Reply to post:

Hackers manage – just – to turn Amazon Echoes into snooping devices

EveryTime

Presumably they needed to remove, reprogram, and re-install the flash chip so that they could access the private key in that specific device's CPU or TPM. (Probably a TrustZone 'enclave'.) Without the key stored in the original CPU, the device wouldn't be recognized as a valid Echo and wouldn't be given the ability to control nearby devices.

This is an illustrative hack -- it shows that the device is pretty well locked down, and not (easily) remotely vulnerable. But the difficult problem of an unbroken chain of trust remains. In this case they trusted "already installed" software.
