Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: IndispensableDestiny

Yep, there is also a “timer” function built in (in addition to “ten tries & erase” function) that the FBI wanted disabled...after each passcode attempt it adds time so that after several attempts it becomes impractical to attempt a “brute force”. Also, I am pretty sure the San Bernardino Co. iPhone in question was a 5c...I believe that the 6 & 6s have stronger “anti-brute force” built into the hardware whereas the “anti-brute force” in the 5c is software based?

https://www.apple.com/business/docs/iOS_Security_Guide.pdf


79 posted on 03/28/2016 4:34:52 PM PDT by Drago
[ Post Reply | Private Reply | To 67 | View Replies ]


To: Drago
Yep, there is also a “timer” function built in (in addition to “ten tries & erase” function) that the FBI wanted disabled...after each passcode attempt it adds time so that after several attempts it becomes impractical to attempt a “brute force”. Also, I am pretty sure the San Bernardino Co. iPhone in question was a 5c...I believe that the 6 & 6s have stronger “anti-brute force” built into the hardware whereas the “anti-brute force” in the 5c is software based?

No, it also was hardware based, but just not as hardened as the later Secure Element. The A6 processor had a specialized Encryption Engine (EE) processor inside it that handled all of this that was as secure as they could make it four years ago when it was designed. They included in there the Unique Device ID and also an unreadable EEPROM where the one-way HASH would be stored, which was constructed by an algorithm inside the EE that, each time the passcode is entered, recalculates the one-way HASH, and then a comparison is made to give a go/no-go response for unlocking the device. Thus the passcode itself is undiscoverable by any outside probing.

As I posted in an earlier thread on theoretical ways to hack the iPhone, if a potential hacker could safely read the data inside the EE, recovering both the one-way HASH and the algorithm that creates it without erasing the EEPROM in the process, it should be possible to make a matrix of all possible one-way hash results from all 10,000 passcodes possible from a four digit numeric input. All the hacker would then have to do is match the stored HASH with one of the 10,000 hashes, see which passcode generated it, and Voilà, you have found the four digit passcode for the iPhone. Enter it, and the hacker has successfully unlocked the iPhone!

The key to this is "SAFELY" reading the EEPROM and the algorithm. I suspect the Israeli company has found a way to safely read those data on the A6's Encryption Engine without damaging those volatile data in the process. They have taken this long to perfect it to the point they are willing to attempt it on the subject device, which they only can have one stab at.

94 posted on 03/28/2016 5:24:36 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)
[ Post Reply | Private Reply | To 79 | View Replies ]
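As an added illustration (not code from either poster or from Apple), here is a toy model of the two protections mentioned in post 79, the "timer" and "ten tries & erase", showing how much enforced waiting each one imposes on someone entering wrong four-digit passcodes. The delay values, the class and function names, the passcode and the device key are all assumptions made up for this example; the thread gives no figures.

```python
import hashlib
import hmac

# Assumed delay (seconds) imposed after the Nth consecutive failure; the thread
# gives no figures, so these values are illustrative only.
DELAY_AFTER = {5: 60, 6: 300, 7: 900, 8: 900}
LONG_DELAY = 3600          # assumed delay after the 9th and every later failure
ERASE_AT = 10              # "ten tries & erase"

class PasscodeGuard:
    # Toy retry counter with escalating delay and optional erase (hypothetical).
    def __init__(self, passcode, device_key, erase_enabled=True):
        self._key = device_key
        self._stored = self._tag(passcode)   # only a keyed one-way value is kept
        self.failures = 0
        self.locked_until = 0
        self.erased = False
        self.erase_enabled = erase_enabled

    def _tag(self, passcode):
        return hmac.new(self._key, passcode.encode(), hashlib.sha256).digest()

    def try_unlock(self, passcode, now):
        if self.erased:
            return "erased"
        if now < self.locked_until:
            return "wait"                    # attempt refused, counter unchanged
        if hmac.compare_digest(self._tag(passcode), self._stored):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.erase_enabled and self.failures >= ERASE_AT:
            self._stored, self.erased = b"", True   # stored value destroyed
            return "erased"
        delay = DELAY_AFTER.get(self.failures, LONG_DELAY if self.failures >= 9 else 0)
        self.locked_until = now + delay
        return "wrong"

def enforced_wait(guard, wrong_guesses):
    """Return (seconds of mandatory waiting on a simulated clock, failures, erased)."""
    now = 0
    for guess in wrong_guesses:
        now = max(now, guard.locked_until)   # wait out the current lockout
        if guard.try_unlock(guess, now) == "erased":
            break
    return max(now, guard.locked_until), guard.failures, guard.erased

if __name__ == "__main__":                   # constructed passcode and device key
    wrong = [f"{i:04d}" for i in range(10000) if i != 7391]
    print(enforced_wait(PasscodeGuard("7391", b"constructed-key", erase_enabled=False), wrong))
```

With these assumed delays, the timer alone turns 9,999 wrong entries into roughly 416 days of mandatory waiting, while the erase setting ends the exercise at the tenth failure.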



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson