aiden/Sony-rcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new run

Browse Source
This commit is contained in:
Aiden
2026-05-14 00:58:14 +10:00
parent 861b16118c
commit 2ab54be5ec
44 changed files with 3012 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

459
docs/discovery-notes.md
View File

@@ -8033,3 +8033,462 @@ Best current read:
- `CAM POWER` still looks much more like an **outbound panel-origin operator
event** than a wake/session negotiation hook.
- `CALL` remains the more protocol-interesting operator event family.
### DIP Switch Experiment Ladder
Current known baseline:
- all 8 DIP positions are currently **off**
- switches are grouped as:
- `S2` = 4 positions
- `S3` = 4 positions
- together they likely feed MCU pins `43-50`
Goal:
- determine whether the DIP switches change the panel's startup personality,
serial behavior, or wake/session behavior
### Safety / Method
Use this method for every DIP test:
1. Photograph the current DIP positions before changing anything.
2. Change **one switch only**.
3. Reassemble only as much as needed for safe power-on.
4. Power up the panel.
5. Observe behavior **before connecting serial**.
6. Then run the normal serial baseline checks.
7. Power down fully before changing the next switch.
8. Return to the all-off baseline between non-adjacent tests.
Record for each run:
- exact DIP pattern
- LCD startup text
- whether the active light changes
- whether `CONNECT NOT ACT` appears, and when
- whether idle heartbeat is still `00 00 00 00 80 DA`
- whether known probes still behave the same:
- `A0`
- `A0 -> 90`
- `A0 -> AF`
- any new button behavior in idle state
- any complete silence / obvious baud or protocol change
### Naming Convention
Use a simple notation in notes/logs:
- baseline = `S2=0000 S3=0000`
- example single change:
- `S2=1000 S3=0000`
If physical numbering is unclear, first pick one fixed convention and stick to
it:
- `S2-1` .. `S2-4`
- `S3-1` .. `S3-4`
### Phase 1: Single-Bit Sweep
Goal:
- find out whether any single DIP bit has an obvious effect on startup,
protocol, or front-panel behavior
Run these eight tests, always starting from all-off baseline:
1. `S2-1` on, all others off
2. `S2-2` on, all others off
3. `S2-3` on, all others off
4. `S2-4` on, all others off
5. `S3-1` on, all others off
6. `S3-2` on, all others off
7. `S3-3` on, all others off
8. `S3-4` on, all others off
For each test:
- power-cycle
- watch LCD/startup state
- check for idle heartbeat
- try one minimal probe set:
- idle listen
- `A0`
- `A0 -> 90`
- `A0 -> AF`
What would count as a hit:
- panel boots into a different visible mode
- panel no longer shows `CONNECT NOT ACT`
- heartbeat changes or disappears
- known startup families change:
- `64 40 30`
- `0D 04 AB`
- `0D 04 EB`
- `E4 40 30`
- buttons become active in idle
### Phase 2: Group Identity Test
Only do this after Phase 1.
Goal:
- see whether one whole DIP bank behaves like an address nibble or mode nibble
Run these four tests:
1. all `S2` on, `S3` all off
2. all `S2` off, all `S3` on
3. all `S2` on, all `S3` on
4. return to all-off baseline and confirm behavior is restored
What this can reveal:
- one bank may control personality while the other controls address
- one bank may do nothing while the other changes the panel sharply
- all-on may expose service/test behavior that single-bit changes do not
### Phase 3: Follow-Up Only If A Bit Matters
If Phase 1 reveals a promising bit, branch carefully:
1. repeat that same switch setting twice to confirm reproducibility
2. test neighboring bits in the same bank
3. test that bit plus one neighboring bit
4. compare:
- startup text
- heartbeat
- `A0 -> 90`
- `A0 -> AF`
- `E8` / `EC` selector behavior
### Good First Serial Checks Per DIP Setting
Keep the serial side small at first.
Recommended order:
1. idle listen only
2. repeating heartbeat only
3. `A0`
4. `A0 -> 90`
5. `A0 -> AF`
Only if something changes meaningfully, then test:
- `E8`
- `E9`
- `EC`
- CALL synthetic trigger
### Strong Cautions
- Do not change multiple unknown DIP bits at once in the first pass.
- Do not assume `ON` means logic high; it may actually pull the line low.
- Some switches may only be sampled at cold boot, not warm reset.
- A strange setting may stop normal serial output entirely; that is still a
useful result.
- If one setting produces a dramatically different boot state, stop and record
it before going wider.
