Dual Boot Exploit

Credit
iPhone Dev Team

Exploit
The user would create a copy of the currently installed jailbroken OS to /dev/disk0s3, then in iTunes update to the latest unjailbroken firmware. They would then boot to the jailbroken OS, SSH in, and mount /dev/disk0s1, where the unjailbroken OS was. Finally, they would copy over Installer / OpenSSH / Terminal to the unjailbroken OS.

Defeating Countermeasures
In 1.1.1, a routine called "check_for_suspicious_partitions" appeared: for any partition other than the System partition (/dev/disk0s1), it would stat() "/sbin/launchd" to check for the existence of the file. The iPhone Dev Team got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat() follows symlinks and the link's target did not resolve from where the check ran, the file appeared to be absent and the workaround worked great.

Why it no longer works
There are two reasons that it no longer works:

Booting
In firmware 2.0 beta 4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.

lstat()
The "check_for_suspicious_partitions" routine now uses lstat() (which does not follow symlinks) instead of stat(), so the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat() instead of stat().
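The stat()-based check with the symlink trick from the 1.1.1 section, and the lstat() change described above, as an added example (not the Dev Team's or Apple's code): the check is modelled against a constructed partition image in a temporary directory, and the link target /mysbin/launchd is assumed not to exist where the check resolves it, as it did not on the System partition.

```c
/* Added example, not the Dev Team's or Apple's code: a model of the
 * "check_for_suspicious_partitions" test on a constructed partition image
 * (a temporary directory). With use_symlink=1 its /sbin/launchd is an
 * absolute symlink to /mysbin/launchd, assumed not to exist where the
 * link is resolved (the checking OS's root, as on the System partition). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if /sbin/launchd appears to exist under `root`, 0 if not,
 * -1 on bad input. follow_links=1 models the 1.1.1 check (stat),
 * follow_links=0 models the later check (lstat). */
int launchd_present(const char *root, int follow_links) {
    char path[4096];
    struct stat sb;
    if (!root) return -1;
    snprintf(path, sizeof path, "%s/sbin/launchd", root);
    return (follow_links ? stat(path, &sb) : lstat(path, &sb)) == 0;
}

/* Builds a constructed partition image in a temp dir. use_symlink=0 puts a
 * real file at /sbin/launchd (a plain OS copy); use_symlink=1 reproduces
 * the Dev Team trick. Returns a malloc'd image root, or NULL on failure. */
char *make_fake_partition(int use_symlink) {
    char root[] = "/tmp/dualboot_XXXXXX";
    char path[4096];
    if (!mkdtemp(root)) return NULL;
    snprintf(path, sizeof path, "%s/sbin", root);
    if (mkdir(path, 0755) != 0) return NULL;
    snprintf(path, sizeof path, "%s/sbin/launchd", root);
    if (use_symlink)
        return symlink("/mysbin/launchd", path) == 0 ? strdup(root) : NULL;
    FILE *f = fopen(path, "w");            /* stand-in for the real binary */
    if (!f) return NULL;
    fputs("#!/bin/sh\n", f);
    fclose(f);
    return strdup(root);
}

/* 1 if the symlink trick fools the stat-based check but not the
 * lstat-based one (the page's before/after); 0 otherwise. */
int trick_defeated_by_lstat(void) {
    char *img = make_fake_partition(1);
    int r = launchd_present(img, 1) == 0 && launchd_present(img, 0) == 1;
    free(img);
    return r;
}
```

Running `launchd_present` on the symlink image with follow_links=1 reports no launchd, while follow_links=0 flags the partition, which is exactly why the lstat() change broke the trick.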