Minus 0x400

From The Apple Wiki

This was the first openly available exploit found in Bootloader 3.9

Credit

iPhone Dev Team

Exploit

The first 0x400 bytes aren't written until the signature verifies. So start writing 0x400 bytes earlier :-)