Forum name: Performance/Engine
Topic subject: Fun ECU facts and developments
Topic URL: http://forums.2gnt.com/dcboard.php?az=show_topic&forum=5&topic_id=138748
138748, Fun ECU facts and developments
Posted by DarkOne, Dec-31-69 06:00 PM
The ECU in the 2GNT / Avenger / Sebring / Stratus / Cirrus / Breeze / Neon and almost every other passenger car Chrysler made from 1996 to 2005 is an SBEC3. It's powered by a Motorola M68HC16Z2 or Z3 chip, with 2KB (Z2) or 4KB (Z3) of RAM. Most early models appear to be 16.7MHz, but the chip can run as fast as 25MHz in later variants.

The flash chip is a 256KB M28F200 or one of the many electrically compatible variants. These were originally a TI chip, I think. The one I have is a SGS-Thomson.

The ECU requires a 12V+ signal on the SCI RX line at power-on to enter bootstrap mode. In the 2G, SCI RX is in the 12-pin diagnostic port next to the OBD2 plug, and SCI TX is in the OBD2 plug itself. These are pins 65 and 75 on the 80-pin ECU harness (and may be the same across all years, I'm not sure - I've only checked 98 & 99 which are the same anyway). When 12V+ is applied to SCI RX at power-on, the processor sees CSBOOT asserted and switches to an alternate set of boot parameters. RAM is assigned to 0x00000 address (instead of 0xF8000 in normal operation) and the Masked ROM module is exposed at 0xE0000. It is 8KB long, and burned into the processor during manufacture. The code appears to have been written by Unique Design Systems in 1994 (there's a copyright string in the binary). This code defines the expected requests and responses while operating in bootstrap mode. It also negotiates baud rate based on a magic byte. Preferred rate is 62500 baud (normal speed is 7800).

Bootstrap sequence goes like:
TX 7F
RX 06 (speed is now 62500)
TX 24 D0 27 C1 (give me a security seed)
RX 26 D0 67 C1 XX XX (here, have a seed)
Solve the seed
TX 24 D0 27 C2 XX XX (seed solution)
RX 26 D0 67 C2 1F (Solution accepted)

The ECU then waits for a privileged command. The code required to initialize the ECU doesn't exist in the ECU itself and has to be supplied from an external source. The one I wrote is here: https://github.com/dino2gnt/SBECBootLoader

4C 01 00 XX XX starts the process to upload a bootloader to the ECU, where XX XX is the end address, e.g. the size of the bootloader image + 256 bytes (because it starts at 0x100). When the image is completely sent, 47 01 00 tells the bootstrap code to JMP to 0x100 and execute the code there. If the transition is successful, we echo back 47 01 00 22. Now the ECU is running your bootstrap code.

The "stock" bootstrap process uses a small bootloader to provide initialization and a running environment, but itself contains no functionality. It relies on small binary "workers" that are uploaded separately to do the real work, for example to read back, erase and rewrite the firmware, or to reset the VIN, or to fetch the part number.

I wrote a small kernel that can initialize the ECU and dump the firmware from the flash chip. Here's a manual '99 Eclipse ECU firmware:
https://nawdu.de/files/bins/05293190AC.bin
And one from my '97 manual Talon:
https://nawdu.de/files/bins/05293013AC.bin

Reprogramming requires providing +20V on SCI RX, which overcomes an internal Zener diode to switch on an SMT power regulator chip, which provides the +12V reprogramming voltage to the flash chip controller. In Chrysler's patent docs, they lay out requirements for fast <1 ms switching times and fast voltage stabilizations for the supply voltage, but I think it's all nonsense. I'm providing power with a 24V DC PoE injector turned down to 20V with a Chinesium buck converter board and switching it with an honest to god mechanical relay board from Amazon off the UART's RTS pin. It works ¯\_(ツ)_/¯

Here's the processor datasheet:
https://www.2gnt.com/documents/DarkOne_MC68HC16Z4UM.pdf

The flash chip datasheet:
https://www.2gnt.com/documents/DarkOne_flash-chip-datasheet-2.pdf

The CPU16 reference manual:
https://www.2gnt.com/documents/DarkOne_CPU16RM-1.pdf
138749, RE: Fun ECU facts and developments
Posted by DarkOne, Dec-31-69 06:00 PM
Added support for writing to the internal simulated EEPROM:


$ ./ecuwriter.py --debug True --write-vin True --read-vin True
Using device /dev/ttyUSB0 at 62500 baud, 8N1
Applying 20V+ to SCI RX. Ready? y/n: n
Provide a new 17 character VIN and press Enter:1B3EJ46X4WN322751
vinBytes:314233454a34365834574e333232373531ff
Command: 5500623142
Expected response: 56006231423142
Received response: 56006231423142
Command: 5500643345
Expected response: 56006433453345
Received response: 56006433453345
Command: 5500664a34
Expected response: 5600664a344a34
Received response: 5600664a344a34
Command: 5500683658
Expected response: 56006836583658
Received response: 56006836583658
Command: 55006a3457
Expected response: 56006a34573457
Received response: 56006a34573457
Command: 55006c4e33
Expected response: 56006c4e334e33
Received response: 56006c4e334e33
Command: 55006e3232
Expected response: 56006e32323232
Received response: 56006e32323232
Command: 5500703735
Expected response: 56007037353735
Received response: 56007037353735
Command: 55007231ff
Expected response: 56007231ff31ff
Received response: 56007231ff31ff
Wrote VIN 1B3EJ46X4WN322751 to EEPROM. Read VIN back to verify.
Sending command: 500062
Sending command: 500064
Sending command: 500066
Sending command: 500068
Sending command: 50006a
Sending command: 50006c
Sending command: 50006e
Sending command: 500070
Sending command: 500072
Vehicle Identification Number from EEPROM: 1B3EJ46X4WN322751
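
An added example, not part of the original post and not code from ecuwriter.py: an offline check of the write session logged above, confirming that every write was acknowledged correctly and that the written bytes form a well-formed VIN field. The frame layout (0x55 + 2-byte address + 2 data bytes, acknowledged by 0x56 + address + the data word twice, starting at 0x0062 and ending with a 0xFF pad) is inferred from that log alone; `expected_ack` and `audit` are hypothetical names.

```python
import re

# Values observed in the session log above; their meaning is inferred from that log.
WRITE_CMD, WRITE_ACK, VIN_BASE, PAD = 0x55, 0x56, 0x0062, 0xFF
VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")  # 17 characters, never I, O or Q

# (command, received response) pairs copied from the log above
SESSION = [
    ("5500623142", "56006231423142"),
    ("5500643345", "56006433453345"),
    ("5500664a34", "5600664a344a34"),
    ("5500683658", "56006836583658"),
    ("55006a3457", "56006a34573457"),
    ("55006c4e33", "56006c4e334e33"),
    ("55006e3232", "56006e32323232"),
    ("5500703735", "56007037353735"),
    ("55007231ff", "56007231ff31ff"),
]

def expected_ack(cmd: bytes) -> bytes:
    """0x56, the 2-byte address, then the data word twice (pattern seen in the log)."""
    if len(cmd) != 5 or cmd[0] != WRITE_CMD:
        raise ValueError(f"not a 5-byte write frame: {cmd.hex()}")
    return bytes([WRITE_ACK]) + cmd[1:3] + cmd[3:5] * 2

def audit(session):
    """Return (vin_or_None, problems) for a list of (command, response) hex pairs."""
    problems, image = [], bytearray()
    for i, (cmd_hex, rsp_hex) in enumerate(session):
        cmd, rsp = bytes.fromhex(cmd_hex), bytes.fromhex(rsp_hex)
        try:
            want = expected_ack(cmd)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        addr = int.from_bytes(cmd[1:3], "big")
        if addr != VIN_BASE + 2 * i:
            problems.append(f"write {i}: address {addr:#06x} out of sequence")
        if rsp != want:
            problems.append(f"write at {addr:#06x}: got {rsp.hex()}, wanted {want.hex()}")
        image += cmd[3:5]
    if len(image) != 18 or image[-1] != PAD:
        problems.append("VIN field is not 17 bytes plus a 0xFF pad")
    vin = image[:17].decode("ascii", "replace")
    if not VIN_RE.fullmatch(vin):
        problems.append(f"not a well-formed VIN: {vin!r}")
    return (None if problems else vin), problems
```

`audit(SESSION)` returns the VIN and an empty problem list for the logged session; a single corrupted acknowledgement is reported with its address and no VIN is returned.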
138756, RE: Fun ECU facts and developments
Posted by 420agreenvilleSC, Dec-31-69 06:00 PM
holy shit, you've been busy! massive improvements in ECU tech I see! :)
138757, RE: Fun ECU facts and developments
Posted by DarkOne, Dec-31-69 06:00 PM
It's slowed down in the past couple months as I have been busy with other projects and life stuff, but there has been more progress on the ECU front in the last ~1.5 years than there have been in the previous 20 combined.
138758, RE: Fun ECU facts and developments
Posted by 420agreenvilleSC, Dec-31-69 06:00 PM
Originally posted by DarkOne
there has been more progress on the ECU front in the last ~1.5 years than there have been in the previous 20 combined.


I noticed! I'm reading through all that now. Lots of ECU related acronyms and information I'm not aware of, but I'll eventually learn it. Amazing achievement Dino, major props man!