Hacker News new | ask | show | jobs
by jerryr 3194 days ago
I just tried disassembling the hex file. Unfortunately, the code protect bits are set (location 0x300008 is 0x00). This means that the ROM from 0x000800 to 0x007FFF will read as zero. And indeed, that entire space is filled with zero. So, I think we're missing much of the actual firmware.

Edit: And the reset vector begins with a branch to location 0x001ACA, which is all zeroes, so I'm pretty sure most of the firmware was not read out due to the code protection.

1 comments
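A way to check a dump for the three signs the comment above points at, as an added example rather than code from the thread: it parses an Intel HEX file, reads the code-protect byte at 0x300008, tests whether 0x000800-0x007FFF is entirely zero, and decodes the GOTO at the reset vector to see whether it lands in that zeroed region. It assumes a PIC18-style byte-addressed hex file with the standard PIC18 GOTO encoding, and builds its own constructed sample image rather than using the dump from the thread.

```python
# Added example (not from the HN thread): parse an Intel HEX dump of a PIC18-class
# part and check the three things the comment above looks at: the code-protect
# byte at 0x300008, whether 0x000800-0x007FFF reads back as all zeros, and where
# the GOTO at the reset vector points. The sample image below is constructed here.

PROTECTED_START, PROTECTED_END = 0x000800, 0x007FFF   # range named in the comment
CONFIG5L = 0x300008                                   # code-protect byte named in the comment


def ihex_record(addr: int, data: bytes, rtype: int = 0) -> str:
    """Build one Intel HEX record with a correct checksum (used to construct the sample)."""
    body = bytes([len(data), (addr >> 8) & 0xFF, addr & 0xFF, rtype]) + data
    checksum = (-sum(body)) & 0xFF
    return ":" + (body + bytes([checksum])).hex().upper()


def parse_ihex(lines) -> dict:
    """Return {byte_address: value} for every data byte in the file.

    Handles type 00 (data), 01 (EOF) and 04 (extended linear address), which is
    what a PIC18 dump uses; the checksum of every record is verified.
    """
    image, base = {}, 0
    for line in lines:
        line = line.strip()
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:
            raise ValueError(f"bad checksum in record {line}")
        length, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + length]
        if rtype == 0x04:                      # upper 16 bits of the address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x00:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:
            break
    return image


def decode_goto(image: dict, addr: int):
    """Decode a PIC18 GOTO at byte address `addr`; return its byte target or None.

    Encoding: first word 0xEFkk (k7:k0), second word 0xFkkk (k19:k8), stored
    little-endian; the operand k is a word address, so the byte address is 2*k.
    Unprogrammed flash reads as 0xFF, so missing bytes default to that.
    """
    w1 = image.get(addr, 0xFF) | (image.get(addr + 1, 0xFF) << 8)
    w2 = image.get(addr + 2, 0xFF) | (image.get(addr + 3, 0xFF) << 8)
    if (w1 >> 8) != 0xEF or (w2 >> 12) != 0xF:
        return None
    return 2 * ((w1 & 0xFF) | ((w2 & 0x0FFF) << 8))


def check_dump(image: dict) -> dict:
    """Summarise whether the dump shows the signs of code protection described above."""
    region = [image.get(a, 0xFF) for a in range(PROTECTED_START, PROTECTED_END + 1)]
    target = decode_goto(image, 0x000000)
    return {
        "cp_byte": image.get(CONFIG5L),
        "protected_region_all_zero": all(b == 0 for b in region),
        "reset_target": target,
        "reset_target_in_zero_region": target is not None
        and PROTECTED_START <= target <= PROTECTED_END
        and all(image.get(target + i, 0xFF) == 0 for i in range(4)),
    }


def build_sample_hex() -> list:
    """Constructed sample: GOTO 0x001ACA at reset, zeros in 0x0800-0x7FFF, CP byte 0x00."""
    k = 0x001ACA // 2
    goto = bytes([k & 0xFF, 0xEF, (k >> 8) & 0xFF, 0xF0])
    lines = [ihex_record(0, b"\x00\x00", 0x04), ihex_record(0x0000, goto)]
    lines += [ihex_record(a, bytes(16)) for a in range(PROTECTED_START, PROTECTED_END + 1, 16)]
    lines += [ihex_record(0, b"\x00\x30", 0x04),      # switch to the 0x30xxxx config space
              ihex_record(CONFIG5L & 0xFFFF, b"\x00"),
              ihex_record(0, b"", 0x01)]
    return lines


if __name__ == "__main__":
    report = check_dump(parse_ihex(build_sample_hex()))
    for key, value in report.items():
        shown = f"{value:#08x}" if type(value) is int else value
        print(f"{key}: {shown}")
```

On a real dump, replace `build_sample_hex()` with the lines of the .hex file; a `cp_byte` of 0x00 together with an all-zero protected region and a reset vector pointing into it is the combination that says the programmer could not read the protected blocks, rather than that the firmware genuinely contains zeros there.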

From a quick Google search, a Russian company is offering microcontroller code-dumping services: https://russiansemiresearch.com/en/faq/

I have no idea if this is legit or not. I doubt your law enforcement would let you access their services anyway.

Edit: My guess would be they work with industrialized de-capping + software to dump the memory, like this: https://www.bunniestudios.com/blog/?page_id=40

There are other "chip intelligence" companies in the US, some of which probably have such services. At a different cost.

On some of these embedded chips there are methods to glitch the fuses for read protection by messing with the power (a form of fault injection attacks). These used to work a few years back but I haven't heard if they still do.