Weird. Strange that this would still be a thing. Not like the device was cheap to purchase.
The two java applets that control this are...
Typing "cmd -l" in shell...and you can see that both services are running....starting with oem_lock....sending a few service calls...you'll come to see that it points to persistent.data.block......and sending a few more service calls....you'll see that it points to GMS...Play Services...because that's the only package that has any OEM reading and/or managing capabilities....the only problem is...finding a hole...big enough to... overwrite (like what DirtyPipe did) a read only system file....or somehow repacking an OTA with a patched init_boot.img and see where it can go...and if all fails....I'm going to say DirtyCred (pending PoC release)...should be good enough to pop a root shell...but only if....u don't continue to keep updating your firmware....the older...the better....but as i don't follow the source code or patches that Google releases...it's very hard to tell when they would patch Dirty Cred....or if it's already patched fully on their new baby...the Pixel 7 Pro. But I'm hopeful to keep hammering it out. It's just right now with work and the holidays...my time is super limited and right now...I'm split with both this phone and the S22 Ultra S908U. The S22 Ultra is where I'm advancing pretty good and day by day....it's coming closer to another way in or another level of privilege. But best believe once I'm in the s22....it should be pretty easy...pulling the packages for oem_block and persistent.data.block (s22 falls under same umbrella) and learning how it works and what makes it stay in place.
***Anyone know any Magisk devs...no not John Wu? Got a couple logs...maybe someone can interpret and help me out to figure what I'm reading and what's missing***