Help reading EPROM (Intersil IM6654A) and analyze firmware

I now have successfully dumped all 8 2708 EPROMs of my FESTO programming device.
Interpreting that firmware is another thing. I haven’t found any text although the device is able to disassemble and put out the mnemonics.
I’ve checked ASCII, EBCDIC and early IBM encodings (6/8-bit BCD etc) like in Rob Storey’s/Paul Pierce’s FILEUTIL/ FILEBROWS. I think, I’ll make a detailed thread about that later, I also have to recheck the manual and convert to octal words or to 12/14 bits. I found some firmware analyzing tools like BINWALK, but haven’t tested them, yet. Maybe it needs to be converted to Intel Hex or similar or it’s encrypted. I found a converter for BIN files on sourceforge for Siemens Step 5 (but probably not compatibel).

There’s another, single 4K EPROM from Intersil on the lower PCB (left on my photo). IM6654A (CMOS 512x8).
I have the Arduino programmer which can only read (and write) 2708 and MCM68764 as described by Matt Millman.
Programming the Intersil is definitely not possible (Vpp -40 V). But maybe reading?
I’ve read the EPROM datasheets and I think it’s not possible, maybe someone can confirm it. Intersil chips were (also) made by Harris.
The 2708 specs has at Vss -5V and VDD +12 V, so I think that’ll not work.
The MCM68766 has VCC 4.5-5.5 V (AC or DC?). There’s a different PIN assignment but that is changed via a switch as well.

The Intersil EPROM needs 10V as it’s IM6654A (IM6654 needs 5 V).
The DC characteristics: VCC=VDD=4.5-10.5 V
The AC characteristics: 10 V ±5%
I know it’s alternating/direct current, but what is used here when reading? I would say direct.
I haven’t checked the timing. But the main question next to the voltage is the PIN assignment what is almost like the 2708. It’s also a different size.

If possible, I want to use the same programmer and not alter it, in case I want to read or write 2708 again.
Due to the location of the EPROM in the FESTO device, I assume i/o functions (memory cartridge/teletype/tape), so not that important.

Regarding character strings, I’d expect some packed format (like 2 × 6bit). But you’ve probably thought of this, already.
As the I/O utilizes a PDP-8-like processor (if I recall this right), it may well be that this uses a format more common on the PDP-8. (Compare the Small Computer Handbook.)

I just looked at an Intersil data book, I think you’re confusing AC response with AC supply voltage. It looks like you can run that chip just fine on a +5 V supply (the ratings seem to accept any supply from +4.5 to +10.5 V for the A part). The AC characteristics table on the same page that lists 10 V +/- 5% is referring to a DC supply voltage of 10 V exhibiting the AC response/setup/hold/etc. times listed in the table. In other words, for example, at a 10 V DC supply voltage, changing the output enable pins will take a maximum of 60 ns for the AI part. Likewise, you must hold the chip enable line stable for 60 ns before expecting the device to respond according to specifications.

I don’t think you’ll have any trouble reading this part with an Arduino, I don’t know about your specific programmer. My guess is that you can make it work. You can almost certainly do it on a breadboard with a generic Arduino or other 5V-tolerant microprocessor board.

Dumping: Yes, it’s somehow possible. But my skills are limited and I don’t want to spend more money. And I would also need a working code.
So the question was if it’s possible to dump with the existing programmer. So if it can be dumped like a 2708 or MCM68764 or with very few alterations.

An easy to build programmer for 2704 / 2708 / TMS2716 / MCM68764 / MCM68766 EPROMs – Matt's Tech Pages

Firmware: Yes it has a PDP-8 like 12-bit Intersil 6100 CPU.
For disassembling to mnemonics someone obviously needs a printer and that is probably controlled by the single Intersil EPROM. So probably there’s the text. BTW. In the manual is a photo of a printout showing address, binary code, mnemonics and a long text with descriptions of the devices. I haven’t found the way to attribute device names to numbers in the manual.

I found one case of BCD data encoding. It’s a bit complicated, so I have to give some backgrounds.

The bus is 16 bits wide. Bits 16+15: The device can handle 4 types of data: 00 “neutral”, 01 octal, 10 decimal, 11 not used (reserved for code), remaining 14 bits are data.
Every instruction, operand and device has a “functional unit number”.
Most of the programming details are about the CPU card of the main PLC. There are no details about programming this programming device.

