Heck, the FBI could also disable writes to the chip, or simply interpose some logic that pretends to write, but actually doesn't (a non-write-through cache :-) ).
That is, if the secrets in question are on that NAND chip.
Heck, there are probably 20 companies with a Silicon Valley zipcode that could do that work, then. And a few in LA. I know people who could do this in their garage (and that's not hyperbole).
That would rather defeat the point of this whole fake political-judicial spin effort. Teh terrorists already destroyed their personal phones that had actual terror secrets. These work phones, which could have been confiscated by San Bernardino County at any time, are vanishingly unlikely to yield months-old information of any sort.
They already retrieved a ton of info from a month or so old iCloud backup. The FBI has a good idea what might be on the phone, but they aren't saying what they already found.
If someone with the necessary equipment were to document the process of attaching the write-blocker an iPhone of the same make and model, and successfully logging in on the 11th try, it could go a huge way towards illustrating to the general public what this case is really about.
Might not be bad exposure for a security startup, either.
They aren't, the key is burned into the chip. You could decap it and try and get at it that way, but that also runs the risk of destroying it and losing all hope of data recovery.
No, all iOS devices have hardware keys. Newer devices have the Secure Enclave which is a separate chip that stores hardware ID and does the actual encrypting/decrypting.
Sure, but if all of the state is on the NAND flash, you can nearly trivially bypass all the retry restrictions with a hardware-level snapshot. There's nothing on the SOC that's persistent. Boom, done, and the FBI is exposed as a pack of idjits. (Of course, this is not about the single phone, and never has been. But let's continue that fiction for the sake of argument).
That is, if the secrets in question are on that NAND chip.