## M68HC711D3 BootROM Program Listing

By Joseph Haas, ke0ff 11/26/2013

joeh-at-rollanet-det-org

I recently had need for the bootrom listing of the HC711D3 processor. After scouring the internet and finding only a few tantalizing references to same, I decided to simply download the ROM code from one of the D3 parts I have and disassemble it. By hand.

This is normally a daunting task, but it was aided greatly by several happy coincidences. First, there are a number of HC11 variants with bootrom listings that are available. Furthermore, the fact that the bootrom differences between variants are generally minor, and that the boot ROM is comprised of less than 255 bytes of code, all combined to make the process quite manageable.

Of course, being an operation that entails a great deal of human involvement means that it must be taken with a grain of salt. Still, I believe that this effort is as error-free as I can reasonably make it and I offer this listing to the internet on the slim chance that it might help someone, somewhere, who might need to have a quick gander at what is going on inside the D3 when it enters boot mode.

Bon Appétit!

```
************
                    * BOOTLOADER FIRMWARE FOR 68HC711D3
                   * Dis-assembled by Joe Haas, keOff, 11-25-2013 from ROM
                    * code downloaded from:
                               P/N: XC68HC711D3
                           mask ID: IEQC9239
                   * Comments reconstructed from listings presented in
                    * Freescale document# EB422.
                    * This code was carefully hand-dis-assembled and checked
                    * for accuracy, but may yet contain isolated transcription *
                    * errors. As such, this code listing should be considered *
                    * as reference data only.
                    * Note: All timing specs are based on Eclk = 2.00 MHz
                    * Features of this bootloader are. . .
                    * Auto baud select between 7812.5 and 1200 (8 MHz)
                    * 0 - 192 byte variable length download
                    * Jump to EPROM at $F000 if 1st input byte = $00
                    * PROGRAM - Utility subroutine to program EPROM
                    * UPLOAD - Utility subroutine to dump memory to host
                    * Rev I.D. at $BFD1 = $42 ("B")
                    * Mask I.D. at $BFD4 = $71D3
                    ************
                    * Revision B
                    * Changes from previous revisions unknown
                    * HC711D3 REG EQUATES
0008
                   PORTD
                          EQU
                   TCNT EQU $0E
SPCR EQU $28
000E
0028
                   * BIT EQUATES FOR SPCR
0020
                   DWOM
                          EQU $20
                   TCNT EQU $0E
TOC1 EQU $16
TFLG1 EQU $23
000E
0016
0023
                   * BIT EQUATES FOR TFLG1
0800
                   OCF1 EQU $80
002B
                   BAUD EQU $2B
                   SCCR1 EQU $2C
SCCR2 EQU $2D
002C
002D
                   * BIT EQUATES FOR SCCR2
0008
                   TE EQU $08
                   RE
0004
                           EQU
                   SCSR EOU $2E
002E
                   * BIT EQUATES FOR SCSR
                   TDRE EQU $80
RDRF EQU $20
0.800
0020
                   SCDR EQU $2F
PPROG EQU $3B
003B
                                    $3B
                   * BIT EQUATES FOR PPROG
0020
                   ELAT EQU $20
0001
                   EPGM
                           EQU
                                    $01
                    * MEMORY CONFIGURATION EQUATES
F000
                   EPRMSTR EOU
                                   SECO
                                                            Start of EPROM
                   EPRMEND EQU $FFFF
                                                           End of EPROM
7777
                   RAMSTR EQU $0040
RAMEND EQU $00FF
0040
                                                           Start of RAM
                                                           End of RAM
00FF
                   * DELAY CONSTANTS
                   DELAYS EQU
                                                           Delay at slow baud
                   DELAYF EQU
021B
                                   539
                                                           Delay at fast baud
1068
                   PROGDEL EOU 4200
                                                            2.1 ms prog delay
```

