Generally the password is not a part of the encryption key - if it was then changing the password would render the device unreadable and not being able to change passwords is a bad idea.
At some point in the code there must be a "does this password match" function and "all" a hacker has to do is to change this code to always return true. The encryption keys must be on the device somewhere, however a small amount of private persistent memory is common in such devices and it will be stored in there and not accessible to anything other than the control chip itself.