14
Scramble
Wouldn't it be nice to have a keygen to unlock the bootloader without obtaining the key from motorola?
I have been investigating the relationship between the bootloader return code and unlock key and have discovered the following:
Note: For security I have replaced my IMEI and serial number, all other numbers are real. I'm not sure if anyone else has had a go at this but found nothing on XDA.
Code:
fastboot oem get_unlock_data
1A23457698214365#5441383930304242443700585431303332000000#140A858731D55F3B5DF78F0F6BB9EAE32A2B8945#3D372B020F0000000000000000000000
If I use the # character as a separator I get:
Code:
1A23457698214365
5441383930304242443700585431303332000000
140A858731D55F3B5DF78F0F6BB9EAE32A2B8945
3D372B020F0000000000000000000000
Line 1: With the exception of the 2nd character 'A' inserted, these characters are my IMEI number re-arranged a little.
The last 5 pairs of digits are swapped so an IMEI of 123456789123456 converts to 1A23457698214365
Line 2: Converting this line from hex to ascii gives me TA8900BBD7�XT1032���
This is serial and model number with a 00 byte as a spacer and 3 filler at the end.
Line 4: This is my bootloader UID (obtained from 'fastboot getvar uid' command)
Lines 1&2&4 I suspect have no relationship whatsoever with the unlock key.
Probably used to validate and log you on the motorola server when you request the unlock key, ultimately serving the purpose of voiding the warranty.
Line 3: Coincidence? Could this 20 byte string be relative to the 20 byte unlock key via some simple algorithm assuming lazy programming and/or limited space for code in the bootloader hardware? I couldn't tie this number to anything on my phone so I am guessing this code is derived from the unlock code during the 'fastboot oem get_unlock_data' command.
I tried online with varied IMEI and serials in the code and also using original values but with varied numbers in line 3 but could not get another unlock code. I don't think I can progress without more examples.
This was my unlock code: W4ZUEO2TZALOGJJWPRMO
Converted to hex: 57345A55454F32545A414C4F474A4A5750524D4F
Code:
So somehow 140A858731D55F3B5DF78F0F6BB9EAE32A2B8945 becomes 57345A55454F32545A414C4F474A4A5750524D4F
Could possibly involve the UID in the equation but I wouldn't bother if I were writing the bootloader and if so, then why have line 3 anyway?
I tried a few sums but now I have a headache so I return to my life assisted by alcohol. Surely the solution has to be simple. Just thought I would post and see if anyone else could pick up from where I left off.
Have fun.......
Jan 31, 2014
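The field layout described in the post above, as an added example (not code from the thread): a parser that splits the `get_unlock_data` string and decodes the two identifying fields, plus a helper that masks them before the string is shared, as the poster did by hand. The function names are hypothetical, the field sizes are taken from the posted sample, and the IMEI rule follows the poster's description only.

```python
# Constructed from the string posted above (its IMEI and serial were already replaced).
SAMPLE = ("1A23457698214365"
          "#54413839303042424437" "00" "585431303332" "000000"
          "#140A858731D55F3B5DF78F0F6BB9EAE32A2B8945"
          "#3D372B020F" + "00" * 11)

FIELD_BYTES = (8, 20, 20, 16)  # IMEI, serial/model, hash, UID (sizes seen in the sample)

def split_fields(text):
    """Split on '#', tolerating whitespace and line wraps in copied fastboot output."""
    fields = "".join(text.split()).upper().split("#")
    if len(fields) != len(FIELD_BYTES):
        raise ValueError("expected 4 '#'-separated fields, got %d" % len(fields))
    for field, size in zip(fields, FIELD_BYTES):
        if len(bytes.fromhex(field)) != size:  # also rejects non-hex characters
            raise ValueError("field %r is not %d bytes" % (field, size))
    return fields

def decode_imei(field):
    """Per the post: drop the 'A' in position 2, swap digits in the last five pairs."""
    if field[1] != "A":
        raise ValueError("expected 'A' as the second character")
    tail = field[6:]
    swapped = "".join(tail[i + 1] + tail[i] for i in range(0, len(tail), 2))
    imei = field[0] + field[2:6] + swapped
    if not imei.isdigit():
        raise ValueError("decoded IMEI is not numeric")
    return imei

def decode_serial_model(field):
    """Serial and model are ASCII, separated and padded with 00 bytes."""
    parts = [p.decode("ascii") for p in bytes.fromhex(field).split(b"\x00") if p]
    if len(parts) != 2:
        raise ValueError("expected serial and model, got %r" % parts)
    return parts[0], parts[1]

def parse_unlock_data(text):
    imei_f, sn_f, hash_f, uid_f = split_fields(text)
    serial, model = decode_serial_model(sn_f)
    return {"imei": decode_imei(imei_f), "serial": serial, "model": model,
            "hash": hash_f, "uid": uid_f}

def redact_for_posting(text):
    """Mask the IMEI and serial/model fields; leave hash and UID untouched."""
    imei_f, sn_f, hash_f, uid_f = split_fields(text)
    return "#".join(("X" * len(imei_f), "X" * len(sn_f), hash_f, uid_f))

if __name__ == "__main__":
    print(parse_unlock_data(SAMPLE))
    print(redact_for_posting(SAMPLE))
```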
5
vientodearena
For the moment the program only analyzes and prepares the data obtained via "$ fastboot oem get_unlock_data".
A few years ago I studied the cipher cards, but almost nothing. I think we will have to collaborate all of us.
This is an entertainment that not everyone has time to devote, but if you like you spend one minute.
Imei used, hash and UID bootloader. Model and serial number in hex line 2 does not use it.
All data is used except line 2 (Serialnumber and Model) in the page of motorola unlock device.
I have written some incorrect data and tells me "Your device does not qualify for bootloader unlocking",
but if I return to write well, tell me if I can unlock. So as you can see in the code of the page
Code:
type:"POST",url:"/cc/productRegistration/verifyPhone/"+phoneSN+"/"+phonePUID+'/'+phoneHash+'/'...
It uses these 3 values in full. My program, for the moment, only prepares and presents the data to send.
Note: in
Code:
https://motorola-global-portal-pt.custhelp.com/cc/productRegistration/verifyPhone/phoneSN(IMEI)/phonePUID/phoneHASH
I received "Not qualified", but in
Code:
https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-b
it is OK for unlocking.
Feb 27, 2014
4
adm1jtg
danilocps87 said:
So, we are just wasting time here. There is nothing to do about this... Even if we have success with a keygen, our warranty will be void...
For warranty and for USA and GLOBAL gsm units you're probably right, but you have to remember there are versions of the moto g that are not allowed to be unlocked by moto, like the verizon and the AIO versions, and I am sure a working unlock would be very helpful to owners of those units that have no unlock options.
May 3, 2014
4
sprockkets
Izaak99 said:
Can someone who unlocked and was willing to give out their code also dump their persist, UTAGS, CID and PDS partitions and upload it here?
The CID partition is where the unlock_data command is getting those hashes (the entire hex strings are taken directly out of there). The PDS and UTAGS partitions are also partitions where the data is specific to the phone (both contain the serial #) and I'm curious if I can find any correlation to someone's unlock code stored somewhere in there. If nothing pans out then it looks like a very painful process to crack.. if the exact algorithm/which keys they are using to hash with the unlock code were known and if it's even using that hash in the CID to match, then it's very possible to use hashcat to find your key. I just have a feeling (more like hoping) it's easier than brute-forcing it out there and it's written as a backup somewhere.
FYI, there are some interesting strings just by dumping that fastboot partition:
0123456789abcdef0123456789ABCDEF<null>
token "%s" is found. Replace it with "%s".
dbval_read_partition
Malloc for DBVC: db_len %x failed!
No CID partition found!
failed to read CID 1st part of block for partition %s
Dlmot_sst_oem_lock_handler
mot_sst_validate_hash_password
%02X%02X%02X%02X%02X%02X%02X%02X#%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X#%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X#%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s: temp buffer malloc failure!
%s: hash_ptr malloc failure!
%s: hash calculation faliure!
%s: hash calculation failure!
hash at offset i: %02d : %02x does not match
Error while unlocking device
mot_sst_validate_token: Token header incorrect
mot_sst_validate_token: Format version incorrect
mot_sst_validate_token: Length incorrect
mot_sst_validate_token: Binding information incorrect
mot_sst_validate_token: Unable to validate token integrity
mot_sst_validate_token: Token integrity invalid
unlock failed in sst oem unlock handler %02x
unlock data invalid!
Cannot provide unlock data
Cannot provide unlock data!
general failure in sst oem unlock handler %02x
General system failure! %02x
Unlock completed! Wait to reboot
General Unlock failure!
unlock failed in sst oem unlock handler
Done Setup my special MOT SST values
mot_sst_create_token: Unable to retrieve PUID
mot_sst_create_token: Unable to retrieve FUID
mot_sst_create_token: Getting PSV
mot_sst_create_token: Unable to retrieve PSV
mot_sst_create_token: Generate token code
mot_sst_create_token: token code generated!
mot_sst_create_token: Writing token
mot_sst_create_token: Unable to generate token code
create_token status: %d
mot_sst_create_token: Creating token
mot_sst_create_token: Getting flash uid
mot_sst_oem_lock_handler: invalid state
mot_sst_oem_lock_handler: load and validate failed
%s failure to delete or create token
mot_sst_pal_gen_aes_cmac: START
Success generating cmac
FAIL generating cmac
%s: failed to freeze utags: %d
ERROR: Cannot write device info
ERROR: out of memory
ERROR: Cannot read device info
ERROR: Device info corrupted
failed to thaw utags from partition "%s", error: %d
failed to load utags from secondary storage
generating empty utags in memory
dbval_validate_generic_datablock - Check Cert Chain
dbval_validate_generic_datablock - Check DB Signature
dbval_db_validate_gen_hdr - Check Type
dbval_db_validate_gen_hdr - Read Processor UID
dbval_db_validate_gen_hdr - Read Flash UID
dbval_db_validate_gen_hdr - PAL UID
dbval_db_validate_gen_hdr - DB UID
dbval_db_validate_gen_hdr - Success
dbval_db_validate_gen_hdr - Flash UID Length returned INVALID, must be 16 bytes
dbval_db_validate_gen_hdr - Processor UID Length returned INVALID, must be 16 bytes
I'm not understanding if you successfully got that information. But here is why this is probably a dead end.
Technically it shouldn't be possible to do this because those memory locations are protected by ARM TrustZone. Not even kernel root can grab them. Only the bootloader has the privilege to do this, and I doubt that function was put in.
The unlock key isn't stored on the phone. The unlock key gets hashed with the information on the phone and the result must match what is in that partition. So even if you got that value, it wouldn't do you any good.
Don't take my word for it, take Dan Rosenberg's, who hacked the bootloader the first time:
"As a result, there is no way for a user to generate his or her own valid unlock token without either breaking RSA to violate the integrity of the CID partition, or by performing a pre-image attack against SHA-1, both of which are computationally infeasible in a reasonable amount of time."
Jun 14, 2014
4
PuLKit4xd
[DEPRECATED] Random key generator for Linux (Code included) and Windows as well
I have just created a Random key generator based on the keys listed in the Google document. I have included the CPP file in the archive itself, my coding is not so good, I tried my best to explain.
The program will work on any platform. It works on the basis of some facts which may be false:-
1. The first and last 2 elements are always characters
2. At most 3 integers are there in the key.
I do not guarantee that this will work as it is entirely luck. I will still love to see a keygen though. This is all I could do! Please improve it if you can and I feel at least 10-15 examples are needed for a perfect keygen.
The attachment consists of a cpp file, a script, an executable, and an information file.
To start, put your device in fastboot mode and just execute the script inside the folder as root or using sudo, otherwise fastboot will not recognize your device.
FOR LINUX
Code:
sudo ./bootul.sh
FOR WINDOWS
Code:
KeygenRun.bat
UPDATE: Just made some changes in the program as the script was not working and the same set of numbers was being generated again and again. Please download.
UPDATE 2: As per the request I have compiled it for Windows as well. There is a separate archive which has a file KeygenRun.bat which should be run after the device is put in fastboot mode. Copy the content to your fastboot folder. Just Shift+Right-click in the fastboot folder and open command prompt and type KeygenRun.bat. It will start running fastboot commands.
Aug 17, 2014