Sony-rcp/docs/pt2-state-map.md

# Sony PT2 Protocol State Map

This document is a working state map for the Sony RCP-TX7 PT2-era control
protocol as currently observed on the bench. It is intentionally more structural
than [pt2-protocol-summary.md](pt2-protocol-summary.md): the goal here is to
show how host inputs appear to move the panel between response families and
contexts.

This is not yet a true finite-state-machine proof. It is a practical model of
what currently seems to change the panel's response surface.

## How To Read This

- `state` means an inferred protocol context, not a confirmed Sony term.
- `stable` means reproduced across multiple clean runs.
- `unstable` means seen more than once or clearly real, but not deterministic.
- `one-shot` means usually group-1 or post-boot only, then gone.

## State Layers

The current evidence suggests the panel behavior is shaped by several layers:

1. physical/link state
2. host-presence / cadence state
3. selector / query context
4. downstream family response surface
5. unknown session-advance / active-control state

We have good evidence for layers 1-4. Layer 5 is still missing.

## Baseline States

### S0: Idle / Not Active

Observed behavior:

- RCP sends repeating heartbeat:
  - `00 00 00 00 80 DA`
- LCD may remain idle or later enter `CONNECT NOT ACT`

Known transitions:

- host traffic can move the panel into parser-visible but still not-active
  states
- CALL and CAM POWER can still emit panel-origin frames here

Confidence: high

### S1: Host Present / Cadence-Held

Observed behavior:

- repeating host heartbeat
  - `00 00 00 00 80 DA`
  can keep the panel out of `CONNECT NOT ACT` while traffic continues
- this does not by itself create reusable reads or a full active session

Known side effects:

- some cadence patterns provoke transient families:
  - `07 80 40 40 30 ED`
  - `07 80 40 60 30 CD`
  - `07 80 C0 40 30 6D`

Confidence: high

## Discovery / Query Surface

### S2: Discovery Query Window

Canonical shape:

```text
00 00 00 00 80 DA
00 00 XX 00 80 checksum
-> 07 80 ...
```

Stable one-shot reads:

- `00 -> A0` -> `07 80 68 40 30 C5`
- `00 -> B0` -> `07 80 6C 40 30 C1`
- `00 -> B5` -> `07 80 6D 20 D8 48`

Properties:

- usually one-shot after boot
- repeating the same query often drains to heartbeat only
- appears to be a readable/capability surface, not an activation handshake

Confidence: high

## Event Path

### S3: Synthetic CALL Event Path

Host stimulus:

```text
00 00 15 80 00 CF
00 00 15 00 00 4F
```

Stable response:

- `07 80 45 20 D0 68`

Sibling seen once:

- `07 80 45 30 D0 78`

Properties:

- physical CALL button not required
- looks like a real event-path branch
- has not led to activation or reusable reads

Confidence: high

## Selector-Like Context Surface

The strongest current "state map" behavior lives here. Certain host-side values
look less like direct commands and more like selector/context entries that open
different downstream response families.

### S4: Context-Opened Selector Space

Current best evidence says the selector surface is opened not by a single magic
byte, but by a small family of host-side context setters.

Observed:

- `A0 + E8` can produce `7A 50 26` family output
- `A0 + EC` tends to produce `7B`-family output
- `90 + E8` produced `7A 50 26`
- `90 + E9` produced `7A 28 D3`
- `90 + EC` produced `7B 50 26`
- `AF + E9` produced `7A 28 D3`
- `AF + EC` produced `7B 50 26`
- `AF + E8` produced the sibling `FA 50 26` family
- bare heartbeat + `E8` produced `7A 50 26`
- bare heartbeat + `E9` produced `7A 28 D3`
- bare heartbeat + `EC` did not open `7B`; it stayed in heartbeat-family
  behavior
- later downstream-behavior tests showed opener choice can also bias which
  sibling family appears at the selector result itself:
  - `90 + E8` produced `7A 58 26`
  - `90 + EC` produced `FB 50 26`
  - `AF + EC` preserved `7B 50 26`

Nuance:

- `A0` is not the only opener.
- `A0` is not sufficient to make every selector deterministic.
- A later control repeat of `A0 + E9` produced heartbeat only, even though
  earlier `A0 + E9` runs produced `07 80 7A 28 D3 5C`.
- `EC` appears stricter than `E8/E9`, because heartbeat alone was enough for
  `E8/E9` but not for `EC`.
- opener choice has a stronger observed effect on branch entry than on
  downstream reply handling

Confidence: high that a context-opener family exists; medium-high on the exact
rules for each selector.

