view pirelli/rfcal @ 181:bf4286245c74
Pirelli's RF calibration cracked
author:   Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date:     Sun, 13 Jul 2014 01:11:22 +0000
parents:
children: 827b8977d3c2
The 64 KiB flash sector at 0x027F0000 (the last sector of the 2nd flash bank)
contains per-unit factory data, including the IMEI and RF calibration values.
The location of the IMEI record (at offset 0x504) was found back in 2013-07
and its encryption was figured out in 2013-11, but it took a bit longer to
find the RF calibration data. But I finally found the latter as well. Here
they are:

Hex offset   Corresponding FFS file in TI's canonical version
----------------------------------------------------------------
072B         /gsm/rf/tx/ramps.900
092B         checksum byte
092C         /gsm/rf/tx/levels.900
09AC         checksum byte
09AD         /gsm/rf/tx/calchan.900
0A2D         checksum byte
0A2E         /gsm/rf/tx/ramps.1800
0C2E         checksum byte
0C2F         /gsm/rf/tx/levels.1800
0CAF         checksum byte
0CB0         /gsm/rf/tx/calchan.1800
0D30         checksum byte
0D31         /gsm/rf/tx/ramps.1900
0F31         checksum byte
0F32         /gsm/rf/tx/levels.1900
0FB2         checksum byte
0FB3         /gsm/rf/tx/calchan.1900
1033         checksum byte
10AF         /gsm/rf/rx/agcparams.900
10D7         checksum byte
10D8         /gsm/rf/rx/calchan.900
10E0         checksum byte
10E1         /gsm/rf/rx/agcparams.1800
1109         checksum byte
110A         /gsm/rf/rx/calchan.1800
1112         checksum byte
1113         /gsm/rf/rx/agcparams.1900
113B         checksum byte
113C         /gsm/rf/rx/calchan.1900
1144         checksum byte

Each calibration record is followed by a checksum byte. It is a simple
ripple-carry sum of all bytes in the preceding record, i.e., the low 8 bits
of the byte sum. Note that this checksum byte is always 0 for the ramps
records, as each correctly-formed ramp adds up to 128 (0x80), and the array
has an even number of ramps in total, so the sum is a multiple of 256.

The following still remain to be located:

/gsm/rf/afcdac
/gsm/rf/afcparams

I don't expect major difficulty in finding them; I just haven't got around to
studying this part of the calibration system yet.
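As an added illustration (not part of these notes or of the FreeCalypso tools), the following Python reads the record layout from the offset table above, recomputes each record's trailing checksum byte as the low 8 bits of the byte sum, and checks it against a sector image. Since no real sector dump is reproduced here, the script constructs its own 64 KiB image with the checksums filled in; the ramps records are built from ramps that each sum to 128, and the choice of 16 ramps of 32 bytes to fill the 0x200-byte record is an assumption of this example only, since the notes state only that the count is even.

```python
import random

# Flash sector holding the per-unit factory data (from the notes above).
SECTOR_BASE = 0x027F0000
SECTOR_SIZE = 0x10000  # 64 KiB

# Record layout transcribed from the offset table in the notes:
# (start offset, offset of the trailing checksum byte, TI FFS file name).
# The record body is the byte range [start, checksum_offset).
RECORDS = [
    (0x072B, 0x092B, "/gsm/rf/tx/ramps.900"),
    (0x092C, 0x09AC, "/gsm/rf/tx/levels.900"),
    (0x09AD, 0x0A2D, "/gsm/rf/tx/calchan.900"),
    (0x0A2E, 0x0C2E, "/gsm/rf/tx/ramps.1800"),
    (0x0C2F, 0x0CAF, "/gsm/rf/tx/levels.1800"),
    (0x0CB0, 0x0D30, "/gsm/rf/tx/calchan.1800"),
    (0x0D31, 0x0F31, "/gsm/rf/tx/ramps.1900"),
    (0x0F32, 0x0FB2, "/gsm/rf/tx/levels.1900"),
    (0x0FB3, 0x1033, "/gsm/rf/tx/calchan.1900"),
    (0x10AF, 0x10D7, "/gsm/rf/rx/agcparams.900"),
    (0x10D8, 0x10E0, "/gsm/rf/rx/calchan.900"),
    (0x10E1, 0x1109, "/gsm/rf/rx/agcparams.1800"),
    (0x110A, 0x1112, "/gsm/rf/rx/calchan.1800"),
    (0x1113, 0x113B, "/gsm/rf/rx/agcparams.1900"),
    (0x113C, 0x1144, "/gsm/rf/rx/calchan.1900"),
]


def record_checksum(body: bytes) -> int:
    """The checksum the notes describe: add every byte of the record and
    keep the low 8 bits (carries out of bit 7 are dropped)."""
    return sum(body) & 0xFF


def verify_sector(sector: bytes) -> dict:
    """Check every record's trailing checksum byte. Returns {ffs_name: bool}."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a full 64 KiB sector image")
    results = {}
    for start, cks_off, name in RECORDS:
        body = sector[start:cks_off]
        results[name] = record_checksum(body) == sector[cks_off]
    return results


def make_ramp(rng: random.Random, length: int) -> bytes:
    """Constructed ramp of `length` bytes whose values add up to exactly 128,
    the property the notes state for a correctly formed ramp. The real ramp
    encoding is not described in the notes; only the sum is reproduced."""
    head = [rng.randint(0, 4) for _ in range(length - 1)]  # max sum 124
    return bytes(head + [128 - sum(head)])                 # last byte 4..128


def build_sample_sector(seed: int = 1) -> bytes:
    """Constructed sector image for testing: deterministic filler everywhere,
    ramps records made of ramps that each sum to 128, and every checksum byte
    filled in the way the notes describe."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(SECTOR_SIZE))
    for start, cks_off, name in RECORDS:
        if name.rsplit("/", 1)[-1].startswith("ramps."):
            # Assumption for this example only: the 0x200-byte ramps record
            # holds 16 ramps of 32 bytes. The notes only say the count is even.
            ramp_len = 32
            count = (cks_off - start) // ramp_len
            buf[start:cks_off] = b"".join(make_ramp(rng, ramp_len) for _ in range(count))
        buf[cks_off] = record_checksum(buf[start:cks_off])
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_sector()
    for name, ok in verify_sector(image).items():
        print(f"{name:28s} {'ok' if ok else 'BAD'}")
    # 16 ramps * 128 = 2048, and 2048 & 0xFF == 0, so the ramps checksum is 0.
    print("ramps.900 checksum byte:", image[0x092B])
```

To run this against a real dump, replace `build_sample_sector()` with the 64 KiB read from 0x027F0000 and look for any record reported as BAD; because the checksum is a plain byte sum, it catches corrupted or partially written records but not a byte pair swapped within a record, so a passing check is not proof of an intact record.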