aiden/Sony-rcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

run 25

Browse Source
This commit is contained in:
Aiden
2026-05-13 20:00:51 +10:00
parent 81232b44a0
commit e78bb2ed9b
11 changed files with 725 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
captures/rcp-heartbeat-ec-long-spacing.txt Normal file
View File

@@ -0,0 +1,29 @@
Sequence probe: 4 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 A0 00 80 7A
FRAME 2: 00 00 EC 40 30 C6
FRAME 3: 00 00 00 00 80 DA
FRAME 4: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 24 bytes, offset 0, 4 frames + 0 bytes
BEGIN group 1/2
19:52:09.280 TX group=1 frame=1 len=006 00 00 A0 00 80 7A
19:52:09.280 RX group=1 frame=1 heartbeat-compatible RX: 6 bytes, offset 0, 1 frames + 0 bytes
19:52:09.995 TX group=1 frame=2 len=006 00 00 EC 40 30 C6
19:52:09.995 RX group=1 frame=2 ANOMALY 24 RX bytes; first mismatch at byte 12: got 07, heartbeat offset 0 expected 00
19:52:09.995 RX group=1 frame=2 raw 00 00 00 00 80 DA 00 00 00 00 80 DA 07 80 7B 50 26 D0 07 80 7B 50 26 D0
19:52:10.714 TX group=1 frame=3 len=006 00 00 00 00 80 DA
19:52:10.714 RX group=1 frame=3 ANOMALY 18 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 0 expected 00
19:52:10.714 RX group=1 frame=3 raw 07 80 7B 50 26 D0 00 00 00 00 80 DA 00 00 00 00 80 DA
19:52:11.433 TX group=1 frame=4 len=006 00 00 00 00 80 DA
19:52:11.433 RX group=1 frame=4 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 1 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
BEGIN group 2/2
19:52:12.626 TX group=2 frame=1 len=006 00 00 A0 00 80 7A
19:52:12.626 RX group=2 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:52:13.343 TX group=2 frame=2 len=006 00 00 EC 40 30 C6
19:52:13.343 RX group=2 frame=2 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:52:14.057 TX group=2 frame=3 len=006 00 00 00 00 80 DA
19:52:14.057 RX group=2 frame=3 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:52:14.775 TX group=2 frame=4 len=006 00 00 00 00 80 DA
19:52:14.775 RX group=2 frame=4 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 2 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
Anomalies: 2

24
captures/rcp-heartbeat-ec-no-a0.txt Normal file
View File

@@ -0,0 +1,24 @@
Sequence probe: 3 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 EC 40 30 C6
FRAME 2: 00 00 00 00 80 DA
FRAME 3: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 24 bytes, offset 0, 4 frames + 0 bytes
BEGIN group 1/2
19:52:37.448 TX group=1 frame=1 len=006 00 00 EC 40 30 C6
19:52:37.448 RX group=1 frame=1 heartbeat-compatible RX: 6 bytes, offset 0, 1 frames + 0 bytes
19:52:37.955 TX group=1 frame=2 len=006 00 00 00 00 80 DA
19:52:37.955 RX group=1 frame=2 ANOMALY 18 RX bytes; first mismatch at byte 6: got 07, heartbeat offset 0 expected 00
19:52:37.955 RX group=1 frame=2 raw 00 00 00 00 80 DA 07 80 C0 40 30 6D 07 80 C0 40 30 6D
19:52:38.491 TX group=1 frame=3 len=006 00 00 00 00 80 DA
19:52:38.491 RX group=1 frame=3 ANOMALY 18 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 0 expected 00
19:52:38.491 RX group=1 frame=3 raw 07 80 C0 40 30 6D 00 00 00 00 80 DA 00 00 00 00 80 DA
GROUP 1 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
BEGIN group 2/2
19:52:39.619 TX group=2 frame=1 len=006 00 00 EC 40 30 C6
19:52:39.619 RX group=2 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:52:40.126 TX group=2 frame=2 len=006 00 00 00 00 80 DA
19:52:40.126 RX group=2 frame=2 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:52:40.663 TX group=2 frame=3 len=006 00 00 00 00 80 DA
19:52:40.663 RX group=2 frame=3 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 2 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
Anomalies: 2