I found a table of character encoding in how to program the display of the CPU card (which has the same style of display like the programming device).
BCD packed (2x4) using the right 8 bits or 12 bits, depending on the data type and position of the display. The display has mainly 4 positions

xx xxxx
xx xxx

The upper right position can only display octal values, the others can display octal and decimal values and special characters.
The table (2 digits, and only for octal/neutral values) showing the combination of left and right digit (0-9, blank, F, _, E). Both values are added giving a 4 digit octal value.
Each display position has a different unit number/instruction. The programming is as usual IF/THEN (then load display pos 3 with octal value xxxx).
There are some examples. Decimal values are loaded directy (another instruction).

Instructions have 6 digits (octal). The left digit is only 0/1 and for in addition, then, else. The 2nd digit (0-7) is the command, check signal 0/1, delete, set, load, with, with address, with decimal. The other 4 digits are the function unit/device/adress/decimal.

At least the PLC has an additional 1-Bit CPU for flags “Merker”, AND, OR, brackets, etc. But the programming device also can input brackets. And check the code for errors, so maybe has another “CPU” as well.

Here is the beginning of EPROM 1

13 3D 18 3F 03 13 07 0D 13 26 13 33 0A 04 08 18 07 20 18 0B 39 0A 28 09 13 15 25 13 3D 03 3F 36 03 06 00 13 07 0D 13 2A 13 28 1A 1E 20 35 15 1A 2C 0F 28 33 0C 0F 05 1A 0C 3F 28 02 1D 24 0B 0A 02 04 13 32 38 3B 30 0A 00 37 20 00 20 34 3A 23 15 23 3E 30 00 24 13 25 30 28 19 30 14 32 13 08 10 0A 1F 3D 1F 23 10 15 11 01 07 11 20 10 11 10

I haven’t found it (in octal) as PDP-8 code. Not sure if code starting at 0. Some chapters and the appendixes are missing on the huge PDF. The device also has to control the keys, display, error handling,… When turning on there’s a self test and search for available memory cartridge and check if a PLC is connected. If both is not present, an error code is given. It has to control the i/o devices (different baud settings). But mainly store and check the code.

I tried to find PDP-8 disassembler or converter tools. I first found d8tape (the 3rd version finally could be compiled, on 32 bit only). Can open .BIN and .RIM files, but my file is not recognized as valid file (missing header/trailer/leader).
I found a very good online emulator, where you can just drag and drop a file without having to import other tapes like an OS, so much easier than SIMH. The file is immediately disassembled, but my file is again not valid. So maybe I have to convert to 12 bit or construct a header.

https://pop.aconit.org/

As it’s unclear where is code, I would need a software crawling for PDP code at every location or even converts to other formats.
I also found special Intersil patches for SIMH, tools and docs on Spare Time Gizmos, SBC6120, emulator WinEight and Windows Tool (not run on modern Windows). I haven’t tested that one, but I doubt that it will work.

http://www.sparetimegizmos.com/Hardware/SBC6120_Builders.htm

On github (mengstr/pdp8-tape2bin) I found the other way, converting a bin/rim tape to plain binary.

The PDP .BIN files are papertape images with a header and are not exactly the same as the plain ROM bin image. I first haven’t found converters (for 12 bit etc.), so I have converted my file to octal via an Hex editor and exported as text. Then I have manually converted it to 12 bit.

The tape2bin from the github has no sources. It’s for converting and burning an EPROM.
It also has another tool (tapedump) which converts my file correctly to 12 bit octal. The tools are for the simple command-line emulator pdp8emu

That has sources and includes a disassembler. The emulator works but needs papertape images. I have manually disassembled the beginning of my file.

Later, I have constructed a header and footer 16x80h each and 2 bytes before the beginning. And now this is a working papertape bin. On the online emulator it disassembles as follow (similar like my attempt).