## `Ex` Selector Neighborhood

These are the clearest currently mapped selector-like host entries.

| Host-side entry | Typical downstream result | Current read |
| --- | --- | --- |
| `00 00 E6 40 30 CC` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias |
| `00 00 E7 40 30 CD` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias |
| `00 00 E8 40 30 C2` | `07 80 7A 50 26 D1` | stable selector into `7A` family |
| `00 00 E9 40 30 C3` | `07 80 7A 28 D3 5C` | sibling selector into related `7A` family |
| `00 00 EA 40 30 C0` | `07 80 C0 40 30 6D` after later heartbeat | alternate heartbeat-family bias |
| `00 00 EB 40 30 C1` | `07 80 40 40 30 ED` after later heartbeat | heartbeat-family bias |
| `00 00 EC 40 30 C6` | `07 80 7B 50 26 D0` or `07 80 FB 50 26 50` | selector into mixed sibling family space |

Current interpretation:

- this is not a flat command block
- some `Ex` values bias toward heartbeat-family transients
- some open structured `7A` / `7B` / `FB` families

Confidence: medium-high

## Parameterized Selector Behavior

The latest state/value ladder suggests the selector surface is not just
"command byte picks one response family." It appears parameterized.

Current best read:

- opener command matters
- opener `state/value` payload matters
- selector command matters
- selector `state/value` payload matters

Observed examples:

- `90 + E8`:
  - `E8 00 80` -> `7A 40 30`
  - `E8 20 D0` -> `7A 48 3A`
  - `E8 40 30` -> `7A 50 26`
  - `E8 60 30` -> `7A 58 26`
- `90 + E9`:
  - `E9 00 80` -> `7A 20 D8`
  - `E9 20 D0` -> `7A 24 FD`
  - `E9 40 30` -> `7A 28 D3`
  - `E9 60 30` -> `7A 2C D3`
- `90 + EC`:
  - `EC 00 80` -> `FB 40 30`
  - `EC 20 D0` -> `E4 40 30`
  - `EC 40 30` -> `FB 50 26`
  - `EC 60 30` -> `7B 58 26`
- off-grid mixed pairs still produced structured families rather than rejection:
  - `E8 40 D0` -> `7A 50 3A`
  - `E9 40 D0` -> `7A 28 DD`
  - `EC 40 D0` -> `FB 50 3A`
  - `EC 00 30` -> `7B 40 26`

That strongly suggests the `state/value` fields are not filler. They likely
select a page, subtype, class, or data register within the selector space.
It also weakens the idea that only a tiny fixed whitelist of pair codes is
accepted; the space appears more compositional than that.

## Family Classification Table

This table is a practical aid for reading captures. It separates:

- target families: structured families that appear to be intended branch results
- sibling families: alternate structured results in the same selector space
- fallback families: repeatable collapse/transient outcomes that usually mean
  context or parameters were not what the branch wanted
- heartbeat-only: no useful branch opened

| Selector / context area | Target families | Sibling families | Fallback families | Notes |
| --- | --- | --- | --- | --- |
| `E8` family space | `07 80 7A 50 26 D1`, `07 80 7A 40 30 D7`, `07 80 7A 48 3A D5`, `07 80 7A 58 26 D9`, `07 80 7A 50 3A CD`, `07 80 7A 40 26 C1`, `07 80 7A 58 30 CF` | `07 80 FA 50 26 51`, `07 80 FA 48 26 49` | `07 80 40 40 30 ED`, `07 80 C0 40 30 6D` | `E8` usually lives in the `7A` family; some opener/payload combinations flip it into sibling `FA`. |
| `E9` family space | `07 80 7A 28 D3 5C`, `07 80 7A 20 D8 5F`, `07 80 7A 24 FD 7E`, `07 80 7A 2C D3 58`, `07 80 7A 20 D3 54`, `07 80 7A 24 D3 50`, `07 80 7A 28 DD 52`, `07 80 7A 2C D8 53` | none clearly separated yet | `07 80 40 40 30 ED` | `E9` has been the most internally consistent: it stays in `7A` while the trailing bytes move with parameters. |
| `EC` family space | `07 80 7B 50 26 D0`, `07 80 7B 58 26 D8`, `07 80 7B 40 26 C0`, `07 80 7B 4C 26 CC`, `07 80 7B 58 30 CE` | `07 80 FB 50 26 50`, `07 80 FB 40 30 56`, `07 80 FB 50 3A 4C`, `07 80 E4 40 30 49`, `07 C0 2F 95 09 2E` | `07 80 C0 40 30 6D`, `07 80 40 40 30 ED` | `EC` is the richest and touchiest branch. It can land in `7B`, `FB`, or `E4` families depending on context and payload. |
| Heartbeat-context transients | none | none | `07 80 40 40 30 ED`, `07 80 40 60 30 CD`, `07 80 C0 40 30 6D` | These show up when traffic shape or context is recognized but does not open the intended structured branch. |
| Query/discovery surface | `07 80 68 40 30 C5`, `07 80 6C 40 30 C1`, `07 80 6D 20 D8 48` | `07 80 E8 40 30 45` and related context-sensitive variants | heartbeat-only after one-shot window is spent | This area still looks more like one-shot readable blocks than selector-space family behavior. |

