36 KiB
PT2 Protocol Working Notes
This document is the current working model for the serial protocol spoken by the Sony RCP-TX7 panel ROM.
A later RCP manual mentions a "PT2 compatibility mode" for controlling the same CCU family this panel was made for. We are using "PT2" here as a practical label for this six-byte SCI1 protocol model. It is not yet a claim that every field name matches Sony's official PT2 terminology.
Focused companion notes:
- PT2 Copy State Machine
- PT2 Menu State Machine
- PT2 Session Rhythm ROM Trace
- PT2 Continuation Command Trace
- PT2 Report Aftermath ROM Trace
- PT2 Shutter Display Trace
- PT2 Button Report Bench Plan
Current High-Confidence Facts
- The real bench link is
38400 8E1, not38400 8N1. - The ROM uses H8/536 SCI1 through the MAX202 RS232 transceiver.
- Frames are six bytes long.
- The checksum is
0x5A XOR byte0 XOR byte1 XOR byte2 XOR byte3 XOR byte4. - The ROM validates the checksum before normal command dispatch.
- The first byte is decoded as
command = byte0 & 0x07. - Bytes 1 and 2 encode a logical selector.
- Bytes 3 and 4 are a 16-bit value for write-style commands.
- The protocol is stateful. Some commands only work while a continuation/session latch is live.
CONNECT:NOT ACTis recoverable without a power cycle.CONNECT: OKcan be reached on real hardware after using the correct8E1serial format.
Hardware Path
SCI1 is the external serial path:
- H8/536 pin 66,
P95/TXD, goes to MAX202 pin 11. - MAX202 pin 12 goes to H8/536 pin 67,
P96/RXD. - The ROM initializes SCI1 as async 8-bit, even parity, 1 stop.
ROM evidence:
build/rom_decompiled.asm:437:SCI1_SMR = H'24.build/rom_decompiled.asm:438:SCI1_SCR = H'3C.build/rom_decompiled.asm:439:SCI1_BRR = H'07.
Bench implication:
- Use
38400 8E1for all real-device captures and probes. - Old
38400 8N1captures mostly exercised parity/error handling and retry echoes. Do not assign normal protocol meaning to old8N107...frames until they are reproduced under8E1.
Frame Format
Working host/RCP frame layout:
byte0 command byte; ROM uses byte0 & 0x07
byte1 selector page/high bits; byte1.7 is rejected by normal handlers
byte2 selector low byte
byte3 value high byte
byte4 value low byte
byte5 checksum = 0x5A XOR byte0..byte4
Examples:
00 00 00 80 80 5A ; command 0, selector 0x000, value 0x8080
01 00 00 00 00 5B ; command 1, read selector 0x000
04 00 00 80 00 DE ; command 4 shape, selector 0x000, value high 0x80
07 00 00 00 00 5D ; command 7, repeat previous finalized TX frame
Selector Decode
The ROM builds a raw selector from bytes 1 and 2, then maps it through loc_622B.
Known decode:
| byte1 page | byte2 range | selector |
|---|---|---|
| page 0, or pages 4-7 | 00-7F |
0x000 + byte2 |
| page 1 | 00-FF |
0x080 + byte2 |
| page 2 | 00-7F |
0x180 + byte2 |
| page 3 | any | 0x1FF fallback |
| invalid range | any | 0x1FF fallback |
Important caveats:
byte1.7is rejected before normal command handling.- Frames like
01 80 40 ...may look like a selector encoding, but the normal command path rejectsbyte1.7. - Pages 4-7 appear to alias the page-0 path when the low byte is in range.
Checksum
Checksum formula:
checksum = 0x5A
for b in frame[:5]:
checksum ^= b
The ROM path:
- RXI captures bytes into
F868-F86D. - Main-loop processing copies them to
F860-F865. - Physical error latch
FAA4.7is checked before checksum dispatch. - Checksum mismatch enters the retry/error path.
- Valid checksum clears retry counter
FAA6, decodes selector, and dispatches onbyte0 & 0x07.
Key ROM areas:
- RXI/ERI capture:
BB57,BB67. - Validation and checksum:
BBAB-BBF0. - Selector decode call:
BC01 -> 622B. - Command dispatch:
BC08-BC67.
Command Model
The biggest protocol lesson is that the command set has two modes:
- Initial dispatcher: active while
FAA2 == 0. - Continuation dispatcher: active while
FAA2 != 0.