BF4B: 20 CB

```
*************
BF00
                           ORG
                                   $BF00
                    *************
                    ^{\star} The next two instruction locations provide a predictable ^{\star}
                    ^{\star} set of addresses to call PROGRAM and UPLOAD even if the ^{\star}
                    * routines change size in future versions.
BF00: 7E BF10
                   PROGRAM JMP PRGROUT
                    ************
                    * UPLOAD - Utility subroutine to send data from
                    * inside the MCU to the host via the SCI interface.
                    * Prior to calling UPLOAD set baud rate, turn on SCI
                    * and set Y=first address to upload.
                    * Bootloader leaves baud set, SCI enabled, and
                    * Y pointing at EPROM start ($D0000) so these default
                    * values do not have to be changed typically.
                    * Consecutive locations are sent via SCI in an
                    * infinite loop. Reset stops the upload process.
BF03: 18A6 00
                  UPLOAD LDAA
                                   0,Y
                                                           get data to send
                                                          wait for tx ready send data
                   BRCLR SCSR, TDRE, *
BF06: 13 2E 80 FC
                           STAA
                                    SCDR
BF0A: 97 2F
BF0C: 1808
                            INY
                                                           next address
BF0E: 20 F3
                                   UPTIOAD
                            BRA
                                                           loop (forever)...
                    **************
                    * PROGRAM - Utility subroutine to program EPROM.
                    * Prior to calling PROGRAM set baud rate, turn on SCI
                    * set X=2ms prog delay constant, and set Y=first
                    * address to program. SP must point to RAM.
                    * Bootloader leaves baud set, SCI enabled, X=4200
                    * and Y pointing at EPROM start ($D000) so these
                    * default values don't have to be changed typically.
                    * Delay constant in X should be equivalent to 2 ms
                    * at 2.1 MHz X=4200; at 1 MHz X=2000.
                    * At external voltage source is required for EPROM
                    * programming.
                    * This routine uses 2 bytes of stack space
                    * Routine does not return. Reset to exit.
BF10: 13 2E 80 FC PRGROUT BRCLR
                                  SCSR, TDRE, *
                                                           wait for tx ready
BF14: 86 FF
                  LDAA #$FF
STAA SCDR
                                    #$FF
                                                           send $ff to host to start
BF16: 97 2F
BF18: 13 2E 20 FC WAIT1 BRCLR SCSR,RDRF,*
                                                           wait for eprom data
                          LDAB SCDR
CMPB 0,Y
BEQ DONEIT
BF1C: D6 2F
                                                           already programmed?
BF1E: 18E1 00
BF21: 27 1D
                                                           yes, skip pgm steps
                           LDAA
BF23: 86 20
                                                           put eprom in latch mode
                                   #ELAT
                                   PPROG
BF25: 97 3B
                           STAA
STAB
BF27: 18E7 00
                                    0.Y
                                                           store data
                          LDAA
BF2A: 86 21
                                   #ELAT+PGM
                                                           put eprom in pgm mode
                          STAA
BF2C: 97 3B
                                   PPROG
BF2E: 3C
                            PSHX
BF2F: 8F
                           XGDX
                                                           get 2.1 ms delay const in D
BF30: 38
                          PULX
                                                           keep delay in X
                          ADDD TCNT
STD TOC1
LDAA #OC1F
BF31: D3 0E
BF33: DD 16
                                                           set 2.1 ms time delay
                           LDAA
BF35: 86 80
                                                      pre-clear flag
wait for delay to expire
turn off pgm voltage
wait for tx ready
BF37: 97 23
                          STAA
                                   TFLG1
                   BRCLR TFLG1,OC1F
CLR PPROG
BF39: 13 23 80 FC
                                    TFLG1,OC1F,*
BF3D: 7F 003B
                                  SCSR, TDRE, *
BF40: 13 2E 80 FC DONEIT BRCLR
                                                          get EPROM byte
BF44: 18A6 00
                          LDAA 0,Y
BF47: 97 2F
                            STAA
                                    SCDR
                                                           and send to host
BF49: 1808
                                                           go to next eprom location
                            INY
                                   WAIT1
```

