Breaking this discussion off from the EVO root thread, as it's a separate beast entirely..
The fixes are ..
1) ENG hboot. I've tried unsuccessfully to flash just the hboot.img from the engineering RUU, using our custom recovery ... it goes through the motions like it's supposed to (writes hboot.img into a section of the nand, sets a flag in the bootloader, then reboots; then the bootloader finishes the flash and reboots again back to recovery), but it doesn't take effect .. seems as if it's doing some kind of version check and it fails that version check, so it rejects the hboot.img update.
2) reverse engineer the msm_nand_unlock() API by disassembling hboot and seeing what it does to lock/unlock the NAND, then try to do the same thing from Android. In theory, that would allow it to unlock the NAND from userspace.
I haven't given up on either of these options, I just haven't had the time necessary to devote to it yet.
True, but truth be told, there's a separate ENG SPL, which would actually fix the NAND protection by default, if it would flash. But because it's an older release than what came on the phone, it won't let you flash it (even tried with a goldcard, and no go). This version matches the stock version, which means it can be flashed back and forth with no complaints.(Incidentally, if they would have given us engineering SPLs in the I/O phones, it probably would have delayed the root issue on general-release phones a while longer).
Firmware, yes (aka radio). But it's actually the bootloader (aka hboot) that sends a command to the radio to say lock it or unlock it. There's even a linux API in the "mtd" driver to allow an ioctl() call to unlock a NAND ... IF it's supported (the source code we have shows that the msm_nand_unlock() code is missing, thus it's not supported). When booting into Android, hboot says "lock NAND", and when booting to recovery, it says "unlock". When it's locked, you get a "not enough memory" error when trying to do any writes to the /system partition (even after remounting it as read-write).Can you explain NAND protection a bit further, please? Are the changes being overwritten on startup, or are they being blocked before they occur? Is NAND protection being implemented at the firmware level?
The fixes are ..
1) ENG hboot. I've tried unsuccessfully to flash just the hboot.img from the engineering RUU, using our custom recovery ... it goes through the motions like it's supposed to (writes hboot.img into a section of the nand, sets a flag in the bootloader, then reboots; then the bootloader finishes the flash and reboots again back to recovery), but it doesn't take effect .. seems as if it's doing some kind of version check and it fails that version check, so it rejects the hboot.img update.
2) reverse engineer the msm_nand_unlock() API by disassembling hboot and seeing what it does to lock/unlock the NAND, then try to do the same thing from Android. In theory, that would allow it to unlock the NAND from userspace.
I haven't given up on either of these options, I just haven't had the time necessary to devote to it yet.