
"So far no one has demonstrated a fully working hardware-based NAND mirroring attack on iPhone 5c. Therefore, this paper is aimed at demonstrating the feasibility of such a process."

After disassembling the iPhone and removing the NAND chip, the researcher wired the chip to a connector and verified that he could eavesdrop on all NAND communication. That process was not easy: Skorobogatov encountered several signal integrity issues that prevented the phone from booting properly. He addressed those problems in hardware, for example by inserting small termination resistors on all signal lines. Once he had confirmed that everything was working, the researcher captured all of the NAND chip's commands so that he could write its contents correctly to a backup NAND chip.

"Once the phone is powered up and the screen is slid the passcode can be entered six times until the delay of one minute is introduced again. Then the process of mirroring from backup can be repeated again and again until the correct passcode is found. On average each cycle of mirroring for six passcode attempts takes 90 seconds. Hence, a full scan of all possible 4-digit passcodes will take about 40 hours or less than two days."

You can view a demonstration of the method below:

https://www.youtube.com/watch?v=tM66GWrwbsY

Okay, so if this method could work on an iPhone 5c, why didn't the FBI try it? Matthew Green, a computer science professor and cryptographer at Johns Hopkins University, thinks the FBI might have been deterred by the possibility of damaging the terrorist's data beyond repair. As quoted by WIRED magazine:
"Everyone I know who was trying it couldn't get past the fact that it required incredible soldering abilities. You could fry the chip."

As of this writing, the FBI has not yet commented on Skorobogatov's research.
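The cost model quoted above (six passcode attempts per mirroring cycle, about 90 seconds per cycle) is easy to check with a small simulation. The following Python is an added example written for this page; it is not Skorobogatov's code or anything from his paper. It models a phone whose failed-attempt counter lives in NAND that the attacker can image and write back, runs the mirror-and-retry loop, and derives the time budget for 4-digit and, going beyond the passage, 6-digit passcodes at the same rate. The `Phone` class, the SHA-256 stand-in for the passcode check, and the assumption that the phone simply refuses further attempts until the counter is reset are simplifications of mine; the real device's key derivation and delay schedule are not reproduced.

```python
"""Toy simulation of the NAND-mirroring passcode attack.

Added example for this page, not code from the paper. The phone model and
the passcode check are assumptions made for illustration.
"""
import hashlib
import itertools
import math

# Figures from the quoted passage: six tries per mirroring cycle, ~90 s per cycle.
ATTEMPTS_PER_CYCLE = 6
CYCLE_SECONDS = 90


class Phone:
    """Simplified phone (assumed model, not iOS).

    The failed-attempt counter is kept in `nand`, a dict standing in for the
    flash chip. That placement is the property the attack relies on: an
    attacker who can image and rewrite the chip can reset the counter.
    """

    def __init__(self, passcode: str):
        # Stand-in for the real hardware-bound passcode check.
        self._digest = hashlib.sha256(passcode.encode()).hexdigest()
        self.nand = {"fail_count": 0}

    def try_passcode(self, guess: str) -> bool:
        if self.nand["fail_count"] >= ATTEMPTS_PER_CYCLE:
            # On the real device this is the one-minute delay; here it is
            # modelled as a hard refusal until the counter is brought back down.
            raise RuntimeError("too many failed attempts; delay in force")
        if hashlib.sha256(guess.encode()).hexdigest() == self._digest:
            return True
        self.nand["fail_count"] += 1
        return False


def mirror_attack(phone: Phone, digits: int = 4) -> dict:
    """Brute-force the passcode, writing the NAND backup back every six tries
    instead of waiting out the delay. Returns the passcode and the cost."""
    backup = dict(phone.nand)               # image taken once, after wiring up the chip
    cycles = restores = 0
    tries_this_cycle = ATTEMPTS_PER_CYCLE   # forces a fresh cycle on the first try
    for digit_tuple in itertools.product("0123456789", repeat=digits):
        guess = "".join(digit_tuple)
        if tries_this_cycle == ATTEMPTS_PER_CYCLE:
            if cycles:                      # every cycle after the first starts with a restore
                phone.nand = dict(backup)
                restores += 1
            cycles += 1
            tries_this_cycle = 0
        tries_this_cycle += 1
        if phone.try_passcode(guess):
            return {"passcode": guess, "cycles": cycles, "restores": restores,
                    "seconds": cycles * CYCLE_SECONDS}
    return {"passcode": None, "cycles": cycles, "restores": restores,
            "seconds": cycles * CYCLE_SECONDS}


def worst_case_hours(digits: int) -> float:
    """Hours needed to exhaust every passcode of the given length at the paper's rate."""
    cycles = math.ceil(10 ** digits / ATTEMPTS_PER_CYCLE)
    return cycles * CYCLE_SECONDS / 3600


if __name__ == "__main__":
    print(mirror_attack(Phone("0042")))
    for n in (4, 6):
        print(f"{n}-digit worst case: {worst_case_hours(n):.1f} hours")
```

For the constructed passcode 0042 the loop needs 8 cycles (7 restores, 720 seconds), and the worst case for four digits comes out at 1,667 cycles, about 41.7 hours, consistent with the paper's "about 40 hours". The same arithmetic puts a six-digit passcode at roughly 4,170 hours; that figure is derived here, not stated in the passage. Without the restore step the model refuses the seventh attempt, which is the behaviour the mirroring defeats: the loop only works because the counter sits in storage the attacker can read and rewrite.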