That means command numbers are not globally meaningful. Command 4, 5, and 6 are continuation-path commands, not normal idle commands.
| Command | Path | Current meaning | Response |
|---|---|---|---|
0x00 |
initial | Set primary/current value, queue selector processing | Immediate 0x04 echo-style response |
0x01 |
initial | Read primary value table | Immediate 0x04 readback response |
0x02 |
initial | Quiet clear/no-op style command | No immediate response seen in ROM |
0x04 |
continuation | Set/update value without immediate response | Usually no immediate response |
0x05 |
continuation | ACK/session-clear/pending handling | Usually no immediate response |
0x06 |
continuation | Set secondary value table | Usually no immediate response |
0x07 |
both | Retransmit previous finalized TX frame | Repeats last TX frame |
Command Details
Command 0: Initial Set Value
Path: BC69.
Conditions:
- Valid checksum.
FAA2 == 0.byte1.7 == 0.
Effects:
- Writes value into
E000 + 2*selector. - Writes value into
E800 + 2*selector. - Sets dirty flag bit 7 in
EC00 + selector. - Calls
BE70, which appends the selector into theF970selector-processing queue. - Sends an immediate
0x04response throughBA26.
Selector-zero special case:
- For selector
0x000, the low byte is forced to0x80. - This makes selector-zero writes look like
xx80, not arbitraryxxLL.
Important candidate:
00 00 00 80 80 5A ; selector 0 = 0x8080, strongest CONNECT OK seed
Command 1: Read Value
Path: BCD7.
Effects:
- Reads
E000 + 2*selector. - Stages a
0x04response. - Clears
FAA2.7.
Useful readback examples:
01 00 00 00 00 5B ; read selector 0x000
01 00 40 00 00 1B ; read selector 0x040
01 01 76 00 00 2C ; read selector 0x0F6
Bench implication:
- Command 1 verifies table state.
- It is not an ACK and does not enter continuation handling.
- Command 7 after command 1 can repeat the last finalized readback.
Command 2: Initial Clear/No-Op Candidate
Path: BD04.
Effects:
- Clears
FAA2.7. - Returns without staging an obvious response.
Meaning is still unclear. Treat it as a quiet/session-control candidate, not as a data write.
Command 4: Continuation Set Value
Path: BD0E.
Conditions:
- Valid checksum.
FAA2 != 0.- Command bit 2 set.
byte1.7 == 0.
Effects:
- Writes value into
E000 + 2*selector. - Selector zero also updates
E800. - Nonzero selectors set dirty flag bit 7 in
EC00 + selector. - Can mirror/persist mapped nonzero selectors through the
F400/EEPROM path whenF76E.7allows it. - If
FAA2.3was set by a queued report, command 4 can advanceF9B5to consume that report. - Clears
FAA3andFAA2before exit.
Known CONNECT test frames:
04 00 00 40 00 1E
04 00 00 80 00 DE
04 00 00 C0 00 9E
ROM caveat:
- A standalone command 4 from a truly idle
FAA2 == 0state should not reachBD0E. - Bench evidence now proves the panel can still recover from
CONNECT:NOT ACTwithout power cycling, so visibleNOT ACTis not equivalent to "all serial continuation state is impossible".
Command 5: Continuation ACK/Clear Candidate
Path: BD80.
Conditions:
- Continuation path only.
Effects:
- Usually no immediate response.
- Selectors
0x006C,0x006D, and0x006EcallBE70. - If
F731.7is set, selectors0x006B,0x0096,0x0097,0x00C6, and0x00F8clearF731.7/F790.7. - If
FAA2.3was set by a queued report, command 5 can advanceF9B5. - Clears
FAA3andFAA2before exit.
Bench implication:
- Command 5 is not a generic always-live ACK.
- It only has ACK-like meaning when the continuation latch is live.
Command 6: Continuation Secondary Set
Path: BDDB.
Effects:
- Writes value into
E400 + 2*selector. - Sets dirty flag bit 6 in
EC00 + selector. - Can advance queued-report state when
FAA2.3is live. - Clears
FAA3andFAA2.
Command 7: Repeat Previous TX
Path: BE05.
Effects:
- Copies the previous finalized TX frame back into staging.
- Sends it again through
BA26. - Works from initial and continuation paths.
Bench implication:
- Command 7 is useful as a "what did you last finalize?" probe.
- It does not prove a hidden continuation token by itself.
RCP Transmit Frames
The TX side uses the same six-byte checksum model.
TX staging:
F850-F854: staging bytes.F858-F85C: finalized bytes.F85D: computed checksum.BA26: finalizes and starts SCI1 TX.- TXI sends bytes 1-5 after the first TDR write.
