- Find a new iBoot exploit - This will allow us to decrypt the platform iBoot and other firmware files in it's IPSW, as well as dump the bootrom to examine.
- Find a new bootrom exploit - After we have the bootrom dumped, we must look for a way to make SecureROM run our patched LLB.
Apple added a new tag to the img3 format called ECID. The ECID is unique to each phone, and is being sigchecked. So no downgrades unless you have a dump of your unique old firmware's img3. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. 
Geohot's iBoot Exploit
An undisclosed exploit has been discovered by geohot in the 7A341 firmware.  With the help of this exploit, the hardware AES engine has been used to decrypt the the KBAG sections of each of the iPhone2,1 7A341 images. The exploit has also been used to dump the S5L8920 Bootrom.