26 KiB
PT2 Protocol Working Notes
This document is the current working model for the serial protocol spoken by the Sony RCP-TX7 panel ROM.
A later RCP manual mentions a "PT2 compatibility mode" for controlling the same CCU family this panel was made for. We are using "PT2" here as a practical label for this six-byte SCI1 protocol model. It is not yet a claim that every field name matches Sony's official PT2 terminology.
Current High-Confidence Facts
- The real bench link is
38400 8E1, not38400 8N1. - The ROM uses H8/536 SCI1 through the MAX202 RS232 transceiver.
- Frames are six bytes long.
- The checksum is
0x5A XOR byte0 XOR byte1 XOR byte2 XOR byte3 XOR byte4. - The ROM validates the checksum before normal command dispatch.
- The first byte is decoded as
command = byte0 & 0x07. - Bytes 1 and 2 encode a logical selector.
- Bytes 3 and 4 are a 16-bit value for write-style commands.
- The protocol is stateful. Some commands only work while a continuation/session latch is live.
CONNECT:NOT ACTis recoverable without a power cycle.CONNECT: OKcan be reached on real hardware after using the correct8E1serial format.
Hardware Path
SCI1 is the external serial path:
- H8/536 pin 66,
P95/TXD, goes to MAX202 pin 11. - MAX202 pin 12 goes to H8/536 pin 67,
P96/RXD. - The ROM initializes SCI1 as async 8-bit, even parity, 1 stop.
ROM evidence:
build/rom_decompiled.asm:437:SCI1_SMR = H'24.build/rom_decompiled.asm:438:SCI1_SCR = H'3C.build/rom_decompiled.asm:439:SCI1_BRR = H'07.
Bench implication:
- Use
38400 8E1for all real-device captures and probes. - Old
38400 8N1captures mostly exercised parity/error handling and retry echoes. Do not assign normal protocol meaning to old8N107...frames until they are reproduced under8E1.
Frame Format
Working host/RCP frame layout:
byte0 command byte; ROM uses byte0 & 0x07
byte1 selector page/high bits; byte1.7 is rejected by normal handlers
byte2 selector low byte
byte3 value high byte
byte4 value low byte
byte5 checksum = 0x5A XOR byte0..byte4
Examples:
00 00 00 80 80 5A ; command 0, selector 0x000, value 0x8080
01 00 00 00 00 5B ; command 1, read selector 0x000
04 00 00 80 00 DE ; command 4 shape, selector 0x000, value high 0x80
07 00 00 00 00 5D ; command 7, repeat previous finalized TX frame
Selector Decode
The ROM builds a raw selector from bytes 1 and 2, then maps it through loc_622B.
Known decode:
| byte1 page | byte2 range | selector |
|---|---|---|
| page 0, or pages 4-7 | 00-7F |
0x000 + byte2 |
| page 1 | 00-FF |
0x080 + byte2 |
| page 2 | 00-7F |
0x180 + byte2 |
| page 3 | any | 0x1FF fallback |
| invalid range | any | 0x1FF fallback |
Important caveats:
byte1.7is rejected before normal command handling.- Frames like
01 80 40 ...may look like a selector encoding, but the normal command path rejectsbyte1.7. - Pages 4-7 appear to alias the page-0 path when the low byte is in range.
Checksum
Checksum formula:
checksum = 0x5A
for b in frame[:5]:
checksum ^= b
The ROM path:
- RXI captures bytes into
F868-F86D. - Main-loop processing copies them to
F860-F865. - Physical error latch
FAA4.7is checked before checksum dispatch. - Checksum mismatch enters the retry/error path.
- Valid checksum clears retry counter
FAA6, decodes selector, and dispatches onbyte0 & 0x07.
Key ROM areas:
- RXI/ERI capture:
BB57,BB67. - Validation and checksum:
BBAB-BBF0. - Selector decode call:
BC01 -> 622B. - Command dispatch:
BC08-BC67.
