You're right, it won't help to clone the PAL but it might help to mimic its behaviour.
Assuming the schematic is this one
1. The PAL is clocked by the UDS signal, which toggles even if there is no activity on the cartridge port, inputing address bus data to the PAL
2. The PAL outputs will be enabled only during cartridge port readings (ROM Select 3 signal)
Because of 2., a logic analyzer between the ST and the cartridge won't capture the outputs at every UDS cycles, missing a lot of information to help guessing the PAL configuration (I doubt it would be possible with a PAL that big anyway).
But what I found during my experiments with Synthworks dongle almost 2 years ago is that because of 1., the software has to be very specific to access to the dongle using always the same pattern:
- mask all interrupts
- switch a small dongle access routine code with the data at the begining of the RAM (the interrupt vectors table)
- call the routine at the beginning of the RAM with a parameter giving the number of iterations. There are different routines with different initial data
- at each iteration the cartridge port is read but the value is discarded (only the last one is kept) and the address is increased (or decreased, depending on the routine used). There may be up to 64 iterations.
- switch back the dongle access routine code with the data at the begining of the RAM (restoring the interrupts vectors table)
- unmask the interrupts
- use the last value read from the dongle in the protection routine
So I made a software in Omikron inlining those routines' code that writes the last dongle value to disk for each parameter values, making tables.
Then I was able to mimic the dongle in a modified Steem that includes those tables (and writes to trace.txt all accesses to the cartridge port with the number of CPU cycles between them). By using Synthworks under Steem, I can check the trace to see if there are accesses to the dongle that are not covered by the tables.
My goal wasn't to make a clone of the dongle but to run Synthworks in emulator, but maybe the tables can be embbeded in a MCU or programable logic in a cartridge which behaviour would be the same as the original dongle. This wouldn't be an exact copy of the dongle but could be enough to use the protected software.