RhinoPower Ltd

Jane · Newbie

RE: 76C55 (MH6311) information

Bob · Veteran Member

Wow that is an in dept understanding of how the binary is functioning, the dissembler should come in handy if the eeprom can be pulled from the evo chip.

The way the table’s are set out and there functions are remarkably similar to the newer ecus, Mitsubishi did not stray to far from the mould.

TechSupport · Guru

We aren't the only ones playing with these old chips, I was contacted by someone else who has written a disassembler:

janehacker1.gitbook.io/dsm-ecu/disassembly-from-scratch/things-you-need

Bob · Veteran Member

TechSupport wrote:
EF89 is the firmware version, that will be burnt in as Masked ROM, possibly a bootloader. Did this chip also have a different firmware version on it? I assume that this is a 76e56?

Yes it’s the 76e56.

Where is the firmware version printed?

That die is from an evo 4 or early evo 5 ecu.

The EF89 is interesting can it be used to calculate anything or is it only for reference?

TechSupport · Guru

EF89 is the firmware version, that will be burnt in as Masked ROM, possibly a bootloader. Did this chip also have a different firmware version on it? I assume that this is a 76e56?

Bob · Veteran Member

TechSupport wrote:
That is cool, I'll have a proper look at that when I get the chance. It confirms what I've said for a long time and that is that these are Toshiba chips, the 1993 date is interesting, it means that they had EEPROM devices for quite a long time.

Yeah it’s cool to get it confirmed, I might be able to get some high res pics if needed.

What do you think the “EF89” represents?

TechSupport · Guru

That is cool, I'll have a proper look at that when I get the chance. It confirms what I've said for a long time and that is that these are Toshiba chips, the 1993 date is interesting, it means that they had EEPROM devices for quite a long time.

Bob · Veteran Member

Pictures are not great because I can’t download any thing from the work computers so I took a picture of the screen , but I believe its Confirmed to be ” EF89 M 1993 Toshiba .

Edit the ”M”. Could be a “H”

-- Edited by Bob on Thursday 20th of May 2021 07:45:38 PM

Bob · Veteran Member

76e56f

small pictures of the die and the ecu part number , I should have access to a good microscope over the weekend To get a close up.

Bob · Veteran Member

TechSupport wrote:
I haven't tried it again. I have cleared all my outstanding projects but I'm working away at present, I should be back in a week or two but I don't have a project timescale for the rest of that work. I am minded to have another look at this when I get back.

Oh projects tell me about it, im up to my eye ball’s in trying to figure out tunerpro xdfs and checksums ,coming from learning on flashable ecus has spoiled me.....

There is absolutely no panic on this the only reason I ask is that I never new it was possible to read information off the internal bus of a chip like you have done especially a chip that no one has ever been able to crack.

Cheers BOB.

TechSupport · Guru

I haven't tried it again. I have cleared all my outstanding projects but I'm working away at present, I should be back in a week or two but I don't have a project timescale for the rest of that work. I am minded to have another look at this when I get back.

Bob · Veteran Member

Hi James,I hope you are well.

I was going through my collection of ecus the other day and came across the evo 4 ecu and wondered if you got around to trying your second booster adapter on this ecu as you had got so far with all the ports.

TechSupport · Guru

Bob wrote:
Hi James
just wondering if you ever got around to having a last try at this?

Thanks
BOB

Not yet but I will at some point.

Bob · Veteran Member

Hi James

just wondering if you ever got around to having a last try at this?

Thanks

BOB

TechSupport · Guru

Bob wrote:
TechSupport wrote:
TechSupport wrote:
I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.
Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.
I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.
That’s both good and bad news.
How do you go about solving that one?

The adapter that's giving the issues is the one pictured above, I have another adapter which just has pins that you have to plug on individual wires from the logic analyser, that one is well proven but fiddly to set up. I shall get some proper adapter boards made, I did a design some time back.

Bob · Veteran Member

TechSupport wrote:
TechSupport wrote:
I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.
Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.
I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.

That’s both good and bad news.

How do you go about solving that one?

TechSupport · Guru

TechSupport wrote:
I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.
Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.

I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.

TechSupport · Guru

I don't know anything about the JECs parts, I've never dealt with one. That other chip looks like it says NFC, that may have been a fab house, the D number could be a Denso part number.