Command Model
The biggest protocol lesson is that the command set has two modes:
- Initial dispatcher: active while
FAA2 == 0. - Continuation dispatcher: active while
FAA2 != 0.
That means command numbers are not globally meaningful. Command 4, 5, and 6 are continuation-path commands, not normal idle commands.
| Command | Path | Current meaning | Response |
|---|---|---|---|
0x00 |
initial | Set primary/current value, queue selector processing | Immediate 0x04 echo-style response |
0x01 |
initial | Read primary value table | Immediate 0x04 readback response |
0x02 |
initial | Quiet clear/no-op style command | No immediate response seen in ROM |
0x04 |
continuation | Set/update value without immediate response | Usually no immediate response |
0x05 |
continuation | ACK/session-clear/pending handling | Usually no immediate response |
0x06 |
continuation | Set secondary value table | Usually no immediate response |
0x07 |
both | Retransmit previous finalized TX frame | Repeats last TX frame |
Command Details
Command 0: Initial Set Value
Path: BC69.
Conditions:
- Valid checksum.
FAA2 == 0.byte1.7 == 0.
Effects:
- Writes value into
E000 + 2*selector. - Writes value into
E800 + 2*selector. - Sets dirty flag bit 7 in
EC00 + selector. - Calls
BE70, which appends the selector into theF970selector-processing queue. - Sends an immediate
0x04response throughBA26.
Selector-zero special case:
- For selector
0x000, the low byte is forced to0x80. - This makes selector-zero writes look like
xx80, not arbitraryxxLL.
Important candidate:
00 00 00 80 80 5A ; selector 0 = 0x8080, strongest CONNECT OK seed
Command 1: Read Value
Path: BCD7.
Effects:
- Reads
E000 + 2*selector. - Stages a
0x04response. - Clears
FAA2.7.
Useful readback examples:
01 00 00 00 00 5B ; read selector 0x000
01 00 40 00 00 1B ; read selector 0x040
01 01 76 00 00 2C ; read selector 0x0F6
Bench implication:
- Command 1 verifies table state.
- It is not an ACK and does not enter continuation handling.
- Command 7 after command 1 can repeat the last finalized readback.
Command 2: Initial Clear/No-Op Candidate
Path: BD04.
Effects:
- Clears
FAA2.7. - Returns without staging an obvious response.
Meaning is still unclear. Treat it as a quiet/session-control candidate, not as a data write.
Command 4: Continuation Set Value
Path: BD0E.
Conditions:
- Valid checksum.
FAA2 != 0.- Command bit 2 set.
byte1.7 == 0.
Effects:
- Writes value into
E000 + 2*selector. - Selector zero also updates
E800. - Nonzero selectors set dirty flag bit 7 in
EC00 + selector. - Can mirror/persist mapped nonzero selectors through the
F400/EEPROM path whenF76E.7allows it. - If
FAA2.3was set by a queued report, command 4 can advanceF9B5to consume that report. - Clears
FAA3andFAA2before exit.
Known CONNECT test frames:
04 00 00 40 00 1E
04 00 00 80 00 DE
04 00 00 C0 00 9E
ROM caveat:
- A standalone command 4 from a truly idle
FAA2 == 0state should not reachBD0E. - Bench evidence now proves the panel can still recover from
CONNECT:NOT ACTwithout power cycling, so visibleNOT ACTis not equivalent to "all serial continuation state is impossible".
Command 5: Continuation ACK/Clear Candidate
Path: BD80.
Conditions:
- Continuation path only.
Effects:
- Usually no immediate response.
- Selectors
0x006C,0x006D, and0x006EcallBE70. - If
F731.7is set, selectors0x006B,0x0096,0x0097,0x00C6, and0x00F8clearF731.7/F790.7. - If
FAA2.3was set by a queued report, command 5 can advanceF9B5. - Clears
FAA3andFAA2before exit.
Bench implication:
- Command 5 is not a generic always-live ACK.
