--- a/bootrom.notes	Sun Apr 21 21:48:50 2013 +0000
+++ b/bootrom.notes	Wed Apr 24 19:32:45 2013 +0000
@@ -28,6 +28,34 @@
   as if nIBOOT were high) and causes the watchdog timer to go off, resetting
   the ARM core and causing it to execute the external nCS0 reset vector.
 
+UART protocol
+
+The external host initiates every operation by sending a command to the
+Calypso target running the boot ROM code.  Every command begins with '<' and
+a lowercase ASCII letter; just the initial '<' is sufficient to interrupt
+the flash image autoboot.  The external host shound send these commands at
+19200 baud, 8N1, and the boot ROM will intuit whether the Calypso is being
+clocked with 13 or 26 MHz by trying the two possible clocking setups
+alternately, with the UART baud rate registers set to /42 in both cases,
+until a clean '<' is received.
+
+Commands:
+
+<a
+
+<b
+
+Followed by 4 bytes, giving a 32-bit value in MSB-first order.  The value is
+written to 800538, and the 0x2c8 function returns code 6.
+
+<c
+
+<i
+
+<p
+
+<w
+
 RAM layout:
 
 800000 7 words:
@@ -40,7 +68,8 @@
 800038:	The helper routine for transferring control to type 1 flash images
 	is copied to and run here.
 800100:	the last word of the above routine
-800104: word initialized to 0x0001D4C0
+800104: word initialized to 0x0001D4C0 - tells the 0x2c8 routine
+	how long to wait for a character
 800108: byte initialized to 0x01
 
 800520: byte variable filled every time the 0xfb4 routine is called
@@ -48,8 +77,12 @@
 800524: byte variable filled every time the 0xfb4 routine is called
 	filled with a copy of 800534
 
+80052C: byte following the '<c' command is extended to a half-word and
+	written here
+
 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4
 	routine if it selects /1 clock mode.
+800538: word holds the argument of the '<b' command
 
 8005C0: appears to be the intended low address (bottom) of the stack
 80074C: top of the stack (initial value loaded into SP)