28
captures/rcp-heartbeat-ec-short-spacing.txt Normal file
View File

@@ -0,0 +1,28 @@
Sequence probe: 4 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 A0 00 80 7A
FRAME 2: 00 00 EC 40 30 C6
FRAME 3: 00 00 00 00 80 DA
FRAME 4: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 30 bytes, offset 0, 5 frames + 0 bytes
BEGIN group 1/2
19:51:50.126 TX group=1 frame=1 len=006 00 00 A0 00 80 7A
19:51:50.126 RX group=1 frame=1 no RX bytes
19:51:50.500 TX group=1 frame=2 len=006 00 00 EC 40 30 C6
19:51:50.500 RX group=1 frame=2 ANOMALY 6 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 3 expected 00
19:51:50.500 RX group=1 frame=2 raw 07 80 7B 50 26 D0
19:51:50.876 TX group=1 frame=3 len=006 00 00 00 00 80 DA
19:51:50.876 RX group=1 frame=3 no RX bytes
19:51:51.251 TX group=1 frame=4 len=006 00 00 00 00 80 DA
19:51:51.251 RX group=1 frame=4 heartbeat-compatible RX: 13 bytes, offset 0, 2 frames + 1 bytes
GROUP 1 TAIL heartbeat-compatible RX: 23 bytes, offset 1, 3 frames + 5 bytes
BEGIN group 2/2
19:51:52.350 TX group=2 frame=1 len=006 00 00 A0 00 80 7A
19:51:52.350 RX group=2 frame=1 heartbeat-compatible RX: 6 bytes, offset 0, 1 frames + 0 bytes
19:51:52.694 TX group=2 frame=2 len=006 00 00 EC 40 30 C6
19:51:52.694 RX group=2 frame=2 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:51:53.041 TX group=2 frame=3 len=006 00 00 00 00 80 DA
19:51:53.041 RX group=2 frame=3 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:51:53.387 TX group=2 frame=4 len=006 00 00 00 00 80 DA
19:51:53.387 RX group=2 frame=4 heartbeat-compatible RX: 13 bytes, offset 0, 2 frames + 1 bytes
GROUP 2 TAIL heartbeat-compatible RX: 23 bytes, offset 1, 3 frames + 5 bytes
Anomalies: 1

39
captures/rcp-heartbeat-echo-exact-2f95092e.txt Normal file
View File

@@ -0,0 +1,39 @@
Sequence probe: 6 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 A0 00 80 7A
FRAME 2: 00 00 EC 40 30 C6
FRAME 3: 07 80 7B 50 26 D0
FRAME 4: 07 C0 2F 95 09 2E
FRAME 5: 00 00 00 00 80 DA
FRAME 6: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 24 bytes, offset 0, 4 frames + 0 bytes
BEGIN group 1/2
19:46:41.420 TX group=1 frame=1 len=006 00 00 A0 00 80 7A
19:46:41.420 RX group=1 frame=1 heartbeat-compatible RX: 6 bytes, offset 0, 1 frames + 0 bytes
19:46:41.955 TX group=1 frame=2 len=006 00 00 EC 40 30 C6
19:46:41.955 RX group=1 frame=2 ANOMALY 18 RX bytes; first mismatch at byte 6: got 07, heartbeat offset 0 expected 00
19:46:41.955 RX group=1 frame=2 raw 00 00 00 00 80 DA 07 80 FB 50 26 50 07 80 FB 50 26 50
19:46:42.465 TX group=1 frame=3 len=006 07 80 7B 50 26 D0
19:46:42.465 RX group=1 frame=3 ANOMALY 18 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 0 expected 00
19:46:42.465 RX group=1 frame=3 raw 07 80 FB 50 26 50 00 00 00 00 80 DA 00 00 00 00 80 DA
19:46:43.001 TX group=1 frame=4 len=006 07 C0 2F 95 09 2E
19:46:43.001 RX group=1 frame=4 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:46:43.509 TX group=1 frame=5 len=006 00 00 00 00 80 DA
19:46:43.509 RX group=1 frame=5 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:46:44.044 TX group=1 frame=6 len=006 00 00 00 00 80 DA
19:46:44.044 RX group=1 frame=6 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 1 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
BEGIN group 2/2
19:46:45.203 TX group=2 frame=1 len=006 00 00 A0 00 80 7A
19:46:45.203 RX group=2 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:46:45.739 TX group=2 frame=2 len=006 00 00 EC 40 30 C6
19:46:45.739 RX group=2 frame=2 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:46:46.245 TX group=2 frame=3 len=006 07 80 7B 50 26 D0
19:46:46.245 RX group=2 frame=3 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:46:46.780 TX group=2 frame=4 len=006 07 C0 2F 95 09 2E
19:46:46.780 RX group=2 frame=4 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:46:47.317 TX group=2 frame=5 len=006 00 00 00 00 80 DA
19:46:47.317 RX group=2 frame=5 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:46:47.824 TX group=2 frame=6 len=006 00 00 00 00 80 DA
19:46:47.824 RX group=2 frame=6 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
GROUP 2 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
Anomalies: 2

