S5L8922

This is the processor used in the iPod touch 3G.

iBoot

 * usb_control_msg(0x21, 2) Exploit - Works up to iOS 3.1.2

Bootrom
Geohot used his previously undisclosed bootrom exploit in limera1n. It is also implemented in Chronic Dev's greenpois0n. Source code for greenpois0n can be found here: https://github.com/Chronic-Dev/syringe

Kernel

 * BPF STX Kernel Write Exploit - Works up to iOS 3.1.3
 * IOSurface Kernel Exploit - Works up to iOS 4.0
 * Packet Filter Kernel Exploit - Works up to iOS 4.2b3
 * HFS Legacy Volume Name Stack Buffer Overflow - Works up to iOS 4.2.1
 * ndrv_setspec Integer Overflow - Works on iOS 4.3.1 / 4.3.2 / 4.3.3

Userland

 * MobileBackup Copy Exploit - Works up to iOS 3.1.3
 * Malformed CFF Vulnerability - Works up to iOS 4.0
 * T1 Font Integer Overflow - Works up to iOS 4.3.3

Information
The load address is at 0x41000000 (same as the S5L8920).

Boot Chain
Bootrom->LLB->iBoot->Kernel->System Software

The entire boot chain (except the bootrom) resides on NAND flash, rather than partly on NOR flash as in earlier devices. This is the only major difference from the S5L8920 used in the iPhone 3GS.