00000 2375 S< | a0, ISZ M175
00001 3077 X> | a1, DCA M77
00002 0323 CS | a2, AND M123
00003 0715 GM | a3, AND I M115
00004 2346 S& | a4, ISZ M146
00005 2363 S2 | a5, ISZ M163
00006 1204 JD | a6, TAD M4
00007 1030 HX | a7, TAD M30
00010 0740 G | a10, AND I M140
00011 3013 XK | a11, DCA M13
00012 7112 8J | a12, CLL
00013 5011 (I | a13, JMP .-2
00014 2325 SU | a14, ISZ M125
00015 4523 %S | a15, JMS I C123
00016 7503 <C | a16, OPR 0503
00017 7766 >5 | a17, SMA SZA SNL CLA OSR HLT
00020 0306 CF | a20, AND M106
00021 2307 SG | a21, ISZ M107
00022 1523 MS | a22, TAD I M123
00023 5223 *S | a23, JMP .
00024 5032 (Z | a24, JMP .+6

The first word (2375, address?) and the following code seem not plausible to me. The 7766 at 00017 looks more like an address. The characters are also different than in an Hex editor.

2 of my 8 EPROMs have short empty sections 128 bytes each (FF/3FF), probably bad dumps, the disassembler stops with an error. I have to continue for the rest/replace the empty bytes with NOP. But I think both aren’t code segments. I think data, but not text.
The display table must also be saved somehow. I have to compare it with the manual.

d8tape now works after fixing my file and adding the correct checksum (before the trailer). There first were some issues, I had to change the checksum twice and reconvert the bin with option -b.
The 2 pass disassembly is much better and detects code and data areas etc.
Still hard to analyze.
I also did a single step run on the online emulator and manually wrote down MB and AC contents. The PDP-8 code seems valid. The first subroutine/start of code is at 0712.

The simple pdp8emu should have tracing of runs with disassembly and registers, but it crashed (at least on 64 bit). I also tried SIMH. The disassembly is simple, 1 pass. The run halts after one instruction. But I will continue (trying tracing, starting at other addresses, etc).

Text characters are in octal but I forget that they are 12-bit as well. So ‘A’ is 00 001.
There’s also a different encoding TSS/8 sixbit. I have converted to both but haven’t found any mnemonics.

Tracing in SIMH should work (breakpoints and CPU history), but I found another way. Maybe it helps other PDP-8 fans.
Disassembling and tracing in pdp8emu now works. It previously crashed as the format/opcodes were wrong.
The dumped bin file (regular papertape bin files must have the leader removed) has to be converted to “plain bin” .EEP (eprom) format with pdp8-tape2bin.
I think this “core file” is a variant of Charles Lasner’s .IPL file format as described in the original emulator pdp8e by Douglas W. Jones. There are samples but documentation is very short and I first haven’t checked the source of the original emulator.

My dumped ROM (hex)
13 3D 18 3F 03 13 07 0D 13 26 13 33 0A 04 08 18 …
023 075 030 077 003 023 007 015 … same but octal (16 bit, see instructions below)
2375 3077 0323 … octal 12 bits
FD 04 3F 06 D3 00 CD 01 E6 04 F3 04 84 02 18 02 (.EEP format) the interpreted values are the above octal ones in the emu.

The tracing works with t,amount of instructions, and looks like this (incl descriptions), on left the PC (first values are probably not opcodes)

[0000] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2375 ISZ @@75   ;Increment operand and skip if zero, Current page @@75
[0001] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:3077 DCA 0077   ;Deposit AC to memory then clear AC, ZP 0077
[0002] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:0323 AND @@23   ;AND operand with AC, Current page @@23
...
[0426] IRQ,DLY,IE=0,0,0 L/AC:1/2060 MQ:0000 IR:3120 DCA 0120   ;Deposit AC to memory then clear AC, ZP 0120
[0427] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:0271 AND @@71   ;AND operand with AC, Current page @@71
[0430] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:6371 GRSF       ;BB08-P: Skip on Receive Flag
[0431] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:4624 JMS I @@24 ;Jump to subroutine Indexed Current page @@24
[2251] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:0000 AND 0000   ;AND operand with AC, ZP 0000 
..

There’s a loop in between around 3 subroutines, around 40 instructions. Maybe checking or waiting for input. I have to check starting at other addresses.
The disassembly is even better than d8tape and has PDP-8/E instructions including the BB08 interface unit.

Now I found in my manual (service functions/system memory of the main PLC, not working on my device), that there are 4 pairs or ROMs. So maybe the data is an alternate mix of 2 ROMs (odd/even).
There are 2 shared memory locations for each ROM pair with (differently stored) date/month and year. I have a sticker of my ROM version date but I haven’t found that value. The year of the 4th pair is at 7776. Would be year 2393 (dec).

