by MayeulC 1221 days ago
How about glitching a write instruction to overwrite the copy protection register instead?
2 comments

I had also thought about this, but this is much harder to pull off, since

1. You need a lot of instructions in sequence to succeed, enough that the chance that all succeed is very very small (recall that there's only about a 5% chance we execute an instruction correctly, if for example there are 10 instructions you need to execute, the chance is 0.05*10). If you write to a wrong location because an instruction didn't execute, you lose a byte of the flash.

2. Before writing to flash, you need to stabilize the clock of the chip (this is also done with 8051 instructions). For this, you need to wait until a register value changes. This is feasible, but an additional hurdle.

> if for example there are 10 instructions you need to execute, the chance is 0.05*10

0.05^10, surely?

There should be a double * there, but I think HN removed it.

Ah, that makes sense, thanks.
Glitching a write instruction is a little dangerous. But if you have many chips to try or can live with an incomplete, possibly corrupted dump, feel free to do it.

Well, the exploit could be perfected on the device that can be reset first. I understand that writing to a wrong address can have unintended consequences, but the read cycle should come first, and glitching likely affects the address decoding circuitry (as opposed to the SRAM registers), so it's probably hard to miss.

I understand wanting to play it safe though.

One thing comes to my mind though: each board likely needs slightly different timings.