Do you know the process to make the hidden bootloader accessible from software? I can't really find anything in the hardware manual about it, which is probably intentional, or I'm not looking for the right terms.
On the V4.04 bootloader, the download-to-RAM command keeps the hidden addressing mode, so downloaded code should already be able to read the hidden area if V1.00 is the same. For other commands the mode is switched to normal addressing, e.g. when reading flash.
I think now I know what controls it and they've intentionally made the setting reserved. In the M16C/64A hardware manual see PDF reader page 694 (document page 661):
Flash Memory Control Register 0 (FMR0), bit 5
In the processor of my one, the M16C/62 hardware manual says (rather than being reserved):
Flash Memory Control Register 0 (FMR0):
bit 5:
0 = boot ROM area (addressing mapped to hidden flash area)
1 = user ROM area (addressing mapped to normal flash area)
If I have some free time, I'll try to write some code to see if I can read out the bootloader VER.4.04 using downloaded code.
User boot mode - another thing to look at
----------------------------------------------
I've also noticed what the ROM2 area is for: it is for user boot mode (for executing the customer's own bootloader). I am guessing the V1.00 bootloader doesn't just enter serial bootloader mode; it first checks some values inside the ROM2 area, and if they pass it executes from the start of ROM2 instead (address 0x10000).
The checks are described on page 702 (document page 669):
So to boot into user boot mode, flash a program into flash ROM2 area so that it has:
ASCII string "UserBoot" at addresses: 0x13FF0 to 0x13FF7
0x00 at addresses: 0x13FF8 to 0x13FFB
It will never enter serial mode anymore; to revert back, simply write 0xFF to those areas in ROM2, or just erase the ROM2 area.
This user boot mode could mean RAM will not be overwritten, I assume it doesn't use it and execution is directly from ROM2 area.
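
As an added example (not part of the original post and not Renesas code): a host-side check that reports whether a firmware image would place the user boot signature described above into ROM2. It assumes the image is a Motorola S-record file; the addresses and values are the ones quoted in the post, and all function names are hypothetical.

```python
# Added example: offline check of an S-record image for the user boot
# signature from the post. Addresses and values are taken from the post.
SIG_ADDR = 0x13FF0
SIG = b"UserBoot" + b"\x00" * 4   # 0x13FF0-0x13FF7 and 0x13FF8-0x13FFB
ADDR_LEN = {"S1": 2, "S2": 3, "S3": 4}   # address bytes per data record type

def load_srec(text):
    """Parse S1/S2/S3 data records into {address: byte}; verify checksums."""
    mem = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line[:2] not in ADDR_LEN:
            continue  # S0 header, S5 count, S7/S8/S9 termination, blank
        raw = bytes.fromhex(line[2:])
        count, body, cksum = raw[0], raw[1:-1], raw[-1]
        if count != len(raw) - 1:
            raise ValueError(f"line {n}: bad byte count")
        if (~(count + sum(body))) & 0xFF != cksum:
            raise ValueError(f"line {n}: bad checksum")
        alen = ADDR_LEN[line[:2]]
        addr = int.from_bytes(body[:alen], "big")
        for i, b in enumerate(body[alen:]):
            mem[addr + i] = b
    return mem

def user_boot_state(mem):
    """Classify the 12 signature bytes. Assumption: bytes the image does not
    cover read as 0xFF, i.e. the image is programmed onto erased flash."""
    got = bytes(mem.get(SIG_ADDR + i, 0xFF) for i in range(len(SIG)))
    if got == SIG:
        return "user-boot"
    if got == b"\xFF" * len(SIG):
        return "erased"
    return "other"

def make_record(addr, data):
    """Build one S2 record (3-byte address); used to construct the samples."""
    body = addr.to_bytes(3, "big") + data
    count = len(body) + 1
    cksum = (~(count + sum(body))) & 0xFF
    return "S2" + f"{count:02X}" + body.hex().upper() + f"{cksum:02X}"

# Constructed sample images, not dumps from a real device.
SAMPLE_USERBOOT = make_record(SIG_ADDR, SIG)
SAMPLE_REVERTED = make_record(SIG_ADDR, b"\xFF" * len(SIG))

if __name__ == "__main__":
    for name, img in [("userboot", SAMPLE_USERBOOT), ("reverted", SAMPLE_REVERTED)]:
        print(name, user_boot_state(load_srec(img)))
```

A result of "other" means the 12 bytes are neither the signature nor erased, which is worth inspecting by hand before flashing.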