After setting back the EPROMS in my device, I have again checked it. (No checksum errors of bad dumps).
It’s possible to input lines of code (function keys or octal) without having errors displayed.
But I can’t read (or move) the memory contents later (due to the missing RAM cartridge).
I found schematics of the connectors but there are many parts on the cartridge, so that is impossible to be identified with a self-built one.
Import via teletype or cassette is according the manual not possible without RAM, probably same as export/ printing (line by line).
Test and simulation functions only work with the main PLC. Like for testing a single device attached to the PLC. Maybe my device is mainly used for that purpose.

Wow, you dived quite deep into this with some perserverance. It looks like you could make at least some sense of this. However, what are we supposed to understand of time travelling code from 2393? John Titor to the help!
(I guess, the good news is that we are not going to fall for the great filter for another 371 years. )

Yes, I don’t give up early (I’m German). I try to learn as much as possible for my purchased items.
The manual is detailed, but some parts are still unclear, especially of the main PLC or disassembling to printer and what is stored where and how.
I think I will study the code for some more few weeks. I’m still at the beginning.

Today I’ve started to check for differences between PDP-8 and original 6100 code (SBC6120 sources) before continuing the PDP-8 disassembly.
I still assume the more important code (I/O) on the undumped Intersil EPROM.
It’s still unclear what is on the 8 EPROMs. Maybe just keyboard and display handling.
Error handling must also be stored somewhere like when entering a wrong operand on instruction xy.
I assume that some few instructions are only stored on the CPU card of the PLC. But probably mostly the same code on both. Also unclear is the 2nd 1-Bit CPU and that code. Maybe I have this as well.

I have studied some sample files with source codes like the CHEKMO Chess game to find out how data and texts are stored on a PDP-8. There’s only one character stored in a 12-bit word. I wonder about the waste of space (the other byte could be used for underline or blink, but rarely used)
The online emulator prints out character representations (unlike the other disassemblers), so the text can be read on the right column vertically.

On Stack Exchange, I even found 5 different ways of storing texts. interesting is the 3/2 packing (3 chars per 2 words)

I could even think of some more like byte order reversal, compression/encryption, look-up tables, etc. So there are ~10.

There should have been special Hex editors for paper tapes, but I haven’t found any.
Octal is nothing special but 12 bit and then 6 bit and other types.
Maybe I will code a converter myself.

I have checked again my file but still couldn’t find any text. I bet, it’s on the single undumped EPROM.
I detected some data sections, maybe for the LCD output, but needs more investigation.

I could make a simulator for my device, but for an exact emulation, especially for the main PLC, there are still many questions, eg. the 14-bit registers, 2nd 1-bit CPU, i/o etc.

I also found a demo IDE for Siemens Simatic S5/S7 with automatic conversion of instructions and symbolic diagram tree and vice versa. So you can draw the block diagram “Kontaktplan” same like on my Festo, and the instructions are shown. Very complex and hard to use.

Octal and 12-bit computing is very interesting.

Don’t forget RADIX 50 packing, That is 3 letters
" ABCDEFEGHIJKLMNOPQRTSUVWXYZ0123456789$_,"
packed per 16 bits or 2 letters and a flag for 12 bits.

I strongly recommend sticking to octal, because this how people thought and how it is in any documentation. And 12 is just 14 (as in 0000…7777), anyways.

Yes of course in octal. I think all Hex editors are called like this even when not using Hex values.
(I sometimes have to convert to hex though to find something in my EPROM hex dumps. And the device can handle decimal values (although they are stored as octal). Some values are packed as BCD. So there must be conversions.)

Thanks for RADIX 50. According Wikipedia it was not used on PDP-8.
There are also several other 6-bit encodings like several BCD, SCUOZE, Transcode, FIELDATA and maybe more (most are unlikely though). I have checked almost all of them but still no result.

I found some interesting data sections. Like 53 words. The 2nd byte is always 00. Word 54 is 1234.

4600
4600
3600
1200
0200
2200
…
But there are just 45 instructions. I have to check how many error codes and the like there are to check out what data might be. Conversion to magnetic (audio) tape must also be stored somewhere.

As I haven’t found useful text or data and I read, that on the PLC dates/checksums are stored in paired ROMs, I now have byte merged my 8 ROMs into 4 pairs (with epromhexxer), so alternate bytes from ROMs 1+2, 3+4 etc (low&/hi, odd even). Now I have a new code, which looks (much) more plausible for several reasons.

