Dude_

  • 'NAND mirroring' could let FBI break into iPhone without Apple's help, researchers say

    Nicely written article that seems to omit the OBVIOUS. NAND mirroring only replaces the data on the phone. All of the security is located in the processor, this according to Apple's documentation. So while you may be able to save the data after the try and wipe process, this process does nothing to restore the phone access functionally. From what I understand, once the 10-try counter reaches 10 the phone will always wipe data from the phone even if a successful passkey is entered via the GUI. Restoring the phone access is what decrypts the data without knowing what the encryption key is. Altering the processor has its own hazards given that there are hash signed certificates that ensure that only authorized and unaltered code is executed. Apple's security white paper states that the security features are stored in the boot ROM with keys burnt into the ROM at the factory. Much of this information is also stated in court documents provided by the FBI. Then there's the very simple question: NAND mirroring is such a simple process that it boggles one's mind to think that the FBI hasn't thought of doing this, given that the San Bernardino phone is not the first phone the FBI has that they can't unlock. BTW, court documents state that the iOS is 9, not 8, but the phone processor does not have a secure enclave. A secure enclave only makes the processor more secure, not the data on the NAND chip.

    The process that seems to be most viable is the delayering of the processor to expose the encryption key, and the key itself might be encrypted. The problem: you get one shot. The FBI has also mentioned the Israeli firm Cellebrite, a well-recognized firm that has developed software to hack other iPhones without altering the phone in any way. The OS noted by the FBI in court documents is iOS 4.



