Many years ago, folks figured out how to crack firmware and find embedded keys. Since then, there have been many technological advances, like secure enclaves, private/public key workflows, attestation systems, etc. to avoid this exact thing.

Hopefully, the Rabbit folks spec’d a hardware TPM or secure-enclave as part of their design, otherwise no amount of firmware updating or key rotation will help.

There’s a well-established industry of Android crackers and this sort of beating will keep happening until morale improves.