dd operation not permitted, how to escape sandbox?

I don't have a sacrificial computer to test this on, but I think you're running into the System Integrity Protection feature in El Capitan. Mostly, what SIP does is prevent you (even as root) from modifying system areas of the disk (/System, /sbin, /bin, most of /usr, etc.), messing with system processes, loading improperly signed kexts, etc. But in order to enforce that protection of system folders, it also prevents raw writes to the device the system volume is on. Yes, even if you're root (that's the point -- it's to limit the damage from malware that gets root access).

I think this limit won't apply in recovery mode. Hold Command-R as the computer starts, and it'll boot from a hidden emergency partition. Open Terminal (it's under the Utilities menu), and try the dd from there. dd might not exist on the recovery system (it's pretty minimal), but you can use /Volumes/Macintosh\ HD/bin/dd instead. You won't need sudo, you're already root.

If that doesn't work, try disabling SIP with csrutil disable, then rebooting normally (see Apple's doc on configuring SIP). Then, when you're done, I'd recommend reenabling it -- it's a useful security feature.
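A pre-flight check built on the explanation above, added here as an example and not part of the original answer: it reports whether a dd target sits on the same whole disk as the booted system volume while SIP is enabled, which is the case the answer says is refused. The function names and sample text are constructed; it assumes `csrutil status` prints "System Integrity Protection status: enabled." and that `diskutil info /` has a "Part of Whole:" line.

```shell
#!/bin/sh
# Inputs are passed as text so the logic runs offline. On a Mac you would use:
#   dd_preflight "$(csrutil status)" "$(diskutil info /)" /dev/rdiskN

# Constructed sample output (trimmed), not captured from a real machine.
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'
SAMPLE_DISKUTIL='   Device Identifier:        disk0s2
   Device Node:              /dev/disk0s2
   Part of Whole:            disk0'

# True if the `csrutil status` text reports SIP as enabled.
sip_enabled() {
    printf '%s\n' "$1" | grep -q 'System Integrity Protection status: enabled'
}

# Whole-disk name (e.g. disk0) of the volume described by `diskutil info` text.
boot_whole_disk() {
    printf '%s\n' "$1" | sed -n 's/^ *Part of Whole: *//p' | head -n 1
}

# Reduce /dev/rdisk0s2, /dev/disk0s2 or disk0 to the whole-disk name disk0.
whole_disk_of() {
    printf '%s\n' "$1" | sed -e 's|^/dev/||' -e 's/^r//' -e 's/s[0-9][0-9]*$//'
}

# Args: csrutil text, diskutil text, dd target. Returns 1 when the raw write
# is expected to fail with "Operation not permitted".
dd_preflight() {
    target_disk=$(whole_disk_of "$3")
    boot_disk=$(boot_whole_disk "$2")
    if [ "$target_disk" != "$boot_disk" ]; then
        echo "ok: $3 is not on the boot disk ($boot_disk)"
        return 0
    fi
    if sip_enabled "$1"; then
        echo "blocked: $3 is on the boot disk ($boot_disk) and SIP is enabled"
        return 1
    fi
    echo "warning: SIP is disabled and $3 is on the boot disk ($boot_disk)"
    return 0
}

dd_preflight "$SAMPLE_CSRUTIL" "$SAMPLE_DISKUTIL" /dev/rdisk0s2 || true
```
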
