Step 1: Root

TODO, in the meantime, find info on how to do this elsewhere.

Step 2: Retrieve data

Once you're rooted, retrieve a dump of the bml5 block device and store it somewhere, say your SD card. It's only 9mb in size. From a terminal on the phone (as root) run type:

cat /dev/block/bml5 >/storage/sdcard0/bml5.img

Step 3: Search the dump

Search through the dump (ideally in a hex editor on a computer). You're looking for (in hex):

FF FF FF FF 30 30 30 30 30 30 30 30

NOTE: 30h is '0'.

You should see four 8 digit numbers when you find the spot. The first one is your unlock code. This MAY be around offset 0x001CC40A.

Valid HTML 4.01 Transitional