I don’t have the empty sections (FFFF, but xxFF), assumed to be bad dumps, and so there are no errors. d8tape now prints all code, around twice as much code and data than before. The first word is now the start address, confirmed to be true on a trace run.

I still haven’t found mnemonics as text but still assume them on the undumped ROM.
The online emulator still showing errors on these ROM sections although replaced with NOPs and set to model 8/E and more RAM.

I have made a custom character set in Hex editor “010” to display the correct Sixbit character set representations instead of ASCII.
The output surprisingy can’t be exported.

For better reading and saving, I wrote some code for converting and extracting just characters A-Z (no need for converting hex to octal and sixbit, just add 64 to a character’s value and make sure to just read values from 01-26 before).

Export to printer (teletype) starts with /S. I found that followed by @@ on the new file (at 1165). I found that once on my old file (at 0373) but without link to that (yet tested on the incomplete online emu). As my device doesn’t display text (except F, E) I have to focus more on data regions.

I found some details about the system test of the main PLC (RAM test, ROM test, checksums, error codes etc). Maybe my device also have a system test, but I haven’t found checksums or date/year at the end as described.
As said, the device is for programming and testing the PLC and not itself.

I found a better Hex-Editor (here on a video in thread about the NABU (Cable) PC) called xvi32.
It shows much more characters on the right ASCII part, so better for finding text and also due to the matrix lines. And you can easily change the character set. That also changes the HEX values and so can be saved.

I found on my original file some few interesting texts.
.,+DAY BAL9,8 NICK … But that is all probably a coincidence. Some interesting strings:

/UW2@@@6D<<00000A111AACHBBBBDDDDD9PP… H=/IYIYIYIY K/" "
VI=Y>00>>Y;I>+I A 0843 HINQRSUVWXYZ\ ()*+,/0189?ABC

5 times 0 could be the space for the address. The rest could be the output on the LCD display which has 2+2, 4 and 5 digits.
The empty sections of 64 bytes each could be the leader and trailer of the papertape.

I previously also have checked more emulators.
The MAC-OS emulator has a GUI and terminal windows included. But I think doesn’t know all special instructions.
On SIMH I could disassemble and export the values as characters (2 values in columns for each word).
I also have checked WINEIGHT and could make a step run. Instructions and memory locations are different. Later, some i/O instructions are illegal.
And I have tested the SBC6120 tools (needs a 32-bit Windows). 2 original DEC papertape files could be disassembled. Other original ones and mine couldn’t. I’ve tried with and without leader.

I will continue for some days but probably I have to give up soon.

On the manual I found a command to disable syntax checking when entering instructions via the numpad. F->5->1. This is the only function directly working on the programming device.
All other functions are for i/o /needs external devices or the PLC.

WinEight can be set to CPU PDP-8 or 6120. It boots a .bin file (needs leader) running at 200. But it directly did a HLT on my original file. Same for running at other locations. Loading a papertape needs renaming the extension to .PTP.
On my paired file it runs smoothly. At 200 there are 8 instructions. Then there’s a loop (40-47) reading in much data, I think beginning with 1727, 4103, 4000. Some few are above 7000 so probably RAM locations. I have to check that data.

I think, I made some important progress.
First, the Intersil EEPROM is way too small to have the full software. I think 256 or 512 words on the A version. And at a closer look, the TTY and audio connectors are connected to the other, upper board. The lower board is only for the 2 large connectors to the PLC plus the RAM cartridge. So probably just for controlling those.
It still could contain encryptions for the other EPROMs but it’s unlikely. Maybe it also contains checksums. Probably not worth for a dump.

At a closer look of the 8 EPROMs, the beginning of #4 and #8 contain the empty bytes (FF). So the only way to have them at the same location when merging, is to merge 2 pairs of 4 EPROMs. So 2x 4KB with odd/even contents. So my recent assumption was probably right. The daughter board also have many solderings between ROM 4+5, so I think there’s the border.

So I have byte and also word merged ROMs 1-4 against 5-8. With and without removing the empty bytes. Makes 4 combinations. Removing the empty bytes would result in different locations on the (important) 2nd half.

I have checked all 4 combinations on pdp8emu (as it’s easier and don’t need header, trailer and checksums, but convert to EEP), then disassembling and do trace runs.

The byte merged ROM results in a short loop, without changing the values in 10,000s of instructions. It’s possible, if waiting for input. The problem is, I’m not sure about the starting address. (Usually it’s at 200, I checked that and at 0).