Known RCP-origin frames:
| Frame | Confidence | Current meaning |
|---|---|---|
00 00 00 00 80 DA |
high | idle heartbeat / selector-zero report |
00 00 07 80 00 DD |
medium-high | observed CAM POWER button/report candidate |
00 00 15 80 00 CF |
medium-high | observed CALL on/report candidate |
00 00 15 00 00 4F |
medium-high | observed CALL off/report candidate |
02 00 02 00 00 5A |
medium | emulator CONNECT OK path response candidate |
Heartbeat:
- Idle frame:
00 00 00 00 80 DA. - Observed cadence: about 700 ms.
- ROM path:
loc_4067enqueues selector 0,loc_BAF2/BB08dequeues it,BB1C/BB20/BB2Bstages TX bytes,BA26emits the frame. - FRT2 timing model:
TCR=H'02,OCRA=H'7A12, modeled as a 100 ms tick at 10 MHz;F9C4=0x07gives about 700 ms post-send heartbeat delay.
Retry/Error 07 Frames
07... frames are easy to misread.
The ROM can generate a 0x07 retry/error echo when:
- A physical RX error occurs, or
- A checksum mismatch occurs, and
FAA5.7is set, and- Retry count
FAA6is below two.
Path:
BE29retry gate.BE4DstagesF850=0x07.F851-F854copy hostRX[1:4].BA26sends it.
Bench implication:
- A visible
07...frame is not automatically a normal status report or ACK. - Old
8N1captures produced many misleading07...frames because parity errors exercised this path.
Table Model
The ROM behaves like a selector-indexed state machine. The CCU likely seeds values, and the RCP updates LCD/lamp/control behavior from those values.
| Table | Range | Role |
|---|---|---|
| Primary value table | E000-E3FF |
Command 0/4 writes, command 1 reads |
| Secondary value table | E400-E7FF |
Command 6 writes |
| Current/report table | E800-EBFF |
Used when RCP builds outbound report frames |
| Dirty/flag table | EC00-EFFF |
Per-selector flags, bit7 for primary writes, bit6 for secondary writes |
| EEPROM/shadow | F400-F4FF |
Optional mapped persistence/config surface |
Important details:
- Selector zero is special in command 0 and command 4.
- Command 0 writes both
E000andE800. - Command 4 writes
E800only for selector zero in the current ROM evidence. BAF2readsE800 + 2*selectorwhen building autonomous RCP reports.BE70/F970is a selector-processing queue.3E54/F870is a separate serial-visible report queue.
Do not mix up:
F970: "process this selector internally".F870: "send this selector/report over serial".
State And Queues
Important RAM/state bytes:
| Address | Working name | Meaning |
|---|---|---|
FAA2.7 |
RX command in progress | Set on initial parse, cleared on exits |
FAA2.3 |
queued report continuation needed | Set after autonomous report send |
FAA3.7 |
pending resend mask | Set after queued report send |
FAA4.7 |
RX physical error latch | Set by SCI1 ERI |
FAA5.7 |
RX session gate | Set while F9C5 is alive after complete RX |
FAA6 |
retry counter | Limits retry/error echoes |
F9C1 |
inter-byte timeout | Reloaded on RXI |
F9C3 |
RX byte count | Counts up to six |
F9C4 |
heartbeat/report cadence gate | Controls idle heartbeat enqueue |
F9C5 |
RX/session timeout | Loaded with 0x14 after full RX frame |
F9B0/F9B5 |
serial report queue cursors | Drive F870/BAF2 |
F9B4/F9B9 |
selector-processing queue cursors | Drive F970/2806 |
Session expiry:
- A complete six-byte RX frame loads
F9C5=0x14. - FRT2 decrements
F9C5. - When
F9C5reaches zero,loc_3FEFcan clear queues/session state. - If
FAA5.7was set, expiry callsloc_400C. loc_400Cclears connection/session RAM and refreshes inactive display state.
This explains why random traffic tends to settle back to CONNECT:NOT ACT.
CONNECT State
CONNECT strings are built through the LCD driver, not received as literal serial text.
Known LCD path:
FAF0-FAFF line buffer -> 3ECC -> 3F28 -> 3F40 -> F200/F201 LCD ports
ROM/emulator findings:
- Boot/no-active-session display can show
CONNECT:NOT ACT. - Direct emulator entry at
loc_2CB9withE000[0]=0x8080andF730=0reachesCONNECT: OK. - Queued selector-zero path reaches OK when:
F970[0]=0F9B9=0F9B4=1E000[0]=0x8080F730=0
- Selector zero dispatches through the
28A6jump table into the CONNECT handler window.