### DIP Phase 1 Results
Practical visible result:
- Most single-bit DIP settings looked the same on the panel.
- User-reported visible exception:
- the **first DIP-switch setting** briefly showed a small cursor on the LCD
for a few seconds
- Otherwise, no single-bit setting visibly woke the panel or cleared
`CONNECT NOT ACT`.
Serial result:
- The DIP switches are **not** inert.
- They do not appear to change the basic heartbeat personality dramatically, but
they **do** affect which startup-beacon family opens.
Stable observations across most tested single-bit settings:
- idle heartbeat remained present
- plain `A0` remained heartbeat-compatible only
- `A0 -> AF` usually still opened:
- `07 80 0D 04 AB 7F`
- `A0 -> 90` usually still opened:
- `07 80 64 40 30 C9`
Important exceptions:
#### `S2-1`
- user saw a temporary small LCD cursor
- `A0 -> 90` still opened:
- `07 80 64 40 30 C9`
- but `A0 -> AF` went flat:
- no RX in the recorded run
- heartbeat-only stimulus produced:
- `07 80 C0 40 30 6D`
Read:
- `S2-1` appears to change startup/UI behavior and may suppress or disturb the
`AF`-family startup branch.
#### `S2-3`
- `A0 -> 90` collapsed to heartbeat-only
- `A0 -> AF` still opened:
- `07 80 0D 04 AB 7F`
- heartbeat-only stimulus produced:
- `07 80 40 40 30 ED`
Read:
- `S2-3` appears to suppress the `90`/`64` startup-beacon branch while leaving
the `AF`/`AB` side alive.
#### `S3-1`
- `A0 -> 90` opened a **different** startup family:
- `07 80 E4 40 30 49`
instead of the more common:
- `07 80 64 40 30 C9`
- `A0 -> AF` still opened:
- `07 80 0D 04 AB 7F`
- heartbeat-only stimulus produced:
- `07 80 40 40 30 ED`
Read:
- `S3-1` is the clearest proof so far that the DIP bank can steer the panel
into a different startup-family page rather than merely changing noise or
timing.
#### Other tested single-bit positions
Settings that still looked broadly "normal" in the first pass:
- `S2-2`
- `S2-4`
- `S3-3`
- `S3-4`
These generally preserved:
- `A0 -> 90` -> `07 80 64 40 30 C9`
- `A0 -> AF` -> `07 80 0D 04 AB 7F`
Heartbeat-only transients varied by setting:
- `S2-2`, `S2-3`, `S2-4`, `S3-1`, `S3-3` tended toward:
- `07 80 40 40 30 ED`
- `S2-1`, `S3-2`, `S3-4` tended toward:
- `07 80 C0 40 30 6D`
Missing / not-found logs:
- `captures/dip-s3-1-a0.txt`
- `captures/dip-s3-2-a0-90.txt`
So the current first-pass read should stay slightly cautious around those two
cases.
### DIP Phase 1 Read
Best current interpretation:
- the DIP switches likely do participate in **panel personality / startup mode
selection**
- they do **not** appear to erase or obviously reconfigure the panel in a
catastrophic way during normal testing
- they can bias:
- whether the `90` startup branch opens
- which `90` family appears (`64` vs `E4`)
- whether the `AF` branch survives cleanly
Most important next follow-ups:
1. repeat `S3-1` to confirm the `E4` startup-family shift
2. repeat `S2-3` to confirm suppression of the `90` branch
3. repeat `S2-1` to confirm suppression/instability of the `AF` branch and the
brief LCD cursor
### HE34: Broad "Dot The I's" Command Sweep
Goal:
- run a broad automated sweep of many checksum-valid commands
- log any response that is not explainable as ordinary heartbeat traffic
- do one "clean conscience" pass so we can say we really checked the space
Why this is worth doing:
- we now know the startup-family surface is real and DIP-sensitive
- but we still have not done one final broad, automation-first pass with the
current tools and classifier
Recommended order:
1. all-off DIP baseline
2. optional repeat under `S3-1` because it opens the `E4` startup family
3. optional repeat under `S2-3` because it suppresses the `90` branch
#### HE34a: Cold direct sweep, all-off baseline
This tests all command bytes `0x00-0xFF` in the observed host frame shape:
- prefix: `00 00`
- state/value: `00 80`
The script:
- logs heartbeat-compatible windows quietly
- logs any anomaly explicitly
- pauses on anomaly so you can power-cycle and continue
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x00-0xFF --states 0x00 --values 0x80 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he34-direct-alloff-00-80.txt
```
#### HE34b: Cold direct sweep, `S3-1` active
Same sweep, but under the DIP setting that shifted the startup-family page from
`64` to `E4`.
