88F3BDF8 aAndroidBoot DCB "ANDROID-BOOT!",0
88F3BE06 DCB 0, 0
88F3BE08 var_unlocked DCD 0
88F3BE0C var_tampered DCD 0
88F3BE10 var_reset_cnt DCD 0
Above is the layout of the partition table start; this is a copy from memory.
From what I can see this phone has no real fuses. If you compare the CPU-IDs,
which are numbers stored at offset 0xDC from base 0x80000930, you have:
00 79 50 E1 CMP R0, R0,LSL#18 "8260a-3"
00 79 10 E1 TST R0, R0,LSL#18 "8260a-1"
Now this might be a coincidence, but these numbers also decode as the above ARM
instructions, so my guess is that the processor might just have 2 versions of
masked ROM code and they distinguish between them with the comparison of an
instruction from this ROM (the primary boot).
The "unlocked" variable is a plain flash location. So any method which will write
a non-zero value at offset 0x10 from the flash partition table will unlock your
phone. The "tampered" variable, which only has a meaning in RAM, is set when the
phone is locked and the kernel doesn't have or doesn't pass the X509 certificate.
The first possible way to unlock the device is by using this loophole which allows
any phone to boot from an unsigned kernel via the UART_DM protocol. This phone
has a bootloader based on lk, the (L)ittle (K)ernel based Android bootloader,
and when you issue the command 'fastboot boot some.img' you are actually sending
the image via the USB line (UART_DM) and the bootloader happily runs it but
sets the tampered variable. Now if one makes an image and copies just the subroutines
from the leaked fw which do the "oem unlock" and makes a "kernel" image out
of it (with abootimg utility) then runs it with the fastboot command it will
mark the partition as unlocked.
If one wants to trace what the phone is doing at early stages, the stock bootloader
also accepts the 'oem debug on/off' command which will toggle logging messages in
the misc partition.
This unlock can only happen at the bootloader stage because by the time you have
booted the kernel (or the recovery which is also a kernel) you cannot see the
partition table anymore, just the partitions.
The second obvious mode to unlock the phone is via JTAG. When the phone is
manufactured the flash is blank. The flash is an eMMC device which is a chip
that has both a controller and a flash memory in it which conforms to JEDEC
specifications. So all the JTAG capable devices on the board must be daisy chained
to a JTAG connector. Using a JTAG programmer and knowing the eMMC type one should be
able to read and write any location of the flash. Write a 1 at offset 0x10 and you
What I said here are just ideas for others to explore. I only have an unlocked "-3"
phone so I don't plan to go any further.
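The following is an added example, not code from the post above or from the phone's firmware. It models the partition-table start exactly as the post lays it out (14-byte "ANDROID-BOOT!" magic, 2 bytes of padding, then the unlocked, tampered and reset_cnt words at 0x10, 0x14 and 0x18), parses a constructed copy of it, and shows why a plain flash word is a weak design: a single byte written at offset 0x10 changes the parsed lock state. It then contrasts that with a hypothetical mitigation, binding the header to a device-unique key with an HMAC so that the same raw write no longer yields a trusted "unlocked" state. The little-endian 32-bit word size, the `device_key` value and the HMAC scheme are assumptions for illustration; nothing here describes what this particular phone actually does.

```python
import hashlib
import hmac
import struct

# Layout from the post: "ANDROID-BOOT!\0" (14 bytes), 2 pad bytes, then
# three 32-bit words: var_unlocked, var_tampered, var_reset_cnt.
# Little-endian words are an assumption (ARM, as the listing suggests).
HEADER_FMT = "<14s2xIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)      # 0x1C bytes
MAGIC = b"ANDROID-BOOT!\0"
UNLOCKED_OFFSET = 0x10                         # var_unlocked, as in the post


def build_header(unlocked: int, tampered: int, reset_cnt: int) -> bytes:
    """Construct a sample partition-table start with the given variables."""
    return struct.pack(HEADER_FMT, MAGIC, unlocked, tampered, reset_cnt)


def parse_header(blob: bytes) -> dict:
    """Parse the header; raises ValueError if the magic does not match."""
    magic, unlocked, tampered, reset_cnt = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC:
        raise ValueError("bad partition table magic")
    return {"unlocked": unlocked, "tampered": tampered, "reset_cnt": reset_cnt}


def is_unlocked_plain(blob: bytes) -> bool:
    """The weak design: trust whatever non-zero value sits in flash."""
    return parse_header(blob)["unlocked"] != 0


# --- hypothetical mitigation (assumption, not the phone's design) ---------
# Seal the header with an HMAC under a key only the trusted boot code holds
# (e.g. derived from a hardware-unique secret). A raw flash write can change
# the flag but cannot produce a matching tag, so the flag is not trusted.

def seal_header(blob: bytes, device_key: bytes) -> bytes:
    """Tag the header bytes with HMAC-SHA256 under the device key."""
    return hmac.new(device_key, blob[:HEADER_SIZE], hashlib.sha256).digest()


def is_unlocked_sealed(blob: bytes, tag: bytes, device_key: bytes) -> bool:
    """Only report 'unlocked' when the tag verifies and the flag is set."""
    expected = seal_header(blob, device_key)
    if not hmac.compare_digest(expected, tag):
        return False              # header was modified outside trusted code
    return parse_header(blob)["unlocked"] != 0


def demo() -> dict:
    """Show the plain flag flipping under a raw write, and the sealed one not."""
    device_key = b"constructed-device-unique-key"   # constructed sample key
    locked = build_header(0, 0, 0)
    tag = seal_header(locked, device_key)

    # Simulate the raw write the post describes: a 1 at offset 0x10.
    raw_write = bytearray(locked)
    raw_write[UNLOCKED_OFFSET] = 1
    raw_write = bytes(raw_write)

    return {
        "plain_before": is_unlocked_plain(locked),
        "plain_after_raw_write": is_unlocked_plain(raw_write),
        "sealed_after_raw_write": is_unlocked_sealed(raw_write, tag, device_key),
        # A legitimate unlock path would re-seal with the key:
        "sealed_legit_unlock": is_unlocked_sealed(
            raw_write, seal_header(raw_write, device_key), device_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the contrast is the one the post makes implicitly: as long as the lock state is an unauthenticated word in rewritable flash, any write path (an unsigned kernel run from the bootloader, or a JTAG programmer talking to the eMMC) is an unlock path; binding the state to a secret held only by trusted boot code, or to a real fuse, is what removes that property.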