Both of these checks seem to rely on the device playing along nicely. During the setup process it can just pretend to be empty, and completely ignore the uploaded firmware. Similarly, the warning sign depends on the device to show it - which the article mentioned was patched out by the attacker.