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x00-0xFF --states 0x00 --values 0x80 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he34-direct-s3-1-00-80.txt
```
#### HE34c: Cold direct sweep, `S2-3` active
Same sweep, but under the DIP setting that suppressed the `90` branch in the
first pass.
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x00-0xFF --states 0x00 --values 0x80 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he34-direct-s2-3-00-80.txt
```
#### Optional HE34d: Smaller second pass with alternate state/value
If the first pass looks too flat, do a smaller alternate parameter pass:
- commands: `0x00-0xFF`
- state/value: `20 D0`
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x00-0xFF --states 0x20 --values 0xD0 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he34-direct-alloff-20-d0.txt
```
Read:
- a broad sweep like this is not expected to magically wake the panel
- what it *can* do is reveal:
- overlooked command families
- DIP-sensitive outliers
- whether the current known families are really the whole visible surface
### HE34 Initial Result: Broad `20 D0` Sweep
Run observed:
- capture file present:
- `captures/he34-direct-alloff-20-d0-no-pwr.txt`
Important panel-side observation:
- unlike the more ordinary broad sweeps, `CONNECT NOT ACT` reportedly **did not
appear after the first anomaly**
- instead, the panel stayed out of that state until much later in the run
- on the latest run, the user interrupted with `Ctrl+C` when
`CONNECT NOT ACT` finally came on screen near the end
That makes this run interesting even before looking at the anomaly bytes:
- the sustained `state/value = 20 D0` traffic appears to hold the panel out of
the inactive timeout state longer than the simpler baseline sweeps
#### Serial anomaly found so far
The first repeatable anomaly in the `20 D0` sweep occurred at:
- command `0x01`
Observed family:
- `07 80 40 24 DD 64`
Example raw window:
- `00 00 00 80 DA 07 80 40 24 DD 64 07 80 40 24 DD 64 07 80 40 24 DD 64 07 80 40 24 DD 64`
Repeated later as:
- `07 80 40 24 DD 64`
repeated four times without the leading heartbeat fragment
Read:
- this is a **new `0x40`-family sibling**
- it is not the older fallback/transient:
- `07 80 40 40 30 ED`
- and it is not the `C0 40 30 6D` branch either
Best current interpretation:
- `20 D0` is not just "another payload pair"
- under a broad sustained sweep, it appears to:
- expose at least one new structured `0x40`-family page
- and also change the panel's timeout / inactive-screen behavior
This does **not** prove wake-up or active session, but it does make `20 D0`
look more session-like than the simpler `00 80` broad sweeps.
Best next follow-up from this result:
1. confirm `cmd=0x01, state/value=20 D0` directly in a short targeted test
2. compare `cmd=0x00`, `0x01`, `0x02`, `0x03` under `20 D0`
3. compare whether repeating only `00 00 01 20 D0 AB` delays `CONNECT NOT ACT`
the same way the broader sweep did
### HE34 Completion Cross-Check
For completion's sake, the three HE34 captures do **not** all carry the same
weight:
- `captures/he34-direct-alloff-00-80.txt`
- this is the **completed** baseline sweep
- it ran through the full `0x00-0xFF` command range
- it ended cleanly with:
- `FINAL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes`
- `Anomalies: 112`
- `captures/he34-direct-alloff-00-80-no-pwr.txt`
- this is an **interrupted partial rerun**
- it reproduced the first known baseline anomaly at `cmd=0x01`:
- `07 80 40 20 D8 65`
- but it should not be treated as the authoritative baseline map
- `captures/he34-direct-alloff-20-d0-no-pwr.txt`
- this is also an **interrupted** run
- but it is still important because it reproduced a distinct first anomaly:
- `07 80 40 24 DD 64`
- and the panel-side timeout behavior was observably different
That gives the HE34 branch a cleaner interpretation:
- `00 80` already yields a **broad structured response map**, not just a couple
of isolated hits
- so `20 D0` is interesting **not because it is the only state/value pair that
produces anomalies**
- it is interesting because:
- its first mapped `0x40`-family response differs from the baseline
- and the panel reportedly stayed out of `CONNECT NOT ACT` much longer during
the run
So the right next question is:
- not "does `20 D0` produce any anomalies at all?"
- but "does `20 D0` represent a more session-like variant of the same broad
command surface?"