Unlocking the -1 based CPUs of Acer Cloudmobile S500
- 88F3BDF8 aAndroidBoot DCB "ANDROID-BOOT!",0
- 88F3BE06 DCB 0, 0
- 88F3BE08 var_unlocked DCD 0
- 88F3BE0C var_tampered DCD 0
- 88F3BE10 var_reset_cnt DCD 0
Above is the layout of the partition table start; this is a copy from memory. From what I can see this phone has no real fuses. If you compare the CPU IDs, which are numbers stored at offset 0xDC from base 0x80000930, you have:
- 00 79 50 E1 CMP R0, R0,LSL#18 "8260a-3"
- 00 79 10 E1 TST R0, R0,LSL#18 "8260a-1"
Now this might be a coincidence, but these numbers also decode as the above ARM instructions, so my guess is that the processor might just have 2 versions of masked ROM code and they distinguish between them with the comparison of an instruction from this ROM (the primary boot).
The "unlocked" variable is a plain flash location, so any method which writes a non-zero value at offset 0x10 from the start of the flash partition table will unlock your phone. The "tampered" variable, which only has a meaning in RAM, is set when the phone is locked and the kernel doesn't have, or doesn't pass, the X509 certificate check.
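To check the two claims above against a dump, here is an added example (not from the original post): it parses the header layout listed at the top (magic, two pad bytes, then the unlocked/tampered/reset_cnt words at 0x10/0x14/0x18) to report the stored lock state, and decodes the two CPU-ID words as ARM data-processing instructions to confirm they read as CMP and TST. The sample dumps are constructed, not real device data.

```python
import struct

# Layout of the partition-table start as listed above (offsets from the
# "ANDROID-BOOT!" magic): 14-byte magic incl. NUL, 2 pad bytes, then three
# little-endian 32-bit words: unlocked (0x10), tampered (0x14), reset_cnt (0x18).
ABOOT_MAGIC = b"ANDROID-BOOT!\x00"
HEADER_FMT = "<14s2sIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x1C bytes

def parse_aboot_header(blob):
    """Return the header fields from the start of a partition-table dump."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("dump too short: need %d bytes" % HEADER_SIZE)
    magic, _pad, unlocked, tampered, reset_cnt = struct.unpack_from(HEADER_FMT, blob)
    if magic != ABOOT_MAGIC:
        raise ValueError("bad magic %r" % magic)
    return {
        "unlocked": unlocked != 0,   # any non-zero word at 0x10 means unlocked
        "tampered": tampered != 0,   # only meaningful while in RAM, per the post
        "reset_cnt": reset_cnt,
    }

# ARM data-processing decode for the 4-byte CPU IDs quoted above. Bits 27..25
# are 000 for the register-operand form, the opcode is bits 24..21 (0xA = CMP,
# 0x8 = TST), Rn is bits 19..16, Rm is bits 3..0, the immediate shift amount is
# bits 11..7 and the shift type is bits 6..5 (00 = LSL, bit 4 clear).
DP_OPCODES = {0x8: "TST", 0xA: "CMP"}

def decode_cpuid_word(raw4):
    """Decode a little-endian CPU-ID word as an ARM instruction, or None."""
    word = struct.unpack("<I", raw4)[0]
    if (word >> 28) != 0xE or (word >> 25) & 0x7 != 0 or (word >> 4) & 1:
        return None                       # not an unconditional reg-shift DP op
    mnemonic = DP_OPCODES.get((word >> 21) & 0xF)
    if mnemonic is None or (word >> 5) & 0x3 != 0:
        return None                       # only CMP/TST with LSL handled here
    rn, rm, shift = (word >> 16) & 0xF, word & 0xF, (word >> 7) & 0x1F
    return "%s R%d, R%d,LSL#%d" % (mnemonic, rn, rm, shift)

# Constructed sample dumps (not real device data): a locked and an unlocked header.
LOCKED_DUMP = ABOOT_MAGIC + b"\x00\x00" + struct.pack("<III", 0, 0, 3)
UNLOCKED_DUMP = ABOOT_MAGIC + b"\x00\x00" + struct.pack("<III", 1, 0, 3)

if __name__ == "__main__":
    print(parse_aboot_header(LOCKED_DUMP), parse_aboot_header(UNLOCKED_DUMP))
    print(decode_cpuid_word(b"\x00\x79\x50\xe1"), decode_cpuid_word(b"\x00\x79\x10\xe1"))
```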
Unlocking is performed by using a loophole which allows any phone to boot an unsigned kernel via the UART_DM protocol. This phone has a bootloader based on lk, the (L)ittle (K)ernel-based Android bootloader. When you issue the command 'fastboot boot some.img' you are actually sending the image over the USB line (UART_DM), and the bootloader happily runs it but sets the tampered variable. Now if one makes an image and copies just the subroutines from the leaked firmware which do the "oem unlock", makes a "kernel" image out of them (with the abootimg utility) and runs it with the fastboot command, it will mark the partition as unlocked.