Tricky part is finding a bug in the firmware after release. If locked out, then can't update the stuff in the warehouses. Would need to scrap all parts in inventory, potentially costing hundreds if not thousands of dollars.
The logical thing to do, then, is making the firmware unaccesible once it's been used by the final user. Adding a fuse that breaks once the 5V from the user computer are sensed for the first time, for example.
How do you define "user computer"? We run a bazillion tests on our stuff during manufacturing. Stuff is plugged in/out of Windows boxes over and over on the manufacturing line.
It's hard to tell where that "last step" might be. Boxing? Shrink wrapping? Delivery to Amazon's warehouses?
Our ASICs have efuses to disable insecure firmware changes. (Need insecure fw updates during fw development.) During dev we wind up having to scrap parts because we blew the fuse prematurely.