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.
I can see the internal memory contents on the bus when I execute a reset from my external memory so if all else fails that is a vulnerability that I can exploit that to read out the internal memory.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.

-- Edited by TechSupport on Wednesday 3rd of June 2020 06:36:25 PM

Bob · Veteran Member

Main ic: A12-212-602 labeled as jecs but I believe it to be Mitsubishi or nec.

second io chip (smaller chip) : A12-281001 labeled as jecs but a quick google brought up someone who had de-capped one and found it labeled nec D29501

TechSupport · Guru

Bob wrote:

Off topic a bit,
I have been having a play with a micra k11 board and have come to the conclusion that the chip may be OTP as well, however there is external headers which i believe nistune do a board for.
How does the odd and even boards work? Is there 2 separate busses, one for odd and the other for even addressing ?

I'm not familiar with the Nistune boards, from what I understood they just place the processor into an external memory mode. In some applications people have used two chips to get enough memory, they are usually split high memory and low memory by usng the MSBs as the chip selects but it could be done as odd/even by using the LSB as the chip selects. What processor is it?

Bob · Veteran Member

If it we’re easy every man and his dog would be doing it 😂.

Great news that you’re still at it.

Off topic a bit,

I have been having a play with a micra k11 board and have come to the conclusion that the chip may be OTP as well, however there is external headers which i believe nistune do a board for.

How does the odd and even boards work? Is there 2 separate busses, one for odd and the other for even addressing ?

TechSupport wrote:
I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.

-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM

TechSupport · Guru

I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.

-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM

TechSupport · Guru

I gave Mode 0 a try a few weeks and had no success, I'm looking at it again now and I made a mistake with the configuration. I do now seem to have it running in Mode 0 but its not running correctly.
If there is already code in the area that I'm trying to run code in then it will all be corrupted.

-- Edited by TechSupport on Tuesday 2nd of June 2020 05:33:22 PM

Bob · Veteran Member

TechSupport wrote:
Bob wrote:

Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?
Is there anything I can be testing?

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.

Looking forward to the result regardless of the outcome as it will either put this ecu to bed or open up another one to play with.

TechSupport · Guru

Bob wrote:

Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?
Is there anything I can be testing?

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.

Bob · Veteran Member

TechSupport wrote:
Pin 79 is just a 12V digital input.
Pin 62 is bi-directional comms, which you would expect for K-Line, and goes to pin68 and 67 on the processor which is known to be the serial port on the MH6311, so that's good.
Pin 56 I have as a RX line which is also connected to pin 67 on the processor.

The two 165s are cascaded and work as a serial in (from the processor), parallel out shift register to drive a bunch of digital outputs.

Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?

Is there anything I can be testing?

TechSupport · Guru

Pin 79 is just a 12V digital input.
Pin 62 is bi-directional comms, which you would expect for K-Line, and goes to pin68 and 67 on the processor which is known to be the serial port on the MH6311, so that's good.
Pin 56 I have as a RX line which is also connected to pin 67 on the processor.

The two 165s are cascaded and work as a serial in (from the processor), parallel out shift register to drive a bunch of digital outputs.

Bob · Veteran Member

TechSupport wrote:
Bob wrote:

i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?
Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.
i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan
The E310A is a level translator, it converts the signals from 12V to 5V and from 5V to 12V. One of the inputs has two outputs, one of which is inverted, and that input is usually used for cam or crank. I have the pinout mostly defined, I will try and find that, for the 12V inputs you can just put a low frequency square wave on the ECU input and check the pins to see where the 5V output is, fro memory the threshold voltage is around 7V. The other way you need to force the processor into reset and then inject a 5V signal through a resistor and then look for the 12V output.
I had a look at 62, which I think is the K-line, I have 51 as the immobiliser pin, 56 is shown as unused? I would think they are using the shift registers to implement the serial port, there is most likely only one in the processor. Its an old trick that seems to have made a bit of a come back on some modern processors.
Is the Mitsubishi protocol described anywhere? if you know that then that makes reverse engineering the software much easier.

A lot of good info here as I’m currently working on the cam and crank on the h8 and am confused at finding the crank signal invert on 2 pins.

TechSupport · Guru

Something else to play with.

