The pathway is obvious- build a signed image that lets you guess unlimited passwords at maximum speed. Apple doesn't have to do it to make it apparent it would work. The avenue is already in use:
As many jailbreakers are familiar, firmware can be loaded via Device Firmware Upgrade (DFU) Mode. Once an iPhone enters DFU mode, it will accept a new firmware image over a USB cable.
The special "backdoor" Apple has access to:
Before any firmware image is loaded by an iPhone, the device first checks whether the firmware has a valid signature from Apple. This signature check is why the FBI cannot load new software onto an iPhone on their own — the FBI does not have the secret keys that Apple uses to sign firmware.
As many jailbreakers are familiar, firmware can be loaded via Device Firmware Upgrade (DFU) Mode. Once an iPhone enters DFU mode, it will accept a new firmware image over a USB cable.
The special "backdoor" Apple has access to:
Before any firmware image is loaded by an iPhone, the device first checks whether the firmware has a valid signature from Apple. This signature check is why the FBI cannot load new software onto an iPhone on their own — the FBI does not have the secret keys that Apple uses to sign firmware.
http://blog.trailofbits.com/2016/02/17/apple-can-comply-with...
As for "the attack firmware could leak"- well, so could the signing keys.