aiden/Sony-rcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

run 4

Browse Source
This commit is contained in:
Aiden
2026-05-14 01:44:35 +10:00
parent d7e79e3899
commit d169cc4c39
10 changed files with 561 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

254
docs/discovery-notes.md
View File

@@ -9195,3 +9195,257 @@ That means the next most 1990s-looking hypothesis is probably:
- a **small recurring scan set** for the maintained background layer
- plus some separate startup/beacon/identity pages
- rather than one giant ordered status loop by itself
### HE38: Broad Semi-Awake State Hunter
Goal: broaden outward from the known `20 D0` low-command surface and look for
other command regions that keep the panel in the same clear / semi-awake state,
even if they do not fully wake it.
This is intentionally a **state-hunting** pass, not just an anomaly-hunting one.
The useful observations are:
- whether the LCD stays clear / non-`CONNECT NOT ACT`
- whether a run only holds that state for group 1, or for the whole script
- whether any new structured families appear
#### HE38a: broaden low-band sweep `0x20-0x3F @ 20 D0`
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x20-0x3F --states 0x20 --values 0xD0 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he38-direct-20d0-cmd20-3f.txt
```
Purpose:
- check whether the semi-awake surface extends past `0x1F`
- keep the same state/value pair that has worked best so far
#### HE38b: broaden low-band sweep `0x40-0x5F @ 20 D0`
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x40-0x5F --states 0x20 --values 0xD0 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he38-direct-20d0-cmd40-5f.txt
```
Purpose:
- look for a second semi-awake band elsewhere in command space
#### HE38c: baseline control `0x20-0x3F @ 00 80`
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x20-0x3F --states 0x00 --values 0x80 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he38-direct-0080-cmd20-3f-control.txt
```
Purpose:
- compare the same command region under the older baseline payload
- separate "command region effect" from "`20 D0` payload effect"
#### HE38d: alternate promising payload `0x20-0x3F @ 40 30`
```powershell
python scripts/serial_direct_response_sweep.py --port COM5 --prefix1s 0x00 --prefix2s 0x00 --commands 0x20-0x3F --states 0x40 --values 0x30 --settle 3.0 --after-each 0.8 --after 2.0 --pause-on-anomaly --log captures/he38-direct-4030-cmd20-3f.txt
```
Purpose:
- test whether this "holds panel clear" effect is unique to `20 D0`
- `40 30` is the other payload pair most worth cross-checking here
#### HE38e: semi-awake candidate repeat check
If any HE38 sweep appears to hold the panel clear for most of the run, repeat
just the first good-looking candidate frame on its own:
```powershell
python scripts/serial_probe_response.py --port COM5 --tx-frame "<candidate frame>" --repeat 30 --interval 0.60 --delay 3 --after 3 --frame-size 0 --log captures/he38-repeat-<candidate>.txt
```
Use this only for candidates that look good both:
- serially, and
- on the LCD/panel state
#### Recommended order
1. `HE38a` `0x20-0x3F @ 20 D0`
2. `HE38c` baseline control `0x20-0x3F @ 00 80`
3. `HE38b` `0x40-0x5F @ 20 D0`
4. `HE38d` `0x20-0x3F @ 40 30`
5. `HE38e` repeat any good-looking candidates
Interpretation guide:
- if `20 D0` keeps finding wider semi-awake bands while `00 80` does not, then
the payload pair is doing real mode/session work
- if `0x20-0x3F` behaves like `0x00-0x1F`, then we are looking at a much larger
maintained surface than we first thought
- if only a few sparse candidates hold the panel clear, then the maintained
background layer may be a selected subset rather than a continuous command map
### HE38 Result: No-Pause Semi-Awake Hunting
Additional uninterrupted capture files present:
- `captures/he38-direct-20d0-cmd20-3f-nopause.txt`
- `captures/he38-direct-0080-cmd20-3f-control-nopause.txt`
- `captures/he38-direct-20d0-cmd40-5f-nopause.txt`
Panel-side observation:
- these uninterrupted reruns were stopped manually at roughly the point where
the panel lost its "alive"/clear state
That means these runs are useful primarily as **semi-awake duration probes**, not
as complete command maps.
#### `0x20-0x3F @ 20 D0`
Observed before manual stop:
- `0x21` -> `07 80 48 24 DD 6C`
