by jd007 2933 days ago
The San Bernardino case involved an older device though, the 5C (which came out in 2013), which did not have the dedicated security module (Secure Enclave) at all.

As far as I know, there is no confirmation on whether Apple (or anyone) could flash new firmware to the Secure Enclave, without the user passcode, without wiping data on the phone. This info is strangely missing from the official iOS Security Guide document. If anyone has more info on this please share.

There are some (unsubstantiated IMO) claims by people online (e.g. https://blog.trailofbits.com/2016/02/17/apple-can-comply-wit...), and a series of Tweets with an ex-Apple security engineer (https://twitter.com/JohnHedge/status/699882614212075520), but nothing official. SEP firmware definitely can be upgraded without a key wipe (as confirmed by the Tweets as well as regular usage of iOS), but it's unsure if it can be done without the user passcode. iOS does prompt the user for the passcode when performing OS updates (which is also the delivery mechanism for Secure Enclave firmware upgrades). I don't know whether this is a UX-level security check only or actually a hardware-level required step.

1 comments

This isn't proof, but food for speculation: Given that you have to disable the iCloud "Find My Device" feature on an iPhone as part of the steps Apple requires to be willing to take a device for recycling, I would assume that that setting being on prevents them from doing any automatic wiping/updating of your phone without your passcode, even in DFU mode. (For, surely, if they had the capability, they'd simply use it at the recycling centre, and thereby streamline the recycling workflow.)
I highly doubt they would put those methods in the hands of people working at recycling centers. I feel like if, and that's a big if, they have that kind of capability, it would be reserved for special-case uses. I mean really special-case uses.
Keep in mind that "recycling centre" here refers to an intake channel at their own factories; and that the firmware side of the recycling process isn't done by a technician themselves, but by a specialized "sanitizer" unit that the tech plugs the phone into. (Picture a disk degausser, but with a slot for a phone rather than a hard disk. Something heavy enough that you can't simply walk away with one!)

Is it hard to believe that, if iOS devices had a mode "deeper than DFU" that enabled control over the SEP firmware, such machines would be implemented in terms of that mode?

And I mean, it's not like I'm making this idea up. This sort of "secret hardware-level handshake between recycling/repair machines and production devices, to put said devices back into a lowest-level firmware flashing mode that bypasses all user protections" was discovered to exist on the Nintendo 3DS, and was turned into a permanent jailbreak method for those. It might be an industry-wide practice. (It's hard to tell, because even on a rooted device, you can't just "dump" the ASICs and scan them for a backdoor handshake.)

A device that can launder stolen phones regardless of security settings is still something to keep in limited circulation, even if you can't pick it up and walk away with it.