From the Judge's request and Tim Cook's response, it looks like the updated OS with the backdoor would no longer wait after each passcode try, and would allow inputting a passcode through WiFi. That allows remotely bruteforcing the passcode.
I would guess that that passcode encrypts the phone, which is why they can't decrypt it.
There's probably more to it (otherwise, they could copy the encrypted data elsewhere to bruteforce it, in which case it would all be a show from the FBI and their real target is other phones).
I'll agree that the ability to update the firmware without the phone being unlocked is poor design on Apple's part. Given the security flaws they've had in the past, this one seems genuine.
You make a very good point: why do they even need to update the firmware? Surely, just cloning the phone's encrypted memory should be possible? (I have no knowledge of hardware at all, but I would have thought that the data is stored on a memory chip somewhere in a phone, and it should(?) be possible to copy the data from that chip to process it offline?)
In some of the other threads on this topic there were very many explanations why that is not possible.
At root of it is that even with a flash memory image, brute-forcing AES-256 is impossible. And the key is key fused into the processor and no software or firmware can read it directly.
I would guess that that passcode encrypts the phone, which is why they can't decrypt it.
There's probably more to it (otherwise, they could copy the encrypted data elsewhere to bruteforce it, in which case it would all be a show from the FBI and their real target is other phones).
I'll agree that the ability to update the firmware without the phone being unlocked is poor design on Apple's part. Given the security flaws they've had in the past, this one seems genuine.