This entry has been cut, click to read on.
The "unlocked" variable is a plain flash location. So any method which will write a non-zero value at offset 0x10 from the flash partition table will unlock your phone. The "tampered" variable which only has a meaning in RAM is set when the phone is locked and the kernel doesn't have or doesn't pass the X509 certificate check.
Unlocking is performed by using a loophole which allows any phone to boot from an unsigned kernel via the UART_DM protocol. This phone has a booloader based on lk. (L)ittle (K)ernel based Android bootloader and when you issue the command 'fastboot boot some.img' you are actually sending the image via the USB line (UART_DM) and the bootloader happily runs it but sets the tampered variable. Now if one makes an image and copies just the subroutines from the leaked fw which do the "oem unlock" and makes a "kernel" image out of it (with abootimg utility) then runs it with the fastboot command it will mark the partition as unlocked.