It's encrypted against an effectively random 128 bit AES key. Unlimited time is not enough.

The method I'm thinking of is:

1. Get a dump of the encrypted data.

2. Try to probe the hardware, potentially destroying it.

3. If the probe works, we're done. If not, put the encrypted data dump onto a fresh iPhone and repeat from step 2.

This way, you effectively get unlimited shots at an otherwise risky hardware probe.

If the encryption key didn't depend on the hardware this would work. Even the iPhone 5C that the recent court case is about relies on the hardware keeping a key secret and it doesn't contain the secure enclave. For an iPhone 5C, the encryption key is derived from the pin and a unique ID for the phone that the CPU itself can't read. The only thing that the application processor can do is perform some crypto instructions using the key, there isn't an operation that would just put the key into memory or a register that you can read from. Even if you have root and the phone in front of you with the password, there's nothing you can do short of decapping it to try to identify that key.

Unless there is weakness in the PRNG/RNG that creates the fused key in the secure enclave itself. Which is not out of question. I am not sure why FBI didn't ask apple politely how these keys are generated in the first place.

That seems excessively unlikely to me. The phone itself wouldn't have anything to seed a PRNG with, so the random number would need to come from an embedded hardware generator or a dedicated random number device in the factory, and both of those options would have huge amounts of engineering oversight.