MooglyGuy/6805_p3_dumping.txt Secret

## 6805_p3_dumping.txt
Mask 6805p2 or p6 parts are dumpable using the NUM mode and a logic
analyzer.
If the parts are EXACTLY mc6805p2 or p6 (NOT HCMOS parts like mc68hc05p2
etc, and NOT mc6805p4):
* attach vcc to pin 3
* attach gnd to pin 1
* attach an 0.1uf bypass cap between vcc and gnd pins above
* wire a NOP opcode ($9d) on port A using 1k resistors to vcc and gnd
* connect a ~1Mhz 5v clock oscillator to pin 4
* tie pin 5 to gnd (NOTE: if the device is mask programmed to use an R/C
clock, switch the 1mhz 5v clock oscillator to pin 5 instead of pin 4?)
* connect logic analyzer(a saleae or saleae clone 16 line usb logic
analyzer will work, I believe) to port B, and tie the clock input of the
analyzer to the clock oscillator on pin 4 (or 5 if you hooked it there)
* tie TIMER (pin 7) to VCC/5v thru a 1k resistor
* tie /RESET (pin 28) to VCC/5v thru a 1k resistor
* tie /INT (pin 2) to VCC/5v thru a 1k resistor
* tie NUM (pin 6) to VCC/5v thru a 1k resistor
* assert /RESET by pulsing it low briefly, this isn't always necessary...
the device will constantly spew its ROM contents out the port B pins,
interleaved with the low 8 bits of the current address.

It will start at address=(0x9d9d&0x7FF)=0x59D and will spit out:
(address+0) & 0xFF
data@address
(address+0) & 0xFF
data@address
(address+1) & 0xFF
data@address+1
(address+1) & 0xFF
data@address+1
(address+2) & 0xFF
data@address+2
... etc, it will continue past 0x7ff and wrap to 0x000 and continue forever.

For eprom MC68705P3/P5 parts the pinout is slightly different,
do the same circuit, except pin 6 is not NUM but VPP instead (also
should be tied to vcc thru a 1k resistor) but you need one more connection:
tie pin 8 (PC0) to 12v (or really anything between about 7.5v to 12v)
thru a 1k resistor, this will force the part into NUM mode.
This will not usually dump protected MC68705P5 parts, but should dump
all MC68705P3 parts.

68705p3/p5 (and maybe 6805p4?) parts:
                           +--------\_/--------+
       GND =   VSS(GND) -- |  1             28 | <- /RESET  = +5v 1KOhm (briefly ground to reset)
 +5v 1KOhm =       /INT -> |  2             27 | <> PA7     = +5v 1KOhm \
       +5v =        VCC -- |  3         M   26 | <> PA6     = GND 1KOhm  \
  1MHz CLK =      EXTAL -> |  4         C   25 | <> PA5     = GND 1KOhm   \
       GND =       XTAL -> |  5         6   24 | <> PA4     = +5v 1KOhm    \_ == $9D == 'NOP'
 +5v 1KOhm =        VPP -- |  6         8   23 | <> PA3     = +5v 1KOhm    /
 +5v 1KOhm = TIMER/BOOT -> |  7         7   22 | <> PA2     = +5v 1KOhm   /
     +12v* =  (NUM) PC0 <> |  8         0   21 | <> PA1     = GND 1KOhm  /
     N/C** =        PC1 <> |  9         5   20 | <> PA0     = +5v 1KOhm /
     N/C** =        PC2 <> | 10         P   19 | <> PB7     = DataOut7
     N/C** =        PC3 <> | 11         x   18 | <> PB6     = DataOut6
  DataOut0 =        PB0 <> | 12             17 | <> PB5     = DataOut5
  DataOut1 =        PB1 <> | 13             16 | <> PB4     = DataOut4
  DataOut2 =        PB2 <> | 14             15 | <> PB3     = DataOut3
                           +-------------------+
  * this works anywhere from around 7.5VDC to upwards of 12VDC
  ** These are output pins while in NUM, unknown purpose (likely high
address bits multiplexed with something else)
  ~0.1uF bypass cap needed between pins 1 and 3
  resistors on PA<7:0> force opcode $9D = NOP

