As far as I can see, it is my understanding that Tech2 can perform a programmed subroutine program to write a code in a particular location to pair or unpair the unit, given that the data within the particular location is known, but if the data is not known, then the program will simply not run. (why Tech2 cannot retrospectively depair)
This means that Tech2 and subsequently any CAN interrogation are not directly reading the memory locations, which is why we are all struggling. I do not think that the Code could actually be read by CAN intervention anyway. The CAN reads the data held elsewhere on the main processor, loaded from the Code EEPROM as far as I can tell.
A few thoughts on how I could see us progressing forward.
What would prove useful beyond anything else is to depair a known good working NCDC and screen from a vehicle, and take a memory dump from them both. Reprogram them back to the car, and take a memory dump again. From that we can probably work out the data locations within the dump and this would then allow us to reprogram the data accordingly. From this we could potentially recover 99% of all secondhand units, providing of course that the data is only held within one component.
It would also prove useful to exchange the code IC from a working head unit or screen into a "Secondhand" head unit or screen to see if they then power up correctly. This would then confirm that the codes are contained within a single component inside, and not held within multiple ICs within a unit, as is becoming more commonplace.
Once that has been done, we can then look towards the possibility of reprogramming the unit so that it would work in a new vehicle WITHOUT the need for Tech2 intervention at all.