[Matt3o12_]

Do you have any source for that information? I am very interested in that as well but couldn't find any information regarding that so far.

I have always thought (though without any source) that they re-flashed the iPhone by putting it into the DFU mode (and tricking the iPhone bootloader into accepting their key) and then just brute force the key.

[ghostly_s]

There is no scenario which allows re-flashing a device from DFU while retaining user data. This only appears to work in typical user scenarios because iCloud or iTunes creates a backup from the unencrypted device as a first step before flashing it.