OK, so I'm nearly certain that 0x8400 in mmcblk0p3 is the S-OFF bit, as was discussed a while back (page ~80 or so). I believe I found the tampered flag and the unlocked bootloader flag too, by dumping my partitions, then unlocking for the first time, dumping again, relocking, and dumping a third time. I then hashed all the dumps and compared them. Then I compared the images where the hashes didn't match.
0x8400 is '00' on the two S-OFF devices we have dumps from, and it's '03' on every other phone I've checked, regardless of whether it's locked, unlocked, or re-locked. '0' and '3' are consistent with the 'fastboot oem writesecurityflag' command too.
Everything else, on every partition, is either inconsistent on devices of similar security status, or it changes from lock to unlock to relock.
To reiterate what was said earlier in this thread in the interest of organization, I've tried dd'ing a modified version of mmcblk0p3 and it seems to complete successfully, but you can pull it again immediately afterwards and it's unchanged. I tried "cat mmcblk0p3.img > /dev/block/mmcblk0p3", which either froze or powered off my phone at some point in the process, but that didn't work either.
The permissions of /dev/block/mmcblk0p3 are BRW------ root.root; I tried chmod'ing it 777, but that didn't help anything.
Do we know anything else about mmcblk0p3? What else is contained within it? It's a big file, 130 MB. If we can determine when the device is expecting it to be modified, maybe we can take advantage and modify it ourselves.
Billy
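
The dump, hash and compare procedure described in the post above, as an added Python example that is not part of the original post. The partition names, image contents, offsets and labels are constructed for illustration and do not reflect any real device layout.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def changed_partitions(dumps: dict) -> list:
    """Names of partitions whose three dumps do not all hash the same."""
    return sorted(name for name, imgs in dumps.items()
                  if len({digest(i) for i in imgs}) > 1)

def classify_offsets(locked: bytes, unlocked: bytes, relocked: bytes) -> dict:
    """Map each differing offset to (label, locked, unlocked, relocked byte)."""
    if not len(locked) == len(unlocked) == len(relocked):
        raise ValueError("dumps of one partition must be the same size")
    out = {}
    for off, (l, u, r) in enumerate(zip(locked, unlocked, relocked)):
        if l == u == r:
            continue                      # byte never changed
        if l != u and r == l:
            label = "follows lock state"  # changed on unlock, reverted on relock
        elif l != u and r == u:
            label = "sticky after unlock" # changed on unlock, kept after relock
        else:
            label = "other"               # e.g. changed only on relock
        out[off] = (label, l, u, r)
    return out

# Constructed 16-byte stand-ins for real dumps; offsets and values are invented.
LOCKED = bytes(16)
UNLOCKED = bytes([0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0])
RELOCKED = bytes([0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 5, 0, 0, 0])
SAMPLE = {
    "partA": (LOCKED, UNLOCKED, RELOCKED),  # differs between dumps
    "partB": (LOCKED, LOCKED, LOCKED),      # identical hashes, skipped
}

if __name__ == "__main__":
    for name in changed_partitions(SAMPLE):
        for off, (label, l, u, r) in classify_offsets(*SAMPLE[name]).items():
            print(f"{name} 0x{off:04x}: {l:02x} -> {u:02x} -> {r:02x}  {label}")
```

A byte that stays constant across all three dumps, such as the value described at 0x8400, never appears in this output; it only stands out when dumps from different devices are compared.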