20230211a -- The feeling begins...

A project log for ROM Disassembly - AlphaSmart Pro

Wherein I disassemble the ROM from a vintage typewriter-thing

ziggurat29, 02/15/2023 at 19:13, 0 Comments

As of late I have a bit of free time and am looking forward to a relaxing distraction of my peculiar taste in pastimes of disassembling ROMs of vintage equipment.

As fate would have it, my friend [Eric] (@EricHertz) has recently come into possession of a vintage typewriter of sorts -- The AlphaSmart Pro.  (He finds the best junque!)

This device is a typewriter of sorts.  It was created by some former Apple guys in the early 1990's and targeted the education market.  The gist is simple:  a portable keyboard with integrated LCD into which you can type documents.

Note 'document' means text only.  Then you can connect it to a desktop-class computer, and it will emulate a keyboard, and dump the text out.

Apparently it was popular with some, the product went through several iterations, and the company was eventually acquired, and the product retired.  I won't bore you with more history that you can find for yourself; e.g.:

https://en.wikipedia.org/wiki/AlphaSmart

Anyway, [Eric] mentioned having opened the device, and that the ROM was socketed, so I pleaded with him to dump it and send me the result.  He had his own stuff to do, but happily he found time to indulge me.

This unit uses a 68HC11xx processor.  I have never worked with this processor myself, so this will add a little fun to the mix.

First step is getting datasheets.  The programming model looks particularly simple.  It's a typical 8-bit device with a 64KiB address space.  Reset vector is at the top of address space, so the ROM dump almost surely maps up there.  The ROM dump is 8KiB, so for now I'm going to assume it all maps to E000 - FFFF.  (Banking is a possibility, but I'm going to disregard that until proven otherwise.)

The processor had many variants, and the 'xx' I labelled indicates that I do not know yet which variation this processor is.  Photos of the board are seemingly rare and too low res for me to make out the suffix, and I haven't found it called out in things like Wikipedia, etc.  The variant is important especially with this device because things like mapping of internal RAM are different across the product line.  For now I'm going to guess it is a ROM-less version like the E0, since there is a big ol' EPROM right next to it.  This assumption may change as I start to dig in.

The RAM has large markings, so I can see it is a Toshiba TCS551001BPL-85, so that's 128KiB static RAM.  That's way bigger than the address space, so surely that is banked in some way.  I'm not too worried about figuring that out now because disassembly will start to provide clues.  Normally, my friend [Eric] would buzz out the board and other things since he has the actual unit, but he's busy with other things right now, so I will hobble on.

The LCD is some 4x40(?), I'll punt on those details for now.  I am going to assume the keyboard is some garden variety matrix done in software until I can figure out otherwise.  There are two ports:  one is PS/2 and the other is ADB.  These are a quirky form of data transfer to a PC where the unit pretends to be a keyboard and simply dumps the contained documents as a series of keystrokes to the PC.  lol!

I converted the Intel Hex to binary so I can whizz through it in a hex editor to get a quick lay of the land before getting into actual disassembly.

I can see at the end of the binary there is a block of 0x01's, which I presume are padding, and ending with a series of 16-bit ints, so I'm pretty sure those are the interrupt vectors.  The last is the reset vector, and it is 0xe000, so this tends to confirm my suspicion that the ROM is not banked (if unbanked, it would map in at 0xe000).
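The two steps described above (Intel HEX to flat binary, then reading the 16-bit words at the top of the address space), as an added example that is not the author's code. It assumes the hex file addresses the EPROM from offset 0 and that the image maps to the top of the 64KiB space, uses the standard 68HC11 vector layout at $FFD6-$FFFF, and runs on a small constructed sample rather than the actual ROM dump.

```python
# SAMPLE_HEX is constructed for illustration; it is not the AlphaSmart ROM.
SAMPLE_HEX = """\
:030000008E00FF70
:041FFC00E000E00021
:00000001FF
"""

# 68HC11 vectors occupy $FFD6-$FFFF, two bytes each, big-endian.
VECTOR_NAMES = [
    "SCI", "SPI", "PA input edge", "PA overflow", "Timer overflow",
    "TIC4/TOC5", "TOC4", "TOC3", "TOC2", "TOC1", "TIC3", "TIC2", "TIC1",
    "RTI", "IRQ", "XIRQ", "SWI", "Illegal opcode", "COP failure",
    "Clock monitor", "RESET",
]
VECTOR_BASE = 0xFFD6

def hex_to_bin(text, size=0x2000, fill=0xFF):
    """Parse type-00/01 Intel HEX records into a flat image of `size` bytes."""
    image = bytearray([fill]) * size
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5 or sum(rec) & 0xFF:
            raise ValueError(f"line {lineno}: bad length or checksum")
        count, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        if rtype == 1:                      # end-of-file record
            break
        if rtype != 0:
            raise ValueError(f"line {lineno}: unsupported record type {rtype}")
        if addr + count > size:
            raise ValueError(f"line {lineno}: data past end of image")
        image[addr:addr + count] = rec[4:4 + count]
    return bytes(image)

def vector_table(image):
    """Map the image to the top of the 64KiB space and read the vectors."""
    base = 0x10000 - len(image)             # 8KiB image -> base 0xE000
    offs = [VECTOR_BASE + 2 * i - base for i in range(len(VECTOR_NAMES))]
    return base, {n: int.from_bytes(image[o:o + 2], "big")
                  for n, o in zip(VECTOR_NAMES, offs)}

if __name__ == "__main__":
    base, vectors = vector_table(hex_to_bin(SAMPLE_HEX))
    for name, target in vectors.items():
        print(f"{name:15s} ${target:04X}" + ("" if target >= base else "  (outside ROM)"))
```

A reset vector equal to the computed base address is the same consistency check the paragraph above applies by eye; vectors that point below the base would be the first hint of banking or internal ROM.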

I also found a text string 'This is the RAM valid signatur2'.  This is interesting because it suggests that there is a routine somewhere that whizzes through all the RAM and computes a checksum.  And if it whizzes through all the RAM, then it must do all the relevant bank switching as well.  Because this will be a simple routine of linear access and accumulate, it will be easy to disassemble, and so will probably make it easy to figure out the banking scheme.  So this is an early target of interest.

OK, time to fire up the disassembler.  You can get by with disassembly to a text file that you then annotate -- and I do that sometimes with exotic processors -- but it really helps to have a nice disassembler that propagates symbol references and comments.  It's difficult to stress how much more productive you will be with just those two features.

I am using an old copy of IDA Pro.  It has 6811 support.  It's ruinously expensive commercial software, though, so I can't give you a copy, alas.  I will publish the textual disassembly, however.  Aside:  I have been meaning to try Ghidra for some time now, since it's free, and this would be a great opportunity, but I'm going to push that activity out yet once again.  But if I make some headway, I may revisit that decision to kick those tires separately.