34
captures/rcp-heartbeat-echo-exact-fb502650.txt Normal file
View File

@@ -0,0 +1,34 @@
Sequence probe: 5 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 A0 00 80 7A
FRAME 2: 00 00 EC 40 30 C6
FRAME 3: 07 80 FB 50 26 50
FRAME 4: 00 00 00 00 80 DA
FRAME 5: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 24 bytes, offset 0, 4 frames + 0 bytes
BEGIN group 1/2
19:52:54.838 TX group=1 frame=1 len=006 00 00 A0 00 80 7A
19:52:54.838 RX group=1 frame=1 no RX bytes
19:52:55.344 TX group=1 frame=2 len=006 00 00 EC 40 30 C6
19:52:55.344 RX group=1 frame=2 ANOMALY 18 RX bytes; first mismatch at byte 6: got 07, heartbeat offset 0 expected 00
19:52:55.344 RX group=1 frame=2 raw 00 00 00 00 80 DA 07 80 7B 50 26 D0 07 80 7B 50 26 D0
19:52:55.882 TX group=1 frame=3 len=006 07 80 FB 50 26 50
19:52:55.882 RX group=1 frame=3 ANOMALY 18 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 0 expected 00
19:52:55.882 RX group=1 frame=3 raw 07 80 7B 50 26 D0 00 00 00 00 80 DA 00 00 00 00 80 DA
19:52:56.389 TX group=1 frame=4 len=006 00 00 00 00 80 DA
19:52:56.389 RX group=1 frame=4 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:52:56.926 TX group=1 frame=5 len=006 00 00 00 00 80 DA
19:52:56.926 RX group=1 frame=5 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 1 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
BEGIN group 2/2
19:52:58.054 TX group=2 frame=1 len=006 00 00 A0 00 80 7A
19:52:58.054 RX group=2 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:52:58.559 TX group=2 frame=2 len=006 00 00 EC 40 30 C6
19:52:58.559 RX group=2 frame=2 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:52:59.095 TX group=2 frame=3 len=006 07 80 FB 50 26 50
19:52:59.095 RX group=2 frame=3 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:52:59.630 TX group=2 frame=4 len=006 00 00 00 00 80 DA
19:52:59.630 RX group=2 frame=4 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:53:00.137 TX group=2 frame=5 len=006 00 00 00 00 80 DA
19:53:00.137 RX group=2 frame=5 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
GROUP 2 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
Anomalies: 2

39
captures/rcp-heartbeat-echo-host-2f9509.txt Normal file
View File

@@ -0,0 +1,39 @@
Sequence probe: 6 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 A0 00 80 7A
FRAME 2: 00 00 EC 40 30 C6
FRAME 3: 07 80 7B 50 26 D0
FRAME 4: 00 00 2F 95 09 E9
FRAME 5: 00 00 00 00 80 DA
FRAME 6: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 24 bytes, offset 0, 4 frames + 0 bytes
BEGIN group 1/2
19:47:26.176 TX group=1 frame=1 len=006 00 00 A0 00 80 7A
19:47:26.176 RX group=1 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:47:26.683 TX group=1 frame=2 len=006 00 00 EC 40 30 C6
19:47:26.683 RX group=1 frame=2 ANOMALY 18 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 3 expected 00
19:47:26.683 RX group=1 frame=2 raw 07 80 FB 50 26 50 07 80 FB 50 26 50 07 80 FB 50 26 50
19:47:27.223 TX group=1 frame=3 len=006 07 80 7B 50 26 D0
19:47:27.223 RX group=1 frame=3 ANOMALY 18 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 0 expected 00
19:47:27.223 RX group=1 frame=3 raw 07 80 FB 50 26 50 00 00 00 00 80 DA 00 00 00 00 80 DA
19:47:27.729 TX group=1 frame=4 len=006 00 00 2F 95 09 E9
19:47:27.729 RX group=1 frame=4 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:47:28.266 TX group=1 frame=5 len=006 00 00 00 00 80 DA
19:47:28.266 RX group=1 frame=5 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:47:28.801 TX group=1 frame=6 len=006 00 00 00 00 80 DA
19:47:28.801 RX group=1 frame=6 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 1 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
BEGIN group 2/2
19:47:29.930 TX group=2 frame=1 len=006 00 00 A0 00 80 7A
19:47:29.930 RX group=2 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:47:30.437 TX group=2 frame=2 len=006 00 00 EC 40 30 C6
19:47:30.437 RX group=2 frame=2 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:47:30.972 TX group=2 frame=3 len=006 07 80 7B 50 26 D0
19:47:30.972 RX group=2 frame=3 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:47:31.479 TX group=2 frame=4 len=006 00 00 2F 95 09 E9
19:47:31.479 RX group=2 frame=4 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:47:32.016 TX group=2 frame=5 len=006 00 00 00 00 80 DA
19:47:32.016 RX group=2 frame=5 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:47:32.522 TX group=2 frame=6 len=006 00 00 00 00 80 DA
19:47:32.522 RX group=2 frame=6 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
GROUP 2 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
Anomalies: 2

