by Scoundreller 2406 days ago
Sounds like there’s a “branch if equals” step that checks the fuse in the ROM. You can trigger the code to actually perform your read without branching if you glitch the right part of the cycle. Maybe enough current leaks around at 6V triggering a “not broken” value at the fuse, or just skips the instruction pointer change.

My guess is that the e-fuse is checked on every bit-read, so sometimes you don’t get the true value because your glitch isn’t precise enough.

Possibly there’s some randomization in the timing of each read, but there’s a signature current draw before each read that you can use to trigger your glitch.
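The fault model the comment sketches, a single "branch if equals" fuse check that a glitch causes to fall through, can be made concrete with a small simulation. The C below is an added example written for this page; it is not code from the commenter or from any real device. It assumes a hypothetical instruction-skip fault model (exactly one conditional branch, chosen by position, is not taken), a constructed 8-byte ROM, and invented complementary fuse encodings FUSE_OPEN/FUSE_BLOWN. It shows three readout guards: a single gate before the whole read (one skip dumps everything), a gate re-evaluated per byte (one skip leaks exactly one byte, matching the "checked on every read, so imprecise glitches give partial data" observation), and a redundantly checked version that leaks nothing under any single skip.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample ROM contents; not a dump from any real device. */
#define ROM_LEN 8
static const uint8_t rom[ROM_LEN] = {0xDE, 0xAD, 0xBE, 0xEF, 0x10, 0x20, 0x30, 0x40};

/* Invented fuse encodings: complementary, non-trivial patterns so a read that
 * floats to 0x00 or 0xFF, or a single bit flip, matches neither state. */
#define FUSE_OPEN  0xA5u   /* not blown: readout allowed   */
#define FUSE_BLOWN 0x5Au   /* blown:     readout forbidden */

/* Fault model (an assumption of this example, not a measured property of any
 * chip): the glitch makes exactly one conditional branch fall through, i.e.
 * the branch that normally jumps to the "refuse" path is not taken.
 * skip_branch selects which guarded branch, counted in execution order
 * (1-based), is skipped; 0 means no glitch. */
typedef struct {
    int skip_branch;
    int branch_counter;
} fault_t;

/* Every protective branch goes through this helper so the fault can be
 * injected at a chosen point. Returns cond, except for the skipped branch,
 * which reads as "condition false" (branch not taken). */
static bool guard(fault_t *f, bool cond)
{
    f->branch_counter++;
    if (f->branch_counter == f->skip_branch)
        return false;
    return cond;
}

/* Variant 1: one gate in front of the whole read. Skipping that single
 * branch dumps everything. Returns the number of ROM bytes copied to out. */
static size_t read_single_gate(uint8_t fuse, fault_t *f, uint8_t *out)
{
    if (guard(f, fuse != FUSE_OPEN))
        return 0;
    memcpy(out, rom, ROM_LEN);
    return ROM_LEN;
}

/* Variant 2: the fuse is re-checked before every byte. A single skipped
 * branch leaks exactly one byte, so dumping the whole ROM needs one precisely
 * timed glitch per byte; a glitch landing on the wrong cycle yields nothing. */
static size_t read_per_byte_gate(uint8_t fuse, fault_t *f, uint8_t *out)
{
    size_t copied = 0;
    for (size_t i = 0; i < ROM_LEN; i++) {
        if (guard(f, fuse != FUSE_OPEN))
            continue;                  /* this byte refused */
        out[i] = rom[i];
        copied++;
    }
    return copied;
}

/* Variant 3: two independent checks before the copy and a re-check after it
 * that wipes the buffer. Under the single-skip model no skipped branch leaks
 * a byte; defeating it needs at least two well-timed faults. Skipping
 * non-branch instructions (e.g. the memset) is outside this model. */
static size_t read_hardened(uint8_t fuse, fault_t *f, uint8_t *out)
{
    uint8_t fuse_copy = fuse;          /* second copy, checked separately */
    if (guard(f, fuse != FUSE_OPEN))
        return 0;
    if (guard(f, fuse_copy != FUSE_OPEN))
        return 0;
    memcpy(out, rom, ROM_LEN);
    if (guard(f, fuse != FUSE_OPEN) || guard(f, fuse_copy != FUSE_OPEN)) {
        memset(out, 0, ROM_LEN);       /* caught late: wipe before returning */
        return 0;
    }
    return ROM_LEN;
}

typedef size_t (*reader_fn)(uint8_t, fault_t *, uint8_t *);

/* Runs one reader with the given fuse state and a glitch on branch `skip`,
 * and returns how many bytes of the protected ROM reached the caller's
 * buffer. The buffer is pre-filled with 0xFF, a value absent from the ROM. */
static size_t bytes_read(reader_fn read, uint8_t fuse, int skip)
{
    uint8_t out[ROM_LEN];
    memset(out, 0xFF, sizeof out);
    fault_t f = { .skip_branch = skip, .branch_counter = 0 };
    read(fuse, &f, out);
    size_t n = 0;
    for (size_t i = 0; i < ROM_LEN; i++)
        if (out[i] == rom[i])
            n++;
    return n;
}

/* Worst case over every possible single-branch skip with the fuse blown. */
static size_t worst_case_leak(reader_fn read, int max_branches)
{
    size_t worst = 0;
    for (int skip = 1; skip <= max_branches; skip++) {
        size_t n = bytes_read(read, FUSE_BLOWN, skip);
        if (n > worst)
            worst = n;
    }
    return worst;
}

int main(void)
{
    printf("single gate : worst leak %zu/%d bytes\n", worst_case_leak(read_single_gate, 8), ROM_LEN);
    printf("per-byte    : worst leak %zu/%d bytes\n", worst_case_leak(read_per_byte_gate, 8), ROM_LEN);
    printf("hardened    : worst leak %zu/%d bytes\n", worst_case_leak(read_hardened, 8), ROM_LEN);
    return 0;
}
```

The per-byte variant is the interesting middle case: it is exactly the "checked on every read" behaviour the comment guesses at, and the simulation shows why such a target yields scattered correct bytes rather than a clean dump when the glitch timing drifts. The hardened variant is the usual countermeasure (redundant, non-trivially encoded checks plus a post-read verify), and its value is only that it raises the attack from one fault to at least two.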