# Sony PT2 Protocol State Map This document is a working state map for the Sony RCP-TX7 PT2-era control protocol as currently observed on the bench. It is intentionally more structural than [pt2-protocol-summary.md](pt2-protocol-summary.md): the goal here is to show how host inputs appear to move the panel between response families and contexts. This is not yet a true finite-state-machine proof. It is a practical model of what currently seems to change the panel's response surface. ## How To Read This - `state` means an inferred protocol context, not a confirmed Sony term. - `stable` means reproduced across multiple clean runs. - `unstable` means seen more than once or clearly real, but not deterministic. - `one-shot` means usually group-1 or post-boot only, then gone. ## State Layers The current evidence suggests the panel behavior is shaped by several layers: 1. physical/link state 2. host-presence / cadence state 3. selector / query context 4. downstream family response surface 5. unknown session-advance / active-control state We have good evidence for layers 1-4. Layer 5 is still missing. ## Baseline States ### S0: Idle / Not Active Observed behavior: - RCP sends repeating heartbeat: - `00 00 00 00 80 DA` - LCD may remain idle or later enter `CONNECT NOT ACT` Known transitions: - host traffic can move the panel into parser-visible but still not-active states - CALL and CAM POWER can still emit panel-origin frames here Confidence: high ### S1: Host Present / Cadence-Held Observed behavior: - repeating host heartbeat - `00 00 00 00 80 DA` can keep the panel out of `CONNECT NOT ACT` while traffic continues - this does not by itself create reusable reads or a full active session Known side effects: - some cadence patterns provoke transient families: - `07 80 40 40 30 ED` - `07 80 40 60 30 CD` - `07 80 C0 40 30 6D` Confidence: high ## Discovery / Query Surface ### S2: Discovery Query Window Canonical shape: ```text 00 00 00 00 80 DA 00 00 XX 00 80 checksum -> 07 80 ... ``` Stable one-shot reads: - `00 -> A0` -> `07 80 68 40 30 C5` - `00 -> B0` -> `07 80 6C 40 30 C1` - `00 -> B5` -> `07 80 6D 20 D8 48` Properties: - usually one-shot after boot - repeating the same query often drains to heartbeat only - appears to be a readable/capability surface, not an activation handshake Confidence: high ## Event Path ### S3: Synthetic CALL Event Path Host stimulus: ```text 00 00 15 80 00 CF 00 00 15 00 00 4F ``` Stable response: - `07 80 45 20 D0 68` Sibling seen once: - `07 80 45 30 D0 78` Properties: - physical CALL button not required - looks like a real event-path branch - has not led to activation or reusable reads Confidence: high ## Selector-Like Context Surface The strongest current "state map" behavior lives here. Certain host-side values look less like direct commands and more like selector/context entries that open different downstream response families. ### S4: Context-Opened Selector Space Current best evidence says the selector surface is opened not by a single magic byte, but by a small family of host-side context setters. Observed: - `A0 + E8` can produce `7A 50 26` family output - `A0 + EC` tends to produce `7B`-family output - `90 + E8` produced `7A 50 26` - `90 + E9` produced `7A 28 D3` - `90 + EC` produced `7B 50 26` - `AF + E9` produced `7A 28 D3` - `AF + EC` produced `7B 50 26` - `AF + E8` produced the sibling `FA 50 26` family - bare heartbeat + `E8` produced `7A 50 26` - bare heartbeat + `E9` produced `7A 28 D3` - bare heartbeat + `EC` did not open `7B`; it stayed in heartbeat-family behavior - later downstream-behavior tests showed opener choice can also bias which sibling family appears at the selector result itself: - `90 + E8` produced `7A 58 26` - `90 + EC` produced `FB 50 