FI2 is encoded using AES, no chances to bruteforce key...
Assuming they didn't mess up in some way. It is certainly possible that a firmware update will be no help. It is also possible that it will give a useful clue. (yes, that wouldn't be strictly bruit force, but being able to apply more computer power to the problem can help)
Factory mode could be entered using USB command, but it's needs investigation.
Do you know this, or is it speculation. My observation is that factory mode switches the USB to a different configuration.
First problem - we don't know USB command and needs to find it out, and second - we will need to exit factory mode somehow...
If such a USB command exists in non-factory mode, you should be able to find it by disassembling ROM from existing cameras.
Exiting factory mode shouldn't be a problem once you have code running, there's an eventproc for that (ClearFactoryMode worked on my a540, and exists in recent dryos cameras), and failing, with a ROM dump you can find the correct location in ROM to write to clear it off.
There is also the SCRIPT disk system for canons builtin scripting which might be worth investigating. It is encoded AFAIK, but it's possible that they neglected to update it. Canon script should be able to execute event procs, which would be enough to get a ROM dump. If that fails, it's a good candidate for buffer overflows. See the LoadScript eventproc and references to A/autotest.m