6805p2 and p6 parts:
                           +--------\_/--------+
       GND =   VSS(GND) -- |  1             28 | <- /RESET  = +5v 1KOhm (briefly ground to reset)
 +5v 1KOhm =       /INT -> |  2             27 | <> PA7     = +5v 1KOhm \
       +5v =        VCC -- |  3         M   26 | <> PA6     = GND 1KOhm  \
  1MHz CLK =      EXTAL -> |  4         C   25 | <> PA5     = GND 1KOhm   \
       GND =       XTAL -> |  5         6   24 | <> PA4     = +5v 1KOhm    \_ == $9D == 'NOP'
 +5v 1KOhm =        NUM -> |  6         8   23 | <> PA3     = +5v 1KOhm    /
 +5v 1KOhm =      TIMER -> |  7         0   22 | <> PA2     = +5v 1KOhm   /
       N/C =        PC0 <> |  8         5   21 | <> PA1     = GND 1KOhm  /
     N/C** =        PC1 <> |  9         P   20 | <> PA0     = +5v 1KOhm /
     N/C** =        PC2 <> | 10       (2/6) 19 | <> PB7     = DataOut7
     N/C** =        PC3 <> | 11             18 | <> PB6     = DataOut6
  DataOut0 =        PB0 <> | 12             17 | <> PB5     = DataOut5
  DataOut1 =        PB1 <> | 13             16 | <> PB4     = DataOut4
  DataOut2 =        PB2 <> | 14             15 | <> PB3     = DataOut3
                           +-------------------+


NOW:

for 40-pin mc6805R3 parts, NUM is pretty much exactly the same, with an
opcode hardwired on port A and the logic analyzer connected to port B,
and assert the NUM pin.

for 40-pin mc6805R6 parts *I BELIEVE* num is activated by pulling pin
PC7 (NOT PC0) to 12v through a resistor but I could be wrong.

for any other parts and all HCMOS 68HC05xx parts, consult the datasheet
and/or use a bp-1200 or similar programmer which has built in support to
do the NUM thing for almost all of these parts.

The bpmmicro bp-1200 and 1400 and 1600 and etc series of programmers can
dump all of these parts as long as they are not protected, but they will
zero out the bootrom/selftest rom area in the resulting dumps, so you
may need to 'play games' with tying PA7 pin bent sideways from chip to
VCC while dumping on a bp programmer in order to get the bootrom out.
	Mask 6805p2 or p6 parts are dumpable using the NUM mode and a logic
	analyzer.
	If the parts are EXACTLY mc6805p2 or p6 (NOT HCMOS parts like mc68hc05p2
	etc, and NOT mc6805p4):
	* attach vcc to pin 3
	* attach gnd to pin 1
	* attach an 0.1uf bypass cap between vcc and gnd pins above
	* wire a NOP opcode ($9d) on port A using 1k resistors to vcc and gnd
	* connect a ~1Mhz 5v clock oscillator to pin 4
	* tie pin 5 to gnd (NOTE: if the device is mask programmed to use an R/C
	clock, switch the 1mhz 5v clock oscillator to pin 5 instead of pin 4?)
	* connect logic analyzer(a saleae or saleae clone 16 line usb logic
	analyzer will work, I believe) to port B, and tie the clock input of the
	analyzer to the clock oscillator on pin 4 (or 5 if you hooked it there)
	* tie TIMER (pin 7) to VCC/5v thru a 1k resistor
	* tie /RESET (pin 28) to VCC/5v thru a 1k resistor
	* tie /INT (pin 2) to VCC/5v thru a 1k resistor
	* tie NUM (pin 6) to VCC/5v thru a 1k resistor
	* assert /RESET by pulsing it low briefly, this isn't always necessary...
	the device will constantly spew its ROM contents out the port B pins,
	interleaved with the low 8 bits of the current address.

	It will start at address=(0x9d9d&0x7FF)=0x59D and will spit out:
	(address+0) & 0xFF
	data@address
	(address+0) & 0xFF
	data@address
	(address+1) & 0xFF
	data@address+1
	(address+1) & 0xFF
	data@address+1
	(address+2) & 0xFF
	data@address+2
	... etc, it will continue past 0x7ff and wrap to 0x000 and continue forever.

	For eprom MC68705P3/P5 parts the pinout is slightly different,
	do the same circuit, except pin 6 is not NUM but VPP instead (also
	should be tied to vcc thru a 1k resistor) but you need one more connection:
	tie pin 8 (PC0) to 12v (or really anything between about 7.5v to 12v)
	thru a 1k resistor, this will force the part into NUM mode.
	This will not usually dump protected MC68705P5 parts, but should dump
	all MC68705P3 parts.

