init: Issue a wipe on boot if trade-in mode was active.

This modifies first-stage init to check for /metadata/tradeinmode/wipe
as soon as /metadata is mounted. If the file exists, we issue a request
to the bootloader to reboot to recovery and wipe /data. Since this also
wipes /metadata, the wipe indicator will be removed too.

In case some kind of failure happens in recovery, this also implements a
quick-and-dirty counter mechanism to fallback to the recovery menu.

Bug: 307713521
Test: touch /metadata/tradeinmode/wipe && adb reboot
Change-Id: I2d05903cadcdadf9c05f6736454db790a9e6b5bb