- It only has ACK-like meaning when the continuation latch is live.
Command 6: Continuation Secondary Set
Path: BDDB.
Effects:
- Writes value into
E400 + 2*selector. - Sets dirty flag bit 6 in
EC00 + selector. - Can advance queued-report state when
FAA2.3is live. - Clears
FAA3andFAA2.
Command 7: Repeat Previous TX
Path: BE05.
Effects:
- Copies the previous finalized TX frame back into staging.
- Sends it again through
BA26. - Works from initial and continuation paths.
Bench implication:
- Command 7 is useful as a "what did you last finalize?" probe.
- It does not prove a hidden continuation token by itself.
RCP Transmit Frames
The TX side uses the same six-byte checksum model.
TX staging:
F850-F854: staging bytes.F858-F85C: finalized bytes.F85D: computed checksum.BA26: finalizes and starts SCI1 TX.- TXI sends bytes 1-5 after the first TDR write.
Known RCP-origin frames:
| Frame | Confidence | Current meaning |
|---|---|---|
00 00 00 00 80 DA |
high | idle heartbeat / selector-zero report |
00 00 07 80 00 DD |
medium-high | observed CAM POWER button/report candidate |
00 00 15 80 00 CF |
medium-high | observed CALL on/report candidate |
00 00 15 00 00 4F |
medium-high | observed CALL off/report candidate |
02 00 02 00 00 5A |
medium | emulator CONNECT OK path response candidate |
Heartbeat:
- Idle frame:
00 00 00 00 80 DA. - Observed cadence: about 700 ms.
- ROM path:
loc_4067enqueues selector 0,loc_BAF2/BB08dequeues it,BB1C/BB20/BB2Bstages TX bytes,BA26emits the frame. - FRT2 timing model:
TCR=H'02,OCRA=H'7A12, modeled as a 100 ms tick at 10 MHz;F9C4=0x07gives about 700 ms post-send heartbeat delay.
Retry/Error 07 Frames
07... frames are easy to misread.
The ROM can generate a 0x07 retry/error echo when:
- A physical RX error occurs, or
- A checksum mismatch occurs, and
FAA5.7is set, and- Retry count
FAA6is below two.
Path:
BE29retry gate.BE4DstagesF850=0x07.F851-F854copy hostRX[1:4].BA26sends it.
Bench implication:
- A visible
07...frame is not automatically a normal status report or ACK. - Old
8N1captures produced many misleading07...frames because parity errors exercised this path.
Table Model
The ROM behaves like a selector-indexed state machine. The CCU likely seeds values, and the RCP updates LCD/lamp/control behavior from those values.
| Table | Range | Role |
|---|---|---|
| Primary value table | E000-E3FF |
Command 0/4 writes, command 1 reads |
| Secondary value table | E400-E7FF |
Command 6 writes |
| Current/report table | E800-EBFF |
Used when RCP builds outbound report frames |
| Dirty/flag table | EC00-EFFF |
Per-selector flags, bit7 for primary writes, bit6 for secondary writes |
| EEPROM/shadow | F400-F4FF |
Optional mapped persistence/config surface |
Important details:
- Selector zero is special in command 0 and command 4.
- Command 0 writes both
E000andE800. - Command 4 writes
E800only for selector zero in the current ROM evidence. BAF2readsE800 + 2*selectorwhen building autonomous RCP reports.BE70/F970is a selector-processing queue.3E54/F870is a separate serial-visible report queue.
Do not mix up:
F970: "process this selector internally".F870: "send this selector/report over serial".
