The first thing I noticed was the testpoints behind the batteries, easily accessible even when the device itself was fully assembled. I did manage to find out that a single line was spat out in serial on these testpoints, but that was it, so I proceeded opening up the device.
After a bit of fiddling around, I found out that my first guess actually was
correct: the serial port was indeed on the testpoints that were behind the batteries.
It just didn't work because another pin had to be pulled low for it all to work:
When the pin marked 'tin' is pulled low, a complete Linux bootlog can be seen, ending in a login prompt. I didn't had the password, but the bootloader was accessible too and by changing a few kernel commandline options I could bypass the login prompt and change the root password. The phone was mine!