33
captures/rcp-heartbeat-echo-host-fb5026.txt Normal file
View File

@@ -0,0 +1,33 @@
Sequence probe: 5 frames x 2 group(s) on COM5 at 38400 8N1
FRAME 1: 00 00 A0 00 80 7A
FRAME 2: 00 00 EC 40 30 C6
FRAME 3: 00 00 FB 50 26 D7
FRAME 4: 00 00 00 00 80 DA
FRAME 5: 00 00 00 00 80 DA
BASELINE heartbeat-compatible RX: 30 bytes, offset 0, 5 frames + 0 bytes
BEGIN group 1/2
19:53:11.629 TX group=1 frame=1 len=006 00 00 A0 00 80 7A
19:53:11.629 RX group=1 frame=1 no RX bytes
19:53:12.165 TX group=1 frame=2 len=006 00 00 EC 40 30 C6
19:53:12.165 RX group=1 frame=2 ANOMALY 6 RX bytes; first mismatch at byte 0: got 07, heartbeat offset 3 expected 00
19:53:12.165 RX group=1 frame=2 raw 07 80 7B 50 26 D0
19:53:12.673 TX group=1 frame=3 len=006 00 00 FB 50 26 D7
19:53:12.673 RX group=1 frame=3 heartbeat-compatible RX: 6 bytes, offset 0, 1 frames + 0 bytes
19:53:13.210 TX group=1 frame=4 len=006 00 00 00 00 80 DA
19:53:13.210 RX group=1 frame=4 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:53:13.743 TX group=1 frame=5 len=006 00 00 00 00 80 DA
19:53:13.743 RX group=1 frame=5 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 1 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
BEGIN group 2/2
19:53:14.874 TX group=2 frame=1 len=006 00 00 A0 00 80 7A
19:53:14.874 RX group=2 frame=1 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:53:15.412 TX group=2 frame=2 len=006 00 00 EC 40 30 C6
19:53:15.412 RX group=2 frame=2 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
19:53:15.918 TX group=2 frame=3 len=006 00 00 FB 50 26 D7
19:53:15.918 RX group=2 frame=3 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:53:16.424 TX group=2 frame=4 len=006 00 00 00 00 80 DA
19:53:16.424 RX group=2 frame=4 heartbeat-compatible RX: 12 bytes, offset 0, 2 frames + 0 bytes
19:53:16.960 TX group=2 frame=5 len=006 00 00 00 00 80 DA
19:53:16.960 RX group=2 frame=5 heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
GROUP 2 TAIL heartbeat-compatible RX: 18 bytes, offset 0, 3 frames + 0 bytes
Anomalies: 1

3
docs/README.md
View File

@@ -18,6 +18,9 @@ service information, diagrams, related devices, and compatibility notes.
and practical notes for repair/protocol reverse engineering.
- [Discovery Notes](discovery-notes.md) - hands-on bench observations kept
separate from manual-derived facts.
- [PT2 State Map](pt2-state-map.md) - working protocol-state map showing current
selector/context branches, downstream response families, and likely state
transitions.
## High-Value Starting Points