State And Queues
Important RAM/state bytes:
| Address | Working name | Meaning |
|---|---|---|
FAA2.7 |
RX command in progress | Set on initial parse, cleared on exits |
FAA2.3 |
queued report continuation needed | Set after autonomous report send |
FAA3.7 |
pending resend mask | Set after queued report send |
FAA4.7 |
RX physical error latch | Set by SCI1 ERI |
FAA5.7 |
RX session gate | Set while F9C5 is alive after complete RX |
FAA6 |
retry counter | Limits retry/error echoes |
F9C1 |
inter-byte timeout | Reloaded on RXI |
F9C3 |
RX byte count | Counts up to six |
F9C4 |
heartbeat/report cadence gate | Controls idle heartbeat enqueue |
F9C5 |
RX/session timeout | Loaded with 0x14 after full RX frame |
F9B0/F9B5 |
serial report queue cursors | Drive F870/BAF2 |
F9B4/F9B9 |
selector-processing queue cursors | Drive F970/2806 |
Session expiry:
- A complete six-byte RX frame loads
F9C5=0x14. - FRT2 decrements
F9C5. - When
F9C5reaches zero,loc_3FEFcan clear queues/session state. - If
FAA5.7was set, expiry callsloc_400C. loc_400Cclears connection/session RAM and refreshes inactive display state.
This explains why random traffic tends to settle back to CONNECT:NOT ACT.
CONNECT State
CONNECT strings are built through the LCD driver, not received as literal serial text.
Known LCD path:
FAF0-FAFF line buffer -> 3ECC -> 3F28 -> 3F40 -> F200/F201 LCD ports
ROM/emulator findings:
- Boot/no-active-session display can show
CONNECT:NOT ACT. - Direct emulator entry at
loc_2CB9withE000[0]=0x8080andF730=0reachesCONNECT: OK. - Queued selector-zero path reaches OK when:
F970[0]=0F9B9=0F9B4=1E000[0]=0x8080F730=0
- Selector zero dispatches through the
28A6jump table into the CONNECT handler window.
Bench findings:
- Correct
8E1serial format made the CONNECT path work on real hardware. - Real hardware can recover from
CONNECT:NOT ACTtoCONNECT: OKwithout a power cycle. - Successful active-looking state included:
CONNECT: OK- CAM POWER lamp illuminated
- numeric readouts illuminated as
----
- Matrix tests show that cadence matters:
40 -> 80 -> C0with 10 ms, 50 ms, or 150 ms inter-frame gaps stayed atCONNECT:NOT ACTafter a fresh power-cycle test.- The same order with 700 ms and 1.5 s inter-frame gaps produced
CONNECT: OKbefore falling back toCONNECT:NOT ACT. - At 700 ms gaps, no single frame worked by itself.
- At 700 ms gaps, every tested two-frame pair worked:
40 -> 80,80 -> C0, and40 -> C0. - A repeated identical pair also worked:
80 -> 80at about 700 ms produced eight02 00 02 00 00 5AOK-path responses, then heartbeat traffic resumed. - The no-power-cycle recovery test from an already visible
CONNECT:NOT ACTstate produced repeated02 00 02 00 00 5AOK-path responses, then returned to heartbeat traffic.
Current interpretation:
CONNECT:NOT ACTis a normal no-active-session/cleared-state display, not a terminal latch.CONNECT: OKis table/state driven, probably selector-zero active/connect state.0x8080at selector zero is the strongest known active/connect value.- The panel likely expects the CCU to consume/ACK report-queue frames and keep seeding or refreshing state after entering OK.
- The working fake-CCU sequence is probably not "three frames as fast as possible"; it appears to need CCU-like cadence or a live session window, roughly on the heartbeat/report timescale.
- A single selector-zero continuation-shaped frame is insufficient in the current tests; two selector-zero writes at the working cadence are enough. They do not need to carry different values, because
80 -> 80also worked.
ROM report-source update:
- The active
02/01 ...frames seen during CONNECT OK attempts are best modeled asF870 -> BAF2 -> BA26report-queue transmissions. BAF2dequeues a report word, encodes the first three TX bytes, reads the payload fromE800 + 2*selector, andBA26appends the0x5AXOR checksum.- After sending a queued report, the ROM sets
FAA2.3andFAA3.7; command4,5, or6can then consume/advance the report only while that continuation latch is live. - This makes a reactive fake-CCU test more valuable than another blind fixed-delay matrix: recover to OK, wait for the first active report, then send one candidate continuation/ACK frame.
