As mentioned in decle's excellent entry on Dumping the TMS1100, some TMS1000 series chips obfuscated the ROM code by always asserting the high-bit in each instruction byte. In those chips the test mode only allows extraction of a partial ROM.

Interestingly, the patent to which decle referred also highlights that you can selectively execute the code on the TMS1000 series chips. Due to the specific details of the TMS1000 series instruction set, all bytes which really do have the high-bit set are branch or call instructions.

This means that if we execute the unknown instruction and we end up somewhere unexpected (i.e. the program counter is out of order) then the instruction really was a branch or call, and the high-bit really was set. If we end up at the very next instruction, it was (probably) not a jump.

I've updated decle's Arduino code to support this inference and automatically execute instructions to identify jumps as it dumps the ROM. I've also included a few more heuristics that help deobfuscate some of the more tricky corner cases; of which there are quite a few. The curious can check out the code for more details.

You can download your own copy here.

To accurately indicate any potentially incorrect instructions, the code puts a question mark (?) after any suspect bytes in the output. For the vast majority of instructions this will not apply and the heuristics mean that many of the suspect bytes will be correct, even if marked. For example, the code correctly dumps the complete known ROM of the Microcomputer Trainer despite being uncertain about 39 (of the 2048) instructions. If you don't want the question marks in the output they can be turned off.

#define WARN 0

However, if you are going to try and use the ROM in an emulator, or inspect a disassembled version line-by-line, having the question marks gives an indication of where to look if something goes awry.

You can use the revised code to dump the ROM from both the Science Fair Microcomputer Trainer, and the Gakken FX R-165 (if you're willing to take a soldering iron to your vintage computer). The code may work for other TMS1000 series chips, but is untested. I've also updated it to (hopefully) dump the ROM from the TMS1600 in the Busch Microtronic 2090. Michael recently discovered his Microtronic ROM is not obfuscated, but it did require a few small tweaks which my edits (should) handle.

To get started, I recommend watching decle's informative clocking video. This will help you ensure you can control the TMS chip. Taking control of the clock is an important first step. Here, decle uses a sped up Blink sketch.

For most chips you'll also need to build the inverting amplifiers, as shown in decle's log entry.

As noted in the entry, I was able to get my Science Fair to dump the ROM at just 6V, but not all chips will work at such a low voltage. Using 6V does mean that, as long as you use the voltage divider on pin O7 to protect your Arduino, you can avoid the extra circuitry. This does require that you uninvert the high/low signals, but I provide a define statement that you can use to (un)swap the logic levels.

#define INVERT 0

If you're having trouble, or want a more detailed overview, then I've made a video showing how to check that all the signal levels are appropriate for the TMS chip. Note that I am using inverted logic here (I have set the above code to 1), as I am using the inverting amplifiers.

Finally, if you're looking to dump the TMS1600 you need to hold R8 high, instead of R6/R10, and you'll need to set the chapter size to four, as it has twice the ROM of the TMS1100.

#define CHAPTERS 4 

As Michael discovered, the TMS1600 also has slightly different timing requirements; but this should already be handled by the LOAD_WAIT and LOAD_HIGH constants. This aspect of the code is untested though, so your milage may vary and you may need to make your own modifications.

Good luck, and happy ROM dumping!