This document describes how to dump the internal ROM from Hitachi H8/300, HD6301Y0, and HD6301X0 microcontrollers.  It is an extension of
my work dumping HD6301Y0 and HD6301X0 from here: www.seanriddle.com/hd6301y0

After dumping HD6301Y0s from multiple chess computers, hap asked me to look at H8/300 chips.  I read the datasheets and the basic models
are very similar to HD6301Y0, so I adapted my hardware and software and tested it out on an H8/300 from a chess computer bought from ebay.
After a little work I was able to get the ROM to dump, and I found 2 more H8/300s in devices I had previously bought or been sent.  There are
many different families of H8/300; I modified my design to make it work on all the ones that I've seen, but it's possible that some other
families do not have the same pins that I'm using, or will not dump using the same tricks.

The PICBASIC PRO HD6301Y0 dumper was modified to be menu based.  When run, it presents several options.  Two of them are used to dump HD6301Y0s and HD6301X0s,
and two are used to dump different H8/300s; H8/323 and H8/325 use a slightly different method than H8/328, H8/329, and H8/3214.

After a menu item is chosen, the program will start sending signals to the microcontroller to glitch it into dump its internal ROM.  The bytes will be displayed
in ASCII.  If the microcontroller doesn't respond, the PIC will restart and try again.

The EPROM (I used a 2716) now contains the HD6301Y0 dumping code in the first 256 bytes and the H8/300 dumping code in the next 256 bytes.  Three
signals from the PIC are used to select which 256-byte bank is selected.

00-7f: 80

80: 7907 8040  mov.w   #h'8040, r7	stack pointer $8040
84: 7901 ff07  mov.w   #h'ff07, r1	r1=$ff07
88: 7902 0001  mov.w   #h'0001, r2	r2=$0001

8c: 6a82 ffb2  mov.b   r2h, @h'ffb2	p1dr=0
90: 6a82 ffba  mov.b   r2h, @h'ffba	p5dr=0
94: 6a82 ffbb  mov.b   r2h, @h'ffbb	p6dr=0

98: 6a81 ffb0  mov.b   r1h, @h'ffb0	p1ddr=ff
9c: 6a81 ffb9  mov.b   r1h, @h'ffb9	p6ddr=ff
a0: 6a89 ffb8  mov.b   r1l, @h'ffb8	p5ddr=07

a4: 7903 0000  mov.w   #h'0000, r3	r3=0
a8: 683c       mov.b   @r3, r4l		r4l=rom[r3]
aa: 6a8c ffbb  mov.b   r4l, @h'ffbb	p6dr=data; in some chips, p6 only has 7 bits
ae: 4a04       bpl     h'00b4		skip if high bit = 0
b0: fc04       mov.b   #h'04, r4l	shifted high bit=1
b2: 4002       bt      h'00b6		skip
b4: fc00       mov.b   #h'00, r4l	shifted high bit=0
b6: 6a8c ffba  mov.b   r4l, @h'ffba	p5dr=shifted high bit

ba: cc01       or.b    #h'01, r4l	turn on flag bit
bc: 6a8c ffba  mov.b   r4l, @h'ffba	p5dr=shifted high bit, flag=1
c0: ecfe       and.b   #h'fe, r4l	turn off flag bit
c2: 6a8c ffba  mov.b   r4l, @h'ffba	p5dr=shifted high bit, flag=0

c6: 0923       add.w   r2, r3		r3=r3+1
c8: 46de       bne     h'00a8		loop until r3=$0000

ca: 5a00 8080  jmp     h'8080		start over

ce-ff: 80