26` - `AF + EC` preserved `7B 50 26` Nuance: - `A0` is not the only opener. - `A0` is not sufficient to make every selector deterministic. - A later control repeat of `A0 + E9` produced heartbeat only, even though earlier `A0 + E9` runs produced `07 80 7A 28 D3 5C`. - `EC` appears stricter than `E8/E9`, because heartbeat alone was enough for `E8/E9` but not for `EC`. - opener choice has a stronger observed effect on branch entry than on downstream reply handling Confidence: high that a context-opener family exists; medium-high on the exact rules for each selector. ## `Ex` Selector Neighborhood These are the clearest currently mapped selector-like host entries. | Host-side entry | Typical downstream result | Current read | | --- | --- | --- | | `00 00 E6 40 30 CC` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias | | `00 00 E7 40 30 CD` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias | | `00 00 E8 40 30 C2` | `07 80 7A 50 26 D1` | stable selector into `7A` family | | `00 00 E9 40 30 C3` | `07 80 7A 28 D3 5C` | sibling selector into related `7A` family | | `00 00 EA 40 30 C0` | `07 80 C0 40 30 6D` after later heartbeat | alternate heartbeat-family bias | | `00 00 EB 40 30 C1` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias | | `00 00 EC 40 30 C6` | `07 80 7B 50 26 D0` or `07 80 FB 50 26 50` | selector into mixed sibling family space | Current interpretation: - this is not a flat command block - some `Ex` values bias toward heartbeat-family transients - some open structured `7A` / `7B` / `FB` families Confidence: medium-high ## Parameterized Selector Behavior The latest state/value ladder suggests the selector surface is not just "command byte picks one response family." It appears parameterized. Current best read: - opener command matters - opener `state/value` payload matters - selector command matters - selector `state/value` payload matters Observed examples: - `90 + E8`: - `E8 00 80` -> `7A 40 30` - `E8 20 D0` -> `7A 48 3A` - `E8 40 30` -> `7A 50 26` - `E8 60 30` -> `7A 58 26` - `90 + E9`: - `E9 00 80` -> `7A 20 D8` - `E9 20 D0` -> `7A 24 FD` - `E9 40 30` -> `7A 28 D3` - `E9 60 30` -> `7A 2C D3` - `90 + EC`: - `EC 00 80` -> `FB 40 30` - `EC 20 D0` -> `E4 40 30` - `EC 40 30` -> `FB 50 26` - `EC 60 30` -> `7B 58 26` - off-grid mixed pairs still produced structured families rather than rejection: - `E8 40 D0` -> `7A 50 3A` - `E9 40 D0` -> `7A 28 DD` - `EC 40 D0` -> `FB 50 3A` - `EC 00 30` -> `7B 40 26` That strongly suggests the `state/value` fields are not filler. They likely select a page, subtype, class, or data register within the selector space. It also weakens the idea that only a tiny fixed whitelist of pair codes is accepted; the space appears more compositional than that. ## Family Classification Table This table is a practical aid for reading captures. It separates: - target families: structured families that appear to be intended branch results - sibling families: alternate structured results in the same selector space - fallback families: repeatable collapse/transient outcomes that usually mean context or parameters were not what the branch wanted - heartbeat-only: no useful branch opened | Selector / context area | Target families | Sibling families | Fallback families | Notes | | --- | --- | --- | --- | --- | | `E8` family space | `07 80 7A 50 26 D1`, `07 80 7A 40 30 D7`, `07 80 7A 48 3A D5`, `07 80 7A 58 26 D9`, `07 80 7A 50 3A CD`, `07 80 7A 40 26 C1`, `07 80 7A 58 30 CF` | `07 80 FA 50 26 51`, `07 80 FA 48 26 49` | `07 80 40 40 30 ED`, `07 80 C0 40 30 6D` | `E8` usually lives in the `7A` family; some opener/payload combinations flip it into sibling `FA`. | | `E9` family space | `07 80 7A 28 D3 5C`, `07 80 7A 20 D8 5F`, `07 80 7A 24 FD 7E`, `07 80 7A 