TODO, in the meantime, find info on how to do this elsewhere.
Once you're rooted, retrieve a dump of the bml5 block device and store it somewhere, say your SD card. It's only 9mb in size. From a terminal on the phone (as root) run type:
cat /dev/block/bml5 >/storage/sdcard0/bml5.img
Search through the dump (ideally in a hex editor on a computer). You're looking for (in hex):
FF FF FF FF 30 30 30 30 30 30 30 30
NOTE: 30h is '0'.
You should see four 8 digit numbers when you find the spot. The first one is your unlock code. This MAY be around offset 0x001CC40A.