuff. I'm sure all the tablet needs is a factory restore, but I've avoided that for obvious reasons. Now, something that may make this more awkward is that I *very* briefly started the factory restore by accident (tapped one too many on vol and confirmed), but terminated it ASAP. Not sure what may have happened, but this could impact things.
Is there perhaps some sort of update.zip I could flash that is just a data backup script to a microsd card? Just a thought. I have no idea if this is even doable, or how to write the script if it was.
Thank you kindly for any assistance! Sadly, this tablet has been troublesome since day 1 (screen flickers during boot and freezes), but on the whole it's worked OK, given that it was a clearance item that had previously been $240, for only $129.
So I reverted my K1 back to 5.1 since I was never able to get rid of the lags and battery drains with Marshmallow. Everything went fine, but my SD card wasn't recognized anymore, most likely since I used it as adopted storage in MM. So what I tried was to repartition it via adb. Sadly, and because I'm a dumb**** sometimes, I erased /dev/block/mmcblk0, which seems to be not the SD card but the internal memory. So for now, after a restart, the tablet won't even go to fastboot mode; the screen stays completely black. Is there any way of recovering it, e.g. booting from a USB device?
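A pre-flight check for exactly the mistake described above (mmcblk0 is normally the eMMC, mmcblk1 the card, but the numbering is not guaranteed), added here as an example and not part of the post or of any Android tool. It assumes the Linux sysfs layout where `/sys/block/<dev>/device/type` reads "MMC" for eMMC or "SD" for a card and `/sys/block/<dev>/size` gives 512-byte sectors; the demo builds a constructed fake tree rather than touching real devices.

```python
"""Refuse to repartition a block device unless sysfs says it is an SD card."""
import os
import tempfile
from typing import Optional, Tuple

INTERNAL_TYPES = {"MMC"}      # eMMC: the tablet's internal storage

def _read_sysfs(sysroot: str, dev: str, *rel: str) -> Optional[str]:
    # Assumed layout: <sysroot>/block/<dev>/... ; None if the node is missing.
    try:
        with open(os.path.join(sysroot, "block", dev, *rel)) as f:
            return f.read().strip()
    except OSError:
        return None

def mmc_card_type(dev: str, sysroot: str = "/sys") -> Optional[str]:
    return _read_sysfs(sysroot, dev, "device", "type")

def device_size_gib(dev: str, sysroot: str = "/sys") -> Optional[float]:
    sectors = _read_sysfs(sysroot, dev, "size")
    return None if sectors is None else int(sectors) * 512 / 2**30

def safe_repartition_target(dev: str, sysroot: str = "/sys") -> Tuple[bool, str]:
    """Return (ok, reason). Anything that is not provably an SD card is refused,
    including an unreadable type: guessing is how internal storage gets wiped."""
    if dev.startswith("/dev/block/"):
        dev = dev[len("/dev/block/"):]
    card = mmc_card_type(dev, sysroot)
    if card is None:
        return False, f"{dev}: cannot read card type, refusing to guess"
    if card in INTERNAL_TYPES:
        return False, f"{dev}: card type {card} is internal storage"
    if card != "SD":
        return False, f"{dev}: card type {card} is not an SD card"
    size = device_size_gib(dev, sysroot)
    size_txt = "size unknown" if size is None else f"{size:.1f} GiB"
    return True, f"{dev}: SD card, {size_txt}"

def build_constructed_sysfs(root: str) -> None:
    """Constructed fake tree: mmcblk0 = 16 GiB eMMC, mmcblk1 = 32 GiB SD card."""
    for dev, ctype, gib in (("mmcblk0", "MMC", 16), ("mmcblk1", "SD", 32)):
        devdir = os.path.join(root, "block", dev, "device")
        os.makedirs(devdir)
        with open(os.path.join(devdir, "type"), "w") as f:
            f.write(ctype + "\n")
        with open(os.path.join(root, "block", dev, "size"), "w") as f:
            f.write(str(gib * 2**30 // 512) + "\n")

def run_demo() -> dict:
    """Check the two constructed devices plus one that does not exist."""
    root = tempfile.mkdtemp()
    build_constructed_sysfs(root)
    return {d: safe_repartition_target(d, root)
            for d in ("mmcblk0", "mmcblk1", "mmcblk2")}

if __name__ == "__main__":
    for dev, (ok, reason) in run_demo().items():
        print("OK  " if ok else "STOP", reason)
```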
What does your PC say under device manager when you plug in?
Most certainly gone. The official kill switch for recalled tablets also works by erasing some of the partitions of mmcblk0.
Rackers said:
What does your PC say under device manager when you plug in?
I only get it running in APX mode. So as far as I read, there might be some way of using nvflash to recover it, but I wasn't able to find further information about that. As there seems to be no Windows driver, I connected it to my Linux system and it shows up as "NVidia device" there.
There exists a flash tool (nvflash) for this case, but it needs a code that is unique to each device. Your only option seems to be to contact NV. Maybe they will restore your mmc for a reasonable fee.
After a few chats with NVidia support, I RMA'd the tablet and they sent me a replacement without issuing any fees. I must admit, that's pretty cool and unexpected service. Now I'll just have to make a decision whether to keep my Mediapad M2, which I bought as a replacement, or the K1. :\
My device just got bricked. It was part of the recall and I had removed TegraOTA long ago. Today, after a few weeks of testing out CM13, I decided to go back to stock, remembered to flash the NoMoreOTA zip file but for some reason, it didn't stick. My device started downloading an update which I failed to get suspicious at, then shut down and hasn't come back online since.
This is far more than the frustration of losing a device and its data. It's a scary thought that NVidia has the ability to so utterly control our devices from a distance, with very little that can be done to prevent it if you're an average user. Remember that fuss when Amazon used DRM in their EBooks to remotely delete them from the computers of customers that legally purchased and should've had full rights to the content? This is inexcusable, and we must work to find a fix and pressure NVidia into giving up this disturbing practice.
Here is a basic list of resources I'm researching that have potential. I'll be posting stream-of-consciousness, and these links will also be here for reference when I reboot into Linux for some of the more advanced stuff. I can't make any promises, but stay tuned, this might just work!
Resources
Main XDA discussion RE kill switch
An old method that worked on the first variation of the kill switch (doesn't help anymore, since now the kill switch directly attacks the bootloader)
More discussion on the topic:
https://forum.xda-developers.com/shield-tablet/help/shield-tablet-stuck-apx-mode-black-t3074446
So far:
Bootloader is corrupted. Device is showing as APX.
Step one, therefore: download APX drivers.
I found these for the Note 7, weren't easy to come across.
Slight issue with signature verification. You need to reboot into advanced settings and disable device driver signature verification.
http://www.howtogeek.com/167723/how...8.1-so-that-you-can-install-unsigned-drivers/
To use NVFlash, we need the device's SBK. Most forum members seem to agree that's virtually impossible without a leak from NVidia themselves, but those same people also claimed the same issue with getting an APX driver for the Shield, so maybe it can be done. A hopeful post on the matter:
[GUIDE] Recovering Recovery/Obtaining SKB
The link below looks promising; we need to obtain the blob from the stock ROM. The guy claims he has the blob file, but we still need the SBK:
https://www.reddit.com/r/theNvidiaS...shield_tablet_bricked_at_1114_pm_est/cu2kudk/
This might help:
SBCalc - Generate your SBK (v1.1)
https://forum.xda-developers.com/showthread.php?t=1927818
What is NVFlash and what are SBKs?
http://www.androidroot.mobi/pages/the-inner-workings-of-secure-boot-key-and-nvflash/
More unresolved threads on this topic:
https://forum.xda-developers.com/shield-tablet/help/shield-tablet-stuck-apx-mode-black-t3074446
https://forum.xda-developers.com/shield-tablet/general/recover-y01-battery-shield-tablet-t3199153/
Live Updates To Come
You can't repair a kill-switched NST, because TegraOTA attacks the bootloader at a low level and the bootloader is permanently corrupted.
Also, since the Nvidia Tegra Note 7 SBK key is not used (it's an ODM key system), they are heading into the wrong bush. Only Nvidia knows the ODM key. But good luck.
Hey ReckoningForce,
Really hope you find a way, been searching for hours myself.
Driving me mad, as I was bloody stupid enough to turn my should-have-been-recalled device on without turning off the WiFi first, so unfortunately I'm in the same boat as yourself.
Please update this thread if you get anything working!
Thanks again mate
Hi, I have a Shield 2017 with the bootloader unlocked, but after downgrading from 9.1 to 8 (7.2.3) it is in a permanent loop:
1. message about the unlock risk
2. Nvidia logo
3. coloured circle of Android running
After it prints "android" on the display it loops into the Nvidia logo and repeats those steps again infinitely; HDMI recognizes it as "Shield".
If I plug a keyboard into the USB port and try to boot into fastboot/recovery (A+B+PWRON) it doesn't
loop anymore but is stuck on the running coloured circles on screen; HDMI recognizes it as "PB1".
Also, on the USB service port it is recognized as an MTP USB device.
Does any possibility exist of getting into recovery or fastboot mode, or do I need to throw it out?