Set odm production mode from 0x00000001 to 0x00000000 and we have what we want. How?
Well that isnt as easy as expected..
Somewhere during boot there is a check if we are in production mode or not. If we are in production mode then all locks are set. If we arent in production mode all locks are off and we have s-off.
Then we remove the check and its done. We know that the flag can be set in the fuse directory. However it requires a kernel patch, the write protection can be turned of for that section.
Where to find it?
Look at nv-tegra git, there is bootloader source and try to find it (probably htc renamed it)
If you like my work.. you may always buy me a ice cold beer
join #TripNDroid on IRC server: freenode