Candidate CCU Seed Values
These are syntactically valid host frames produced from ROM table mining. Use them as candidate fake-CCU state seeds, not as final protocol truth.
| Selector | Candidate value | Frame | Why it matters |
|---|---|---|---|
0x000 |
0x8080 |
00 00 00 80 80 5A |
strongest CONNECT OK seed |
0x003 |
0x8000 |
00 00 03 80 00 D9 |
ROM default enabled bit candidate |
0x040 |
0xFFFF |
00 00 40 FF FF 1A |
ROM default all-ones/status block candidate |
0x040 |
0x4030 |
00 00 40 40 30 6A |
bench-touched 0x40 family value |
0x0F6 |
0x2000 |
00 01 76 20 00 0D |
loc_48FA tests E1EC.13 and can enqueue report 0x00F6 |
Readbacks:
01 00 00 00 00 5B ; selector 0x000
01 00 03 00 00 58 ; selector 0x003
01 00 40 00 00 1B ; selector 0x040
01 01 76 00 00 2C ; selector 0x0F6
Observed Button/Panel Reports
Before the protocol format was corrected, the RCP appeared to emit only a few report families by itself:
00 00 00 00 80 DA ; heartbeat
00 00 07 80 00 DD ; CAM POWER candidate
00 00 15 80 00 CF ; CALL on candidate
00 00 15 00 00 4F ; CALL off candidate
Current interpretation:
- The RCP can report some panel events.
- Many other controls probably need CCU-provided state before they become reportable or meaningful.
- The CCU likely streams display/lamp/readout state to the RCP, while the RCP reports operator changes back.
EEPROM And Board Config
The P9 bus is not the external PT2 serial link. It is a bit-banged EEPROM/config path:
- H8 pin 62,
P91, reaches X24164 pin 6SCL. - H8 pin 68,
P97, reaches shared X24164 pin 5SDA.
ROM findings:
loc_40BBchecksP7DR.7andF402 == H'6B6Fbefore deciding whether to default EEPROM/shadow tables.loc_4103writes ROM default words throughBFE0.loc_41D2reads sixteen 8-byte records intoF7B0-F82F.- Command 4 can persist mapped serial table writes when
F76E.7is set.
Current interpretation:
- EEPROM stores panel/config/default state.
- It can affect startup and option behavior.
- After the
8E1discovery, EEPROM is less likely to be the fundamental reason CONNECT failed, but it can still influence which selectors/features are active.
Known Useful Bench Commands
Minimal CONNECT sequence runner:
.\.venv\Scripts\python.exe scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --parity E --prompt-screen
Recover from CONNECT:NOT ACT without power cycling:
.\.venv\Scripts\python.exe scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --no-power-cycle --parity E --prompt-before-send --prompt-screen --post-sequence-read 10 --log captures\connect-notact-to-ok.txt
Run the reproducibility/minimization matrix:
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite minimal --parity E --prompt-observation --result-json captures\connect-ok-minimal-result.json
Test timing/cadence:
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite gap --parity E --prompt-observation --result-json captures\connect-ok-gap-result.json
Test whether OK is held:
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite hold --parity E --prompt-observation --result-json captures\connect-ok-hold-result.json
Sweep strong continuation/ACK candidates after recovering to CONNECT: OK:
.\.venv\Scripts\python.exe scripts\connect_ok_advance_sweep.py --suite core --parity E --prompt-observation --result-json captures\connect-ok-advance-core-result.json
Candidate suites:
core:05 00 40 00 00 1Fpure command-5 report-consume candidate, then04 00 00 80 00 DEselector-zero refresh/consume candidate.special: command-50x006C/0x006D/0x006E, which call the ROM'sBE70queue helper.latch: command-50x006B/0x0096/0x0097/0x00C6/0x00F8, which can clear theF731/F790latch bits when that path is live.all: all of the above.
