I was thinking of doing a paper for grad school on the tiff exploit of iphone 1.1.1 firmware. I was looking for more info on the hack.

I believe the TIFF file, made from code similar to this: http://pastebin.ca/726279
puts a payload like the one shown here:
http://metasploit.com/svn/framework3...mle/vibrate.rb

This is after the buffer overflow has been achieved.

The payload opens a second AFC interface, and the rest of the jailbreak takes it from there.

What I am looking for is more info on the TIFF exploit, the payload file, and how the second AFC interface is set up.