how to calculate ?
Flash starts up in User Configuration mode, and the Boot ROM decides whether to lock the controller using the passwords from the UCBs or leave it unlocked, based on the HWCFG pin configuration. I strongly suspect this mechanism is vulnerable to hardware glitching attacks (in old TC before AudoMAX, it was vulnerable to a trivial static voltage glitch where if you didn't give the Flash controller enough voltage it just wouldn't lock). But, I haven't bothered to try one yet against newer Tricore or Aurix.
You don't calculate the Flash passwords on newer Bosch or any Continental ECUs; you need to read the passwords out from Flash itself like crystal_imprezav points out. The passwords are now generated randomly during ECU manufacturing and burned into the OTP area of Flash. In Bosch, they are protected with a silly MCU ID based scrambling algorithm. In Continental they are just in plain text.
Regardless, you need to be able to read Flash to extract them. This is done by finding an exploit in the software running on the ECU, since Flash is already unlocked at boot by the Boot ROM if the ECU is not in BSL mode.
These exploits are ECU software specific (not processor related) and have a wide range. Anything from simple read access left active in the Application Software (CCP, DynamicallyDefineLocalIdentifier, development sessions with ReadMemoryByAddress, etc.) to more complex compromises in the supplier service tool (TSW) or the manufacturer reflashing routines in the customer bootloader, like in
https://github.com/bri3d/Simos18_SBOOT . Once you have the passwords they are trivial to send to the Flash controller per the Infineon documentation:
https://github.com/bri3d/TC1791_CAN_BSL/blob/main/Bootloader_2/src/FLASH.c#L10 .
