Hacker News
by nostalgk 2344 days ago
My speculation is that it maybe tries to crack the hashed value and input that to the phone instead, rather than interfacing with the password screen.

In other words: the encryption/wipe code may be a function of the password screen, but the phone may accept a hashed key as a valid unlock attempt through a different interface that does not contribute to the failed attempts limit.

1 comment

Of course it is highly unlikely that it interfaces with the password screen. My point is that if you could extract a hash from the secure enclave, it would make much more sense to brute force it on a powerful external cluster. However, this seems not to be possible, as the decryption is only possible inside the secure enclave element unique to the device, thus decryption attempts have to be done on the device itself. GrayKey seems to have managed to circumvent the wrong attempts counter and/or the triggering of subsequent protection mechanisms.