BRA

loop,

00

```
***********
                        * Main bootloader starts here out of reset.
                         * Initializes SCI for 7812.5 baud, issues a break and
                         ^{\star} waits for a response. $FF at 7812.5 or 1200 baud will ^{\star}
                         * initiate dowload sequence to MCU RAM. Download is at
                         * either 7812.5, or 1200 (if $FF was sent at any rate
                        * slower than about 7000 baud, the download will be at
                        * 1200 baud). After 192 bytes, or a pause of greater than *
* 5.12ms, the code loads Y with a timing constant, X with *
                         * $F000, and jumps to start of RAM.
                        * A response of \$00 causes a JMP to \$F000.
BF50: 14 28 20
                      BEGIN LDS
                                            #RAMEND
                                                                        set stack
                                BSET SPCR, DWOM
LDD #$A20C
STAA BAUD
STAB SCCR2
BF53: CC A20C
BF56: 97 2B
                                                                        set BAUD = 7812.5
BF58: D7 2D
                                                                        set SCCR2 = RE+TE
                             STD TOC1
BSET SCCR2,SBK
BRSET PORTD,RXD,*
BCLR SCCR2,SBK
BRCLR SCSR,RDRF,*
LDAA SCDR
NOTZERO
                                                                       set fast baud delay
BF5A: CC 021B
                                 LDD
                                           #DELAYF
                                                                     (5.12ms @ E=2MHz)
send break
watch for RXD low
BF5D: DD 16
BF5F: 14 2D 01
BF62: 12 08 01 FC
BF66: 15 2D 01
                                            SCSR, RDRF, *
BF69: 13 2E 20 FC
                                                                        wait for rcv data
BF6D: 96 2F
                                                                        get rcv data
                                 BNE NOTZERO
JMP EPRMSTR
                                                                        no break rcvd,
BF6F: 26 03
BF71: 7E F000
                                                                        break rcvd, jmp to EPROM
BF74: 81 FF NOTZERO CMPA #$FF was $ff rcvd?
BF76: 27 08 BEQ BAUDOK yes,
BF78: 14 2B 33 BSET BAUD, SCP1+SCP0+SCR1+SCRO set 1200 baud
BF7B: CC 0DB0 LDD #DELAYS set slow baud
                                                                        set slow baud delay (33.29ms)
B7BE: DD 16 STD TOC1
BF80: 18CE 0040 BAUDOK LDY #RAMSTR
BF84: DE 16 WAIL LDX TOC1
BF86: 12 2E 20 09 WTLOOP BRSET SCSR, RDRF, NEWONE
                                 STD
                                                                         set start of RAM
                                                                         dly count (19\sim\sim = 9.5us/loop)
                                                                         ~6 got data,
                                  DEX
                                                                         ~3 decrement delay loop count
BF8A: 09
BF8B: 01
                                  NOP
                                                                         ~2 { run these idle instr
                                                                         ~2 { to establish delay
BF8C: 01
                                  NOP
                      BRN NOWHERE
NOWHERE BNE WILOOP
BF8D: 21 00
                                                                         ~3 { increment
                                                                         \sim 3 loop until X = 0
BF8F: 26 F5
BF91: 20 OF
                                  BRA
                                            STAR
                                                                        timeout, quit loop
                       NEWONE LDAA SCDR
STAA 0,Y
BF93: 96 2F
                                                                        get rcv data
                                                                        put in RAM
BF95: 18A7 00
                                  STAA
BF98: 97 2F
                                                                         echo to host
                                            SCDR
BF9A: 18 08
                                 INY
                                                                        next RAM location
                                           #RAMEND+1
WAIL
                                                                         is last?
BF9C: 188C 0100
                                  CPY
                                  BNE
BFA0: 26 E2
                                                                         no, keep looping
                      STAR LDX #PROGDEL
LDY #EPRMSTR
JMP RAMSTR
BFA2: CE 1068
BFA5: 18CE F000
                                                                       set EPROM delay const
                                             #EPRMSTR
                                                                         set start of EPROM
BFA9: 7E 0040
                                                                         jump to RAM
                        **********
                        * block fill unused bytes with 0's
BFAC: 00 00 00 00 00 00
                                BSZ
                                           $BFD1-*
        00 00 00 00 00 00
        00 00 00 00 00 00
        00 00 00 00 00 00
        00 00 00 00 00 00
        00 00 00 00 00 00
```

|       |       | *****                    | *****     | *****   | ******          | ******   |
|-------|-------|--------------------------|-----------|---------|-----------------|----------|
|       |       | * 711D3 Bootrom revision |           |         |                 |          |
| BFD1: | 42    |                          | FCC       | "B"     |                 |          |
|       |       |                          |           |         |                 |          |
|       |       |                          |           |         | ******          | ******   |
|       |       | * Mask s                 |           |         | EPROM parts)    |          |
| BFD2: | 0000  |                          | FDB       | \$0000  |                 |          |
|       |       | *****                    | *****     | *****   | *****           | *****    |
|       |       | * 711D3                  | ID - used | to dete | ermine MCU type |          |
| BFD4: | 71D3  |                          |           | \$71D3  |                 |          |
|       |       |                          |           |         |                 |          |
|       |       |                          |           |         | ******          |          |
|       |       | * 711D3                  | _         |         | RAM jump table  | -        |
| BFD6: |       |                          |           | \$00C4  |                 | SCI      |
| BFD8: |       |                          |           | \$00C7  |                 | SPI      |
| BFDA: |       |                          |           | \$00CA  |                 | PAI edge |
| BFDC: |       |                          |           | \$00CD  |                 | PAIOF    |
| BFDE: |       |                          |           | \$00D0  |                 | TOF      |
| BFE0: |       |                          |           | \$00D3  |                 | TOC5/IC4 |
| BFE2: |       |                          |           | \$00D6  |                 | TOC4     |
| BFE4: |       |                          |           | \$00D9  |                 | TOC3     |
| BFE6: |       |                          | FDB       | \$00DC  |                 | TOC2     |
| BFE8: |       |                          | FDB       | \$00DF  |                 | TOC1     |
| BFEA: |       |                          | FDB       | \$00E2  |                 | TIC3     |
| BFEC: |       |                          | FDB       | \$00E5  |                 | TIC2     |
| BFEE: |       |                          | FDB       | \$00E8  |                 | TIC1     |
| BFF0: |       |                          | FDB       | \$00EB  |                 | RTI      |
| BFF2: |       |                          | FDB       | \$00EE  |                 | IRQ      |
| BFF4: |       |                          | FDB       | \$00F1  |                 | XIRQ     |
| BFF6: |       |                          | FDB       | \$00F4  |                 | SWI      |
| BFF8: |       |                          | FDB       | \$00F7  |                 | ILLOP    |
| BFFA: |       |                          | FDB       | \$00FA  |                 | COPF     |
| BFFC: |       |                          | FDB       | \$00FD  |                 | CMON     |
| BFFE: | BF'4D |                          | FDB       | \$BF4D  |                 | RESET    |
|       |       |                          | END       |         |                 |          |

## 711D3 bootrom S-record listing: