Help with Moto G bootloader unlock keygen (2023)

  • There are no posts matching your filters.

  • 14


    Wouldn't it be nice to have a keygen to unlock the bootloader without obtaining the key from motorola?
    I have been investgating the relationship between the bootloader return code and unlock key and have discovered the following:
    Note: For security I have replaced my IMEI and serial number, all other numbers are real. I'm not sure if anyone else has had a go at this but found nothing on XDA.


    fastboot oem get_unlock_data1A23457698214365#5441383930304242443700585431303332000000#140A858731D55F3B5DF78F0F6BB9EAE32A2B8945#3D372B020F0000000000000000000000

    If I use the # character as a separator I get:



    Line 1: With the exception of the 2nd character 'A' inserted, these characters are my IMEI number re-arranged a little.
    The last 5 pairs of digits are swapped so an IMEI of 123456789123456 converts to 1A23457698214365

    Line 2: Converting this line from hex to ascii gives me TA8900BBD7�XT1032���
    This is serial and model number with a 00 byte as a spacer and 3 filler at the end.

    Line 4: This is my bootloader UID (obtained from 'fastboot getvar uid' command)

    Lines 1&2&4 I suspect have no relationship whatsoever with the unlock key.
    Probably used to validate and log you on the motorola server when you request the unlock key, ultimately serving the purpose of voiding the warranty.

    Line 3: Coincidence? Could this 20 byte string be relative to the 20 byte unlock key via some simple algorithm assuming lazy programming and/or limited space for code in the bootloader hardware? I couldnt tie this number to anything on my phone so I am guessing this code is derived from the unlock code during the 'fastboot oem get_unlock_data' command.

    I tried online with varied IMEI and serials in the code and also using original values but with varied numbers in line 3 but could not get another unlock code. I don't think I can progress without more examples.

    This was my unlock code: W4ZUEO2TZALOGJJWPRMO
    Converted to hex: 57345A55454F32545A414C4F474A4A5750524D4F


    So somehow 140A858731D55F3B5DF78F0F6BB9EAE32A2B8945becomes 57345A55454F32545A414C4F474A4A5750524D4F

    Could possibly involve the UID in the equation but I wouldn't bother if I were writing the bootloader and if so, then why have line 3 anyway?

    I tried, a few sums but now I have a headache so I return to my life assisted by alcohol. Surely the solution has to be simple. Just thought I would post and see if anyone else could pick up from where I left off.

    Have fun.......

    Jan 31, 2014View



    For the moment the program only analyzes and prepare the datas obtained via "$ fastboot oem get_unlock_data".
    A few years ago I studied the cipher cards, but almost nothing. I think we will have to collaborate all of us.
    This is an entertainment that not everyone has time to devote, but if you like you spend one minute.

    Imei used, hash and UID bootloader. Model and serial number in hex ​​line 2 does not use it.
    All data is used except line 2 (Serialnumber and Model) in the page of motorola unlock device.
    I have written some incorrect data and tells me "Your device does not qualify for bootloader unlocking",
    but if I return to write well, tell me if I can unlock. So as you can see in the code of the page



    Uses these 3 values full. My program, for the moment only prepare and presents the data to send.

    Note: in


    i received "Not qualified", but in


    are ok for unlocking.

    Feb 27, 2014View




    danilocps87 said:

    So, we are just wasting time here. There are nothing to do about this... Even if we have sucess with a keygen, our warranty will be void...

    For warranty and for USA and GLOBAL gsm units your probably right but you have to remember there are versions of the moto g that are not allowed to be unlocked by moto like the verizon and the AIO versions and I am sure a working unlock would be very helpful to owners of those units that have no unlock options

    May 3, 2014View




    Izaak99 said:

    Can someone who unlocked and was willing to give out their code also dump their persist, UTAGS, CID and PDS partitions and upload it here?

    The CID partition is where the unlock_data command is getting those hashes (the entire hex strings are taken directly out of there). The PDS and UTAGS partitions are also partitions where the data is specific to the phone (both contain the serial #) and I'm curious if I can find any correlation to someone's unlock code stored somewhere in there. If nothing pans out then it looks like a very painful process to crack.. if the exact algorithm/which keys they are using to hash with the unlock code were known and if its even using that hash in the CID to match, then its very possible to use hashcat to find your key. I just have a feeling (more like hoping) its easier than brute-forcing it out there and its written as a backup somewhere.

