Господа Поляки поделились трезвой мыслью )))
"I studied the bootloader (HS11 module) a bit, found that first 16k of maincode (located at 10080) is decrypted with some 8-byte block cipher algo using some 8-byte key at 10060 (or it's just an initialization vector?), then entire maincode (start at 10080, size at 10004, first 16k decrypted) is decompressed with LZMA.
For Solomendit's much easier - entire maincode is decrypted throught simple table-driven byte replace (table is in bootloader), then decompressed with LZMA."
Ищем шифровалку или таблицу в буте...
Кстати, они же подтверждают "You can't brick M3602-based device, this CPU has a small BootROM with serial port loader inside, so upgrade tool works in any case (verified)." Думаю аналогично и 3606 )))