I am trying to find out if the eFuse reset is plausible, or if there is another explanation for the Chinese eng phones.
If you look at this TI patent PDF linked on http://www.freepatentsonline.com/8112618.html, there is a very detailed description of how eFuses can be set in different steps of the production process (and other good info on boot validation!). It refers to a (much) older OMAP161x but I assume it has not changed significantly for new devices.
The document describes several initial eFuse settings ("embodiments") to suit different production processes and models. Devices can be produced in such a way that they are initially GP (no security) or initially HS (high security). In some embodiments the device type cannot be changed later, in others it can be changed by blowing eFuses. There are many variations - read there for all the details.
The description suggests that some devices could leave the factory with different initial eFuse settings - maybe by intention because they are produced for a specific customer/market, maybe due to production mistake or simply because their security component is defective but they don't want to trash the devices.
About GP vs. HS mode, based on the reported omapinfo outputs I think we can conclude that all Defys are in HS mode, even the Chinese unlocked eng phones and Otto.BR's eng phone (right? STATE=205). This is consistent with appearing as "SE Flash" (Secure + Engineering?). Looks like we can exclude GP mode devices, they don't seem to exist for Defy.
About engineering mode, to recap, the Motorola bootloaders (mbmloader, mbm) check the PROD and ENG fuse settings to determine if the phone should start in engineering mode, bypassing the normal security checks. Normal Defys consistently have both PROD and ENG fuses set (=locked) whereas Chinese eng phones have only the ENG fuse set (=engineering).
Now, finally (this is getting long, sorry) I see two possible explanations of how the Chinese phones were turned into engineering mode:
- The ENG phones were normal locked devices before they went to service, then came back with eFuses reset. This would prove that some way exists to reset eFuses and that we can dig deeper into what the service did and how. That would be great news but we have no confirmation that this is the case.
- The Chinese ENG phones are from a special batch of production with originally all-zero eFuses, maybe for a special customer/market or by accident. Since they would have all-zero eFuses, they can be turned into ENG phones by blowing the single eFuse bit. This would be bad news, as glycosis noted, as we can't "unblow" eFuses.
So how can we find out?
If the unlock process is reproducible, i.e. if it is possible for someone to decide to go to Motorola service and have a good chance of the phone getting unlocked, he/she could dump SWRV (ideally all of sec.ko output plus a full dump of internal mmcblk) just before going to service, then again just after coming back from service. The values of SWRV before/after should allow us to tell if an eFuse reset is plausible or not.
Perhaps there is a Chinese speaker here who could help and ask on mfunz if someone would be willing to dump, get unlocked, dump again and share the dumps?
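An added example (not from the post, and not any Motorola or TI tool) of the before/after comparison proposed above: it parses a constructed key=value dump (the real sec.ko/omapinfo output format is not assumed here), applies the PROD/ENG rule from the post, and reports whether any fuse went from set to clear, which is the only outcome that would show a reset is possible.

```python
import re

# Fuse fields the post says the Motorola bootloaders check; reading them
# as key=value lines is a constructed format, not real sec.ko output.
FUSE_FIELDS = ("PROD", "ENG")

# Constructed sample dumps: a normal locked Defy, an all-zero-fuse batch
# phone, and the state reported for the Chinese engineering phones.
DUMP_LOCKED = "STATE=205\nPROD=1\nENG=1\n"
DUMP_ALL_ZERO = "STATE=205\nPROD=0\nENG=0\n"
DUMP_ENG = "STATE=205\nPROD=0\nENG=1\n"

_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(\d+)\s*$")

def parse_dump(text):
    """Parse key=value lines into a dict of ints; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields

def boot_mode(fuses):
    """Per the post: PROD and ENG both set is locked, ENG alone is
    engineering; the post does not describe other combinations."""
    prod, eng = bool(fuses.get("PROD", 0)), bool(fuses.get("ENG", 0))
    if prod and eng:
        return "locked"
    if eng and not prod:
        return "engineering"
    return "unspecified"

def compare_fuses(before, after):
    """Classify the before/after change.  eFuses are one-time programmable,
    so a 1->0 transition is only possible if a reset mechanism exists;
    0->1 transitions are ordinary fuse blowing from an all-zero state."""
    cleared = [f for f in FUSE_FIELDS if before.get(f, 0) and not after.get(f, 0)]
    blown = [f for f in FUSE_FIELDS if not before.get(f, 0) and after.get(f, 0)]
    if cleared:
        verdict = "reset"      # hypothesis 1: fuses really were reset
    elif blown:
        verdict = "blown"      # hypothesis 2: all-zero batch, one bit blown
    else:
        verdict = "unchanged"
    return {"verdict": verdict, "cleared": cleared, "blown": blown,
            "mode_before": boot_mode(before), "mode_after": boot_mode(after)}
```

Run `compare_fuses(parse_dump(before_text), parse_dump(after_text))` on the two captured dumps; a verdict of "reset" with PROD in `cleared` is the result that would support the first explanation.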