Bench findings:
- Correct
8E1serial format made the CONNECT path work on real hardware. - Real hardware can recover from
CONNECT:NOT ACTtoCONNECT: OKwithout a power cycle. - Successful active-looking state included:
CONNECT: OK- CAM POWER lamp illuminated
- numeric readouts illuminated as
----
- Matrix tests show that cadence matters:
40 -> 80 -> C0with 10 ms, 50 ms, or 150 ms inter-frame gaps stayed atCONNECT:NOT ACTafter a fresh power-cycle test.- The same order with 700 ms and 1.5 s inter-frame gaps produced
CONNECT: OKbefore falling back toCONNECT:NOT ACT. - At 700 ms gaps, no single frame worked by itself.
- At 700 ms gaps, every tested two-frame pair worked:
40 -> 80,80 -> C0, and40 -> C0. - A repeated identical pair also worked:
80 -> 80at about 700 ms produced eight02 00 02 00 00 5AOK-path responses, then heartbeat traffic resumed. - The no-power-cycle recovery test from an already visible
CONNECT:NOT ACTstate produced repeated02 00 02 00 00 5AOK-path responses, then returned to heartbeat traffic.
Current interpretation:
CONNECT:NOT ACTis a normal no-active-session/cleared-state display, not a terminal latch.CONNECT: OKis table/state driven, probably selector-zero active/connect state.0x8080at selector zero is the strongest known active/connect value.- The panel likely expects the CCU to consume/ACK report-queue frames and keep seeding or refreshing state after entering OK.
- The working fake-CCU sequence is probably not "three frames as fast as possible"; it appears to need CCU-like cadence or a live session window, roughly on the heartbeat/report timescale.
- A single selector-zero continuation-shaped frame is insufficient in the current tests; two selector-zero writes at the working cadence are enough. They do not need to carry different values, because
80 -> 80also worked.
ROM report-source update:
- The active
02/01 ...frames seen during CONNECT OK attempts are best modeled asF870 -> BAF2 -> BA26report-queue transmissions. BAF2dequeues a report word, encodes the first three TX bytes, reads the payload fromE800 + 2*selector, andBA26appends the0x5AXOR checksum.- After sending a queued report, the ROM sets
FAA2.3andFAA3.7; command4,5, or6can then consume/advance the report only while that continuation latch is live. - The emitted report does not appear to encode a required ACK selector. The ROM consume test is
FAA2.3, so a generic command-5 continuation ACK such as05 00 40 00 00 1Fis the cleanest report-cursor consume candidate. - Low commands
0/1/2during the report wait can clear the continuation latch and re-enter initial dispatch, but they do not advanceF9B5. Command7retransmits and also does not advanceF9B5. - Emulator testing now supports the reactive ACK model: waiting for a finished RCP report frame, then sending
05 00 40 00 00 1F, repeatedly advancedF9B5, clearedFAA2/FAA3, and kept the emulated LCD atCONNECT: OK. - This makes a reactive fake-CCU test more valuable than another blind fixed-delay matrix: recover to OK, wait for the first active report, then send one candidate continuation/ACK frame.
Candidate CCU Seed Values
These are syntactically valid host frames produced from ROM table mining. Use them as candidate fake-CCU state seeds, not as final protocol truth.
| Selector | Candidate value | Frame | Why it matters |
|---|---|---|---|
0x000 |
0x8080 |
00 00 00 80 80 5A |
strongest CONNECT OK seed |
0x003 |
0x8000 |
00 00 03 80 00 D9 |
ROM default enabled bit candidate |
0x040 |
0xFFFF |
00 00 40 FF FF 1A |
ROM default all-ones/status block candidate |
0x040 |
0x4030 |
00 00 40 40 30 6A |
bench-touched 0x40 family value |
0x0F6 |
0x2000 |
00 01 76 20 00 0D |
loc_48FA tests E1EC.13 and can enqueue report 0x00F6 |
Readbacks:
01 00 00 00 00 5B ; selector 0x000
01 00 03 00 00 58 ; selector 0x003
01 00 40 00 00 1B ; selector 0x040
01 01 76 00 00 2C ; selector 0x0F6
Observed Button/Panel Reports
Before the protocol format was corrected, the RCP appeared to emit only a few report families by itself:
00 00 00 00 80 DA ; heartbeat
00 00 07 80 00 DD ; CAM POWER candidate
00 00 15 80 00 CF ; CALL on candidate
00 00 15 00 00 4F ; CALL off candidate
Current interpretation:
- The RCP can report some panel events.
- Many other controls probably need CCU-provided state before they become reportable or meaningful.
- The CCU likely streams display/lamp/readout state to the RCP, while the RCP reports operator changes back.
EEPROM And Board Config
The P9 bus is not the external PT2 serial link. It is a bit-banged EEPROM/config path:
- H8 pin 62,
P91, reaches X24164 pin 6SCL. - H8 pin 68,
P97, reaches shared X24164 pin 5SDA.
ROM findings:
loc_40BBchecksP7DR.7andF402 == H'6B6Fbefore deciding whether to default EEPROM/shadow tables.loc_4103writes ROM default words throughBFE0.loc_41D2reads sixteen 8-byte records intoF7B0-F82F.- Command 4 can persist mapped serial table writes when
F76E.7is set.
Current interpretation:
- EEPROM stores panel/config/default state.
- It can affect startup and option behavior.
- After the
8E1discovery, EEPROM is less likely to be the fundamental reason CONNECT failed, but it can still influence which selectors/features are active.
Known Useful Bench Commands
Minimal CONNECT sequence runner:
.\.venv\Scripts\python.exe scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --parity E --prompt-screen
Recover from CONNECT:NOT ACT without power cycling:
.\.venv\Scripts\python.exe scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --no-power-cycle --parity E --prompt-before-send --prompt-screen --post-sequence-read 10 --log captures\connect-notact-to-ok.txt
Run the reproducibility/minimization matrix:
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite minimal --parity E --prompt-observation --result-json captures\connect-ok-minimal-result.json
Test timing/cadence:
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite gap --parity E --prompt-observation --result-json captures\connect-ok-gap-result.json
Test whether OK is held:
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite hold --parity E --prompt-observation --result-json captures\connect-ok-hold-result.json
Sweep strong continuation/ACK candidates after recovering to CONNECT: OK:
.\.venv\Scripts\python.exe scripts\connect_ok_advance_sweep.py --suite core --parity E --prompt-observation --result-json captures\connect-ok-advance-core-result.json
Candidate suites:
core:05 00 40 00 00 1Fpure command-5 report-consume candidate, then04 00 00 80 00 DEselector-zero refresh/consume candidate.special: command-50x006C/0x006D/0x006E, which call the ROM'sBE70queue helper.latch: command-50x006B/0x0096/0x0097/0x00C6/0x00F8, which can clear theF731/F790latch bits when that path is live.all: all of the above.
Current matrix result summary:
minimal suite at 150 ms gaps: all cases stayed CONNECT NOT ACT
gap suite at 10/50/150 ms: stayed CONNECT NOT ACT
gap suite at 700 ms and 1.5 s: CONNECT OK, then CONNECT NOT ACT
minimal suite at 700 ms gaps: singles stayed CONNECT NOT ACT; all pairs reached CONNECT OK then CONNECT NOT ACT
repeated 80 -> 80 at about 700 ms: CONNECT OK responses, then CONNECT NOT ACT
hold suite at 150 ms gaps: stayed CONNECT NOT ACT
no-power-cycle NOT ACT recovery: CONNECT OK responses observed, then heartbeat resumes
Advance sweep result summary:
core suite: no new LCD behavior
all suite, ack-006C (05 00 6C 00 00 33): CONNECT OK, then LCD blank while CAM POWER lamp stayed on
all suite, ack-006D (05 00 6D 00 00 32): CONNECT OK, then COPY IN PROGRESS, then CONNECT NOT ACT
all suite, ack-006E/latch candidates: mostly OK then NOT ACT
fresh isolated ack-006D run: COPY path reproduced after a relay power-cycle
The 0x006D copy path is now confirmed outside the earlier all-suite ordering caveat: captures/connect-ok-advance-special-20260526-153339.txt power-cycled the panel, waited for heartbeats, sent the two-frame 0x8080 CONNECT baseline, then sent only 05 00 6D 00 00 32; the LCD again entered the copy path. The ROM strongly supports that these are real selector side effects:
- Command 5 compares
R5against0x006C,0x006D, and0x006E; those selectors callBE70to append the selector to theF970processing queue. - Selector
0x006Cdispatches toH'2FAF. Forced decoding shows it manipulatesF76E,F795,F797,F799, can set display selectorF732=H'1904, setsFB02=H'14, and calls the48FAdisplay/report bridge. - Selector
0x006Ddispatches toH'3015. Forced decoding shows it setsF731.7, loadsF798=H'C8, setsF795.6/F795.7, sets display selectorF732=H'1903, setsFB02=H'64, calls48FA, then setsF76E.6. - The LCD dispatch for these states is now traced:
loc_48FAreads the high byte atF732, soF732=H'1903/H'1904selects display page0x19, not direct page0x03/0x04.493E[0x19] -> H'930A; that page's local table atH'931CincludesH'9F6AforCOPY/IN PROGRESSandH'9FDAforCOPY/COMPLETED. The low byte atF733is the substate selector:0x03is in-progress and0x04is completed. - This makes the likely copy handshake:
0x006Dstarts copy and sets theF795.6/F795.7in-progress flags;0x006Cis the completion/exit sibling only when those flags are live. Sending0x006Calone can therefore blank or clear state instead of displayingCOPY COMPLETED. - Bench step-through confirmed the sequence model:
006Calone producedCONNECT OK -> blank;006Dalone producedCONNECT OK -> COPY IN PROGRESS;006Dfollowed by006Cafter 250 ms produced a briefCOPY IN PROGRESSthenCOPY COMPLETED; the same after 1.0 s and 1.5 s produced a longerCOPY IN PROGRESSthenCOPY COMPLETED; after 2.0 s or 2.5 s it fell toCONNECT:NOT ACTinstead of completing. Repeating006Dbefore006Calso completed successfully in the 2x and 3x repeat tests. A longer006Dhold test keptCOPY IN PROGRESSactive for several seconds and then completed when006Carrived, while the same hold without006Ctimed out fromCOPY IN PROGRESStoCONNECT:NOT ACT. This points to006Das an in-progress/progress-window refresh selector and006Cas the explicit completion/exit selector, not a stateless command pair. - The FRT1 timer path decrements
F797andF798; when either reaches zero, it clearsF731.7. This matches the observed transient display modes falling back toCONNECT:NOT ACT. - The string
COPY IN PROGRESSis present in the ROM LCD resources, so the006Dresult is not a generic serial artifact. - Manual interpretation: the RCP-TX7 operating manual describes
COPY IN PROGRESSas the LCD state shown during the multi-cameraCOPY TO SLAVESdata-transfer operation over the RS232C command-link system. During that state, all linked RCP units display the message and their buttons/knobs are locked untilCOPY COMPLETED. Therefore selector0x006Dis best treated as entering a command-link copy/data-transfer state, not as a normal CCU connection ACK.
RCP-side OTHERS/COPY menu trace:
- The OTHERS menu is page
0x01:493E[0x01] -> H'631C, local tableH'632E. - Local table entry 1 points to
H'6FF0, the page that rendersOTHERS/COPY TO SLAVES. - The entry descriptor immediately before
H'6FF0requires selector0x0015in the secondary table:E400[0x0015] != 0. Because command 6 writesE400, this is probably a CCU-provided feature/visibility bit, and command 6 must be sent in a live continuation/report window to have an effect. - The root OTHERS/SHUTTER page
H'6EE4consumesF770.0/F770.1; the COPY pageH'6FF0consumesF770.2. Both handlers readF770, clear it, and then act on those low bits. - The only decoded direct writers to
F770found so far write high bits0x80,0x40, and0x20from value/dial redraw paths. No direct decoded write toF770=0x01/0x02/0x04has been found yet, so the physical OTHERS/COPY action probably arrives through an indirect panel-key latch or page-local mechanism. - When the page sees
F770.2set, it only follows the local copy-start branch ifF791.7is already set. That branch setsF76E.6,F795.7,F731.7,F798=H'C8,F711.7,F726=H'64, callsloc_5500, then displaysCOPY TO SLAVES. This is the RCP-side equivalent of the serial0x006Dcopy-start effect. - If
F770.2is set whileF791.7is clear, the ROM diverts throughH'704Cto aSET RCP/MASTERdisplay path instead of starting copy. That makesF791.7a second, likely master/link/session gate for the physical COPY operation. - The OTHERS root handler at
H'6EE4also tests primary selectorE000[0x008F](H'E11E) bits 11 and 12, and uses them to setF711.6andF711.4. Bench isolation shows this selector is broader than an OTHERS gate: bit 11 makes the SHUTTER seven-segment display show observedEUS, probably the manual'sEVSdisplay, and bit 12 makes it show the literal lettersOFF; either bit also illuminates the iris AUTO lamp. - Candidate gate probes, not final protocol truth:
00 01 0F 18 00 4C ; command 0, set E000[0x008F] bits 11+12
06 00 15 00 01 48 ; command 6, set E400[0x0015] nonzero; requires live continuation
06 00 15 80 00 C9 ; command 6, alternate nonzero visibility value; requires live continuation
Read table state:
.\.venv\Scripts\python.exe scripts\serial_table_dump.py --port COM5 --relay-port COM6 --start 0x000 --count 0x200 --parity E --log captures\table-read-8e1.txt
Current Best Model Of Normal CCU/RCP Communication
The protocol looks like a shared selector table with stateful reporting:
- CCU sends initial state seeds into selector tables, especially selector zero and status/display selectors.