More plausible is the word merged one. Short loop as well but with many changed values. And values above 7000 (possible RAM location). I have added a header and checked it on d8tape (2 pass, more mnemonics and descriptions).
There are new instructions (PDP-8E) like set teleprinter flag and set reader punch interrupt enable, but very early.

I still have to check the data contents, addresses, and run the files on WINEIGHT and other emus (special 6100 mnemonics). And check on a Hexeditor for possible texts, mnemonics, tables or else.

I’m very confident to now have the correct ROM combination.
Maybe the last chance (unless I find a PDP-8 or FESTO expert or more documents).
According the manual, the deviced is prepared to understand ASCII. Maybe that are the 2 empty red connectors for.

I now consider again dumping.
My Arduino with shield and the code can handle 2704 which has the same mem size.
So I have to first figure out the different pin assignment and other characteristics.
Later, I would also have to change the code for different timing settings.
For a 2704 without or with other shields someone needs (for reading) +5V (VCC), +external exact +12V (VDD) and -5V (VBB/VEE).
Latter one has to be enabled first and disabled last. So it’s easier to use my shield. The Intersil is different.

Pins 1-12 are the same

12 GND/VSS (0V)
22 GND/VSS (2704), Intersil E2 chip enable 2, latched by E1 (different on 6653)
21 VBB/VEE -5V, Intersil S Chip select
20 /CS WE +4.2V, Intersil E1 Chip enable 1 (different on 6653)

VDD 2704: +12 V, Intersil usually tied to VSS , range of that is 4.5-10.5 V (same pin 19).

Datasheet: Data remains valid until either E1 or S returns to high. Can I choose one? Different voltages. I thought E1 and E2 are the same.

I don’t need all pins like VPP for reading.
But 1x CS on the one side and CS+2xCE on the other side?
I haven’t found a voltage for CS on the Intersil.
And what about VDD? 12V, max 20V (for reading ?) vs 10.5 ±10% (reading). Maybe possible/better with lower or higher temperature?
Do the 2704 need both GND? 2708 is slightly different.

Is there a better and easier dumping software (Arduino Mega) where someone can change the timing settings or even has the exact PROM? Or at least a sketch? On the WIN software, I can’t change any setting for reading. And the source is complicated. Do I have to change the AVR and Arduino sources with definitions as well?
The logic settings are also unclear/unknown. !CS=High (2704), later in code (other shield) it says low. VSS=Low. Intersil unknown.

Can someone please explain?

I now have read that the Intersil just has +5 V (for reading).
As it’s different to a 2704 (VBB -5V, VDD +12V), I think I can’t read it like that, so I decided to better use the Arduino without the shield.

Maybe read as a 2732 which has CE and OE (but not VDD), both set to low.

The Harris datasheet is a bit better, sharper and not about a 6653.
There’s also an example to be wired to a CPU, I think an 8086

https://deramp.com/downloads/mfe_archive/050-Component%20Specifications/Harris/Harris%20IM6654.pdf

E1 is tied to ALE, so CS (same pin as 2704)
S is tied to PSEN so OE. (2704 doesn’t have OE)
E2 is tied to CPU pin 22 Ready.
VDD =VCC +5V

I don’t know what pin Ready is on Arduino. GND? NC?

I also need a good sample for a sketch.
I found very few Arduino sketches on github and on the arduino forum for EPROM reading. The best I’ve found yet is from Charles Baetsen.

