Great writeup.
I haven't seen products that use geofences to verify debug flags. Would it be possible to spoof this using a fake GPS e.g. with SDR?
Sure, GPS SDR Sim[1] works just fine. You will want to be in an RF chamber of some kind not only to prevent the terminal from seeing natural GPS signals, but also to prevent you from screwing up the GPS in nearby satnav systems. Also because broadcasting on those bands on public airwaves is illegal as a private citizen.
Of course putting your satellite antenna inside of a RF chamber also prevents it from working, so this may not be a viable long term strategy. Plus the terminal is undoubtedly using the GPS coordinates to calculate the antenna steering profile so you won't be able to lock on if your GPS is wrong. But since all they want to do is enable access to dump the firmware this probably isn't an issue.