Originally Posted by cellzealot
There are 3 types of Motorola OMAP devices.
S= Secured : a stock production locked bootloader
SE= Secure Engineering : an engineering model that has a signed and secure bootloader that does not perform any other checks on kernel or other components above the bootloader.
For all intents and purposes this is the same as an unlocked bootloader. The OG Droid is an SE device.
NS= Non Secured: a fully open device with no checks performed and no eFuses set or blown on the OMAP chip itself.
It is the mbmloader that contains the encrypted signatures, not the bootloader itself. On dual core devices, the bootloader is the same for all three types and the firmware files contain both NS and HS versions of the mbmloader. There is a separate bootloader that allows flashing of the mbmloader and that checks the ro.secure status of the device and flashes the right mbmloader. Then the bootloader is flashed and the rest of the partitions are subsequently flashed.
Sorry, but except the listing, it's completely wrong.
Indeed, there are three types of devices:
S - Secure (Omap in HS mode)
SE - Secure Engineering (Omap in HS mode) - no sig. checks except mbmloader + BP
NS - Non Secured (Omap in EMU mode) - no sig. checks except part of BP (mbmloader is signed with CSST key)
OG droid is a S device, OG Droid bootloader doesn't perform security checks at all, only mbmloader is checked by OMAP BootROM.
Even NS have secure part of BP, completely unsecure devices use GP mode for OMAP etc.
S and SE devices share mbmloader and mbm; NS devices have special mbmloader and in most cases mbm too (dunno to be honest, how is it with RAZR, certainly all OMAP3 devices have special NS mbm, just as I use on my Milestone).
"ro.secure" status is used by android, and completely unrelated here. It's whether the OMAP is in HS or EMU mode.
The "allow-mbmloader-flashing" mbm is mbm that allows mbmloader flashing and nothing else. There is also another bootloader to recover the device from USB.
mbmloader doesn't contain any signatures except it's own, this is normal chain of trust. mbmloader checks mbm, loads it, which checks the rest.
Anyway, on RAZR the mbm tells "Device is LOCKED / UNLOCKED: Status code: x
x = 0; locked and not unlockable or never been unlocked
x = 1; unlocked (w/o signature checks, except part of the bp)
x = 2; unlockable device, which has been relocked
x = 3; unlockable device, which has been unlocked (signature checks over mbm, mbmloader and cdt + bp)