2C D3 58`, `07 80 7A 20 D3 54`, `07 80 7A 24 D3 50`, `07 80 7A 28 DD 52`, `07 80 7A 2C D8 53` | none clearly separated yet | `07 80 40 40 30 ED` | `E9` has been the most internally consistent: it stays in `7A` while the trailing bytes move with parameters. | | `EC` family space | `07 80 7B 50 26 D0`, `07 80 7B 58 26 D8`, `07 80 7B 40 26 C0`, `07 80 7B 4C 26 CC`, `07 80 7B 58 30 CE` | `07 80 FB 50 26 50`, `07 80 FB 40 30 56`, `07 80 FB 50 3A 4C`, `07 80 E4 40 30 49`, `07 C0 2F 95 09 2E` | `07 80 C0 40 30 6D`, `07 80 40 40 30 ED` | `EC` is the richest and touchiest branch. It can land in `7B`, `FB`, or `E4` families depending on context and payload. | | Heartbeat-context transients | none | none | `07 80 40 40 30 ED`, `07 80 40 60 30 CD`, `07 80 C0 40 30 6D` | These show up when traffic shape or context is recognized but does not open the intended structured branch. | | Query/discovery surface | `07 80 68 40 30 C5`, `07 80 6C 40 30 C1`, `07 80 6D 20 D8 48` | `07 80 E8 40 30 45` and related context-sensitive variants | heartbeat-only after one-shot window is spent | This area still looks more like one-shot readable blocks than selector-space family behavior. | Working rule of thumb: - if the family is `7A`, `7B`, `FB`, `FA`, or `E4`, you are probably still in a meaningful selector/result space - if the family is `40`/`C0` after a branch attempt, you probably hit a fallback/transient outcome - if you only get heartbeat, the branch likely did not open or the one-shot window was already gone ## Downstream Family Branches ### B1: `E8 -> 7A 50 26` Stable branch: ```text 00 00 A0 00 80 7A 00 00 E8 40 30 C2 -> 07 80 7A 50 26 D1 ``` What we know: - reproducible in group 1 - exact echo of `07 80 7A 50 26 D1` did not advance state - host-shaped mirror of `7A 50 26` did not advance state - opened by more than one context: - `A0` - `90` - bare heartbeat - `AF` has at least once shifted this branch to sibling `FA 50 26 51` - `90` has at least once shifted this branch to sibling `7A 58 26 D9` Read: - `E8` is the active selector - `7A 50 26 D1` is a downstream family response, not yet a meaningful next host turn - context affects which sibling family `E8` opens Confidence: medium-high ### B2: `E9 -> 7A 28 D3` Stable branch: ```text 00 00 A0 00 80 7A 00 00 E9 40 30 C3 -> 07 80 7A 28 D3 5C ``` What we know: - reproducible in group 1 - exact and host-shaped replies to `7A 28 D3 5C` did not advance state - without `A0`, `E9` fell back to `07 80 40 40 30 ED` - with `A0`, a later control repeat returned only heartbeat, so this branch is less deterministic than `E8` - also opened by: - `90` - `AF` - bare heartbeat Read: - `E9` looks like a sibling selector to `E8` - payload differences may represent page/class selection rather than random drift - `E9` appears more timing- or state-sensitive than `E8` Confidence: medium ### B3: `EC -> 7B / FB` Observed branch space: ```text 00 00 A0 00 80 7A 00 00 EC 40 30 C6 -> 07 80 7B 50 26 D0 or -> 07 80 FB 50 26 50 ``` Important details: - without leading `A0`, `EC` fell back to `07 80 C0 40 30 6D` - `90` and `AF` also opened `7B 50 26` - bare heartbeat alone did not - short and long spacing with `A0` still favored `07 80 7B 50 26 D0` - exact `7B` echo once produced: - `07 C0 2F 95 09 2E` - later `2F` follow-ups did not create a stable next stage - exact and host-shaped `FB` handling did not create a stable next stage Read: - `EC` is the most stateful selector branch seen so far - `EC` needs a stronger context class than plain heartbeat - `7B` is the most stable downstream family on this branch - `FB` is real but currently looks like a sibling observation, not a clear reply target - opener choice can bias `EC` between `7B` and `FB` Confidence: medium ## Current Transition