
Hence why I said it was more complex and expensive; if you are going to quote someone, please do so in full. Additionally, NAND doesn't have an "API". NAND mirroring works by desoldering the memory, hooking it up to a device and mirroring it to another chip by flagging the mirroring bit.

There are other ways to attack hardware; you do not need to get a SEM (or AFM for that matter). Devices that probe transistors on a microscopic level exist in the industry (e.g. http://www.tek.com/sites/tek.com/files/media/document/resour...), hence the more complex and expensive part.



The tool you linked to actually requires an SEM.

Also, you cannot "desolder" the secure enclave and hook it up to a "mirroring" device. That attack requires the NAND to be encapsulated in a desolder-able memory chip that supports reading out state. Not the case with a secure enclave.


The NAND is encapsulated in a desolderable memory chip that supports reading out state. There's an anti-replay counter, but supposedly that's just stored in another external NOR flash chip with the Secure Element having no onboard flash storage at all - the process Apple builds their chips on doesn't support on-chip flash memory even if they wanted it.


Interesting. What's your source? Apple's whitepaper suggests otherwise, to my reading:

"The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing."[1]

What this says to me is that while rewritable data storage is indeed kept in regular commodity flash memory chips, it's all encrypted by a unique device-specific key that is somehow burned into the secure enclave. So that one little secret kept inside the enclave would allow it to store everything else off-chip.

[1] https://www.apple.com/business/docs/iOS_Security_Guide.pdf


That unique device-specific key provides no protection against replay attacks. So in practice, the newer Apple devices don't appear to provide any more protection against an attacker with physical access than the one that the FBI just cracked - they should be able to get everything they were demanding in their warrant without Apple's help on any iPhone.


Maybe I don't understand what you mean by "replay attack" in this context, but the secure enclave does in fact provide protection against brute forcing passcodes. It is detailed in Apple's security whitepaper (see p12). Basically, you have to give the passcode to the secure enclave to get the data decryption key which is derived from the device-specific key contained therein. And the enclave enforces time delays between wrong guesses.

If you can envision a procedure for hacking around this I would love to hear it.
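A toy model of the unlock flow the comment above describes, added here as an illustration and not Apple's code: the data key is tangled with a device-specific UID that never leaves the enclave object, and the enclave keeps the failed-attempt counter itself and refuses further guesses during a lockout. The UID, data key and lockout schedule are constructed for the example; the real schedule is not taken from this thread.

```python
import hashlib
import hmac

# Assumed illustrative lockout schedule: seconds of delay imposed after the Nth
# consecutive wrong guess (index = failure count, capped at the last entry).
LOCKOUT_AFTER_FAILURE = [0, 0, 0, 0, 0, 60, 300, 900, 900, 3600]


class EnclaveModel:
    """Toy secure-enclave model: the UID never leaves the object, the failed-attempt
    counter lives inside it, and callers only ever receive a data key or a refusal."""

    def __init__(self, uid: bytes, clock):
        self._uid = uid              # device-specific secret, fused at manufacture
        self._clock = clock          # monotonic seconds source (injected for testing)
        self._failures = 0           # held inside the enclave, not in external flash
        self._locked_until = 0.0

    def _tangle(self, passcode: str) -> bytes:
        # Key-encryption key derived from passcode AND UID: computable only on this device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, 100_000)

    def enroll(self, passcode: str, data_key: bytes) -> bytes:
        """Wrap a 32-byte data key; the returned blob is what lives in commodity flash."""
        kek = self._tangle(passcode)
        wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        tag = hmac.new(kek, wrapped, "sha256").digest()   # lets a wrong guess be detected
        return wrapped + tag

    def unwrap(self, passcode: str, blob: bytes):
        """Return (data_key, status). A wrong guess bumps the counter and sets a delay."""
        now = self._clock()
        if now < self._locked_until:
            return None, "throttled"
        kek = self._tangle(passcode)
        wrapped, tag = blob[:32], blob[32:]
        expected = hmac.new(kek, wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            self._failures += 1
            idx = min(self._failures, len(LOCKOUT_AFTER_FAILURE) - 1)
            self._locked_until = now + LOCKOUT_AFTER_FAILURE[idx]
            return None, "wrong passcode"
        self._failures = 0
        return bytes(a ^ b for a, b in zip(wrapped, kek)), "ok"
```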


Nanoprobes do not require an SEM to function; the SEM is only used to set up the probes initially. SEM probing is different: SEM probing works because when the circuit is active the electrons emitted from the SEM will pile on the gates to balance out the charge. Nanoprobes hook up wires directly to the components and can measure voltage and capacitance to gain the exact state; this is effectively hooking up an oscilloscope at the transistor/logic gate level. These probes are constantly used in the industry during development and can read anything in the silicon, and it doesn't matter if you store the secrets in NAND or any type of NVRAM or build some unique deterministic array for each chip (which Apple obviously won't do since it will require a unique stencil for each processor, which will make a single A7 chip cost as much as a jet). If you have access to the silicon there is nothing anyone can do; taking out the private key from a FIPS certified hardware token that isn't vulnerable to side channel attacks can cost as little as 10,000 dollars depending on the ASIC in question. In fact, to some extent the secure enclave can make physical attacks easier since you know what to focus on and you do not have to reverse engineer the entire SOC but rather a single component.

Today pretty much anyone can buy a probing station[0]; these range from several thousands of dollars for very basic ICs (such as ones used on cheap smart cards) to hundreds of thousands or millions of dollars for something that can probe, say, any modern CPU/SOC.

Probing stations are used by chip manufacturers and designers, and quite often they are also used in the post production QA process where completed packages will be depackaged and inspected using probes. This isn't "rocket science"; there are plenty of people trained to operate such devices, and the NSA is more than capable of hiring engineers from the semiconductor industry and contracting the most advanced probes out there to look into any chip they want. Heck, the NSA could easily afford cryonic probes which allow you to cool down the IC to very low temperatures. This isn't only required to fully probe certain ICs that could easily be fried without sufficient cooling, but also to execute cryonic attacks in which you cool down specific parts of your IC to a very specific temperature, one for example that could allow the IC to read from its memory but where write operations would fail. In this case, for example, it might enable a party to attack the secure enclave, which will generate keys but will be unable to store the failed attempts counter in its own private memory.

[0] https://en.wikipedia.org/wiki/Mechanical_probe_station

Apple isn't magic, I know you like to think it is, but you really don't seem to grasp just how many types of physical attacks there are on ICs.