- RCP updates LCD, lamps, and numeric readouts from selector dispatch handlers.
- RCP emits heartbeat/report frames from
E800via theF870 -> BAF2report queue. - Host/CCU uses continuation commands to consume/ACK/update live reports while
FAA2/FAA3gates are active. - If the CCU stops talking or session state expires, RCP clears volatile session state and returns to
CONNECT:NOT ACT.
This fits the real panel behavior:
- Idle panel emits heartbeat.
- Correct fake-CCU traffic can wake it to
CONNECT: OK. - Without richer CCU state, readouts illuminate but show placeholders like
----.
Active-State Local-Control Watch
Bench evidence now suggests CONNECT: OK is maintained by an ongoing CCU refresh stream, not by one magic wake frame. This creates a useful local-control test: keep the RCP in the active state and press/turn physical controls while logging device TX.
Two JSON scenarios are set up for that:
.\.venv\Scripts\python.exe scripts\serial_scenario.py scenarios\active-control-report-watch-quiet.json --parity E --log captures\active-control-report-watch-quiet.txt --result-json captures\active-control-report-watch-quiet-result.json
.\.venv\Scripts\python.exe scripts\serial_scenario.py scenarios\active-control-report-watch-broad.json --parity E --log captures\active-control-report-watch-broad.txt --result-json captures\active-control-report-watch-broad-result.json
.\.venv\Scripts\python.exe scripts\serial_scenario.py scenarios\active-control-report-watch-gated.json --parity E --log captures\active-control-report-watch-gated.txt --result-json captures\active-control-report-watch-gated-result.json
The quiet scenario sends the selector-zero OK seed, then refreshes E000[0x0093]=0x9020 every 0.60 s. This is the lowest-noise active hold that has already kept CONNECT: OK alive.
The broad scenario streams E000[0x008F]=0x1800 and E000[0x0093]=0xFFFF every cycle. This is noisier, but may open more local-control/status gates.
The gated scenario first seeds candidate secondary-table feature bits with command 6:
06 00 15 80 00 C9 ; E400[0x0015] OTHERS/COPY visibility candidate
06 01 0F 18 00 4A ; E400[0x008F] shutter/OTHERS bits 11+12
06 01 13 FF FF 4E ; E400[0x0093] broad local-report/status gate candidate
Then it streams E000[0x008F]=0x1800 and E000[0x0093]=0x90FF. This is the better next watch if quiet/broad E000-only refreshes do not produce local-control TX.
After a run, summarize unexpected device frames with:
.\.venv\Scripts\python.exe scripts\serial_scenario_unexpected.py captures\active-control-report-watch-quiet.txt --show-all
.\.venv\Scripts\python.exe scripts\serial_scenario_unexpected.py captures\active-control-report-watch-broad.txt --show-all
.\.venv\Scripts\python.exe scripts\serial_scenario_unexpected.py captures\active-control-report-watch-gated.txt --show-all
Expected refresh responses are ignored by default: heartbeat, table readbacks, and 02 00 02 00 00 5A. Any remaining checksum-valid frame is a candidate local-control report. This is where physical button/dial reports should appear if the RCP only talks while the CCU keeps the selector tables active.
The unexpected-frame summarizer also labels known autonomous button frames so they are not mistaken for newly unlocked controls:
00 00 15 80 00 CF ; known CALL active report
00 00 15 00 00 4F ; known CALL inactive report
00 00 07 80 00 DD ; known CAM POWER report
First quiet/broad watch captures on 2026-05-26 showed no unexpected checksum-valid frames in the observed window:
active-control-report-watch-quiet: 114 detected frames, all expected refresh/heartbeat/readback
active-control-report-watch-broad: 133 detected frames, all expected refresh/heartbeat/readback
Those runs stopped mid-scenario, so this is not a full negative proof. The practical interpretation is narrower: E000 active-state refresh alone did not make the pressed controls emit visible TX in the watched window. The gated command-6 version is the next ROM-supported test.
The first gated watch capture produced a new periodic active-state response:
02 00 04 00 00 5C ; gated 0x0004 transition candidate, seen twice
01 00 04 00 00 5F ; gated 0x0004 active response candidate, seen 328 times
After treating those as expected gated refresh traffic, the capture had zero novel frames. A direct search found no known CALL/CAM POWER frames in that log. So the gated setup changed the session/status response shape, but it did not yet prove that physical controls beyond the already-known autonomous buttons are reporting.