Sketch ```text S0 idle/not-active -> host heartbeat cadence S1 host-present/cadence-held -> one-shot discovery query surface S2 discovery/query window -> selector/context entry S4 A0-contexted selector space -> E8 -> B1 (7A / FA family space) -> E9 -> B2 (7A 28 D3 family) -> EC -> B3 (7B / FB family space) -> E6/E7/EB -> heartbeat-family transient -> EA / no-A0-EC -> C0-family transient ``` What is still missing: - the transition from any of these branches into a stable active/session state - a deterministic multi-turn reply ladder - evidence that the downstream family frames are actually prompts the host is expected to answer, rather than readable blocks with no immediate follow-up - evidence that even page-matched exact echoes are meaningful next-turn host replies; current tests still collapsed to heartbeat ## What Feels Stable Right Now - RS-232 electrical layer and 6-byte frame model - idle heartbeat behavior - `CONNECT NOT ACT` not being identical to active/inactive protocol state - one-shot discovery surface - CALL synthetic event path - `Ex` neighborhood acting like a selector-like surface - `A0` mattering as branch context on at least `EC` ## What Still Feels Slippery - exact conditions that choose `7B` vs `FB` on `EC` - whether `E8/E9/EC` are true page selectors, class selectors, or partial capability requests - whether any downstream family reply is actually something the host is expected to answer - how this selector space relates to the real session activation handshake ## HE29 Host-Fed Branches The HE29 fan-out did not visibly wake the panel, but it did produce two new structured RCP families when certain **host-shaped family/status frames** were sent directly: | Host stimulus | RCP result | Read | | --- | --- | --- | | `00 00 7A 50 26 56` | `07 80 2F 95 C9 AE` | direct family-feed branch; meaningful but one-shot | | `00 00 40 40 30 6A` | `07 80 D0 50 26 7B` | base-status-family branch; meaningful but one-shot | What this suggests: - not every interesting family is only a passive response/readback block - some host-origin family-shaped frames can still stimulate deeper structured responses - but even these branches did **not** create a stable active session or visible panel wake-up So, on the state map, these look like: - additional **host-fed branch entries** - not yet evidence of the missing full conversation/session ladder ## HE30 Family Surfaces HE30 suggests those HE29 host-fed branches are not isolated one-offs. They now look like two small **parameterized surfaces**: | Host-side family | Observed RCP-side family variants | Read | | --- | --- | --- | | `7A ...` | `2F 95 C9`, `2F 65 F2`, `2F 95 52` | likely a host-fed `7A` -> `2F` mapping surface | | `40/50 ...` | `50 78 26`, `50 50 26`, `50 58 26`, `D4 50 26` | likely a host-fed base-status mapping surface | Examples: - `00 00 7A 50 26 56` -> `07 80 2F 95 C9 AE` - `00 00 7A 58 26 5E` -> `07 80 2F 65 F2 65` - `00 00 7A 50 3A 4A` -> `07 80 2F 95 52 35` - `00 00 40 40 30 6A` -> `07 80 50 78 26 D3` or `07 80 50 50 26 FB` - `00 00 50 40 30 7A` -> `07 80 D4 50 26 7F` - `00 00 40 60 30 4A` -> `07 80 50 58 26 F3` What this means on the map: - some host-fed families are acting like **query/page selectors** into deeper response spaces - those spaces are still one-shot and context-sensitive - and they still do not by themselves imply a stable active session ## Best Next Uses Of This Map This map is meant to help us ask sharper questions, for example: - does `A0` act as selector context on `E8` and `E9`, not just `EC`? - do nearby `Ex` values continue the family strip? - do host `state/value` bytes on `A0` or `Ex` shift the selected family? - is there a separate session-maintenance stream that must coexist with these selector reads?