Yeah, HBOOT runs "on the metal" (no operating system beneath). Now as far as I understand there are two possible scenarios and we don't know for sure which one is implemented.
1. HBOOT sends "unlock" commands directly to the memory controller before booting the kernel. If this was the case, we'd have to modify the kernel to send more "unlock" commands after it has been booted.
2. HBOOT tells the Radio what to unlock via RPC and only Radio can talk to the memory controller. If this was the case, we may not only need to find a way of RPCing the Radio from within Android, but also a way of making it believe that we are HBOOT.
Case 1 is the "good case" and it's the case for e.g. the HTC Vision, where the NAND lock has already been broken, so I hope it's the case for the WFS as well.
Case 2 is much, much worse, since the Radio could actually make use of cryptography to ensure that the HBOOT is authentic before fulfilling its requests. I think we'd be pretty much doomed if that was the case and there probably wouldn't be a way of breaking security other than xtc-clip or faking the signature of a patched HBOOT (which is infeasible when implemented correctly and private keys not leaked) or directly programming the chip via JTAG.