I've added the E310A pinout to this thread:

https://rhinopower.activeboard.com/t43171026/analysing-and-testing-the-8v-tracker-sidekick-and-vitara-ecu/

I have a scrap board that I will hack about to see if I can pair up the remaining five sets of pins.

Bob · Veteran Member

As you follow pin 79 take a look at my board for reference and you can see all the components are fitted.

Bob · Veteran Member

It’s definitely pins 56 which goes to obd2 pin 1

k line is pin 62 and goes to obd2 pin 7.

ill attach a picture below.

you will see pin 79 mentioned in the ecu pin out and that is used for putting the ecu into programming mode in evo 5/6/7 .

if you follow pin 79 circuit you will see it is missing all the components going back to both the mh63 and the e310a on the evo 4 ecu however if you take a close look at my Ralliart tuned ecu you will see all of the components are fitted to my board.

Bob · Veteran Member

Mut commands.

https://evoecu.logic.net/index.php?title=MUT_Commands&diff=839&oldid=838

Bob · Veteran Member

Mut protocol

https://evoecu.logic.net/wiki/MUT_Protocol

TechSupport · Guru

Bob wrote:

i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?
Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.
i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan

The E310A is a level translator, it converts the signals from 12V to 5V and from 5V to 12V. One of the inputs has two outputs, one of which is inverted, and that input is usually used for cam or crank. I have the pinout mostly defined, I will try and find that, for the 12V inputs you can just put a low frequency square wave on the ECU input and check the pins to see where the 5V output is, fro memory the threshold voltage is around 7V. The other way you need to force the processor into reset and then inject a 5V signal through a resistor and then look for the 12V output.

I had a look at 62, which I think is the K-line, I have 51 as the immobiliser pin, 56 is shown as unused? I would think they are using the shift registers to implement the serial port, there is most likely only one in the processor. Its an old trick that seems to have made a bit of a come back on some modern processors.

Is the Mitsubishi protocol described anywhere? if you know that then that makes reverse engineering the software much easier.

Bob · Veteran Member

TechSupport wrote:
I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but its not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.

i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?

Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.

i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan

TechSupport · Guru

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but its not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.

TechSupport · Guru

You would need to write to a page select bit/register to switch between pages, there is no such operation in any of the source code that I've looked at. It can be achieved manually with external memory and external address select lines but there is no need because all the code fits within the 64k 16-bit address range - on the pre-OBD2 ECUs it fits well within an 8K space.

Bob · Veteran Member

Looking at the code how would you know if it was paged or not is there a giveaway or a tell tale?

TechSupport · Guru

Bob wrote:
A lot of time gone into that I can see.

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;
(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B
L2402
L26B7
L2BBD)

The memory isn't paged, its a straight 64k linear address space; it could be an error in the disassembly or an external interface.
I'm trying to build up a reasonable understanding of how the chip works to create a basic datasheet for reference. When I get the other ECU the plan is to pull the processor from it and swap it onto this board and see what can be done with it. Hopefully, if it can be read, the memopry map will be similar. Before that I will attempt to pull the internal code from this chip.

Bob · Veteran Member

Also I’d like to ask what is the next step once you have identified as much as possible, like are you looking for something in particular at the moment or going for a complete map?

Bob · Veteran Member

A lot of time gone into that I can see.

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

TechSupport · Guru

I did some more hunting through the code - found a timer module, nowhere near the normal registers, my first thought was that it was external but it clearly maps to the interrupt vectors. This is my summary of the registers, looks like one 16-bit timer with at least eight output compares and at least five input captures:

; Timer module - internal or external ?????
; suspect external in 100-pin port expander
;
L080F  ; OC? - add a number and store
L0810  ; init then all in intvec9 OC? - add a number store here
L0811  ; init then all in intvec8 - fetched and stored, also load 113 add 323 store here
L0812  ; init then all in intvec10
L0813  ; init then load, add store here, also intvec6
L0814  ; init then load, add store here, also intvec5
L0815  ; init then intvec4, load 815 add 1FE0, store 815
L0816  ; init then load, add and store , controls PORT3 bits, also intvec3
L081F  ; written twice to 00h
L0820  ; written twice to E0h
L0821  ; 16-bit write twice to 00h
L0823  ; 16-bit write twice to 00h
L0825  ; 16-bit write twice to 00h
L0827  ; 16-bit write twice to 00h
L082D  ; 16-bit timer
L082E  ; read once in init and overwritten
L082F  ; read once in init and overwritten
L0830  ; read once in init and overwritten
L0831  ; read once in init and overwritten
L0833  ; 16-bit read in intvec15 and stored L000A bit0 selects interrupt??
L0834  ; 16-bit read in intvec16 and stored, L000A bit1 selects interrupt??
L0835  ; 16-bit read in intvec13 and stored, L000A bit2 selects interrupt??
L0837  ; 16-bit read in intvec12 and stored, L000A bit3 is toggled = edge??
L0839  ; 16-bit read in intvec11 and stored, L000A bit4 is toggled = edge??
L083A  ; read once in init
;

Edit:

L082D confirmed as a free-running 16-bit timer.

I've started to compile a register map available here: http://www.rhinopower.org/76xxx/docs/76C55_Register_Map.txt

-- Edited by TechSupport on Tuesday 21st of April 2020 08:36:52 PM

TechSupport · Guru

Bob wrote:

You must have quite a bit of experience to be able to figure out how to go about setting up a rig like that, Do you do much of that type of work for a day job ?
Also how come you use eprom and not eeprom chips ?

Back in the old days we had to write assembly code and debug with a logic analyser, I did a fair bit. I quite enjoy playing with these old chips, they are so simple. An Aurix, which is typically used in a modern ECU has around 1000 registers just for the timer module! At least with the LA you can do real time code tracing and code mods so its still superior to an Arduino!

The original boards were EPROMs, I did use the old 27SF EEPROMS a few years back but you can only get poor quality counterfeits these days from places like AliExpress, sometimes they work but for how long is anyone's guess. I have in the past modified a board to take a 28HC256 EEPROM but they are expensive now. Its cheap to use the emulator and then just burn a 27C EPROM when you're done.

The MH6311 is a bit of a surprise, I didn't find any timers, there must be some but they can't be free-running timers like in the other chips. Looking at the code there may be another port, it would have to be on the port expander, its got 100-pins so there is plenty of space.

Bob · Veteran Member

That looks like fantastic work.

You must have quite a bit of experience to be able to figure out how to go about setting up a rig like that, Do you do much of that type of work for a day job ?

Also how come you use eprom and not eeprom chips ?

TechSupport · Guru

In order to view the code execution you have to have the processor running in external mode, the TCU that I am using has an EPROM stock. I am using an Intronix Logicport LA, you need 24 channels for address and data plus a few spares for logging pin changes or serial port data. Its been very reliably, I used it an awful lot for 10 years or so.
I made a crude adapter from veroboard as a temporary solution (also about 10 years ago!) - individual probes are too time consuming to set up.

I also have a Moates Ostrich 2 emulator again, which I have used lot for 27C256 emulation, it should work with the 512 so I need to get that running so I can do real time code changes which will speed things up considerably.

The DSM TCU:

MD759132 PCB

A screen capture of the Logicport software and the test software listing:

Logicport software

Bob · Veteran Member

So let me get this right.
If a pin is set to read as an input you can actually access the data on the internal upper and lower buses?
Does this hold true for all ic’s ?
what kind of logic analyser are you using, as I seen then on eBay for as little as 50 quid?

TechSupport wrote:
Its usually on the sticker on the front, the non-flash OTP devices can still be read, if the flash version supports mode 0 then it will be possible to read it n the same way.
I have a logic analyser on the bus, for input pins the code just reads the ports and copies them to RAM locations, on a read the data is exposed on the bus, then I just inject a signal onto the pin to cause it to change state; for output pins I just toggle the output and then look for the pin.
I will look for the higher order ports next, the code is different to that on the MH6211 so they may not be in the same locations.

Bob · Veteran Member

I would not expect you to be out of pocket mate.
I have an evo 4 one here that I don’t care about that I’ll send you if that’s the road you want to go down, or if you have already bought the evo 5 ecu then just sent me your PayPal or the like and I’ll reimburse you in full.

Things to be aware of is that only very early evo 5 had the metal case ecu it then changed to the plastic case ecu which was the h8 based processor.