Lamp Selector Mapping
Bench lamp sweeps now prove that several panel outputs are directly driven by command-0 selector writes while CONNECT: OK is alive. The current detailed map lives in docs/pt2-lamp-selector-map.md.
Newest confirmed behavior:
lamp-known-button-selector-probemade CAM, CALL, BARS, MASTER, and camera tally outputs flash individually.0x0007 = 0x8000/0x0000blinked CAM POWER in isolation.0x0015 = 0x8000/0x0000blinked CALL and red tally in isolation.- Fresh-boot isolation maps
0x0013to SLAVE,0x0016to green tally, and0x0017to BARS for the0x8000/0x0000value pair. - Fresh-boot isolation maps
0x0092to iris AUTO/OFF behavior, and maps both0x00B9and0x0110to KNEE-related behavior. - A ROM trace now explains why the KNEE tests looked non-level-held.
loc_1795is reached from the panel input lane (F104 -> F692 -> F6F0.1) and readsE000[0x00B9]plusE000[0x0110]. - The live KNEE value/report gate is
0x00B9.13, not the earlier bench-only0x00B9.15guess. 0x0110.15forces a timed KNEE page/display override (F732=0x1C03,FB02=0x14), which matches the observed "lights, then clears" behavior.- On that KNEE LCD page,
0x0110.15selectsDL,0x00B9.15selectsPRESET, and both clear selectsAUTO. - When
0x00B9.13is set and0x0110.15is clear, the ROM reports/updates selector0x00BCfrom theF692 - F6B2panel-input delta. Seedocs/pt2-knee-rom-trace.md. - The first KNEE ROM probe produced a new bench LCD state with
DTLon the left andKNEEon the right, matching the ROM page-0x1C DETAIL/KNEE neighborhood. - A follow-up isolation lit the KNEE AUTO lamp in later KNEE windows but did not change the LCD. Current model: KNEE AUTO lamp/status is mostly selector driven, while the DETAIL/KNEE LCD page needs an additional local menu/display condition.
What Is Still Unknown
- The official PT2 names for commands and selectors.
- Which selectors drive every lamp and numeric display.
- Whether the CCU sends a periodic refresh stream after CONNECT OK.
- Exact hold time before OK falls back to NOT ACT, if no refresh traffic follows.
- Whether command 4 CONNECT success depends on an existing continuation latch, timing, or a side effect created by earlier frames.
- Whether the remaining emulator/bench mismatch is an SCI timing bug or a missing ROM/peripheral behavior. The emulator now has an optional 8E1 TX wire-timing mode; with it enabled, repeated
80no longer immediately reachesCONNECT: OK, which is closer to bench behavior but still needs calibration. - How EEPROM option bits change selector behavior.
- Whether all old visible
07...families can be reproduced under8E1.
Next Best Refinements
- Finish the CONNECT matrix runs:
- rerun
holdwith 700 ms gaps to measure how long OK remains without refresh traffic.
- rerun
- Run the reactive advance sweep from OK and compare:
- ACK-only
05 00 40 00 00 1F - refresh/consume
04 00 00 80 00 DE - command-5 special selectors
0x006C/0x006D/0x006E
- ACK-only
- Test whether periodic report ACKs plus periodic
80refreshes hold CONNECT OK. - Sweep emulator RX phase/gap with
--tx-wire-timingand compare whereBD0Eis reached or missed. - Dump selector table state before and after CONNECT OK.
- Seed selectors
0x003,0x040, and0x0F6after selector-zero OK and watch lamps/readouts. - Mine selector dispatch handlers for known UI text terms:
IRIS,GAIN,SHUTTER,BARS,BLACK,CALL,AUTO,DIAG. - Run the active-control watch scenarios and map any unexpected frames back to physical controls.
Source Files And Reports
Generated evidence:
build/rom_decompiled.asmbuild/rom_rx_branch_trace.txtbuild/rom_ccu_seed_hints.txtbuild/rom_eeprom_layout.txtbuild/rom_table_xrefs.txtbuild/connect-state-search-ok.json
Useful tools:
h8536_protocol_trace.pyh8536_protocol_capture.pyh8536_rx_branch_trace.pyh8536_ccu_seed_hints.pyh8536_emulator_rx_probe.pyh8536_emulator_state_search.pyscripts/bench_connect_lcd_sequence.pyscripts/connect_ok_matrix.pyscripts/connect_ok_advance_sweep.pyscripts/serial_table_dump.pyscripts/serial_scenario.py