    FYI, there are some interesting strings just by dumping that fastboot partition:

    token "%s" is found. Replace it with "%s".
    Malloc for DBVC: db_len %x failed!
    No CID partition found!
    failed to read CID 1st part of block for partition %s
    %s: temp buffer malloc failure!
    %s: hash_ptr malloc failure!
    %s: hash calculation faliure!
    %s: hash calculation failure!
    hash at offset i: %02d : %02x does not match
    Error while unlocking device
    mot_sst_validate_token: Token header incorrect
    mot_sst_validate_token: Format version incorrect
    mot_sst_validate_token: Length incorrect
    mot_sst_validate_token: Binding information incorrect
    mot_sst_validate_token: Unable to validate token integrity
    mot_sst_validate_token: Token integrity invalid
    unlock failed in sst oem unlock handler %02x
    unlock data invalid!
    Cannot provide unlock data
    Cannot provide unlock data!
    general failure in sst oem unlock handler %02x
    General system failure! %02x
    Unlock completed! Wait to reboot
    General Unlock failure!
    unlock failed in sst oem unlock handler
    Done Setup my special MOT SST values
    mot_sst_create_token: Unable to retrieve PUID
    mot_sst_create_token: Unable to retrieve FUID
    mot_sst_create_token: Getting PSV
    mot_sst_create_token: Unable to retrieve PSV
    mot_sst_create_token: Generate token code
    mot_sst_create_token: token code generated!
    mot_sst_create_token: Writing token
    mot_sst_create_token: Unable to generate token code
    create_token status: %d
    mot_sst_create_token: Creating token
    mot_sst_create_token: Getting flash uid
    mot_sst_oem_lock_handler: invalid state
    mot_sst_oem_lock_handler: load and validate failed
    %s failure to delete or create token
    mot_sst_pal_gen_aes_cmac: START
    Success generating cmac
    FAIL generating cmac
    %s: failed to freeze utags: %d
    ERROR: Cannot write device info
    ERROR: out of memory
    ERROR: Cannot read device info
    ERROR: Device info corrupted
    failed to thaw utags from partition "%s", error: %d
    failed to load utags from secondary storage
    generating empty utags in memory
    dbval_validate_generic_datablock - Check Cert Chain
    dbval_validate_generic_datablock - Check DB Signature
    dbval_db_validate_gen_hdr - Check Type
    dbval_db_validate_gen_hdr - Read Processor UID
    dbval_db_validate_gen_hdr - Read Flash UID
    dbval_db_validate_gen_hdr - PAL UID
    dbval_db_validate_gen_hdr - DB UID
    dbval_db_validate_gen_hdr - Success
    dbval_db_validate_gen_hdr - Flash UID Length returned INVALID, must be 16 bytes
    dbval_db_validate_gen_hdr - Processor UID Length returned INVALID, must be 16 bytes

    I'm not understanding if you successfully got that information. But here is why this is probably a dead end.

    Technically it shouldn't be possible to do this because those memory locations are protected by ARM Trusted Zone. Not even kernel root can grab them. Only the bootloader has the privilege to do this, and I doubt that function was put in.

    The unlock key isn't stored on the phone. The unlock key gets hashed with the information on the phone and the result must match what is in that partition. So even if you got that value, it wouldn't do you any good.

    Don't take my word for it, take Dan Rosenberg's who hacked the bootloader the first time:

    "As a result, there is no way for a user to generate his or her own valid unlock token without either breaking RSA to violate the integrity of the CID partition, or by performing a pre-image attack against SHA-1, both of which are computationally infeasible in a reasonable amount of time.

    Jun 14, 2014View




    [DEPRECEATED] Random key generator for Linux (Code included) and Windows as well

    I have just created a Random key generator based on the keys listed in the Google document. I have included the CPP file in the archive itself, my coding is not so good, i tried my best to explain.

    I made script for Linux since i don't have any idea how to easily do it on windows while

    The program will work on any platform. It works on the basis of some facts which may be false:-

    1. The first and last 2 elements are always character
    2. At most 3 integers are there in the key.

    I do not guarantee that this will work as it is entirely luck. I will still love to see a keygen though. This is all i could do! Please improve it if you can and i feel at least 10-15 examples are needed for a perfect keygen.
    The attachment consists of cpp file, a script, an executable, and a information file.

    To start put your device in fastboot mode and just execute the script inside the folder as a root or using sudo otherwise fastboot will not recognize your device.



    sudo /




    UPDATE: Just made some changes in the program as script was not working and same set of numbers were being generated again and again, Please download.

    UPDATE 2: As per the request i have compiled it for Windows as well. There is a separate archive which has a file KeygenRun.bat which should be Run after the device is put on fastboot mode. Copy the content to your fastboot folder. Just Shift+Right-click in the fastboot folder and open command prompt and type KeygenRun.bat. It will start running fastboot commands.

    Aug 17, 2014View

  • Top Articles
    Latest Posts
    Article information

    Author: Lilliana Bartoletti

    Last Updated: 01/02/2023

    Views: 5547

    Rating: 4.2 / 5 (53 voted)

    Reviews: 92% of readers found this page helpful

    Author information

    Name: Lilliana Bartoletti

    Birthday: 1999-11-18

    Address: 58866 Tricia Spurs, North Melvinberg, HI 91346-3774

    Phone: +50616620367928

    Job: Real-Estate Liaison

    Hobby: Graffiti, Astronomy, Handball, Magic, Origami, Fashion, Foreign language learning

    Introduction: My name is Lilliana Bartoletti, I am a adventurous, pleasant, shiny, beautiful, handsome, zealous, tasty person who loves writing and wants to share my knowledge and understanding with you.