I spent many dozens of hours losing track of time in #Ghidra (I swear, it's worse than #Factorio)

Until I had figured out the #CAN message handling, signal parsing and where and when which #DTC codes get set.
With that knowledge I could figure out, slowly but surely, what the #startergenerator needs to run.
Even #FBS4 was pretty trivial to circumvent (a single 1 written to the right memory location via #XCP)

And after implementing the ~25 CAN messages in my STM32 code I finally got this today:

So now I have a lot of loose threads to follow, but none of them seems immediately promising:
1) Build own 5-phase motor controller
2) Gain some key CAN logs to reverse engineer the #FBS4 personalization and activation procedure
3) Find a way to read the firmware dump to:
a) rev-eng FBS4
b) understand just enough of FBS4 to patch it out
4) ???

If somebody would be interested in helping me solve that firmware puzzle, I'd be very happy!