192
docs/discovery-notes.md
View File

@@ -5362,3 +5362,195 @@ Best current follow-up:
- test exact and host-shaped handling of `07 C0 2F 95 09 2E`
- optionally compare whether exact `EC -> 7B` echo is timing-sensitive, since
the host-shaped mirror path did not reach the same family
### HE18: Exact Echo Of `07 C0 2F 95 09 2E`
Recreate the `EC -> 7B` exact-echo branch, then immediately send the new
`2F 95 09` family frame back exactly as seen.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 A0 00 80 7A" --frame "00 00 EC 40 30 C6" --frame "07 80 7B 50 26 D0" --frame "07 C0 2F 95 09 2E" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.20 --read-after-frame 0.30 --read-after-group 0.8 --log captures/rcp-heartbeat-echo-exact-2f95092e.txt
```
### HE19: Host-Shaped Mirror Of `07 C0 2F 95 09 2E`
Host-shaped checksum for `00 00 2F 95 09 ??` is `E9`.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 A0 00 80 7A" --frame "00 00 EC 40 30 C6" --frame "07 80 7B 50 26 D0" --frame "00 00 2F 95 09 E9" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.20 --read-after-frame 0.30 --read-after-group 0.8 --log captures/rcp-heartbeat-echo-host-2f9509.txt
```
What would count as a hit:
- any non-heartbeat response after the exact or host-shaped `2F 95 09` frame
- a repeat of `07 C0 2F 95 09 2E`
- any fresh family after the `2F` stage that suggests a real chained exchange
- any sign that the `EC -> 7B -> 2F` path is the closest thing yet to a proper
request/response ladder
### 2026-05-13 `2F` Mirror Result
Captures:
- `captures/rcp-heartbeat-echo-exact-2f95092e.txt`
- `captures/rcp-heartbeat-echo-host-2f9509.txt`
Result summary:
- These runs did **not** extend the `EC -> 7B -> 2F` path into a stable next
stage.
- Instead, group 1 shifted the `EC` selector response itself into a new sibling
family:
- `07 80 FB 50 26 50`
- That happened in both runs, before the `2F` follow-up frame was even sent.
- After that:
- exact `07 C0 2F 95 09 2E` produced only heartbeat
- host-shaped `00 00 2F 95 09 E9` also produced only heartbeat
- Group 2 was heartbeat-only in both tests.
Observed group-1 shape:
| Step | Exact-echo run | Host-mirror run |
| --- | --- | --- |
| `00 00 EC 40 30 C6` | `07 80 FB 50 26 50` x2 | `07 80 FB 50 26 50` x3 |
| `07 80 7B 50 26 D0` | heartbeat only | heartbeat only |
| `2F` follow-up | heartbeat only | heartbeat only |
Interpretation:
- We did **not** get a reproducible chained reply to the `2F` stage.
- The more important finding is that the `EC` branch itself is context-sensitive
and can emit at least two sibling downstream families:
- `07 80 7B 50 26 D0`
- `07 80 FB 50 26 50`
- That makes the `EC` branch look more like a selector into a family space than
a strict linear ladder.
- `07 C0 2F 95 09 2E` is still real from the earlier run, but these follow-ups
did not confirm it as the next stable step in an ongoing exchange.
Best current model:
- We are getting closer to a *structured* understanding of the RCP:
certain host-side `Ex` values reliably push it into specific response
families.
- But we are **not yet** at a stable "conversation" where the panel is clearly
accepting our last reply and moving to the next deterministic turn.
- Right now the strongest evidence is for:
- selector-like host entries (`E8`, `E9`, `EC`)
- family-specific downstream responses (`7A`, `7B`, `FB`)
- occasional exact-echo sensitivity on some branches
- but not a fully reproducible multi-turn protocol ladder yet
### HE20: `EC` Timing / Context Split
Try to separate whether `EC` chooses `7B` vs `FB` because of timing around the
selector step, or because of the deeper branch context.
#### HE20a: `EC` With Shorter Spacing
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 A0 00 80 7A" --frame "00 00 EC 40 30 C6" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.10 --read-after-frame 0.25 --read-after-group 0.8 --log captures/rcp-heartbeat-ec-short-spacing.txt
```
