Recently bought this phone, and took an interest in flashing custom ROMs on it.
Though sadly, it was not possible due to:
1. SPL security check
- Dumped from device, opened in a hex editor and saw some strings about hash and magic (VLR MAGIC) being checked before booting the second bootloader.
2. Second Bootloader U-boot security check
- Same process and again there's some hash and magic checking, aside from the usual strings seen from u-boot.
The second bootloader and the boot image both contain a SPRD-SECUREFLAG header at base 0x0 of size 1024 bytes with some kind of encrypted hash(?), before the actual binary contents, android magic, etc.
I've found the related source-code for the u-boot, looked through it and saw that there is an RSA Encryption whenever binaries get flashed, though the last update of the source was at 2014 (and Spreadtrum probably closed it from public since I can't find any, aside from cloned ones in github), and the device release was 2015.
The bootloader is factory unlocked (?) or just a string hardcoded in the bootloader to show it is, and Huawei's unlock service is useless anyway for this device since the code for getting the Product ID does not work, and there is no "oem unlock" string anywhere in the u-boot binary.
I've been trying to find other devices with the same specifications and chip (and unsecured/unlockable bootloader) to try their PAC format ROM but not a single one actually flashed completely (UART error after FDL1 download) with the SPRD flashtool.
I'll post screenshots if needed.