Working rule of thumb:

- if the family is `7A`, `7B`, `FB`, `FA`, or `E4`, you are probably still in a
  meaningful selector/result space
- if the family is `40`/`C0` after a branch attempt, you probably hit a
  fallback/transient outcome
- if you only get heartbeat, the branch likely did not open or the one-shot
  window was already gone

## Downstream Family Branches

### B1: `E8 -> 7A 50 26`

Stable branch:

```text
00 00 A0 00 80 7A
00 00 E8 40 30 C2
-> 07 80 7A 50 26 D1
```

What we know:

- reproducible in group 1
- exact echo of `07 80 7A 50 26 D1` did not advance state
- host-shaped mirror of `7A 50 26` did not advance state
- opened by more than one context:
  - `A0`
  - `90`
  - bare heartbeat
- `AF` has at least once shifted this branch to sibling `FA 50 26 51`
- `90` has at least once shifted this branch to sibling `7A 58 26 D9`

Read:

- `E8` is the active selector
- `7A 50 26 D1` is a downstream family response, not yet a meaningful next host
  turn
- context affects which sibling family `E8` opens

Confidence: medium-high

### B2: `E9 -> 7A 28 D3`

Stable branch:

```text
00 00 A0 00 80 7A
00 00 E9 40 30 C3
-> 07 80 7A 28 D3 5C
```

What we know:

- reproducible in group 1
- exact and host-shaped replies to `7A 28 D3 5C` did not advance state
- without `A0`, `E9` fell back to `07 80 40 40 30 ED`
- with `A0`, a later control repeat returned only heartbeat, so this branch is
  less deterministic than `E8`
- also opened by:
  - `90`
  - `AF`
  - bare heartbeat

Read:

- `E9` looks like a sibling selector to `E8`
- payload differences may represent page/class selection rather than random
  drift
- `E9` appears more timing- or state-sensitive than `E8`

Confidence: medium

### B3: `EC -> 7B / FB`

Observed branch space:

```text
00 00 A0 00 80 7A
00 00 EC 40 30 C6
-> 07 80 7B 50 26 D0
or
-> 07 80 FB 50 26 50
```

Important details:

- without leading `A0`, `EC` fell back to `07 80 C0 40 30 6D`
- `90` and `AF` also opened `7B 50 26`
- bare heartbeat alone did not
- short and long spacing with `A0` still favored `07 80 7B 50 26 D0`
- exact `7B` echo once produced:
  - `07 C0 2F 95 09 2E`
- later `2F` follow-ups did not create a stable next stage
- exact and host-shaped `FB` handling did not create a stable next stage

Read:

- `EC` is the most stateful selector branch seen so far
- `EC` needs a stronger context class than plain heartbeat
- `7B` is the most stable downstream family on this branch
- `FB` is real but currently looks like a sibling observation, not a clear reply
  target
- opener choice can bias `EC` between `7B` and `FB`

Confidence: medium

## Current Transition Sketch

```text
S0 idle/not-active
  -> host heartbeat cadence
S1 host-present/cadence-held
  -> one-shot discovery query surface
S2 discovery/query window
  -> selector/context entry
S4 A0-contexted selector space
    -> E8 -> B1 (7A / FA family space)
    -> E9 -> B2 (7A 28 D3 family)
    -> EC -> B3 (7B / FB family space)
    -> E6/E7/EB -> heartbeat-family transient
    -> EA / no-A0-EC -> C0-family transient
```

What is still missing:

- the transition from any of these branches into a stable active/session state
- a deterministic multi-turn reply ladder
- evidence that the downstream family frames are actually prompts the host is
  expected to answer, rather than readable blocks with no immediate follow-up
- evidence that even page-matched exact echoes are meaningful next-turn host
  replies; current tests still collapsed to heartbeat

## What Feels Stable Right Now

- RS-232 electrical layer and 6-byte frame model
- idle heartbeat behavior
- `CONNECT NOT ACT` not being identical to active/inactive protocol state
- one-shot discovery surface
- CALL synthetic event path
- `Ex` neighborhood acting like a selector-like surface
- `A0` mattering as branch context on at least `EC`

## What Still Feels Slippery

- exact conditions that choose `7B` vs `FB` on `EC`
- whether `E8/E9/EC` are true page selectors, class selectors, or partial
  capability requests
- whether any downstream family reply is actually something the host is expected
  to answer
- how this selector space relates to the real session activation handshake

## Best Next Uses Of This Map

This map is meant to help us ask sharper questions, for example:

- does `A0` act as selector context on `E8` and `E9`, not just `EC`?
- do nearby `Ex` values continue the family strip?
- do host `state/value` bytes on `A0` or `Ex` shift the selected family?
- is there a separate session-maintenance stream that must coexist with these
  selector reads?