pod2g has updated his blog with more details on how the Corona untether actually works. If the deep inner workings of exploits such as this interest you, it's definitely something you'll want to check out.
Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.
Now you got it, Corona is an anagram of racoon :-) .