diff --git a/asm/fx@3.10/%003.txt b/asm/fx@3.10/%003.txt
index b9b07ba..2819859 100644
--- a/asm/fx@3.10/%003.txt
+++ b/asm/fx@3.10/%003.txt
@@ -11,6 +11,8 @@ Conclusions:
 remain mapped all the time.
 * %016 is the System ERROR popup; I haven't disassembled it yet, but I found the "System ERROR!!" string in it so no doubt is possible.
+ * The subroutine at <80011238> loads to TLB a value of PTEH with ASID=0, so
+ ASID is probably staying at 0 all the time.
 Discovered RAM memory:
 0x8800c944: u32[] ADDIN_PAGE_TABLE
@@ -18,6 +20,11 @@ Discovered RAM memory:
 -> Entries with NULL are considered invalid.
 -> Other values are masked & 0x1fffffff and put to PTEL; clearly, these are the matching physical addresses.
+ 0x8800d144: u32 NEXT_TLB_EVICTION
+ Number of the next TLB entry to be evicted on a TLB miss. This varies
+ between 0 and 53 only, making sure that entries 54..63 remain in the TLB at
+ all times. According to experience, this covers RAM mappings and the 4k
+ page mapping NULL to ROM.
 <%003 vbr_tlb_exception>
 @PTEH @TEA Address that generated the TLB miss
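Review bot: The statement that NEXT_TLB_EVICTION varies between 0 and 53 is not what the increment in the subroutine added by the third hunk does: the value loaded from 0x8800d144 is compared with 54 before it is incremented (`cmp/ge r14, r2` with r14 = 54, `bt` to `mov #0, r2`, otherwise `add #1, r2` in the bra delay slot), so 53 becomes 54 and only a value of 54 or more wraps to 0. The counter therefore cycles through 0..54 (55 values), and because the pre-increment value is the one written into MMUCR as the eviction index, entry 54 is overwritten once per cycle; only entries 55..63 stay untouched. Unless the stored value is known to be reset elsewhere before it reaches 54, this description and the `modulo 54` comment in the third hunk should say `between 0 and 54` and `entries 55..63 remain in the TLB`.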
@@ -110,3 +117,73 @@ Discovered RAM memory:
 8001143a: 4f26 lds.l @r15+, pr
 8001143c: 000b rts
 8001143e: 6ef6 mov.l @r15+, r14
+
+#---
+
+<80011238>
+ @r4 VPN to be updated
+ @r5 Corresponding physical address
+ @r6 Low bits of PTEL (=108 when called from %003)
+
+ Stack> || r15 (r6) (r5) (r4)
+
+ # r14 = ff000000 (MMU register base)
+ # r3 = a0000000 (random address for cache invalidation)
+ # MMUCR = (MMUCR & ffff03ff) | (NEXT_TLB_EVICTION << 8); this replace URC with
+ # the chosen NEXT_TLB_EVICTION entry to control eviction.
+ 80011238: 2fe6 mov.l r14, @-r15
+ 8001123a: 7ff4 add #-12, r15
+ 8001123c: d7a1 mov.l 0x8800d144, r7
+ 8001123e: eeff mov #-1, r14
+ 80011240: 4e18 shll8 r14
+ 80011242: d3a1 mov.l 0xffff03ff, r3
+ 80011244: 4e28 shll16 r14
+ 80011246: 1f62 mov.l r6, @(8,r15)
+ 80011248: 2f42 mov.l r4, @r15
+ 8001124a: 52e4 mov.l @(16,r14), r2
+ 8001124c: 6172 mov.l @r7, r1
+ 8001124e: 2239 and r3, r2
+ 80011250: e3a0 mov #-96, r3
+ 80011252: 4118 shll8 r1
+ 80011254: 1f51 mov.l r5, @(4,r15)
+ 80011256: 4108 shll2 r1
+ 80011258: 4318 shll8 r3
+ 8001125a: 221b or r1, r2
+ 8001125c: 1e24 mov.l r2, @(16,r14)
+ 8001125e: 4328 shll16 r3
+
+ # Invalidate instruction cache; load to TLB with
+ # -> PTEH=r4 (ASID implicitly 0)
+ # -> PTEL=r5|r6|0x110; when r6=108, this gives r5|0x17c:
+ # WT=0: Copy-back mode
+ # SH=0: Not shared (we're single process anyway)
+ # C=D=V=1: Cacheable, Dirty, Valid
+ # PR=3: All rings can read and write
+ # SZ=1: Page is 4k
+ 80011260: 03e3 icbi @r3
+ 80011262: 2e42 mov.l r4, @r14
+ 80011264: e744 mov #68, r7
+ 80011266: 4708 shll2 r7
+ 80011268: 256b or r6, r5
+ 8001126a: 257b or r7, r5
+ 8001126c: 1e51 mov.l r5, @(4,r14)
+ 8001126e: 0038 ldtlb
+ 80011270: 0009 nop
+ 80011272: 0009 nop
+ 80011274: 0009 nop
+
+ # Invalidate instruction cache again; increment NEXT_TLB_EVICTION modulo 54
+ # and leave.
+ 80011276: d193 mov.l 0x8800d144, r1
+ 80011278: 03e3 icbi @r3
+ 8001127a: ee36 mov #54, r14
+ 8001127c: 6212 mov.l @r1, r2
+ 8001127e: 32e3 cmp/ge r14, r2
+ 80011280: 8901 bt <80011286>
+ 80011282: a001 bra <80011288>
+ 80011284: 7201 add #1, r2
+ 80011286: e200 mov #0, r2
+ 80011288: 2122 mov.l r2, @r1
+ 8001128a: 7f0c add #12, r15
+ 8001128c: 000b rts
+ 8001128e: 6ef6 mov.l @r15+, r14
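Review bot: The header comment `# MMUCR = (MMUCR & ffff03ff) | (NEXT_TLB_EVICTION << 8)` disagrees with the instructions at 80011252 and 80011256, which apply `shll8` and then `shll2` to r1, a total shift of 10. A shift of 10 is also what the mask 0xffff03ff implies, since it clears bits 15..10, the field the same comment identifies as URC; with a shift of 8 the low two bits of the field would not be reachable and values above 3 would be clipped by the mask's lower edge. The comment should read `# MMUCR = (MMUCR & ffff03ff) | (NEXT_TLB_EVICTION << 10); this replaces URC with`, which also fixes the verb agreement.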