#### HE20b: `EC` With Longer Spacing
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 A0 00 80 7A" --frame "00 00 EC 40 30 C6" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.35 --read-after-frame 0.35 --read-after-group 0.8 --log captures/rcp-heartbeat-ec-long-spacing.txt
```
#### HE20c: `EC` Without Leading `A0`
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 EC 40 30 C6" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.20 --read-after-frame 0.30 --read-after-group 0.8 --log captures/rcp-heartbeat-ec-no-a0.txt
```
What would count as a hit:
- one setup consistently yielding `07 80 7B 50 26 D0`
- another setup consistently yielding `07 80 FB 50 26 50`
- evidence that leading `A0` is part of the selector context rather than just a
neutral primer
### HE21: Exact Echo Of `07 80 FB 50 26 50`
If `FB` is a real sibling branch, exact echoing it may show whether it behaves
more like `7B` or like the inert `7A` families.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 A0 00 80 7A" --frame "00 00 EC 40 30 C6" --frame "07 80 FB 50 26 50" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.20 --read-after-frame 0.30 --read-after-group 0.8 --log captures/rcp-heartbeat-echo-exact-fb502650.txt
```
### HE22: Host-Shaped Mirror Of `07 80 FB 50 26 50`
Host-shaped checksum for `00 00 FB 50 26 ??` is `D7`.
```powershell
python scripts/serial_sequence_probe.py --port COM5 --prompt --frame "00 00 A0 00 80 7A" --frame "00 00 EC 40 30 C6" --frame "00 00 FB 50 26 D7" --frame "00 00 00 00 80 DA" --frame "00 00 00 00 80 DA" --repeat 2 --frame-interval 0.20 --read-after-frame 0.30 --read-after-group 0.8 --log captures/rcp-heartbeat-echo-host-fb5026.txt
```
What would count as a hit:
- any non-heartbeat response after exact or host-shaped `FB`
- crossover from `FB` into `2F`, `7B`, or another fresh family
- evidence that `FB` is a meaningful downstream branch rather than just a
selector-side variant
### 2026-05-13 `EC` Timing And `FB` Result
Captures:
- `captures/rcp-heartbeat-ec-short-spacing.txt`
- `captures/rcp-heartbeat-ec-long-spacing.txt`
- `captures/rcp-heartbeat-ec-no-a0.txt`
- `captures/rcp-heartbeat-echo-exact-fb502650.txt`
- `captures/rcp-heartbeat-echo-host-fb5026.txt`
#### HE20: Timing / Context Split
Observed outcomes:
| Setup | Group-1 result |
| --- | --- |
| short spacing (`0.10 s`) | `07 80 7B 50 26 D0` |
| long spacing (`0.35 s`) | `07 80 7B 50 26 D0` |
| no leading `A0` | `07 80 C0 40 30 6D` |
Interpretation:
- The `A0` lead-in matters a lot for the `EC` branch.
- With `A0` present, both short and long spacing still favored
`07 80 7B 50 26 D0`.
- Without `A0`, `EC` collapsed back into the known heartbeat-family transient
`07 80 C0 40 30 6D`.
- So the best current read is that `A0` is part of the selector context for the
`EC -> 7B/FB` family space, not just a neutral primer.
- Timing still may matter for `7B` vs `FB`, but this batch says context matters
more strongly than spacing in the tested range.
#### HE21 / HE22: `FB` Echo Handling
Observed outcomes:
| Setup | Group-1 result |
| --- | --- |
| exact `07 80 FB 50 26 50` | `EC` again produced `07 80 7B 50 26 D0`; exact `FB` echo produced no new family |
| host-shaped `00 00 FB 50 26 D7` | `EC` produced `07 80 7B 50 26 D0`; host-shaped `FB` mirror produced no new family |
Interpretation:
- `FB` did not behave like a meaningful next-turn reply target.
- Both exact and host-shaped `FB` handling fell flat after the `EC` selector
produced a `7B` response in these runs.
- That weakens the idea that `FB` is a stable downstream branch command. It now
looks more like a sibling family observation that can appear on the `EC`
branch, but not something the panel predictably wants answered.
Best current `EC` model:
- `A0 + EC` can open a selector-like family space.
- In that family space:
- `7B` is the most stable downstream response so far
- `FB` is real, but less stable and not yet actionable
- without `A0`, `EC` falls back toward heartbeat-family behavior
- This is closer to a controlled state map than where we started, but it is
still not a stable multi-turn "conversation" ladder.

