I’m curious how their brute force attack can even run - since iOS flips its lid after only a few incorrect attempts...
That's what GrayKey's and Cellebrite's hacks do: they get rid of the flipping lid. It allows an unlimited number of brute attempts at guessing the passcode within the interior limited speeds allowed by the Secure Enclave Encryption processor. The delays between attempts are also bypassed. I believe the internal delay is a little over one second between attempts.
Both use a list of most common passcodes to begin with, such as 1234, 4321, the corner numbers, the cross pattern, diagonals plus zero, etc., then move on to known information about the suspect such as birthdays, anniversaries, etc., input by the authorities, then move on to other known patterns people like to use. They then go to brute force.