Current matrix result summary:
minimal suite at 150 ms gaps: all cases stayed CONNECT NOT ACT
gap suite at 10/50/150 ms: stayed CONNECT NOT ACT
gap suite at 700 ms and 1.5 s: CONNECT OK, then CONNECT NOT ACT
minimal suite at 700 ms gaps: singles stayed CONNECT NOT ACT; all pairs reached CONNECT OK then CONNECT NOT ACT
repeated 80 -> 80 at about 700 ms: CONNECT OK responses, then CONNECT NOT ACT
hold suite at 150 ms gaps: stayed CONNECT NOT ACT
no-power-cycle NOT ACT recovery: CONNECT OK responses observed, then heartbeat resumes
Advance sweep result summary:
core suite: no new LCD behavior
all suite, ack-006C (05 00 6C 00 00 33): CONNECT OK, then LCD blank while CAM POWER lamp stayed on
all suite, ack-006D (05 00 6D 00 00 32): CONNECT OK, then COPY IN PROGRESS, then CONNECT NOT ACT
all suite, ack-006E/latch candidates: mostly OK then NOT ACT
fresh isolated ack-006D run: COPY path reproduced after a relay power-cycle
The 0x006D copy path is now confirmed outside the earlier all-suite ordering caveat: captures/connect-ok-advance-special-20260526-153339.txt power-cycled the panel, waited for heartbeats, sent the two-frame 0x8080 CONNECT baseline, then sent only 05 00 6D 00 00 32; the LCD again entered the copy path. The ROM strongly supports that these are real selector side effects:
- Command 5 compares
R5against0x006C,0x006D, and0x006E; those selectors callBE70to append the selector to theF970processing queue. - Selector
0x006Cdispatches toH'2FAF. Forced decoding shows it manipulatesF76E,F795,F797,F799, can set display selectorF732=H'1904, setsFB02=H'14, and calls the48FAdisplay/report bridge. - Selector
0x006Ddispatches toH'3015. Forced decoding shows it setsF731.7, loadsF798=H'C8, setsF795.6/F795.7, sets display selectorF732=H'1903, setsFB02=H'64, calls48FA, then setsF76E.6. - The LCD dispatch for these states is now traced:
loc_48FAreads the high byte atF732, soF732=H'1903/H'1904selects display page0x19, not direct page0x03/0x04.493E[0x19] -> H'930A; that page's local table atH'931CincludesH'9F6AforCOPY/IN PROGRESSandH'9FDAforCOPY/COMPLETED. The low byte atF733is the substate selector:0x03is in-progress and0x04is completed. - This makes the likely copy handshake:
0x006Dstarts copy and sets theF795.6/F795.7in-progress flags;0x006Cis the completion/exit sibling only when those flags are live. Sending0x006Calone can therefore blank or clear state instead of displayingCOPY COMPLETED. - Bench step-through confirmed the sequence model:
006Calone producedCONNECT OK -> blank;006Dalone producedCONNECT OK -> COPY IN PROGRESS;006Dfollowed by006Cafter 250 ms produced a briefCOPY IN PROGRESSthenCOPY COMPLETED; the same after 1.0 s and 1.5 s produced a longerCOPY IN PROGRESSthenCOPY COMPLETED; after 2.0 s or 2.5 s it fell toCONNECT:NOT ACTinstead of completing. Repeating006Dbefore006Calso completed successfully in the 2x and 3x repeat tests. This points to an active completion window that can likely be refreshed/restarted by additional in-progress/progress traffic, rather than a stateless command. - The FRT1 timer path decrements
F797andF798; when either reaches zero, it clearsF731.7. This matches the observed transient display modes falling back toCONNECT:NOT ACT. - The string
COPY IN PROGRESSis present in the ROM LCD resources, so the006Dresult is not a generic serial artifact. - Manual interpretation: the RCP-TX7 operating manual describes
COPY IN PROGRESSas the LCD state shown during the multi-cameraCOPY TO SLAVESdata-transfer operation over the RS232C command-link system. During that state, all linked RCP units display the message and their buttons/knobs are locked untilCOPY COMPLETED. Therefore selector0x006Dis best treated as entering a command-link copy/data-transfer state, not as a normal CCU connection ACK.
