Forum name: Performance/Engine
Topic subject: Fun ECU facts and developments
Topic URL: http://forums.2gnt.com/dcboard.php?az=show_topic&forum=5&topic_id=138748&mesg_id=138748
138748, Fun ECU facts and developments
Posted by DarkOne, Dec-31-69 06:00 PM
The ECU in the 2GNT / Avenger / Sebring / Stratus / Cirrus / Breeze / Neon and almost every other passenger car Chrysler made from 1996 to 2005 is an SBEC3. It's powered by a Motorola M68HC16Z2 or Z3 chip, with 2KB (Z2) or 4KB (Z3) of RAM. Most early models appear to be 16.7MHz, but the chip can run as fast as 25MHz in later variants.

The flash chip is a 256KB M28F200 or one of the many electrically compatible variants. These were originally a TI chip, I think. The one I have is an SGS-Thomson.

The ECU requires a 12V+ signal on the SCI RX line at power-on to enter bootstrap mode. In the 2G, SCI RX is in the 12-pin diagnostic port next to the OBD2 plug, and SCI TX is in the OBD2 plug itself. These are pins 65 and 75 on the 80-pin ECU harness (and may be the same across all years, I'm not sure - I've only checked 98 & 99 which are the same anyway). When 12V+ is applied to SCI RX at power-on, the processor sees CSBOOT asserted and switches to an alternate set of boot parameters. RAM is assigned to 0x00000 address (instead of 0xF8000 in normal operation) and the Masked ROM module is exposed at 0xE0000. It is 8KB long, and burned into the processor during manufacture. The code appears to have been written by Unique Design Systems in 1994 (there's a copyright string in the binary). This code defines the expected requests and responses while operating in bootstrap mode. It also negotiates baud rate based on a magic byte. Preferred rate is 62500 baud (normal speed is 7800).

Bootstrap sequence goes like:
TX 7F
RX 06 (speed is now 62500)
TX 24 D0 27 C1 (give me a security seed)
RX 26 D0 67 C1 XX XX (here, have a seed)
Solve the seed
TX 24 D0 27 C2 XX XX (seed solution)
RX 26 D0 67 C2 1F (Solution accepted)

The ECU then waits for a privileged command. The code required to initialize the ECU doesn't exist in the ECU itself and has to be supplied from an external source. The one I wrote is here: https://github.com/dino2gnt/SBECBootLoader

4C 01 00 XX XX starts the process to upload a bootloader to the ECU, where XX XX is the end address, e.g. the size of the bootloader image + 256 bytes (because it starts at 0x100). When the image is completely sent, 47 01 00 tells the bootstrap code to JMP to 0x100 and execute the code there. If the transition is successful, we echo back 47 01 00 22. Now the ECU is running your bootstrap code.

The "stock" bootstrap process uses a small bootloader to provide initialization and a running environment, but itself contains no functionality. It relies on small binary "workers" that are uploaded separately to do the real work, for example to read back, erase and rewrite the firmware, or to reset the VIN, or to fetch the part number.

I wrote a small kernel that can initialize the ECU and dump the firmware from the flash chip. Here's a manual '99 Eclipse ECU firmware:
https://nawdu.de/files/bins/05293190AC.bin
And one from my '97 manual Talon:
https://nawdu.de/files/bins/05293013AC.bin

Reprogramming requires providing +20V on SCI RX, which overcomes an internal Zener diode to switch on an SMT power regulator chip, which provides the +12V reprogramming voltage to the flash chip controller. In Chrysler's patent docs, they lay out requirements for fast < 1mS switching times and fast voltage stabilizations for the supply voltage, but I think it's all nonsense. I'm providing power with a 24V DC PoE injector turned down to 20V with a Chinesium buck converter board and switching it with an honest to god mechanical relay board from Amazon off the UART's rts pin. It works ¯\_(ツ)_/¯

Here's the processor datasheet:
https://www.2gnt.com/documents/DarkOne_MC68HC16Z4UM.pdf

The flash chip datasheet:
https://www.2gnt.com/documents/DarkOne_flash-chip-datasheet-2.pdf

The CPU16 reference manual:
https://www.2gnt.com/documents/DarkOne_CPU16RM-1.pdf
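
Added example (not part of the original post and not code from SBECBootLoader): a small auditor for a captured SCI session that labels the bootstrap frames listed above and reports whether the session got as far as unlocking the ECU and starting uploaded code. The 16-bit big-endian reading of the upload end address is an assumption, the function names are hypothetical, and the sample capture is constructed with placeholder seed bytes and the image payload left out.

```python
# Added example, not from the original post. Frame patterns are the ones the
# post lists; reading the upload end address as 16-bit big-endian is an assumption.
LOAD_BASE = 0x100  # per the post, the uploaded image starts at 0x100

# (direction, fixed prefix, total frame length in bytes, label)
PATTERNS = [
    ("TX", "7F", 1, "baud magic"),
    ("RX", "06", 1, "baud ack"),
    ("TX", "24D027C1", 4, "seed request"),
    ("RX", "26D067C1", 6, "seed"),
    ("TX", "24D027C2", 6, "seed solution"),
    ("RX", "26D067C21F", 5, "solution accepted"),
    ("TX", "4C0100", 5, "upload start"),
    ("TX", "470100", 3, "execute"),
    ("RX", "47010022", 4, "bootloader running"),
]

def classify(direction, frame):
    """Label one hex-encoded frame, or return 'unknown'."""
    data = bytes.fromhex(frame)
    for d, prefix, length, label in PATTERNS:
        if d == direction and len(data) == length and data.startswith(bytes.fromhex(prefix)):
            return label
    return "unknown"

def audit(capture):
    """Walk a capture; report how far the session got and any out-of-order frames."""
    report = {"unlocked": False, "image_size": None, "code_running": False, "anomalies": []}
    for n, (direction, frame) in enumerate(capture):
        label = classify(direction, frame)
        if label == "solution accepted":
            report["unlocked"] = True
        elif label in ("upload start", "execute") and not report["unlocked"]:
            report["anomalies"].append((n, label + " before unlock"))
        elif label == "upload start":
            end = int.from_bytes(bytes.fromhex(frame)[3:5], "big")  # assumed byte order
            report["image_size"] = end - LOAD_BASE
        elif label == "bootloader running":
            report["code_running"] = report["unlocked"]
        elif label == "unknown":
            report["anomalies"].append((n, "unknown frame " + frame))
    return report

# Constructed capture: seed (12 34) and solution (AB CD) are placeholders, and
# the image payload between "upload start" and "execute" is omitted.
SAMPLE = [("TX", "7F"), ("RX", "06"), ("TX", "24D027C1"), ("RX", "26D067C11234"),
          ("TX", "24D027C2ABCD"), ("RX", "26D067C21F"),
          ("TX", "4C01000300"), ("TX", "470100"), ("RX", "47010022")]

if __name__ == "__main__":
    print(audit(SAMPLE))
```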