Aiden
2026-05-13 18:12:41 +10:00
parent 890a70f2cc
commit a33fea718d
20 changed files with 763 additions and 0 deletions

@@ -3609,3 +3609,271 @@ Interpretation:
- Best current model: these are legitimate outer-table queries whose returned
payload can still depend on selector context, prior sequence, or exactly when
in the panel's internal state machine they are sampled.
## Host Identity / Capability Exchange Lead Ladder
Goal:
- Test whether the CCU is expected to identify itself before asking for
capability/state blocks.
- Separate "query selector/page" behavior from "host identity/session setup"
behavior.
- Check whether a short query burst behaves more like a capability poll than a
single one-shot request.
Tooling:
- Use `scripts/serial_sequence_probe.py` for fixed multi-frame sequences where
the canonical primer stays constant and only later frames vary.
- Use `scripts/serial_primer_candidate_sweep.py` when only a simple
`primer -> candidate` pair is needed.
### Test HI1: Prefix Variation On A Stable Query
Keep the known-good primer fixed and vary only the prefix bytes of the `A0`
query frame. If the response changes, the host prefix bytes may carry CCU
identity, addressing, or mode information rather than being ignored padding.
Power-cycle before each run.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 00 80 7A" --read-after-frame 1.2 --log captures/rcp-hostid-prefix-0000-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 80 A0 00 80 FA" --read-after-frame 1.2 --log captures/rcp-hostid-prefix-0080-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "80 00 A0 00 80 FA" --read-after-frame 1.2 --log captures/rcp-hostid-prefix-8000-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "07 80 A0 00 80 FD" --read-after-frame 1.2 --log captures/rcp-hostid-prefix-0780-a0.txt
```
What to watch for:
- Same `A0` block as baseline: prefix bytes probably are not the missing host
identity on their own.
- Different structured block: prefix bytes likely select host identity, page,
or role.
- Heartbeat only: that prefix pair may be invalid or reserved.
### Test HI2: State/Value Variation On A Stable Query
Keep the canonical prefix and command byte, but vary the state/value fields on
the `A0` query. This checks whether the host is supposed to present status or
capability bits in fields that we have mostly left at `00 80`.
Power-cycle before each run.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 00 80 7A" --read-after-frame 1.2 --log captures/rcp-hostid-a0-0080.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 20 D0 0A" --read-after-frame 1.2 --log captures/rcp-hostid-a0-20d0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 40 30 8A" --read-after-frame 1.2 --log captures/rcp-hostid-a0-4030.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 60 30 AA" --read-after-frame 1.2 --log captures/rcp-hostid-a0-6030.txt
```
What to watch for:
- Same `A0` block every time: host state/value fields may be ignored here.
- Different block family or different returned value bytes: these fields may be
host-presented capability/status bits.
- LCD/LED changes without a different serial block: possible session-state side
effect rather than a simple table read.
### Test HI3: Primer -> Host-Announce -> Query
Try likely selector/identity-looking bytes as a middle frame before the stable
`A0` query. This is the direct "CCU says who it is first" test.
Power-cycle before each run.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 90 00 80 4A" --frame "00 00 A0 00 80 7A" --read-after-frame 1.0 --log captures/rcp-hostid-announce-90-then-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 9F 00 80 45" --frame "00 00 A0 00 80 7A" --read-after-frame 1.0 --log captures/rcp-hostid-announce-9f-then-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 AF 00 80 75" --frame "00 00 A0 00 80 7A" --read-after-frame 1.0 --log captures/rcp-hostid-announce-af-then-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 B7 00 80 6D" --frame "00 00 A0 00 80 7A" --read-after-frame 1.0 --log captures/rcp-hostid-announce-b7-then-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 BB 00 80 61" --frame "00 00 A0 00 80 7A" --read-after-frame 1.0 --log captures/rcp-hostid-announce-bb-then-a0.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 FF 00 80 25" --frame "00 00 A0 00 80 7A" --read-after-frame 1.0 --log captures/rcp-hostid-announce-ff-then-a0.txt
```
What to watch for:
- Middle frame gets heartbeat only, third frame still returns plain `A0` block:
the announce byte probably is not sufficient.
- Middle frame changes the later `A0` response: strong evidence for a
host-identity/selector stage.
- Middle frame alone produces a new block: it may itself be a readable
capability/identity query rather than a pure host announce.
### Test HI4: Capability-Poll Block
Send a short family of related queries as if a CCU is polling multiple
capability blocks in one startup pass. This checks whether the panel expects a
cluster of reads instead of one isolated query.
Power-cycle before each run.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 00 80 7A" --frame "00 00 A1 00 80 7B" --frame "00 00 A4 00 80 7E" --frame "00 00 A5 00 80 7F" --read-after-frame 0.8 --log captures/rcp-hostid-capblock-a-family.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 B0 00 80 6A" --frame "00 00 B1 00 80 6B" --frame "00 00 B8 00 80 62" --frame "00 00 BC 00 80 66" --read-after-frame 0.8 --log captures/rcp-hostid-capblock-b-family.txt
```
What to watch for:
- Only the first query in the block responds: the one-shot model still dominates.
- Later queries also respond once the family is polled as a burst: this would be
a major new lead toward CCU-style startup behavior.
- A later query changes the LCD or LEDs even if the first one looks ordinary:
still worth treating as a lead.
### Test HI5: Repeated Poll Group
Repeat the same short poll group with a gap, to test whether the panel wants
periodic polling or whether only the first startup block matters.
Power-cycle before each run.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 B0 00 80 6A" --frame "00 00 B1 00 80 6B" --repeat 3 --repeat-interval 1.5 --read-after-frame 0.8 --read-after-group 0.8 --log captures/rcp-hostid-repeat-b0-b1.txt
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 00 00 80 DA" --frame "00 00 A0 00 80 7A" --repeat 3 --repeat-interval 1.5 --read-after-frame 1.0 --read-after-group 0.8 --log captures/rcp-hostid-repeat-a0.txt
```
What to watch for:
- Only group 1 responds: startup window or latch behavior still dominates.
- Later groups begin to respond too: periodic polling may be part of the
expected CCU session.
- A later group changes visible state even with similar serial output: possible
session-timer or keepalive behavior.
Recommended order:
1. `HI3` because it most directly tests the "CCU identifies itself first"
hypothesis.
2. `HI4` because a capability-poll burst is a plausible Sony startup pattern.
3. `HI1` and `HI2` if the first two stay flat and we need to isolate which host
fields matter.
### 2026-05-13 Host Identity / Capability Result
Captures:
- `captures/rcp-hostid-prefix-0000-a0.txt`
- `captures/rcp-hostid-prefix-0080-a0.txt`
- `captures/rcp-hostid-prefix-8000-a0.txt`
- `captures/rcp-hostid-a0-0080.txt`
- `captures/rcp-hostid-a0-20d0.txt`
- `captures/rcp-hostid-a0-4030.txt`
- `captures/rcp-hostid-a0-6030.txt`
- `captures/rcp-hostid-announce-90-then-a0.txt`
- `captures/rcp-hostid-announce-9f-then-a0.txt`
- `captures/rcp-hostid-announce-af-then-a0.txt`
- `captures/rcp-hostid-announce-b7-then-a0.txt`
- `captures/rcp-hostid-announce-bb-then-a0.txt`
- `captures/rcp-hostid-announce-ff-then-a0.txt`
- `captures/rcp-hostid-capblock-a-family.txt`
- `captures/rcp-hostid-capblock-b-family.txt`
- `captures/rcp-hostid-repeat-a0.txt`
- `captures/rcp-hostid-repeat-b0-b1.txt`
Not run / no capture present:
- `captures/rcp-hostid-prefix-0780-a0.txt`
#### HI1: Prefix Variation On `A0`
Observed result:
| Query frame after primer | Result |
| --- | --- |
| `00 00 A0 00 80 7A` | conflicting captures: one run returned `07 80 E8 40 30 45`, another returned `07 80 68 40 30 C5` |
| `00 80 A0 00 80 FA` | heartbeat only |
| `80 00 A0 00 80 FA` | heartbeat only |
| `07 80 A0 00 80 FD` | not run |
Read:
- Nonzero host prefix bytes did not help. The tested `00 80` and `80 00`
prefixes suppressed the `A0` response entirely.
- The plain `00 00` prefix remains the only confirmed working host prefix for
`A0`, although the returned block still varies across runs.
#### HI2: State/Value Variation On `A0`
Observed result:
| Query frame after primer | Observed RCP response |
| --- | --- |
| `00 00 A0 00 80 7A` | `07 80 68 40 30 C5` repeated |
| `00 00 A0 20 D0 0A` | `07 80 E8 48 3A 47` repeated |
| `00 00 A0 40 30 8A` | `07 80 68 58 26 CB` repeated |
| `00 00 A0 60 30 AA` | `07 80 68 58 26 CB` repeated |
Read:
- This is the strongest new lead in the set.
- The `A0` response is not fixed: the host `state/value` fields clearly affect
the returned block.
- That strongly supports the idea that these fields are carrying host-presented
status, selector, or capability information, not just filler.
#### HI3: Primer -> Host-Announce -> `A0`
Observed result:
| Sequence | Middle-frame result | Later `A0` result |
| --- | --- | --- |
| `00 -> 90 -> A0` | `07 80 64 40 30 C9` repeated | no clean `A0`; only one more `07 80 64 40 30 C9` then heartbeat |
| `00 -> 9F -> A0` | heartbeat only after `9F` | heartbeat only after `A0`; a prior anomaly `07 80 40 40 30 ED` appeared immediately after the primer |
| `00 -> AF -> A0` | `07 80 0D 04 AB 7F` visible with a leading heartbeat fragment | heartbeat only after `A0` |
| `00 -> B7 -> A0` | `07 80 1B 08 D6 18` repeated | heartbeat only after `A0` |
| `00 -> BB -> A0` | `07 80 37 10 2C D6` repeated | no clean `A0`; only one more `07 80 37 10 2C D6` then heartbeat |
| `00 -> FF -> A0` | heartbeat only | heartbeat only |
Read:
- The "announce" bytes behaved more like readable/query commands than like a
host identity banner the panel accepts and then builds on.
- In most runs, the middle frame consumed the one-shot response opportunity and
the following `A0` did not produce its own block.
- So far this argues against a simple three-step handshake of
`primer -> host identity -> query`.
#### HI4: Capability-Poll Block
Observed result:
| Block | Result |
| --- | --- |
| `00 -> A0 -> A1 -> A4 -> A5` | only `A0` responded (`07 80 68 40 30 C5`); `A1`, `A4`, and `A5` were heartbeat only |
| `00 -> B0 -> B1 -> B8 -> BC` | only `B0` responded (`07 80 EC 40 30 41` with a leading heartbeat fragment); `B1`, `B8`, and `BC` were heartbeat only |
Read:
- A burst of related readable queries did not unlock later responses in the same
startup pass.
- The one-shot model still dominates: first successful readable query responds,
later ones in the burst are suppressed.
#### HI5: Repeated Poll Group
Observed result:
| Repeated group | Result |
| --- | --- |
| `00 -> A0`, repeated 3 times | only group 1 produced `07 80 68 40 30 C5`; groups 2 and 3 were heartbeat only |
| `00 -> B0 -> B1`, repeated 3 times | only group 1 `B0` produced a response; later groups were heartbeat only and `B1` never responded |
Read:
- Periodic polling without a power cycle did not open a sustained session.
- The panel still behaves like it offers one early readable response block, then
falls back to heartbeat-only behavior.
Overall interpretation:
- The cleanest new evidence is that host `state/value` fields matter a lot for
at least the `A0` family.
- The tested nonzero prefixes do not look like a missing CCU identity by
themselves.
- Candidate "announce" bytes mostly act like ordinary readable/query selectors,
not like a reusable host identity stage.
- Capability-poll bursts and repeated poll groups did not create a multi-query
session.
- Best current model: the startup exchange probably does involve host-presented
status or selector bits, but the currently tested sequences still land in a
one-shot query regime rather than an active maintained session.
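
Review bot: The HI2 read ("the host `state/value` fields clearly affect the returned block") claims more than the captures in this section support, because the HI1 table records the unmodified `00 00 A0 00 80 7A` query returning both `07 80 E8 40 30 45` and `07 80 68 40 30 C5` on different runs. The `E8` versus `68` difference in the `20 D0` row is the same third-byte variation already seen in the baseline, and the capture list has only one file per HI2 variant, so only the changed fourth and fifth bytes (`48 3A`, `58 26`) are new evidence. Suggest stating how many runs back each HI2 row, repeating each variant several times with a power cycle between runs, and softening "clearly" in the HI2 read and "matter a lot" in the overall interpretation until the baseline variation is explained. Separately, the `07 80` prefix command is still listed under Test HI1 although the result section marks it "not run"; say so next to the command, or keep the HI1 conclusion explicitly limited to the `00 80` and `80 00` prefixes.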