Read:
- the patterned `20 D0` surface definitely extends upward into the `0x20` band
- this is consistent with the earlier low-band `4x 24 DD 6x` family structure
#### `0x20-0x3F @ 00 80` control
Observed before manual stop:
- `0x29` -> `07 80 4A 20 D8 6F`
Read:
- the same command region is still live under baseline `00 80`
- but the family shape stays on the older `20 D8` style rather than the newer
`24 DD` style
#### `0x40-0x5F @ 20 D0`
Observed before manual stop:
- `0x41` -> `07 80 50 24 DD 74`
- `0x42` -> repeated `07 80 50 24 DD 74`
- `0x43` -> `07 80 50 24 DD 74`
Read:
- this is the strongest new semi-awake lead from HE38
- the `0x40` command band under `20 D0` appears to open a neighboring
`0x50 24 DD 74` family
- and it did so early enough in the run to matter before manual stop
Current best interpretation after HE38:
- `20 D0` remains the more interesting semi-awake payload
- not because baseline `00 80` is dead, but because `20 D0` keeps shifting the
family surface into coherent `24 DD`-style siblings
- the semi-awake-maintenance surface is now plausibly broader than just the
original low band:
- `0x00-0x1F`
- `0x20-0x3F`
- and likely at least part of `0x40-0x5F`
The best next narrow branch is now:
- treat `0x41-0x43 @ 20 D0` as a new maintained-background candidate set
- and compare that `0x50 24 DD 74` behavior against the earlier `0x40 24 DD 64`
/ `0x48 24 DD 6C` bands
### HE38 Cross-Check: What The Paused Runs Still Taught Us
The paused HE38 runs are not the right source for "how long did the panel stay
alive?", but they were still very useful for **family mapping**.
#### `0x20-0x3F @ 20 D0` family structure
The paused run shows a very clean patterned surface:
- `0x21` -> `07 80 48 24 DD 6C`
- `0x25` -> `07 80 49 24 DD 6D`
- `0x29` -> `07 80 4A 24 DD 6E`
- `0x2D` -> `07 80 4B 24 DD 6F`
- `0x31` -> `07 80 4C 24 DD 68`
- `0x35` -> `07 80 4D 24 DD 69`
- `0x39` -> `07 80 4E 24 DD 6A`
- `0x3D` -> `07 80 4F 24 DD 6B`
Interleaved sibling families also appear:
- `0x23` -> `07 80 24 12 97 7C`
- `0x2B` -> `07 80 25 12 17 FD`
- `0x33` -> `07 80 26 12 97 7E`
- `0x3B` -> `07 80 27 12 17 FF`
- `0x27` -> `07 80 12 09 D7 11`
- `0x37` -> `07 80 13 09 D7 10`
So this is not just "some activity in the `0x20` band"; it is a strongly
ordered mapped surface.
#### `0x40-0x5F @ 20 D0` family structure
The paused run also maps a second coherent band:
- `0x41` -> `07 80 50 24 DD 74`
- `0x45` -> `07 80 51 24 DD 75`
- `0x49` -> `07 80 52 24 DD 76`
- `0x4D` -> `07 80 53 24 DD 77`
- `0x59` -> `07 80 56 24 DD 72`
- `0x5D` -> `07 80 57 24 DD 73`
That is the strongest evidence yet that the `.. 24 DD ..` surface spans
multiple command bands, not just the original low region.
#### `0x20-0x3F @ 00 80` control structure
The baseline payload maps the same general region, but with the older family
style:
- `0x29` -> `07 80 4A 20 D8 6F`
- `0x2D` -> `07 80 4B 20 D8 6E`
- `0x31` -> `07 80 4C 20 D8 69`
- `0x35` -> `07 80 4D 20 D8 68`
- `0x39` -> `07 80 4E 20 D8 6B`
- `0x3D` -> `07 80 4F 20 D8 6A`
with interleaved siblings like:
- `0x33` -> `07 80 26 10 2C C7`
- `0x3B` -> `07 80 27 10 2C C6`
That reinforces the idea that `20 D0` is not inventing a new command region
from scratch; it is shifting an existing mapped surface into a different family
space.
#### `0x20-0x3F @ 40 30` alternate-payload structure
The `40 30` paused run gives a third aligned surface:
- `0x21` -> `07 80 48 28 D3 6E`
- `0x25` -> `07 80 49 28 D3 6F`
- `0x29` -> `07 80 4A 28 D3 6C`
- `0x2D` -> `07 80 4B 28 D3 6D`
- `0x31` -> `07 80 4C 28 D3 6A`
- `0x35` -> `07 80 4D 28 D3 6B`
- `0x39` -> `07 80 4E 28 D3 68`
- `0x3D` -> `07 80 4F 28 D3 69`
with matching interleaved families:
- `0x23` -> `07 80 24 14 4A A7`
- `0x2B` -> `07 80 25 14 0A E6`
- `0x33` -> `07 80 26 14 CA 25`
- `0x3B` -> `07 80 27 14 8A 64`
- `0x27` -> `07 80 12 0A 6A AF`
- `0x37` -> `07 80 13 0A EA 2E`
Current read after including the paused runs:
- the command surface is looking increasingly like a **mapped lattice**
- the command byte selects a row/slot
- the host payload pair (`00 80`, `20 D0`, `40 30`) shifts the response family
across parallel surfaces
- so the "semi-awake" question is probably about which of these surfaces is the
right maintained background class, not about whether the map exists at all