That link to the colt ecu looks identical to an evo4/early evo5 ecu, as they were all maf based cars.

Thanks for your work so far it is greatly appreciated.

TechSupport wrote:

I found an EVO5 ECU that should have the MH6371 processor and it was cheap so I don't mind if I accidently wreck it. It should be identical to this one:

https://forum.carlabimmo.com/viewtopic.php?t=14895

TechSupport · Guru

I found an EVO5 ECU that should have the MH6371 processor and it was cheap so I don't mind if I accidently wreck it. It should be identical to this one:

https://forum.carlabimmo.com/viewtopic.php?t=14895

TechSupport · Guru

I've been looking at how the registers are initialised and used, some are already known and tested, there are some differences between this device and the other devices. I don't have a code tag so I'll put it in a quote:

;;------------------- Registers -------------------------------------
; In all other devices user RAM starts at 40h
; thise looks the same - 40 is not directly initialised;
P1DDR equ 0x00
P2DDR equ 0x01
PORT1 equ 0x02
PORT2 equ 0x03
P3DDR equ 0x04
P4DDR equ 0x05
PORT3 equ 0x06
PORT4 equ 0x07
;
; 8 to E are TMR1 in all other devices
L0008 equ 0x08  ; T1CSR1
L0009 equ 0x09  ; TMR1H
L000A equ 0x0A  ; TMR1L
L000B equ 0x0B  ; T1OCR1H
L000C equ 0x0C  ; OCR1L
L000D equ 0x0D  ; ICR1H
L000E equ 0x0E  ; ICR1L
;
; F is P3 CSR in all other devices
L000F equ 0x0F
;
SCIRMC equ 0x10
SCSR equ 0x11
RXD  equ 0x12
TXD  equ 0x13
; 14 is RAMCR in all other disassembled
;
L0014
;
P5DDR equ 0x15
PORT5 equ 0x16
;
; MH6211 18 to 1E is timer1/2
L0017    ; initialised to 0x0E
L0018    ; initialised to 0x0E
L0019    ; 8-bit, initialised to 0x0E
L001A    ; 8-bit, initialised to 0x0E
;
; 1F,20,21 are connected - from line C2D0,
; in MH6211 1F and 20 are PORT6 and
; 20,21 are unused in EE88 code
;
L001F    ; 8-bit, initialised to 0x00 or 0x01 - bitfield
L0020    ; only bit5 is read
L0021    ; 8-bit write, 8/16-bit read
;
L0023    ; timer for SCI?
L0024    ; 8-bit, written to 3F in SCI code
;
; 26,27 are both read at start of interrupt vector 2
L0026    ; 8-bit, r/w could be RTI CR
L0027
;    ; 8-bit, r/w could be RTI
; 29,30 is TMR2 in MH6211
L0028    ; init as double #$2800
L0029    ; 8-bit written twice to 00h
L002A    ; 8-bit written twice to 00h (not in same place as L0029)
L002B    ; 8-bit written 00 or 1F
L002C    ; 8-bit written to 00 or FF
;
; possible DDR init P6DDR, P7DDR?
L002D    ; 16-bit written once in DDR routine as #$C123
; possible port init PORT6, PORT7?
L002F    ; init as double in Port routine - 8-bit bitfield
L0030    ; 8-bit bitfield
;
L0031    ; 8-bit bitfield init as 01
L0032    ; init as 00, no further r/w
L0033    ; init as 11, no further r/w
L0034    ; written as 16-bit 8001 or 0001, written as 8-bit from maths
;
ADCCR1 equ 0x38
ADCCR2 equ 0x39
ADCRES equ 0x3D
;
L003E    ; init as 22, no further r/w

so the easy things to look for next are the two possible ports at 2F and 30 and also to look at the possible timer locations, looking for continually incrementing values.

TechSupport · Guru

Its usually on the sticker on the front, the non-flash OTP devices can still be read, if the flash version supports mode 0 then it will be possible to read it n the same way.
I have a logic analyser on the bus, for input pins the code just reads the ports and copies them to RAM locations, on a read the data is exposed on the bus, then I just inject a signal onto the pin to cause it to change state; for output pins I just toggle the output and then look for the pin.
I will look for the higher order ports next, the code is different to that on the MH6211 so they may not be in the same locations.