Read table state:
.\.venv\Scripts\python.exe scripts\serial_table_dump.py --port COM5 --relay-port COM6 --start 0x000 --count 0x200 --parity E --log captures\table-read-8e1.txt
Current Best Model Of Normal CCU/RCP Communication
The protocol looks like a shared selector table with stateful reporting:
- CCU sends initial state seeds into selector tables, especially selector zero and status/display selectors.
- RCP updates LCD, lamps, and numeric readouts from selector dispatch handlers.
- RCP emits heartbeat/report frames from
E800via theF870 -> BAF2report queue. - Host/CCU uses continuation commands to consume/ACK/update live reports while
FAA2/FAA3gates are active. - If the CCU stops talking or session state expires, RCP clears volatile session state and returns to
CONNECT:NOT ACT.
This fits the real panel behavior:
- Idle panel emits heartbeat.
- Correct fake-CCU traffic can wake it to
CONNECT: OK. - Without richer CCU state, readouts illuminate but show placeholders like
----.
What Is Still Unknown
- The official PT2 names for commands and selectors.
- Which selectors drive every lamp and numeric display.
- Whether the CCU sends a periodic refresh stream after CONNECT OK.
- Exact hold time before OK falls back to NOT ACT, if no refresh traffic follows.
- Whether command 4 CONNECT success depends on an existing continuation latch, timing, or a side effect created by earlier frames.
- Whether the remaining emulator/bench mismatch is an SCI timing bug or a missing ROM/peripheral behavior. The emulator now has an optional 8E1 TX wire-timing mode; with it enabled, repeated
80no longer immediately reachesCONNECT: OK, which is closer to bench behavior but still needs calibration. - How EEPROM option bits change selector behavior.
- Whether all old visible
07...families can be reproduced under8E1.
Next Best Refinements
- Finish the CONNECT matrix runs:
- rerun
holdwith 700 ms gaps to measure how long OK remains without refresh traffic.
- rerun
- Run the reactive advance sweep from OK and compare:
- ACK-only
05 00 40 00 00 1F - refresh/consume
04 00 00 80 00 DE - command-5 special selectors
0x006C/0x006D/0x006E
- ACK-only
- Test whether periodic report ACKs plus periodic
80refreshes hold CONNECT OK. - Sweep emulator RX phase/gap with
--tx-wire-timingand compare whereBD0Eis reached or missed. - Dump selector table state before and after CONNECT OK.
- Seed selectors
0x003,0x040, and0x0F6after selector-zero OK and watch lamps/readouts. - Mine selector dispatch handlers for known UI text terms:
IRIS,GAIN,SHUTTER,BARS,BLACK,CALL,AUTO,DIAG. - Build a fake-CCU streamer that repeatedly writes a small selector set and logs which RCP reports appear.
Source Files And Reports
Generated evidence:
build/rom_decompiled.asmbuild/rom_rx_branch_trace.txtbuild/rom_ccu_seed_hints.txtbuild/rom_eeprom_layout.txtbuild/rom_table_xrefs.txtbuild/connect-state-search-ok.json
Useful tools:
h8536_protocol_trace.pyh8536_protocol_capture.pyh8536_rx_branch_trace.pyh8536_ccu_seed_hints.pyh8536_emulator_rx_probe.pyh8536_emulator_state_search.pyscripts/bench_connect_lcd_sequence.pyscripts/connect_ok_matrix.pyscripts/connect_ok_advance_sweep.pyscripts/serial_table_dump.pyscripts/serial_scenario.py