	68705p3/p5 (and maybe 6805p4?) parts:
	+--------\_/--------+
	GND = VSS(GND) -- \| 1 28 \| <- /RESET = +5v 1KOhm (briefly ground to reset)
	+5v 1KOhm = /INT -> \| 2 27 \| <> PA7 = +5v 1KOhm \
	+5v = VCC -- \| 3 M 26 \| <> PA6 = GND 1KOhm \
	1MHz CLK = EXTAL -> \| 4 C 25 \| <> PA5 = GND 1KOhm \
	GND = XTAL -> \| 5 6 24 \| <> PA4 = +5v 1KOhm \_ == $9D == 'NOP'
	+5v 1KOhm = VPP -- \| 6 8 23 \| <> PA3 = +5v 1KOhm /
	+5v 1KOhm = TIMER/BOOT -> \| 7 7 22 \| <> PA2 = +5v 1KOhm /
	+12v* = (NUM) PC0 <> \| 8 0 21 \| <> PA1 = GND 1KOhm /
	N/C** = PC1 <> \| 9 5 20 \| <> PA0 = +5v 1KOhm /
	N/C** = PC2 <> \| 10 P 19 \| <> PB7 = DataOut7
	N/C** = PC3 <> \| 11 x 18 \| <> PB6 = DataOut6
	DataOut0 = PB0 <> \| 12 17 \| <> PB5 = DataOut5
	DataOut1 = PB1 <> \| 13 16 \| <> PB4 = DataOut4
	DataOut2 = PB2 <> \| 14 15 \| <> PB3 = DataOut3
	+-------------------+
	* this works anywhere from around 7.5VDC to upwards of 12VDC
	** These are output pins while in NUM, unknown purpose (likely high
	address bits multiplexed with something else)
	~0.1uF bypass cap needed between pins 1 and 3
	resistors on PA<7:0> force opcode $9D = NOP

	6805p2 and p6 parts:
	+--------\_/--------+
	GND = VSS(GND) -- \| 1 28 \| <- /RESET = +5v 1KOhm (briefly ground to reset)
	+5v 1KOhm = /INT -> \| 2 27 \| <> PA7 = +5v 1KOhm \
	+5v = VCC -- \| 3 M 26 \| <> PA6 = GND 1KOhm \
	1MHz CLK = EXTAL -> \| 4 C 25 \| <> PA5 = GND 1KOhm \
	GND = XTAL -> \| 5 6 24 \| <> PA4 = +5v 1KOhm \_ == $9D == 'NOP'
	+5v 1KOhm = NUM -> \| 6 8 23 \| <> PA3 = +5v 1KOhm /
	+5v 1KOhm = TIMER -> \| 7 0 22 \| <> PA2 = +5v 1KOhm /
	N/C = PC0 <> \| 8 5 21 \| <> PA1 = GND 1KOhm /
	N/C** = PC1 <> \| 9 P 20 \| <> PA0 = +5v 1KOhm /
	N/C** = PC2 <> \| 10 (2/6) 19 \| <> PB7 = DataOut7
	N/C** = PC3 <> \| 11 18 \| <> PB6 = DataOut6
	DataOut0 = PB0 <> \| 12 17 \| <> PB5 = DataOut5
	DataOut1 = PB1 <> \| 13 16 \| <> PB4 = DataOut4
	DataOut2 = PB2 <> \| 14 15 \| <> PB3 = DataOut3
	+-------------------+


	NOW:

	for 40-pin mc6805R3 parts, NUM is pretty much exactly the same, with an
	opcode hardwired on port A and the logic analyzer connected to port B,
	and assert the NUM pin.

	for 40-pin mc6805R6 parts I BELIEVE num is activated by pulling pin
	PC7 (NOT PC0) to 12v through a resistor but I could be wrong.

	for any other parts and all HCMOS 68HC05xx parts, consult the datasheet
	and/or use a bp-1200 or similar programmer which has built in support to
	do the NUM thing for almost all of these parts.

	The bpmmicro bp-1200 and 1400 and 1600 and etc series of programmers can
	dump all of these parts as long as they are not protected, but they will
	zero out the bootrom/selftest rom area in the resulting dumps, so you
	may need to 'play games' with tying PA7 pin bent sideways from chip to
	VCC while dumping on a bp programmer in order to get the bootrom out.