
E-mount electronic protocol reverse engineering

Entropy512 - Posted: 26 May 2017 at 22:27
Grumble, I haven't found a good way to do multi-quoting...

Originally posted by Leegong:

I'm analyzing firmware of Sony LAEA, which is helpful
for hacking E-mount protocol, any info of A-mount is welcome!


Oh nice - did you do it by analyzing the recent update, or by performing a readback of the firmware inside the unit? If a readback - what microcontroller are they using? What architecture?

Your frame_tail struct was exactly what I've seen in my data - looks good.

A bit more info (will post a parsing script to github once I finish moving apartments and get my desktop set up again...) - Within each frame payload, there are multiple commands/responses packed into a frame. Each command/response starts with a command/response ID, and the content of each command/response is a fixed length. All of my previous analysis assumed that the low byte of the frame length field was a command ID, which was wrong.

To the other poster - we're a LONG way away from a DIY adapter. In addition to the electrical/protocol challenges, even a "simple" (from a mechanical point of view, at least relative to other mounts) mechanical adapter WITH proper electronic contacts is difficult. It requires either sourcing pogo pins of custom lengths, or figuring out a way to build your own pogo pins and a way to properly mount them. I'm hoping that maybe this summer I'll at least have enough time to make a microcontroller talk to a body and get recognized as a lens. I was hoping that the Neewer NW-S-AF4 adapter would make a good "development platform" adapter, but they screwed it up by wiring USB D+ and D- to SWDIO and GND of the microcontroller - so the USB port of that adapter will never work for its advertised purpose. You can't even just run SWD into the USB port since you need access to SWCLK. At some point I may try and drill a hole in the adapter body and wire out SWDIO and SWCLK - if I can ever reassemble the adapter (I likely lost parts of it during moving...)
 



rev0 - Posted: 26 May 2017 at 22:30
I wasn't thinking of making one mechanically DIY, but taking a cheap electronic lens adapter like the Fotga I have and hacking in our own microcontroller with upgradeable firmware and maybe even other features like rack focus down the line. I would certainly be open to modifying one from the hardware side (I'm less strong on embedded software but I do have some experience).

Entropy512 - Posted: 26 May 2017 at 22:53
Originally posted by rev0:

I wasn't thinking of making one mechanically DIY, but taking a cheap electronic lens adapter like the Fotga I have and hacking in our own microcontroller with upgradeable firmware and maybe even other features like rack focus down the line. I would certainly be open to modifying one from the hardware side (I'm less strong on embedded software but I do have some experience).

The FOTGA is cheap and fairly easy to wire up the ATMega's ISP pins.

On the other hand an ATMega is not where I want to start for purposes like this - I'd prefer a processor with more headroom. The FOTGA's EF-mount pogo pins are utter crap and prone to jamming/misalignment too.

The Neewer NW-S-AF4 would've been perfect for this, as it has the most powerful CPU I've seen in any adapter I've opened up. (Note: I have NOT opened up the EA3, MC-11, or Metabones IV) Too bad they botched the USB port wiring. :(

Leegong - Posted: 27 May 2017 at 12:16
@Entropy512
MCU inside LAEA is Toshiba TMP19A44, MIPS architecture.
I'm quite familiar with TMP19A44 from when I analyzed Nikon D5100 at Nikon Hacker
https://nikonhacker.com/index.php

Edited by Leegong - 27 May 2017 at 12:19

Leegong - Posted: 27 May 2017 at 15:06
The first byte of a Command/Response is the Command/Response ID:
B2L_0x1C stops AF moving at once.
B2L_0x1D commands the lens to move focus to a specific position.
B2L means body sends to lens.

Edited by Leegong - 27 May 2017 at 15:11

Leegong - Posted: 27 May 2017 at 15:54
Here is the size of each B2L command and L2B response;
the second byte in struc_9 is the size of B2L, the third byte is the size of L2B:

struc_9 <   0,     0,     0,    0,    0, 30h,    0>; 0       
                        ; DATA XREF: send_L2B_response+F7r   
                        ; send_L2B_0x2+12Br                  
                        ; send_L2B_response+CEr              
                        ; send_L2B_response+DAr              
                        ; send_L2B_0x2+56r ...              
struc_9 <   0,    33,    33,    2,    0,    1,    1>; 1       
struc_9 <   3,     0,     8,    1,    0,    1,    3>; 2       
struc_9 <   0,    21,     0,    0,    1, 30h,    3>; 3       
struc_9 <   0,    14,     0,    0,    2, 30h,    3>; 4       
struc_9 <   1,     0,     0,    1,    1, 30h,    3>; 5       
struc_9 <   1,     0,     0,    1,    2, 30h,    3>; 6       
struc_9 <   0,     2,    35,    2,    0,    1,    1>; 7       
struc_9 <   0,     9,   202,    2,    0,    1,    1>; 8       
struc_9 <   0,     5,    12,    2,    0,    1,    1>; 9       
struc_9 <   0,    17,    17,    2,    0,    1,    1>; 0Ah     
struc_9 <   0,     3,     3,    2,    0,    1,    1>; 0Bh     
struc_9 <   0,     2,     2,    2,    0,    1,    1>; 0Ch     
struc_9 <   0,     2,     2,    2,    0,    1,    1>; 0Dh     
struc_9 <   0,     2,     2,    2,    0,    1,    1>; 0Eh     
struc_9 <   0,     2,     2,    2,    0,    1,    1>; 0Fh     
struc_9 <   0,     2,     2,    2,    0,    1,    1>; 10h     
struc_9 <   0,     5,     5,    2,    0,    1,    1>; 11h     
struc_9 <   0,   259,   259,    2,    0,    1,    1>; 12h     
struc_9 <   0,     2,    33,    2,    1,    1,    2>; 13h     
struc_9 <   0,    16,     2,    2,    0,    1,    1>; 14h     
struc_9 <   0, 1032,     2,    2,    0,    1,    1>; 15h     
struc_9 <   0,     2,     2,    2,    0,    1,    1>; 16h     
struc_9 <   3,     0,     3,    1,    0,    1,    3>; 17h     
struc_9 <   1,    11,     9,    1,    1,    3,    2>; 18h     
struc_9 <   0,     2,     2,    2,    0,    3,    1>; 19h     
struc_9 <   0,     3,     0,    0,    1,    3,    3>; 1Ah     
struc_9 <   0,     6,    11,    2,    0,    3,    1>; 1Bh     
struc_9 <   0,     1,     2,    2,    2,    2,    1>; 1Ch     
struc_9 <   0,     5,     2,    2,    2,    2,    1>; 1Dh     
struc_9 <   0,     4,     2,    2,    2,    2,    1>; 1Eh     
struc_9 <   0,    14,     2,    2,    2,    2,    1>; 1Fh     
struc_9 <   0,     2,     0,    0,    2,    2,    3>; 20h     
struc_9 <   0,     3,     2,    2,    2,    2,    1>; 21h     
struc_9 <   0,     3,     3,    2,    2,    2,    1>; 22h     
struc_9 <   1,    15,     2,    1,    2,    2,    2>; 23h     
struc_9 <   1,    17,     8,    1,    1,    5,    2>; 24h     
struc_9 <   0,     2,    17,    2,    1,    5,    2>; 25h     
struc_9 <   0,     2,     5,    2,    0,    5,    2>; 26h     
struc_9 <   1,     6,     6,    1,    2,    2,    1>; 27h     
struc_9 <   0,     2,    36,    2,    0,    3,    1>; 28h     
struc_9 <   0,     1,     0,    0,    2,    2,    3>; 29h     
struc_9 <   0,     1,     0,    0,    2,    2,    3>; 2Ah     
struc_9 <   0,     0,     0,    0,    0, 30h,    0>; 2Bh     
struc_9 <   0,     1,    65,    2,    0,    1,    1>; 2Ch     
struc_9 <   0,     1,     2,    2,    2,    2,    1>; 2Dh     
struc_9 <   0,     3,     3,    2,    2,    2,    1>; 2Eh     
struc_9 <   0,     3,     0,    0,    1,    1,    3>; 2Fh     
struc_9 <   0,     0,     0,    0,    0, 30h,    0>; 30h     
struc_9 <   0,     0,     0,    0,    0, 30h,    0>; 31h     
struc_9 <   0,     0,     0,    0,    0, 30h,    0>; 32h     
struc_9 <   0,     0,     0,    0,    0, 30h,    0>; 33h     
struc_9 <   0,    24,    24,    2,    0,    2,    1>; 34h     
 



Entropy512 - Posted: 28 May 2017 at 14:19
Oh, that'll be VERY useful for confirming my observations and filling in my parser ahead of when I see a particular message.

Leegong - Posted: 29 May 2017 at 02:28
@Entropy512,
I have decoded the debug interface inside the Sony 55-210 lens firmware,
did you try sending debug commands to the lens?

leegong

Entropy512 - Posted: 29 May 2017 at 14:10
Originally posted by Leegong:

@Entropy512,
I have decoded the debug interface inside the Sony 55-210 lens firmware,
did you try sending debug commands to the lens?

leegong

So far I've only monitored communications between existing bodies/lenses - I haven't gotten to emulating a body or lens yet. Hopefully I'll be getting there this summer. Your information brings me a lot closer to the point where I have to start faking bodies/lenses. :)

Leegong - Posted: 30 May 2017 at 06:27
@Entropy512,
There is a UART inside the Sony 55-210 for debug commands only,
if it is active and you connect correctly, you'll be able
to read AD conversion, GPIO, RAM and get the most important
sys log info.

Entropy512 - Posted: 06 June 2017 at 02:28
Originally posted by Leegong:

@Entropy512,
There is a UART inside the Sony 55-210 for debug commands only,
if it is active and you connect correctly, you'll be able
to read AD conversion, GPIO, RAM and get the most important
sys log info.

Interesting - I haven't opened up my 55-210 - I assume that it's a separate UART from the one used to communicate with the body?

I posted some of my current capture/decoding/parsing scripts at https://github.com/Entropy512/emount_tools - be warned that my plotter/parser is in desperate need of a refactoring. I won't have much time the rest of this week to do any further work - but I plan on rewriting the message length handlers to use your data next week.

I also plan on reviewing your PM regarding the detailed meaning of L2B 0x05 and 0x06 - you'll see that I have motor position and aperture but there's a LOT more I don't know. I also found a field that appears to be used for focus distance calculation - the field is roughly 100*sqrt(focal_length_in_mm) when the lens is at infinity - I suspect it's the distance an "ideal" lens would be from the sensor for calculating subject distance.

As far as body2lens command IDs:
I can confirm your findings regarding 0x1C and 0x1D

0x22 appears to also contain position information - I need to go back through my data to find more examples of this and which lenses it appears to be sent to

0x1F appears to command the beginning of a native hybrid AF hunt sequence. I'm fairly certain you'll never see this sent to an EA3 - It's 14 bytes long so I haven't yet figured out the details of it. When a 0x1F is sent, the lens will "jump" in one direction as fast as possible, then reverse and begin moving at reduced speed. When PDAF is in use, the "jump" will always be away from the subject (I am assuming this is to ensure that the CDAF refinement always crosses the focus point when the cycle is starting "close to subject")

0x3C commands the lens to move in a given direction at a given speed. I have seen it sent to the SEL55210 - strangely, it is NEVER sent to a Sigma MC-11 or a Metabones IV in Advanced mode. Both of these adapters drive the lens at full speed. (Or, if not full speed - a fixed constant speed)

Aperture values are sent as stops/256 - with 16 stops being f/1.0

In some situations I've seen the lens close down the aperture slightly narrower than commanded - I have no idea why

Entropy512 - Posted: 06 June 2017 at 02:47
OK, let's see if setting the font to "courier new" will make some data easier to read.

Here's what is sent to a Metabones IV running firmware 0.55 in Advanced mode when a shot is taken - it appears to temporarily pause the 60 Hz command/response loop and then resume it, plus some other stuff:

3.326079, Plen: 0019, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 7, csum: 0025, data: "0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
3.327073, Plen: 0019, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0025, data: "0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
3.327461, Plen: 000B, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 5, csum: 0048, data: "0B 30 00 "
3.327793, Plen: 000B, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0048, data: "0B 30 00 "
3.331996, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 6, csum: 0034, data: "28 00 "
3.332340, Plen: 002C, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0517, data: "28 00 07 80 FF F4 01 F4 01 01 00 00 00 00 00 00 00 00 26 00 00 00 00 00 16 00 0E 00 A0 00 00 16 50 00 00 00 "
3.335067, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 6, csum: 0028, data: "19 03 "
3.335403, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0025, data: "19 00 "
3.453842, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 6, csum: 0025, data: "19 00 "
3.454181, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0025, data: "19 00 "
3.454475, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 6, csum: 0034, data: "28 00 "
3.454808, Plen: 002C, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0517, data: "28 00 07 80 FF F4 01 F4 01 01 00 00 00 00 00 00 00 00 26 00 00 00 00 00 16 00 0E 00 A0 00 00 16 50 00 00 00 "
3.526270, Plen: 000B, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 5, csum: 0078, data: "0B 60 00 "
3.526608, Plen: 000B, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0078, data: "0B 60 00 "
3.526914, Plen: 0019, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 7, csum: 01E2, data: "0A FF 7F 00 00 00 00 00 00 3F 00 00 00 00 00 00 00 "
3.527269, Plen: 0019, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 01E2, data: "0A FF 7F 00 00 00 00 00 00 3F 00 00 00 00 00 00 00 "

0x0A seems to be heavily tied to turning the loop off/on - when a lens is initialized, 0x0A is the last command sent before the loop starts, and it looks identical to when it is sent to resume the loop after the shutter trips

BTW - I noticed in the comments on someone else's blog post that you had been doing some work with the MC-11 firmware? Did you unpack one of Sigma's updates or did you read back the firmware from an actual adapter?

Similarly - with the EA3 - have you only looked at the recent update Sony issued to improve AF-C during bursts (Intended for the A9 but supposedly helps the A6300/A6500 too), or were you able to read back the previous firmware from an adapter?
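
Added example (not part of any post in this thread and not code from emount_tools): splitting a frame payload into fixed-length messages using the B2L/L2B sizes from the struc_9 listing, checked against lines from the capture above. It assumes that rxtx 1 marks body-to-lens frames and that the 8-byte gap between Plen and payload length seen in these lines holds for other frames; SIZES, OVERHEAD, parse_line, split_payload and decode are names made up for the example.

```python
import re

# (B2L size, L2B size) per ID: the 2nd and 3rd struc_9 fields from the listing
# earlier in the thread. Only IDs that the thread discusses are copied here.
SIZES = {0x0A: (17, 17), 0x0B: (3, 3), 0x0C: (2, 2), 0x19: (2, 2),
         0x1C: (1, 2), 0x1D: (5, 2), 0x28: (2, 36)}
OVERHEAD = 8  # Plen minus payload length in every line of the capture above
LINE_RE = re.compile(
    r'Plen: ([0-9A-Fa-f]{4}),.*?rxtx: (\d),.*?data: "([0-9A-Fa-f ]*)"')

# Three lines copied unchanged from the capture in the post above.
CAPTURE = [
    '3.326079, Plen: 0019, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 7, csum: 0025, data: "0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "',
    '3.331996, Plen: 000A, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 1, extra: 6, csum: 0034, data: "28 00 "',
    '3.332340, Plen: 002C, ftype: 02, snum: 00, speed: 1500000.0, rxtx: 0, extra: 0, csum: 0517, data: "28 00 07 80 FF F4 01 F4 01 01 00 00 00 00 00 00 00 00 26 00 00 00 00 00 16 00 0E 00 A0 00 00 16 50 00 00 00 "',
]


def parse_line(line):
    """Return (plen, rxtx, payload); search() tolerates a decoder-name prefix."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a frame line")
    return int(m.group(1), 16), int(m.group(2)), bytes.fromhex(m.group(3).strip())


def split_payload(payload, body_to_lens):
    """Split a payload into (id, content) messages using the fixed sizes."""
    out, pos = [], 0
    while pos < len(payload):
        msg_id = payload[pos]
        if msg_id not in SIZES:
            raise ValueError(f"unknown ID 0x{msg_id:02X} at offset {pos}")
        # The listed size counts the ID byte: 0x0A is 17 and its payload is 17.
        size = SIZES[msg_id][0 if body_to_lens else 1]
        if size == 0 or pos + size > len(payload):
            raise ValueError(f"ID 0x{msg_id:02X}: size {size} does not fit")
        out.append((msg_id, payload[pos + 1:pos + size]))
        pos += size
    return out


def decode(line):
    """Parse one log line, check Plen, and split its payload."""
    plen, rxtx, payload = parse_line(line)
    if plen != len(payload) + OVERHEAD:
        raise ValueError("Plen does not match payload length")
    # Assumption: rxtx 1 is body-to-lens (its 0x28 frame has the B2L size).
    return split_payload(payload, body_to_lens=(rxtx == 1))


if __name__ == "__main__":
    for line in CAPTURE:
        print([(hex(i), c.hex()) for i, c in decode(line)])
```

A frame whose payload length is not an exact sum of listed sizes raises ValueError, which is the signal that either the direction guess or a table entry is wrong for that capture.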

Entropy512 - Posted: 06 June 2017 at 02:58
Small observation: Recent changes to sigrok's output have broken my parser script - now all output is prepended with "sony-emount-1" - Need to figure out the best way to handle this change.

Also, so far, I've never seen any body/lens combination use command 0xC to set the baudrate to anything other than 1500 kilobits/sec - Body sends 0xC 0x02, lens responds 0xC 0x01

I have only seen the Sigma 19 DN stay at 750 kilobits/sec - and in that case, something in the earlier init data causes the body to not even send 0xC.

I have also never seen the payload for command 0xD be set to a value other than 0x00 - The body DOES send 0xD to the Sigma 19

Edited by Entropy512 - 06 June 2017 at 03:03

Leegong - Posted: 06 June 2017 at 15:01
In the Sony 55-210, a Renesas R2J30503 is responsible for IS operation,
is there a datasheet of the R2J30503 or any datasheet of the R2J3 family for downloading?