I'm pretty sure kernel9loader locks the OTP before it jumps to the arm9 binary. so once arm9loaderhax happened, the region has been locked.
3dbrew says Arm9 locks the OTP by writing 0x2 to Sysprot. (
Source)
Protection seems to be from Firm though. Therefore you can possibly still read a locked OTP.
I believe the OTP protection (including Arm9 Locking) is based on the FIRM, which we can manipulate.
We have everything to everything that locks/protects the OTP, therefore we should be able to read it out even on higher firmwares as long as we bypass the protections, which A9LH should let us do, since it's executed before FIRM is loaded, therefore we can patch OTP protection.
The OTP being locked should be possible to prevent as well; even though I don't think that matters for this case. (Staying with the way 2.1 FW can access the OTP. At that point the Arm9 should have locked OTP already.)
I am not a Dev, but this is what I understood from readup and what I am guessing. If this is indeed entirely different please proof your point.
(Also, at the point of A9LH people would already have their OTP, which makes this method of getting the OTP basically useless since it is required to install the requirement for this way. If it is possible.)
Edit: FIRM1 may be completely executed before payload is loaded. I guess that was your point. That would mean it would indeed require writing to the actual FIRM1 partition.
In which case A9LH execution may actually happen after OTP has been locked.
Which would mean, that you would have to install a 2.1 FIRM with payload.
