*sigh*
when i said complicated i really meant it. please don't mind if you don't understand everything in my mails. they are also documentation for future devs (those who have to take over when i become insane from all of this :)
after looking into your logs in detail i noticed that the PR registers are not the problem (they are all 0, which indicates no read/write protection). the real problem is the FRAP register. in there the host can grant other flash masters access to the flash (the host is not the only one with (write) access to the flash: the GbE controller and the embedded controller (ME) can access it too). the second half of FRAP indicates the rights of the host itself. it is initialized on startup with the values stored in the descriptor. the other masters can grant the host access to their regions afterwards. this part of FRAP is read-only even if FLOCKDN=0, hence your board is not better off than any other board with locked regions. that means there is no way to access the whole flash on your board until we can unlock the ME region (by telling the ME to grant the host access to its section, which won't happen soon). sorry for the encouraging first mail.
recap:
- FRAP indicates host access to all other regions and is always read-only (even with FLOCKDN=0). it can be changed by other masters (this is what we want to achieve eventually).
- FRAP also can be used to grant access to the BIOS range to the other masters. this can be prohibited by FLOCKDN=1.
- FREG* defines the addresses of the regions above (r/o, filled from the descriptor on startup)
- PR* is an additional access control mechanism independent from FRAP/FREG*, constrained by FLOCKDN=1.
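
The recap above, worked through as an added example (not part of the original mail and not flashrom's own code): it decodes FRAP and FREG* values and reports which in-use regions the host cannot write. The bit positions are an assumption taken from the ICH8+ datasheets, the function names are hypothetical, and the register values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout assumed from the ICH8+ datasheets (not stated in the mail):
 * FRAP[7:0] BRRA, [15:8] BRWA = host read/write access, one bit per region;
 * FRAP[23:16] BMRAG, [31:24] BMWAG = BIOS region access granted to other masters. */
#define BRRA(frap) (((frap) >> 0) & 0xff)
#define BRWA(frap) (((frap) >> 8) & 0xff)
#define ACC_READ  1
#define ACC_WRITE 2

static const char *const region_name[] = { "descriptor", "BIOS", "ME", "GbE", "platform" };

/* Host access to one region as ACC_* bits. */
int host_access(uint32_t frap, int region)
{
    return (((BRRA(frap) >> region) & 1) ? ACC_READ : 0) |
           (((BRWA(frap) >> region) & 1) ? ACC_WRITE : 0);
}

/* Decode FREGn: base in bits 12:0, limit in bits 28:16, 4 KiB units.
 * Returns 0 when base > limit, which marks the region as unused. */
int freg_range(uint32_t freg, uint32_t *base, uint32_t *limit)
{
    *base = (freg & 0x1fff) << 12;
    *limit = (((freg >> 16) & 0x1fff) << 12) | 0xfff;
    return *base <= *limit;
}

/* Bitmask of in-use regions the host cannot write; 0 means the whole flash is writable. */
unsigned blocked_regions(uint32_t frap, const uint32_t *freg, int n)
{
    unsigned mask = 0;
    uint32_t base, limit;
    for (int i = 0; i < n; i++)
        if (freg_range(freg[i], &base, &limit) && !(host_access(frap, i) & ACC_WRITE))
            mask |= 1u << i;
    return mask;
}

/* Constructed sample values, not taken from the logs discussed in the mail. */
static const uint32_t sample_frap = 0x00000a0b;
static const uint32_t sample_freg[5] = { 0x00000000, 0x07ff0500, 0x04ff0003, 0x00020001, 0x00001fff };

int main(void)
{
    uint32_t base, limit;
    for (int i = 0; i < 5; i++)
        if (freg_range(sample_freg[i], &base, &limit))
            printf("%-10s 0x%08x-0x%08x host access=%d\n", region_name[i],
                   (unsigned)base, (unsigned)limit, host_access(sample_frap, i));
    printf("blocked mask: 0x%x\n", blocked_regions(sample_frap, sample_freg, 5));
    return 0;
}
```

With these sample values the descriptor is read-only and the ME region is fully locked for the host, so a whole-chip write cannot succeed regardless of FLOCKDN or the PR registers.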