I doubt that the aesengine is used for generating the password.
I assume that when the emmc is locked the AES enging is unusable.
In that case it would also be very hard for the gateway-team to do an unlock.
The password can also depend on the serialnumber of the 3ds or it may be just a common key
It also can be a random key which makes an unlock very hard. ( only bruteforce )
I doubt it to be a random password, as GW stated (condensed and paraphrased) "If you should brick legit, we'll unbrick. Please also send a NAND dump if possible." -> they can unlock without the dump, but it's more complicated for them or they just want the ability to fix corruption type bricks, too.
If it is a console specific non random password that can be generated even from a locked device there aren't that many options, as NAND content for example would be a no go.
Strongest contender in my opinion would be the CID (the unique eMMC serial number), as it's available even on locked devices and you get it in the eMMC startup sequence anyways (some other tempers speculated it to be the CID too if i remember correctly).
And yeah: you can't use the AES system on a bricked 3DS, as you can't execute code on it (at least I'm not aware of some kind of NAND independent recovery mode).
But you can use the AES engine of an unbricked 3DS, you could even set up an automatic unlocking station: microcontroller based tool reads bricks eMMC status (and perhaps console specific information), sends data to working 3DS running custom AES crunch code (e.g. via IR based UART), working 3DS sends AES result back to microcontroller, microcontroller does the unlock.
Still that would be way more difficult than simply doing a force erase and flashing the dump back.
edit: Easiest possibility would be a fixed, open, console independent password though.
So let's keep or fingers crossed for that one.