- Find a new iBoot exploit every time a new firmware is out.
- Find a way to bypass the ECID checks.
- Find another bootrom exploit, which code execution is more trivial with. (Pwnage 2.0-like)
Apple added a new tag to the img3 format called ECID. The ECID is unique to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's img3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. .
The issue with this is that, even with 24kpwn still in bootrom, an iBoot exploit is still needed to actually flash the 24kpwned LLB. If Apple uses this ECID stuff to block downgrades, then a new iBoot exploit will be needed whenever they fix the last, so that 24kpwn can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. 3GS owners can save a file which contains the signature of an iBSS for 3.0GM containing their ECID, using http://purplera1n.com/ should Apple try to block this in the future.
There are two possible methods to jailbreak which use the same iBoot exploit discovered independently by Geohot and the iPhone Dev Team. In order to jailbreak, you can use redsn0w by the iPhone Dev Team or purplera1n by Geohot. These currently work only on firmware version 3.0 (12/7/09).