I haven't tried to dump a TMS1000 yet, but if I recall correctly, Kevin only got the low 7 bits when he did it. His idea to dump those and the Rev E TMS1100s is to execute each instruction and then shift out the program counter to see if it is the next value from the LFSR (which means not a call/branch, so the high bit was not set) or if it is the low 6 bits from the opcode (which means the high bit was set). That would likely get most opcodes, leaving only the oddball instances where the code jumps to the next byte in the LFSR sequence, in the same page or another page. Jumping to the next byte in the same page is unlikely (maybe a NOP?), but jumping to the next byte in another page seems fairly likely (there are only 64 bytes in a page), so we'd have to sort those out via emulation.
I got Kevin's idea working; I shift in a chapter, page and address, then let the chip execute the instruction at that location, then shift out the program counter. I tested it on 8 TMS1100 rev B chips that Kevin had electronically dumped, and on 8 TMS1100 rev E chips that I had visually dumped, and it correctly flagged the bytes with bit 7 set. It also worked on Ranger's Super Blockbuster TMS1100 rev G die. It appears to have worked on 3 TMS1000s that I have, although I don't have visual dumps of those to compare to.
I wasn't able to dump the output O PLAs from rev E TMS1100s before, but I'll try those again, as well as the TMS1000s.
