The Pocket Dockit interface is just a TTL serial connection attached to (I think) the other UART on the processor, although I've no idea whether it's inverted or not. It's probably really easy to reverse engineer and spoof, with some basic electronics skills and a logic analyser. I know if anyone's investigated it.
It'd theoretically be possible to exploit bugs in the emailer software, if there are any, to break into the stock firmware that way even on a PBL 5.1 system. That'd be a hellish amount of work, though.