Because the MCPX loads the CB, and the CB contains decrypted vectors, some engineers reconstruct the ROM by analyzing the encrypted CB headers and using known-plaintext attacks. This approach is unreliable, but it is software-only.