You're missing the point. They don't need to input a pin. There's no phone involved in the process at all. They image the memory and put it on some server for processing. If there's an intermediary step, like an HSM, it is not difficult for something like the NSA to emulate.
You claim the contents of memory are encrypted with a 4-digit PIN; I'm telling you this is false, they're encrypted with a 256-bit key held inside the HSM [0]. It matters because a 4-digit AES key is indeed trivial to crack but a 256-bit key is not.
I'm not sure you understand what an HSM is. It doesn't help to "emulate" one. An HSM performs cryptographic operations under certain conditions (such as correct PIN entry) using internally stored keys. The whole point is that you can't get the keys out, only use them. If you had another HSM, or a logical model of one, it wouldn't contain the right keys.
Certainly as engineered systems, it's possible for HSMs to contain vulnerabilities, but getting the key out of an HSM is a much more sophisticated task than cracking a keyspace of just 10,000 possibilities. Possible, maybe.
You can't. Crypto is done on a separate piece of silicon and dumping memory or NAND will get you nothing but scrambled bits.
From a cold boot user data is not loaded into memory until a correct pin has been entered once, and since A5 nobody has managed to compromise their bootchain it is not really viable to exploit either.
To break such a system is not impossible, but would require some heroic effort, even nation states would probably resort to some side channel or the proverbial five dollar wrench.
You give the HSM the pin, it returns the key used to encrypt the data, applying the rules to that interaction with you. Emulating the HSM doesn't help since it is that phone's specific HSM with the key it knows that you need to access.
