--- a/bootrom.disasm	Thu Apr 25 03:16:17 2013 +0000
+++ b/bootrom.disasm	Thu Apr 25 04:07:10 2013 +0000
@@ -539,13 +539,16 @@
      728:	e28dd004 	add	sp, sp, #4	; 0x4
      72c:	e8bd8ff0 	ldmia	sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc}
 
+; The routine at 0x730 is called from the 0x8b4 routine and handles
+; '<w' commands.
+
      730:	e92d43f0 	stmdb	sp!, {r4, r5, r6, r7, r8, r9, lr}
-     734:	e59f46c8 	ldr	r4, [pc, #1736]	; 0xe04
-     738:	e5d4c018 	ldrb	r12, [r4, #24]
+     734:	e59f46c8 	ldr	r4, =0x800518	; via 0xe04
+     738:	e5d4c018 	ldrb	r12, [r4, #24]	; 800530
      73c:	e35c0001 	cmp	r12, #1	; 0x1
      740:	0a00004a 	beq	0x870
-     744:	e59f56c0 	ldr	r5, [pc, #1728]	; 0xe0c
-     748:	e59f66c8 	ldr	r6, [pc, #1736]	; 0xe18
+     744:	e59f56c0 	ldr	r5, =0x80010C	; via 0xe0c
+     748:	e59f66c8 	ldr	r6, =0x800750	; via 0xe18
      74c:	e3a07000 	mov	r7, #0	; 0x0
      750:	e3a00000 	mov	r0, #0	; 0x0
      754:	e080c005 	add	r12, r0, r5
@@ -582,14 +585,16 @@
      7d0:	e3a03000 	mov	r3, #0	; 0x0
      7d4:	e1520006 	cmp	r2, r6
      7d8:	3a000003 	bcc	0x7ec
-     7dc:	e59fc638 	ldr	r12, [pc, #1592]	; 0xe1c
+     7dc:	e59fc638 	ldr	r12, =0x7F8AF	; via 0xe1c
      7e0:	e08cc006 	add	r12, r12, r6
      7e4:	e152000c 	cmp	r2, r12
      7e8:	9a000001 	bls	0x7f4
+; error: bad load address
      7ec:	e383c001 	orr	r12, r3, #1	; 0x1
      7f0:	e20c30ff 	and	r3, r12, #255	; 0xff
      7f4:	e3530000 	cmp	r3, #0	; 0x0
      7f8:	1a00001d 	bne	0x874
+; address OK
      7fc:	e3a09000 	mov	r9, #0	; 0x0
      800:	e3510000 	cmp	r1, #0	; 0x0
      804:	0a00000b 	beq	0x838
@@ -619,20 +624,26 @@
      864:	e3570000 	cmp	r7, #0	; 0x0
      868:	0affffb9 	beq	0x754
      86c:	ea000000 	b	0x874
+; 800530 flag was set to 01
+; return error 02
      870:	e3a03002 	mov	r3, #2	; 0x2
+; common exit path: good or bad?
      874:	e5c43019 	strb	r3, [r4, #25]
      878:	e3530000 	cmp	r3, #0	; 0x0
-     87c:	0a000008 	beq	0x8a4
+     87c:	0a000008 	beq	0x8a4	; good return
+; nope, bad: send >W
      880:	e3a00004 	mov	r0, #4	; 0x4
      884:	ebfffe2c 	bl	0x13c
+; reset baud rate to 19200
      888:	e5d41008 	ldrb	r1, [r4, #8]
      88c:	e3a00004 	mov	r0, #4	; 0x4
      890:	eb0002d0 	bl	0x13d8
+; var init
      894:	e1a00004 	mov	r0, r4
      898:	ebfffe1f 	bl	0x11c
      89c:	e3a00001 	mov	r0, #1	; 0x1
      8a0:	e8bd83f0 	ldmia	sp!, {r4, r5, r6, r7, r8, r9, pc}
-
+; good return: send >w to host
      8a4:	e3a00003 	mov	r0, #3	; 0x3
      8a8:	ebfffe23 	bl	0x13c
      8ac:	e3a00000 	mov	r0, #0	; 0x0

--- a/bootrom.notes	Thu Apr 25 03:16:17 2013 +0000
+++ b/bootrom.notes	Thu Apr 25 04:07:10 2013 +0000
@@ -48,6 +48,9 @@
 
 <a
 
+Seems to be a reset command that throws everything back to the initial state.
+Does not seem to produce a response.
+
 <b
 
 Followed by 4 bytes, giving a 32-bit value in MSB-first order.  The value is
@@ -101,6 +104,20 @@
 for a single block (both bytes after <w set to 01), the maximum allowed
 payload length is 1015 (0x3F7) bytes.
 
+The checksum of each block is computed as a simple ripple-carry sum
+(in a 32-bit ARM register) of:
+	+ the word-sized payload byte count from the command
+	+ each of the 4 bytes of the load address
+	+ constant 5
+	+ each byte of the payload data
+
+The code then takes a one's complement of the least significant byte
+of the above sum, and adds that (plain ripple-carry addition)
+to the accum in 800528 (a 16-bit variable).
+
+Good response: >w
+Error response: >W <err code byte from 800531>
+
 RAM layout:
 
 800000 7 words:
@@ -155,6 +172,10 @@
 800530: byte indicates validity of the received '<w' command:
 	0 means valid, 1 means something bad
 	init to 0 by 0x11c
+800531: byte error code to return to host as the 3rd (and last) byte
+	of the >W message
+	set to 02 if the 800530 flag was set
+	set to 01 if the 0x730 routine detects bad address
 
 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4
 	routine if it selects /1 clock mode.