14
docs/pt2-protocol-summary.md
View File

@@ -243,6 +243,7 @@ confirmed Sony definition.
| `07 80 7A 28 D3 5C` | host-shaped `E9` neighbor, group 1 | low-medium | nearby distinct `7A`-family response; suggests an `E8`/`E9` selector neighborhood |
| `07 80 7B 50 26 D0` | host-shaped `EC` neighbor, group 1 | low-medium | new sibling family suggesting the `Ex` region is a selector-like strip |
| `07 C0 2F 95 09 2E` | exact echo of `07 80 7B 50 26 D0`, group 1 | low-medium | possible second-stage family on the `EC -> 7B` branch |
| `07 80 FB 50 26 50` | `EC` branch during later `2F` follow-up tests, group 1 | low-medium | sibling downstream family on the `EC` branch; reinforces selector/family behavior |
Current caution:
@@ -276,6 +277,14 @@ Current caution:
- `EC` is now the first branch where the exact downstream echo looks more
meaningful than the host-shaped mirror: exact `07 80 7B 50 26 D0` produced
`07 C0 2F 95 09 2E`, while host-shaped `00 00 7B 50 26 57` did not.
- Follow-up `2F` mirror tests did not extend that into a stable chained
exchange; instead, the `EC` selector response itself drifted into the sibling
family `07 80 FB 50 26 50`.
- Additional `EC` timing/context tests suggest the leading `A0` is part of the
branch context: with `A0` present, `EC` tends toward `07 80 7B 50 26 D0`; without
`A0`, `EC` fell back to `07 80 C0 40 30 6D`.
- Exact and host-shaped handling of `07 80 FB 50 26 50` did not yield a stable
next-stage response.
## What We Know
@@ -310,6 +319,11 @@ Current caution:
related `7A` / `7B` downstream families.
- The `EC -> 7B` path is currently the strongest sign that some downstream
exact echoes may matter, even though most earlier `7A`-family echoes did not.
- Overall, the evidence is getting stronger for selector-like host entries that
open related response families, but weaker for a fully reproducible multi-turn
"conversation" state.
- At least on the `EC` branch, `A0` now looks more like part of the selection
context than a purely generic primer.
## What We Do Not Know

