Minus 0x400

This was the first openly available exploit found in Bootloader 3.9

Credit
iPhone Dev Team

Exploit
The first 0x400 bytes aren't written until the signature verifies. So start writing 0x400 bytes earlier :-)