Is there any reason we wouldn't be able to use AT commands to directly force the radio to set itself S-OFF?
I've found these, and they apply to most any phone I suppose, but specifically to the X-GOLD XMM6260 in the international One X+.
is documentation of the chip itself.
is a guide on how to talk to the chip.
is just a rundown of the HBOOT analysis of the HTC G2 aka Vision. However, it does have a few gems, like the AT command to set the radio S-OFF, "AT@SIMLOCK=7,0".
I'm going to look at this further, but does anyone know if the S-OFF flag is controlled by the Tegra 3 chipset (i.e. the processor) or the radio?
I remember the gfree S-OFF exploit for the Desire Z, wherein it sent the commands to the radio to reboot itself without rebooting the phone, and it would come back up without write protection enabled, so you could force it to set itself S-OFF. My point being, the exploit we're looking for should have very little to do with the Tegra chipset, and much more to do with the radio chipset. (Assuming I'm right, and please tell me if I'm not.)