290
docs/pt2-state-map.md Normal file
View File

@@ -0,0 +1,290 @@
# Sony PT2 Protocol State Map
This document is a working state map for the Sony RCP-TX7 PT2-era control
protocol as currently observed on the bench. It is intentionally more structural
than [pt2-protocol-summary.md](pt2-protocol-summary.md): the goal here is to
show how host inputs appear to move the panel between response families and
contexts.
This is not yet a true finite-state-machine proof. It is a practical model of
what currently seems to change the panel's response surface.
## How To Read This
- `state` means an inferred protocol context, not a confirmed Sony term.
- `stable` means reproduced across multiple clean runs.
- `unstable` means seen more than once or clearly real, but not deterministic.
- `one-shot` means usually group-1 or post-boot only, then gone.
## State Layers
The current evidence suggests the panel behavior is shaped by several layers:
1. physical/link state
2. host-presence / cadence state
3. selector / query context
4. downstream family response surface
5. unknown session-advance / active-control state
We have good evidence for layers 1-4. Layer 5 is still missing.
## Baseline States
### S0: Idle / Not Active
Observed behavior:
- RCP sends repeating heartbeat:
- `00 00 00 00 80 DA`
- LCD may remain idle or later enter `CONNECT NOT ACT`
Known transitions:
- host traffic can move the panel into parser-visible but still not-active
states
- CALL and CAM POWER can still emit panel-origin frames here
Confidence: high
### S1: Host Present / Cadence-Held
Observed behavior:
- repeating host heartbeat
- `00 00 00 00 80 DA`
can keep the panel out of `CONNECT NOT ACT` while traffic continues
- this does not by itself create reusable reads or a full active session
Known side effects:
- some cadence patterns provoke transient families:
- `07 80 40 40 30 ED`
- `07 80 40 60 30 CD`
- `07 80 C0 40 30 6D`
Confidence: high
## Discovery / Query Surface
### S2: Discovery Query Window
Canonical shape:
```text
00 00 00 00 80 DA
00 00 XX 00 80 checksum
-> 07 80 ...
```
Stable one-shot reads:
- `00 -> A0` -> `07 80 68 40 30 C5`
- `00 -> B0` -> `07 80 6C 40 30 C1`
- `00 -> B5` -> `07 80 6D 20 D8 48`
Properties:
- usually one-shot after boot
- repeating the same query often drains to heartbeat only
- appears to be a readable/capability surface, not an activation handshake
Confidence: high
## Event Path
### S3: Synthetic CALL Event Path
Host stimulus:
```text
00 00 15 80 00 CF
00 00 15 00 00 4F
```
Stable response:
- `07 80 45 20 D0 68`
Sibling seen once:
- `07 80 45 30 D0 78`
Properties:
- physical CALL button not required
- looks like a real event-path branch
- has not led to activation or reusable reads
Confidence: high
## Selector-Like Context Surface
The strongest current "state map" behavior lives here. Certain host-side values
look less like direct commands and more like selector/context entries that open
different downstream response families.
### S4: `A0`-Contexted Selector Space
Current best evidence says `A0` is not always just a neutral primer. On at
least the `EC` branch, it appears to be part of the context that opens the
family space.
Observed:
- `A0 + EC` tends to produce `7B`-family output
- `EC` without leading `A0` falls back to `07 80 C0 40 30 6D`
Confidence: medium-high
## `Ex` Selector Neighborhood
These are the clearest currently mapped selector-like host entries.
| Host-side entry | Typical downstream result | Current read |
| --- | --- | --- |
| `00 00 E6 40 30 CC` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias |
| `00 00 E7 40 30 CD` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias |
| `00 00 E8 40 30 C2` | `07 80 7A 50 26 D1` | stable selector into `7A` family |
| `00 00 E9 40 30 C3` | `07 80 7A 28 D3 5C` | sibling selector into related `7A` family |
| `00 00 EA 40 30 C0` | `07 80 C0 40 30 6D` after later heartbeat | alternate heartbeat-family bias |
| `00 00 EB 40 30 C1` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias |
| `00 00 EC 40 30 C6` | `07 80 7B 50 26 D0` or `07 80 FB 50 26 50` | selector into mixed sibling family space |
Current interpretation:
- this is not a flat command block
- some `Ex` values bias toward heartbeat-family transients
- some open structured `7A` / `7B` / `FB` families
Confidence: medium-high
## Downstream Family Branches
### B1: `E8 -> 7A 50 26`
Stable branch:
```text
00 00 A0 00 80 7A
00 00 E8 40 30 C2
-> 07 80 7A 50 26 D1
```
What we know:
- reproducible in group 1
- exact echo of `07 80 7A 50 26 D1` did not advance state
- host-shaped mirror of `7A 50 26` did not advance state
Read:
- `E8` is the active selector
- `7A 50 26 D1` is a downstream family response, not yet a meaningful next host
turn
Confidence: medium-high
### B2: `E9 -> 7A 28 D3`
Stable branch:
```text
00 00 A0 00 80 7A
00 00 E9 40 30 C3
-> 07 80 7A 28 D3 5C
```
What we know:
- reproducible in group 1
- exact and host-shaped replies to `7A 28 D3 5C` did not advance state
Read:
- `E9` looks like a sibling selector to `E8`
- payload differences may represent page/class selection rather than random
drift
Confidence: medium
### B3: `EC -> 7B / FB`
Observed branch space:
```text
00 00 A0 00 80 7A
00 00 EC 40 30 C6
-> 07 80 7B 50 26 D0
or
-> 07 80 FB 50 26 50
```
Important details:
- without leading `A0`, `EC` fell back to `07 80 C0 40 30 6D`
- short and long spacing with `A0` still favored `07 80 7B 50 26 D0`
- exact `7B` echo once produced:
- `07 C0 2F 95 09 2E`
- later `2F` follow-ups did not create a stable next stage
- exact and host-shaped `FB` handling did not create a stable next stage
Read:
- `EC` is the most stateful selector branch seen so far
- `A0` seems to be part of its selection context
- `7B` is the most stable downstream family on this branch
- `FB` is real but currently looks like a sibling observation, not a clear reply
target
Confidence: medium
## Current Transition Sketch
```text
S0 idle/not-active
-> host heartbeat cadence
S1 host-present/cadence-held
-> one-shot discovery query surface
S2 discovery/query window
-> selector/context entry
S4 A0-contexted selector space
-> E8 -> B1 (7A 50 26 family)
-> E9 -> B2 (7A 28 D3 family)
-> EC -> B3 (7B / FB family)
-> E6/E7/EB -> heartbeat-family transient
-> EA / no-A0-EC -> C0-family transient
```
What is still missing:
- the transition from any of these branches into a stable active/session state
- a deterministic multi-turn reply ladder
## What Feels Stable Right Now
- RS-232 electrical layer and 6-byte frame model
- idle heartbeat behavior
- `CONNECT NOT ACT` not being identical to active/inactive protocol state
- one-shot discovery surface
- CALL synthetic event path
- `Ex` neighborhood acting like a selector-like surface
- `A0` mattering as branch context on at least `EC`
## What Still Feels Slippery
- exact conditions that choose `7B` vs `FB` on `EC`
- whether `E8/E9/EC` are true page selectors, class selectors, or partial
capability requests
- whether any downstream family reply is actually something the host is expected
to answer
- how this selector space relates to the real session activation handshake
## Best Next Uses Of This Map
This map is meant to help us ask sharper questions, for example:
- does `A0` act as selector context on `E8` and `E9`, not just `EC`?
- do nearby `Ex` values continue the family strip?
- do host `state/value` bytes on `A0` or `Ex` shift the selected family?
- is there a separate session-maintenance stream that must coexist with these
selector reads?