MON51 protocol
This describes parts of the protocol used by MON51, as found by reverse engineering.
All numbers are hexadecimal.
Handshake
If a response differs from the one listed below, restart the handshake.
- Send 11
- Receive FF
- Send 11
- Receive 00
Commands
Commands follow this general structure:
- 1 byte: type
- data
- 1 byte: checksum
The checksum is correct if the 8-bit sum of all bytes in the command (type, data and checksum) is 00.
02: Write memory
- 1 byte: memory type
- 2 bytes: address (high low)
- 1 byte: length
- data
Response: Same as 0E 00 01 (?)
04: Read memory
- 1 byte: memory type
- 2 bytes: address (high low)
- 1 byte: length
Memory types
00 returns the program counter. Address and length appear to be ignored.
01 is the indirect memory.
02 is the external memory.
03 appears to return all zeroes.
04 is the direct memory. (internal, sfr)
05 is the code memory.
06 is unknown.
07 and higher appear to be test/debug sequences from MON51, multiplying a number by 2 at each address.
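An added example (not code from MON51 or from these notes) that builds the 02 write and 04 read commands with the checksum rule above and verifies the checksum of a received frame; the sample addresses and data are constructed, and the names are my own.

```python
# Added example: frame the MON51 commands described above. The 8-bit sum of all
# bytes in a frame must be 00, so the checksum byte is the two's-complement
# negation of the sum of the type and data bytes.

WRITE_MEMORY = 0x02
READ_MEMORY = 0x04
MEM_DIRECT = 0x04  # memory type 04: direct memory (internal, sfr)


def checksum(payload: bytes) -> int:
    """Checksum byte that makes the 8-bit sum of payload + checksum equal 00."""
    return (-sum(payload)) & 0xFF


def build_frame(cmd_type: int, data: bytes) -> bytes:
    """1 byte type, data, 1 byte checksum."""
    body = bytes([cmd_type]) + data
    return body + bytes([checksum(body)])


def checksum_ok(frame: bytes) -> bool:
    """A frame is intact if the 8-bit sum of all its bytes is 00."""
    return len(frame) >= 2 and sum(frame) & 0xFF == 0


def read_memory(mem_type: int, address: int, length: int) -> bytes:
    """Command 04: memory type, 2-byte address (high, low), length."""
    if not (0 <= mem_type <= 0xFF and 0 <= address <= 0xFFFF and 0 <= length <= 0xFF):
        raise ValueError("field out of range")
    return build_frame(READ_MEMORY, bytes([mem_type, address >> 8, address & 0xFF, length]))


def write_memory(mem_type: int, address: int, data: bytes) -> bytes:
    """Command 02: memory type, 2-byte address (high, low), length, data."""
    if not (0 <= mem_type <= 0xFF and 0 <= address <= 0xFFFF and 0 < len(data) <= 0xFF):
        raise ValueError("field out of range")
    header = bytes([mem_type, address >> 8, address & 0xFF, len(data)])
    return build_frame(WRITE_MEMORY, header + data)


def parse_frame(frame: bytes):
    """Split a checksummed frame (e.g. the 02 'data follows' response) into
    (type, data); raise if the checksum does not hold."""
    if not checksum_ok(frame):
        raise ValueError("bad checksum")
    return frame[0], frame[1:-1]


if __name__ == "__main__":
    # Constructed sample: read 8 bytes of direct memory at address 0080.
    print(read_memory(MEM_DIRECT, 0x0080, 8).hex(" "))
```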
06: Unknown
03 80 00 00 00
Response: 06 00
08: Get registers
08 00: Run up to
01 05 (start addr) 05 (end addr)
Response: 06 00 plus run, recover with resync
08 01: Get registers
01 00 00 00 00 00 00 (unknown)
Response: 02 A B R0-R7 DPTR PC C1 00 00 00 SP? 00
0C: Step into
Response: unknown
0E: ?
0E 00: Get instruction?
01
Response: 06 00
0E 02: ?
01
Response: 06 00
10: ??
10 01: set to run?
Response: 06 00
10 02: activate/break?
Response: 06 00
1B: stop
A handshake is required after sending stop.
Responses
02: Data follows
Only data bytes. Has checksum.
06: OK?
Often seen with 00 followed by the string V3.0 in ASCII, but it seems to be different after running.