I posted the IPSF hack reference code on my blog a couple days ago. Here is what is needed to turn this into an unlock.
I can't find any RSA library that will compile with the baseband toolchain. The writers of the virginisor have more experience with the WinARM stuff then me; maybe they can get one to compile. I believe all the program has to do is write the spoofed token to seczone+0x400 and write a virgin lock state. Then after upgrading the baseband to 1.1.3's baseband, run at+clck="PN",0,"00000000". They are reports around the forums of this fixing IPSF unlocks; I believe this is because the lockstate table generated by IPSF never really matched the true unlocked lockstate table. Why not use the phones built in function. It should detect the decrypted token and write unlocked lockstates.
This program should also back up the seczone first, so the token can be retrieved in case we ever find an NCK generation method.