//  Chip Pin          Arduino | 1702A  |  2704  2708  2716  2732  2764  27128  27256 27512 PLA   8316A  6830A  2102   2101
//    1                  49   |   --   |   --    --    --    --    VPP   VPP   VPP   A15   FE    --
//    2                  48   |   --   |   --    --    --    --    A12   A12   A12   A12   I07   --
//    3      1           47   |   A02  |   A07   A07   A07   A07   A07   A07   A07   A07   I06   A07    GND
//    4      2   1       46   |   A01  |   A06   A06   A06   A06   A06   A06   A06   A06   I05   A08    D0            A03
//    5      3   2       45   |   A00  |   A05   A05   A05   A05   A05   A05   A05   A05   I04   A09    D1            A02
//    6      4   3       44   |   D0   |   A04   A04   A04   A04   A04   A04   A04   A04   I03   A10    D2            A01
//    7      5   4   1   43   |   D1   |   A03   A03   A03   A03   A03   A03   A03   A03   I02   A00    D3      A06   A00
//    8      6   5   2   42   |   D2   |   A02   A02   A02   A02   A02   A02   A02   A02   I01   A01    D4      A05   A05  
//    9      7   6   3   41   |   D3   |   A01   A01   A01   A01   A01   A01   A01   A01   I00   A02    D5      RW    A06
//    10     8   7   4   40   |   D4   |   A00   A00   A00   A00   A00   A00   A00   A00   F7    A03    D6      A01   A07
//    11     9   8   5   39   |   D5   |   D0    D0    D0    D0    D0    D0    D0    D0    F6    A04    D7      A02   GND
//    12    10   9   6   38   |   D6   |   D1    D1    D1    D1    D1    D1    D1    D1    F5    A05    CS0     A03   DI1
//    13    11  10   7   37   |   D7   |   D2    D2    D2    D2    D2    D2    D2    D2    F4    A06    CS1     A04   DO1
//    14    12  11   8   36   |   VCC  |   GND   GND   GND   GND   GND   GND   GND   GND   GND   GND    VCC     A00   DI2
//    15    13  12   9   35   |   PRM  |   D3    D3    D3    D3    D3    D3    D3    D3    F3    CS3    CS2     GND   DO2
//    16    14  13  10   34   |   !CS  |   D4    D4    D4    D4    D4    D4    D4    D4    F2    CS2    CS3     VCC   DI3
//    17    15  14  11   33   |   VBB  |   D5    D5    D5    D5    D5    D5    D5    D5    F1    CS1    A09     DI    DO3
//    18    16  15  12   32   |   VGG  |   D6    D6    D6    D6    D6    D6    D6    D6    F0    D7     A08     DO    DI4
//    19    17  16  13   31   |   A07  |   D7    D7    D7    D7    D7    D7    D7    D7    !CE   D6     A07     !CE   DO4
//    20    18  17  14   30   |   A06  |   PRM   PRM   PRM   !CE  !CE    !CE   !CE   !CE   I15   D5     A06     A09   CE2
//    21    19  18  15   29   |   A05  |   VDD   VDD   A10   A10   A10   A10   A10   A10   I14   D4     A05     A08   OD
//    22    20  19  16   28   |   A04  |   !CS   !CS   !CS   !OE   !OE   !OE   !OE   !OE   I13   D3     A04     A07   !CE1
//    23    21  20       27   |   A03  |   VBB   VBB   VPP   A11   A11   A11   A11   A11   I12   D2     A03           RW
//    24    22  21       26   |   VCC2 |   VSS   A09   A09   A09   A09   A09   A09   A09   I11   D1     A02           A04
//    25    23  22       25   |   VCC3 |   A08   A08   A08   A08   A08   A08   A08   A08   I10   D0     A01           VCC
//    26    24           24   |   VDD  |   VCC   VCC   VCC   VCC   NC    A13   A13   A13   I09   VCC    A00
//    27                 23   |   --   |   --    --    --    --    !P    !P    A14   A14   I08   --
//    28                 22   |   --   |   --    --    --    --    VCC   VCC   VCC   VCC   VCC   --

// To read 2704/2708 chips, Vcc=+5, VDD=+12, VBB=-5, !CS=HIGH, PRM either HIGH or LOW, VSS = LOW. Need RB-0505D and RB-0512S installed.
// TO read 2716 chips, PRM = LOW, !CS =LOW, VPP= HIGH, VCC=5
// To read other 27* chips, !OE, !CE is set to LOW, and !P (if present) is HIGH

Any help is appreciated.

I finally dared to dump since 2 days.
It worked, but the output is not correct (timing issues).

So I have 2xCE and 1x CS. 1 CE also has another function.
The output has many FF and 00.
When removing these, I got 80 bytes. Not sure if this is garbage or correct parts. Not octal instructions.

I tried different delays (at different locations) and could reduce mainly the 00s.

One cycle takes 62.5 ns. Accessing memory uses 2 cycles. EEPROM 4 cycles + another instructions.
So the Arduino with usual code is too slow.
There are maybe some ways
direct port controlling, using assembler code, using a scope, using external ICs, …
Maybe analog ports? I searched a lot.
But maybe the code is not correct. Almost all sketches have their own shields with more parts.