Messages - leegong

#1
Reverse Engineering / Re: DIGIC 8 MPU investigation
February 03, 2023, 08:09:06 AM
LockSw                  // MPU_send_Msg0300(0x5,0x3, 0x0,LockSw,0x0);
CardCover               // MPU_send_Msg0301(0x5,0x3, 0x1,CardCover,0x0);
BatCover                // MPU_send_Msg0302(0x5,0x3, 0x2,BatCover,0x0);
CF2DetectSw             // MPU_send_Msg0304(0x5,0x3, 0x4,CF2DetectSw,0x0);
ELButton                // MPU_send_Msg0312(0x5,0x3, 0x12,ELButton,0x0);
SubDialLockSw           // MPU_send_Msg031B(0x5,0x3, 0x1B,SubDialLockSw,0x0);
Sw1                     // MPU_send_Msg0305(0x5,0x3, 0x5,Sw1,0x0);
Sw2                     // MPU_send_Msg0306(0x5,0x3, 0x6,Sw2,0x0);
AELockButton            // MPU_send_Msg0307(0x5,0x3, 0x7,AELockButton,0x0);
AFStartButton           // MPU_send_Msg0308(0x5,0x3, 0x8,AFStartButton,0x0);
AFFrameSelectButton     // MPU_send_Msg030B(0x5,0x3, 0x8,AFFrameSelectButton,0x0);
MIFSw                   : Off
ShotModeButton          // MPU_send_Msg030A(0x5,0x3, 0xA,ShotModeButton,0x0);
M                       // MPU_send_Msg030C(0x5,0x3, 0xC,M,0x0);
SetButton               // MPU_send_Msg030D(0x5,0x3, 0xD,SetButton,0x0);
MenuButton              // MPU_send_Msg030E(0x5,0x3, 0xE,MenuButton,0x0);
PlayButton              // MPU_send_Msg030F(0x5,0x3, 0xF,PlayButton,0x0);
InfoButton              // MPU_send_Msg0310(0x5,0x3, 0x10,InfoButton,0x0);
EraseButton             // MPU_send_Msg0311(0x5,0x3, 0x11,EraseButton,0x0);
LvMovieStartButton      // MPU_send_Msg0314(0x5,0x3, 0x14,LvMovieStartButton,0x0);
CrossUp                 // MPU_send_Msg0315(0x5,0x3, 0x15,CrossUp,0x0);
CrossDown               // MPU_send_Msg0316(0x5,0x3, 0x16,CrossDown,0x0);
CrossRight              // MPU_send_Msg0317(0x5,0x3, 0x17,CrossRight,0x0);
CrossLeft               // MPU_send_Msg0318(0x5,0x3, 0x18,CrossLeft,0x0);
#2
Reverse Engineering / Re: DIGIC 8 MPU investigation
January 29, 2023, 08:35:14 AM
Quote from: coon on December 14, 2020, 10:58:34 PM

MEMR 0 FFFFF


Does a hex dump from a region of the MPU's memory. The first argument is the start address, the second argument is the number of bytes to read.
The maximum value allowed for the second argument is FFFFF.

When executing the command above, the complete firmware of the MPU is dumped, since the firmware is mapped to 0.
From address ~0x60000 to 0xFFFFF the data bytes are all 0xFF on the EOS RP and do not need to be dumped.

The firmware of the MPU on the EOS RP can be dumped by executing the following command:


MEMR 0 60000


Be careful not to type MEMW by accident, which will overwrite data in RAM and may lead to undefined behaviour of the MPU! This might destroy hardware components in the worst case.

Based on analysis of the RP MPU firmware, both the first and the second argument are addresses,
so the usage is: MEMR StartingADDR EndingADDR
StartingADDR and EndingADDR may carry the prefix "0x".
#3
Reverse Engineering / Re: DIGIC 8 MPU investigation
January 29, 2023, 08:27:28 AM
The structure of the MPU Msg in the RP is exactly the same as that in EOS.
MainTimeLapse_SW1OFF : mpu_send(0x5 0x3 0x21 0x00 0x00);
MainTimeLapse_SW1ON : mpu_send(0x5 0x3 0x21 0x01 0x00);
MainTimeLapse_SW2OFF : mpu_send(0x5 0x3 0x22 0x00 0x00);
MainTimeLapse_SW2ON : mpu_send(0x5 0x3 0x22 0x01 0x00);
#4
Reverse Engineering / Re: DIGIC 8 MPU investigation
January 26, 2023, 04:06:20 PM
Just built an IDB from the RP_MPU dump.
ROM:00019E56                 BLX             R2  is the call interface of all the monitor functions found by coon;
the key struc table is at 0x4ED38:
00000000 struc_DbgFunction struc
00000000 lp_DbgCmdString
00000004 lp_funcall
Anybody who wants the IDB: send me a PM or let me know in this post, please.
#5
Reverse Engineering / Re: DIGIC 8 MPU investigation
January 19, 2023, 05:36:26 AM
The debug commands of the DIGIC 8 MPU look the same as those in DIGIC 6/7.
https://www.magiclantern.fm/forum/index.php?topic=17596.0
#6
Reverse Engineering / Re: DIGIC 8 MPU investigation
January 19, 2023, 05:14:44 AM
Quote from: coon on December 14, 2020, 11:08:48 PM
Architecture of MPU is 32 bit ARMv7 (little endian) like ICU. Therefore it is not TX19a / MIPS anymore.
Base address of MPU firmware image is 0x20000000.

It looks like that a minimal version of DryOS is running on MPU. I think it should be possible to emulate MPU in qemu now.
We may also abuse the MPUs update mechanism to boot up some MPU version of ML and start our own tasks there, if we should ever be in need for that.
Could you please send the MPU firmware dump to my e-mail? [email protected]
I can analyze the firmware with IDA Pro and add value to your DIGIC 8 MPU investigation.
#7
Reverse Engineering / Re: MPU communication
June 01, 2018, 01:27:48 PM
On the 550D MCU side, sub_0x376F8 sends and receives a 16-bit Command/Response to/from the AF CCD.
In the 16 TX bits, bit15:bit13 looks like the CMD code; bit12:bit0 is unknown.
Does anybody know the detailed info of the AF CCD in the 550D?
#8
Reverse Engineering / Re: MPU communication
May 30, 2018, 02:00:28 PM
Msg0303 is the ERR code; Msg03_0x29 (PROP 80030023) is the Err ClassID, which may be remapped from the ERR code.
#9
Reverse Engineering / Re: MPU communication
May 29, 2018, 12:18:36 PM
Any info on the pixel color pattern of the AE CCD?
#10
Reverse Engineering / Re: MPU communication
May 28, 2018, 09:49:11 AM
The 550D MCU sends many structures to the CPU with successive multi Msg03_0x32 (PROP 8003003A),
which is stated in known_spells.h. The following table is info on the structures inside PROP 8003003A;
each Msg03_0x32 contains 0x32 bytes of payload of the structures listed in TAB_Msg03_32_payload_info.
EDIT: the name in TAB_Msg03_32_payload_info is just the name of the first byte of the structure; it does not stand for
the name of the structure.

00000000 struc_23FC0     struc  # (sizeof=0x8)    # XREF: ROM:TAB_Msg03_32_payload_infor
00000000 SizeOfByte:     .half ?                  # XREF: Report_Msg03_32+3Ar
00000002 SRC_Data_Location:.byte ?                # 0 - RAM , 1 : EEPROM
00000003 unused_byte:    .byte ?
00000004 RAM_ADDR:           .word ?                  # offset
00000008 struc_23FC0     ends


00000000 struc_94        struc  # (sizeof=0x8)    # XREF: ROM:00024008r
00000000 SizeOfByte:     .half ?
00000002 SRC_Data_Location:.byte ?                # 0 - RAM , 1 : EEPROM
00000003 field_3:        .byte ?
00000004 EEPROM_ADDR:    .word ?                  # base 16
00000008 struc_94        ends


00023FC0 TAB_Msg03_32_payload_info:struc_23FC0 <  0x12,    0,    0, PROP_SHUTTER_bak00> # 0
ROM:00023FC0                 struc_23FC0 <     8,    0,    0, PROP_SHUTTER_FFFFD7E4> # 1
ROM:00023FC0                 struc_23FC0 <  0x1E,    0,    0, RAM00_struc_D7B0> # 2
ROM:00023FC0                 struc_23FC0 <  0x1A,    0,    0, PROP_SHOOTING_MODE> # 3
ROM:00023FC0                 struc_23FC0 <  0x1E,    0,    0, RAM01_struc_D7B0> # 4
ROM:00023FC0                 struc_23FC0 <     4,    0,    0, Msg01_42_PROP_PHOTO_STUDIO_MODE> # 5
ROM:00023FC0                 struc_23FC0 <  0x64,    0,    0, unk_FFFFD568> # 6
ROM:00023FC0                 struc_23FC0 <  0x64,    0,    0, unk_FFFFD630> # 7
ROM:00023FC0                 struc_23FC0 <  0x64,    0,    0, unk_FFFFD5CC> # 8
ROM:00024008                 struc_94 <  0x12,    1,    0,     0x14D0> # 0
ROM:00024008                 struc_94 <     8,    1,    0,     0x15C0> # 1
ROM:00024008                 struc_94 <  0x1A,    1,    0,     0x1480> # 2
ROM:00024008                 struc_94 <  0x1A,    1,    0,     0x1480> # 3
ROM:00024008                 struc_94 <  0x1A,    1,    0,     0x1480> # 4
ROM:00024008                 struc_94 <  0x64,    1,    0,     0x1300> # 5
ROM:00024008                 struc_94 <  0x64,    1,    0,     0x1380> # 6
ROM:00024008                 struc_94 <  0x64,    1,    0,     0x1400> # 7
ROM:00024008                 struc_94 <  0x64,    1,    0,     0x1500> # 8
ROM:00024008                 struc_94 <  0x64,    1,    0,     0x1300> # 9
ROM:00024008                 struc_94 <  0x64,    1,    0,     0x1300> # 0xA
ROM:00024008                 struc_94 <  0x1E,    1,    0,     0x14A0> # 0xB
ROM:00024008                 struc_94 <  0x1E,    1,    0,     0x14A0> # 0xC
ROM:00024008                 struc_94 <  0x1E,    1,    0,     0x1580> # 0xD

#11
Reverse Engineering / Re: MPU communication
May 25, 2018, 04:46:27 AM
Based on known_spells.h, on the 550D MCU side,
if I'm not mistaken, the MCU reports PROP 80030035 to the CPU, which is equal to (temperature + 128) inside Msg_03_0x38.
#12
Reverse Engineering / Re: MPU communication
May 21, 2018, 02:56:33 AM
00000000 Metering_Row    struc  # (sizeof=0x12) 
00000000 Pixel_00:       .half ?                  # XREF: AE_action_API+17Cr
00000002 Pixel_01:       .half ?
00000004 Pixel_02:       .half ?
00000006 Pixel_03:       .half ?
00000008 Pixel_04:       .half ?
0000000A Pixel_05:       .half ?
0000000C Pixel_06:       .half ?
0000000E Pixel_07:       .half ?
00000010 Pixel_08:       .half ?
00000012 Metering_Row    ends

00000000 half_7x9_Metering struc  # (sizeof=0x7E)
00000000 Metering_Row0:  Metering_Row ?           # XREF: AE_action_API+17Cr
00000012 Metering_Row1:  Metering_Row ?
00000024 Metering_Row2:  Metering_Row ?
00000036 Metering_Row3:  Metering_Row ?
00000048 Metering_Row4:  Metering_Row ?
0000005A Metering_Row5:  Metering_Row ?
0000006C Metering_Row6:  Metering_Row ?
0000007E half_7x9_Metering ends

RAM:FFFFAE98 ADch02_Metering_LayerA:half_7x9_Metering <0>  # DATA XREF: AE_action_API+1A8r
RAM:FFFFAE98                                          # AE_data_non_linear_converting+E2r ...
RAM:FFFFAE98                                          # from AD CH02
RAM:FFFFAF16 ADch02_Metering_LayerB:half_7x9_Metering <0>:3  # DATA XREF: AE_action_API+1C0r
RAM:FFFFAF16                                          # AE_data_non_linear_converting+12Ar ...
RAM:FFFFAF16                                          # from AD CH02
#13
Reverse Engineering / Re: MPU communication
May 18, 2018, 02:50:16 AM
00000000 Msg0503_ReleaseAfter_Data struc  # (sizeof=0x3D)
00000000 MsgHeader:      struc_msg_header ?       # == 0x3D , 0x5 , 0x3
00000003 field_3:        .byte ?
00000004 field_4:        .byte ?
00000005 CYC07_timing_counter_X_10:.word ?        # XREF: build_msg05_03_ReleaseAfterData+6Co
00000009 PROP_AF_MODE:   .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+82w
0000000A field_A:        .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+90w
0000000B Image_orientation:.byte ?                # XREF: build_msg05_03_ReleaseAfterData+98w
0000000C strobo_CMD_0xFC_response_char0:.byte ?   # XREF: build_msg05_03_ReleaseAfterData+A6o
0000000D strobo_CMD_0xFC_response_char1:.byte ?
0000000E strobo_CMD_0xFC_response_char2:.byte ?
0000000F strobo_CMD_0xFC_response_char3:.byte ?
00000010 strobo_CMD_0xFC_response_char4:.byte ?
00000011 strobo_CMD_0xFC_response_char5:.byte ?
00000012 field_12:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+D4w
00000013 field_13:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+EAw
00000014 field_14:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+F8w
00000015 field_15:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+106w
00000016 field_16:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+110w
00000017 field_17:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData:loc_54934w
00000018 field_18:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+166w
00000019 field_19:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+16Cw
0000001A Vfo1_div_4:     .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+17Ew
0000001B Vfo2_div_4:     .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+184w
0000001B                                          # build_msg05_03_ReleaseAfterData+1BEo
0000001C vbat_noload_div_4:.byte ?                 # XREF: build_msg05_03_ReleaseAfterData+18Aw
0000001D vbat_bcon_div_4: .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+190w
0000001E Aop_div_4:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+196w
0000001F Aop??_div_4:     .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+19Cw
00000020 battery_Resister_div4:.byte ?            # XREF: build_msg05_03_ReleaseAfterData+1A2w
00000021 battery_remaining_capacity:.byte ?       # XREF: build_msg05_03_ReleaseAfterData+1A8w
00000022 field_22:       .byte ?
00000023 field_23:       .byte ?
00000024 field_24:       .byte ?
00000025 field_25:       .byte ?
00000026 field_26:       .byte ?
00000027 field_27:       .byte ?
00000028 field_28:       .byte ?
00000029 field_29:       .byte ?
0000002A FocusDistance_first:.half ?              # XREF: build_msg05_03_ReleaseAfterData+1CEw
0000002A                                          # build_msg05_03_ReleaseAfterData+1D6w  # from response half00 of Lens CMD 0xC2
0000002C FocusDistance_second:.half ?             # XREF: build_msg05_03_ReleaseAfterData+1E0w
0000002C                                          # build_msg05_03_ReleaseAfterData+1E8w  # from response half02 of Lens CMD 0xC2
0000002E field_2E:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+1EEw  # == 0
0000002F field_2F:       .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+B0w  # == 0xC
00000030 TMRC_Capture03_timing_1st:.half ?        # XREF: build_msg05_03_ReleaseAfterData+C0o
00000032 TMRC_Capture03_timing_2nd:.half ?
00000034 TMRC_Capture03_timing_3th:.half ?
00000036 TMRC_Capture02_timing_1st:.half ?
00000038 TMRC_Capture02_timing_2nd:.half ?
0000003A TMRC_Capture02_timing_3th:.half ?
0000003C dummy:          .byte ?                  # XREF: build_msg05_03_ReleaseAfterData+22w
0000003D Msg0503_ReleaseAfter_Data ends
#14
Reverse Engineering / Re: MPU communication
May 18, 2018, 02:45:28 AM
The STROBO communication interface has been found, with lots of STROBO commands such as 0xA1, 0xA2, ...
The AE CCD data has been found: a double int16 7x9 array, of which the low 10 bits are effective; it is then converted into an 8-bit 7x9 array.
00000000 Msg0502_ReleaseBeforeData struc  # (sizeof=0x2E)
00000000 MsgHeader:      struc_msg_header ?       # XREF: build_msg05_02_ReleaseBeforeData+Ew
00000000                                          # build_msg05_02_ReleaseBeforeData+12w ...  # == 0x2E , 0x5 , 0x2
00000003 TV?:            .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+2Ew
00000004 AV?:            .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+30o
00000005 TV??ISO??:      .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData:loc_54462w
00000006 field_6:        .byte ?
00000007 ISO_sure:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+D4w
00000008 field_8:        .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+DCw
00000009 LV_BV_char0:    .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData:loc_544F0w
0000000A LV_BV_char1:    .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+F6w
0000000B AE??:           .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+102o
0000000C field_C:        .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+120w  # == 0x3
0000000D field_D:        .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1B8w
0000000E _PROP_AEB_div_3:.byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1BCw
0000000F _PROP_WBB_GM_div_3:   .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1C4w
00000010 _PROP_WBB_BA_div_3:   .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1CCw
00000011 _PROP_WBS_GM_div_3:   .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1D4w
00000012 _PROP_WBS_BA_div_3:   .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1DCw
00000013 field_13:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+1E4w
00000014 strobo_CMD_0xA9_response:.byte ?         # XREF: build_msg05_02_ReleaseBeforeData+1ECw
00000015 field_15:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+23Aw
00000016 strobo_CMD_0xE6_Response_char01_b2b1b0_remapped:.byte ?
00000016                                          # XREF: build_msg05_02_ReleaseBeforeData+23Cw
00000017 field_17:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+244w
00000018 field_18:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+248w
00000019 PROP_LV_HALF_SHUTTER_bit0:.byte ?        # XREF: build_msg05_02_ReleaseBeforeData+252w
0000001A temperature_plus_128:    .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+25Cw
0000001B Lens_attrib:    .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+26Cw
0000001B                                          # build_msg05_02_ReleaseBeforeData+2A6w
0000001C _important_char0:.byte ?                 # XREF: build_msg05_02_ReleaseBeforeData+296w
0000001C                                          # build_msg05_02_ReleaseBeforeData+2B4w ...
0000001D _important_char1:.byte ?                 # XREF: build_msg05_02_ReleaseBeforeData+29Cw
0000001D                                          # build_msg05_02_ReleaseBeforeData+2B6w ...
0000001E _important_char2:.byte ?                 # XREF: build_msg05_02_ReleaseBeforeData:loc_546C0w
0000001E                                          # build_msg05_02_ReleaseBeforeData+2C4o
0000001F Focal_Length:   .half ?                  # XREF: build_msg05_02_ReleaseBeforeData+2C8o
0000001F                                          # build_msg05_02_ReleaseBeforeData+2DEo
00000021 FocusPoint_bit_pattern:.half ?           # XREF: build_msg05_02_ReleaseBeforeData+30Cw
00000021                                          # build_msg05_02_ReleaseBeforeData+312w
00000023 field_23:       .byte ?
00000024 field_24:       .byte ?
00000025 field_25:       .byte ?
00000026 field_26:       .byte ?
00000027 Metering_calculating_result_char00:.byte ?
00000027                                          # XREF: build_msg05_02_ReleaseBeforeData+31Cw
00000028 Metering_calculating_result_char01:.byte ?
00000028                                          # XREF: build_msg05_02_ReleaseBeforeData+324w
00000029 Metering_calculating_result_char02:.byte ?
00000029                                          # XREF: build_msg05_02_ReleaseBeforeData+32Cw
0000002A Metering_calculating_result_char03:.byte ?
0000002A                                          # XREF: build_msg05_02_ReleaseBeforeData+334w
0000002B field_2B:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+33Aw  # == 1
0000002C BOOL_unknown:   .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+348w
0000002D field_2D:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+18w
0000002E Msg0502_ReleaseBeforeData ends
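As an added example (not code from the original posts), here is a Python decoder for the two layouts recovered above: the Msg0502_ReleaseBeforeData message (this post) and the half_7x9_Metering AE layer (the May 21 post, "low 10 bits effective"). The halfword byte order, the 10-to-8-bit reduction and the sample buffers are assumptions or constructed, as marked in the comments.

```python
import struct

# Assumption (not stated in the posts): halfword fields are little-endian.
HALF_LE = "<H"

MSG_HEADER_LEN = 3           # struc_msg_header: size, class, subclass
MSG0502_LEN = 0x2E           # sizeof(Msg0502_ReleaseBeforeData)
METERING_ROWS, METERING_COLS = 7, 9
METERING_LAYER_LEN = METERING_ROWS * METERING_COLS * 2   # sizeof(half_7x9_Metering) == 0x7E


class MpuMsgError(ValueError):
    """Raised when a buffer does not match the expected MPU message layout."""


def parse_msg_header(buf):
    """Return (size, class, subclass) from struc_msg_header; size must equal the buffer length."""
    if len(buf) < MSG_HEADER_LEN:
        raise MpuMsgError("buffer shorter than struc_msg_header")
    size, cls, sub = buf[0], buf[1], buf[2]
    if size != len(buf):
        raise MpuMsgError(f"header size 0x{size:02X} != buffer length 0x{len(buf):02X}")
    return size, cls, sub


def parse_msg0502(buf):
    """Decode the named fields of Msg0502_ReleaseBeforeData at the offsets from the IDA struct."""
    size, cls, sub = parse_msg_header(buf)
    if (size, cls, sub) != (MSG0502_LEN, 0x5, 0x2):
        raise MpuMsgError(f"not a Msg05 02 header: {size:#04x} {cls:#04x} {sub:#04x}")
    anomalies = []
    # The disassembly marks two bytes as constants (field_C == 0x3, field_2B == 1);
    # a mismatch is reported rather than silently accepted.
    if buf[0x0C] != 0x3:
        anomalies.append(f"field_C={buf[0x0C]:#04x} (expected 0x03)")
    if buf[0x2B] != 0x1:
        anomalies.append(f"field_2B={buf[0x2B]:#04x} (expected 0x01)")
    return {
        "tv_raw": buf[0x03],
        "av_raw": buf[0x04],
        "iso_raw": buf[0x07],
        "lv_bv_raw": (buf[0x09], buf[0x0A]),
        "aeb_div_3": buf[0x0E],
        "wbb_gm_div_3": buf[0x0F],
        "wbb_ba_div_3": buf[0x10],
        "wbs_gm_div_3": buf[0x11],
        "wbs_ba_div_3": buf[0x12],
        "lv_half_shutter_raw": buf[0x19],
        "temperature_c": buf[0x1A] - 128,       # field holds temperature + 128
        "lens_attrib": buf[0x1B],
        "focal_length": struct.unpack_from(HALF_LE, buf, 0x1F)[0],
        "focus_point_bits": struct.unpack_from(HALF_LE, buf, 0x21)[0],
        "metering_result": bytes(buf[0x27:0x2B]),   # Metering_calculating_result_char00..03
        "anomalies": anomalies,
    }


def parse_metering_layer(buf):
    """Decode one half_7x9_Metering layer into a 7x9 grid, keeping only the low 10 bits."""
    if len(buf) != METERING_LAYER_LEN:
        raise MpuMsgError(f"metering layer must be 0x{METERING_LAYER_LEN:X} bytes, got 0x{len(buf):X}")
    raw = struct.unpack_from(f"<{METERING_ROWS * METERING_COLS}H", buf)
    return [[v & 0x3FF for v in raw[r * METERING_COLS:(r + 1) * METERING_COLS]]
            for r in range(METERING_ROWS)]


def metering_to_8bit(grid):
    """Reduce 10-bit samples to 8 bits by dropping the two low bits.
    Assumption: the firmware's AE_data_non_linear_converting is not described in the
    posts, so this linear shift is a stand-in, not Canon's curve."""
    return [[v >> 2 for v in row] for row in grid]


def build_sample_msg0502():
    """Constructed sample message (not a real capture), laid out per the struct offsets."""
    b = bytearray(MSG0502_LEN)
    b[0:3] = bytes((MSG0502_LEN, 0x05, 0x02))
    b[0x03], b[0x04], b[0x07] = 0x60, 0x30, 0x48      # TV?, AV?, ISO_sure (raw codes)
    b[0x0C] = 0x03                                     # field_C constant
    b[0x1A] = 25 + 128                                 # temperature_plus_128
    b[0x1B] = 0x01                                     # Lens_attrib
    struct.pack_into(HALF_LE, b, 0x1F, 50)             # Focal_Length
    struct.pack_into(HALF_LE, b, 0x21, 0x0100)         # FocusPoint_bit_pattern
    b[0x27:0x2B] = bytes((0x10, 0x20, 0x30, 0x40))     # Metering_calculating_result
    b[0x2B] = 0x01                                     # field_2B constant
    return bytes(b)


def build_sample_metering_layer():
    """Constructed sample layer: each sample carries junk above bit 9 that must be masked off."""
    vals = [0x8400 | (i * 8) for i in range(METERING_ROWS * METERING_COLS)]
    return struct.pack(f"<{len(vals)}H", *vals)


if __name__ == "__main__":
    msg = parse_msg0502(build_sample_msg0502())
    print("temperature:", msg["temperature_c"], "focal length:", msg["focal_length"])
    grid = parse_metering_layer(build_sample_metering_layer())
    for row in metering_to_8bit(grid):
        print(" ".join(f"{v:3d}" for v in row))
```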

#15
Reverse Engineering / Re: MPU communication
April 13, 2018, 08:48:58 AM
There are two kinds of Msg05 03 release-after data; the difference between them is from field 0x1A to field 0x29.
This section (16 bytes) may contain power info or AF info, depending on a setting in the EEPROM.
Here is the Msg05 03 which contains power info:
00000000 struc_Msg05_03  struc  # (sizeof=0x3D)
00000000 MsgHeader:      struc_msg_header ?       # == 0x3D , 0x5 , 0x3
00000003 field_3:        .byte ?
00000004 field_4:        .byte ?
00000005 CYC07_timing_counter:.word ?
00000009 PROP_AF_MODE:   .byte ?
0000000A field_A:        .byte ?
0000000B Image_orientation:.byte ?
0000000C field_C:        .byte ?
0000000D field_D:        .byte ?
0000000E field_E:        .byte ?
0000000F field_F:        .byte ?
00000010 field_10:       .byte ?
00000011 field_11:       .byte ?
00000012 field_12:       .byte ?
00000013 field_13:       .byte ?
00000014 field_14:       .byte ?
00000015 field_15:       .byte ?
00000016 field_16:       .byte ?
00000017 field_17:       .byte ?
00000018 field_18:       .byte ?
00000019 field_19:       .byte ?
0000001A Vfo1_div_4:     .byte ?
0000001B Vfo2_div_4:     .byte ?
0000001C vbat_noload:    .byte ?
0000001D vbat_bcon:      .byte ?
0000001E field_1E:       .byte ?
0000001F field_1F:       .byte ?
00000020 _Resister:.byte ?
00000021 _remaining_capacity:.byte ?
00000022 field_22:       .byte ?
00000023 field_23:       .byte ?
00000024 field_24:       .byte ?
00000025 field_25:       .byte ?
00000026 field_26:       .byte ?
00000027 field_27:       .byte ?
00000028 field_28:       .byte ?
00000029 field_29:       .byte ?
0000002A FocusDistance_first?:.half ?
0000002C FocusDistance_second?:.half ?
0000002E field_2E:       .byte ?
0000002F field_2F:       .byte ?
00000030 field_30:       .byte ?
00000031 field_31:       .byte ?
00000032 field_32:       .byte ?
00000033 field_33:       .byte ?
00000034 field_34:       .byte ?
00000035 field_35:       .byte ?
00000036 field_36:       .byte ?
00000037 field_37:       .byte ?
00000038 field_38:       .byte ?
00000039 field_39:       .byte ?
0000003A field_3A:       .byte ?
0000003B field_3B:       .byte ?
0000003C field_3C:       .byte ?
0000003D struc_Msg05_03  ends
#16
Reverse Engineering / Re: MPU communication
April 13, 2018, 08:39:07 AM
Decoding of part of Msg05 02:
00000000 struc_Msg05_02  struc  # (sizeof=0x2E)
00000000 MsgHeader:      struc_msg_header ?       # == 0x2E , 0x5 , 0x2
00000003 TV?:            .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+2Ew
00000004 AV?:            .byte ?
00000005 TV??ISO??:      .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData:loc_54462w
00000006 field_6:        .byte ?
00000007 ISO_sure:       .byte ?                  # XREF: build_msg05_02_ReleaseBeforeData+D4w
00000008 field_8:        .byte ?
00000009 LV_BV_char0:    .byte ?
0000000A LV_BV_char1:    .byte ?
0000000B field_B:        .byte ?
0000000C field_C:        .byte ?                  # == 0x3
0000000D field_D:        .byte ?
0000000E field_E:        .byte ?
0000000F _PROP_WBB_GM:   .byte ?
00000010 _PROP_WBB_BA:   .byte ?
00000011 _PROP_WBS_GM:   .byte ?
00000012 _PROP_WBS_BA:   .byte ?
00000013 field_13:       .byte ?
00000014 field_14:       .byte ?
00000015 field_15:       .byte ?
00000016 field_16:       .byte ?
00000017 field_17:       .byte ?
00000018 field_18:       .byte ?
00000019 LV_HALF_SHUTTER_bit0:.byte ?
0000001A temperature:    .byte ?
0000001B Lens_attrib:    .byte ?
0000001C _important_char0:.byte ?
0000001D _important_char1:.byte ?
0000001E _important_char2:.byte ?
0000001F Focal_Length:   .half ?
00000021 Focus_Point:    .half ?
00000023 field_23:       .byte ?
00000024 field_24:       .byte ?
00000025 field_25:       .byte ?
00000026 field_26:       .byte ?
00000027 field_27:       .byte ?
00000028 field_28:       .byte ?
00000029 field_29:       .byte ?
0000002A field_2A:       .byte ?
0000002B field_2B:       .byte ?
0000002C field_2C:       .byte ?
0000002D field_2D:       .byte ?
0000002E struc_Msg05_02  ends
#17
Reverse Engineering / Re: MPU communication
March 31, 2018, 06:53:12 PM
@a1ex:
Sorry, I just got why there is no Msg 05 08 in your log. Msg05 08 is not enabled in the usual setting; it's a hidden option.
In the 550D, Msg05 08 depends on 16 bits of setting data at EEPROM ADDR 0x1042;
you have to modify the setting in EEPROM @0x1042 to enable Msg05 08 first.
EDIT:
Msg08 02 fun_0x52 changes EEPROM @0x1042.
Msg08 02 fun_0x53 reads EEPROM @0x1042.
EDIT:
The 16 bits come from EEPROM @0x1042, but I have no idea whether the EEPROM is big endian or little endian.
bit1:bit0 = 0 - Msg0508 disabled
bit1:bit0 = 1, 2, 3 - type of info data
#18
Reverse Engineering / Re: MPU communication
March 30, 2018, 05:01:30 PM
@a1ex:
After Msg05 03 (after-release data) is sent from the MPU to the CPU,
the MPU may send AF debug info to the CPU; the size of the AF debug info is inside Msg05 08,
and the payload of the AF debug info is probably sent to the CPU with multi-Msg05 09.

How is the AF debug info used on the CPU side? Is it for Canon's private AF info in the CR2?
#19
Reverse Engineering / Re: MPU communication
March 28, 2018, 01:10:05 PM
@a1ex, here is the debug UI on the 550D MPU side:

ROM:00004448 asc_4448:       .ascii "-----------------------------------------------------------\n"
ROM:00004448                                          # DATA XREF: TITLE+12o
ROM:00004448                                          # TITLE+20o
ROM:00004448                 .ascii "               K270 Debug Monitor (Ver 1.00)               \n"
ROM:00004448                 .ascii "     Copyright(C) CANON INC. 2007  All Rights Reserved.    \n"
ROM:00004448                 .ascii "-----------------------------------------------------------\n"
ROM:00004448                 .ascii 0
ROM:00004539                 .byte 0xFF
ROM:0000453A                 .byte 0xFF
ROM:0000453B                 .byte 0xFF
#20
Reverse Engineering / Re: MPU communication
March 28, 2018, 01:04:37 PM
@a1ex:
SC1 on the MPU side is responsible for this debug info communication.
I guess that maybe there is a backdoor in the normal communication workflow for normal Msgs, but it is not found yet.
In the Nikon D5100, both the UART (similar to SC1 in the 550D) and the HSC (similar to the HSC for communication between
the MPU and CPU in the 550D) may communicate debug CMDs.
#21
Reverse Engineering / Re: MPU communication
March 28, 2018, 12:10:51 PM
Quote from: a1ex on March 28, 2018, 11:10:29 AM
Any idea where this might be used in Canon code? Tried to grep for this command in my logs with MPU messages, but found nothing.
My wild guess: these Msg08 02 might belong to the factory debug section;
they don't belong to the normal Msg transfer workflow between the MPU and CPU.
00023BD0 Msg08_02_CallTable:.word Action_On_Msg0802_fun00+1 # 0
ROM:00023BD0                                          # DATA XREF: Msg08_Handler+134r
ROM:00023BD0                 .word Action_On_Msg0802_fun01+1 # 1  # in a0 = 0xFFFFD2E0
ROM:00023BD0                 .word Action_On_Msg0802_fun02+1 # 2
ROM:00023BD0                 .word Action_On_Msg0802_fun03_load_EEPROM_2_RAM+1 # 3
ROM:00023BD0                 .word Action_On_Msg0802_fun04_get_Image_orientation+1 # 4
ROM:00023BD0                 .word Action_On_Msg0802_fun05+1 # 5
ROM:00023BD0                 .word Action_On_Msg0802_fun06+1 # 6
ROM:00023BD0                 .word Action_On_Msg0802_fun07+1 # 7
ROM:00023BD0                 .word Action_On_Msg0802_fun08+1 # 8
ROM:00023BD0                 .word Action_On_Msg0802_fun09+1 # 9
ROM:00023BD0                 .word Action_On_Msg0802_fun0A+1 # 0xA
ROM:00023BD0                 .word Action_On_Msg0802_fun0B+1 # 0xB
ROM:00023BD0                 .word Action_On_Msg0802_fun0C+1 # 0xC
ROM:00023BD0                 .word Action_On_Msg0802_fun0D+1 # 0xD
ROM:00023BD0                 .word Action_On_Msg0802_fun0E+1 # 0xE
ROM:00023BD0                 .word Action_On_Msg0802_fun0F_custom_LensCMD+1 # 0xF
ROM:00023BD0                 .word Action_On_Msg0802_fun10_FocusScan+1 # 0x10
ROM:00023BD0                 .word Action_On_Msg0802_fun11+1 # 0x11
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x12
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x13
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x14
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x15
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x16
ROM:00023BD0                 .word Action_On_Msg0802_fun13+1 # 0x17
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x18
ROM:00023BD0                 .word Action_On_Msg0802_fun19_Lens_RTX_1byte+1 # 0x19
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x1A
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x1B
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x1C
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x1D
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x1E
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x1F
ROM:00023BD0                 .word Action_On_Msg0802_fun20+1 # 0x20
ROM:00023BD0                 .word Action_On_Msg0802_fun21+1 # 0x21
ROM:00023BD0                 .word Action_On_Msg0802_fun22+1 # 0x22
ROM:00023BD0                 .word Action_On_Msg0802_fun23+1 # 0x23
ROM:00023BD0                 .word Action_On_Msg0802_fun24+1 # 0x24
ROM:00023BD0                 .word Action_On_Msg0802_fun25+1 # 0x25
ROM:00023BD0                 .word Action_On_Msg0802_fun26+1 # 0x26
ROM:00023BD0                 .word Action_On_Msg0802_fun27+1 # 0x27
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x28
ROM:00023BD0                 .word Action_On_Msg0802_fun29+1 # 0x29
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x2A
ROM:00023BD0                 .word Action_On_Msg0802_fun2B+1 # 0x2B
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x2C
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x2D
ROM:00023BD0                 .word Action_On_Msg0802_fun2E+1 # 0x2E
ROM:00023BD0                 .word Action_On_Msg0802_fun2F+1 # 0x2F
ROM:00023BD0                 .word Action_On_Msg0802_fun30_DISPALLOFF+1 # 0x30
ROM:00023BD0                 .word Action_On_Msg0802_fun31_DISPALLON+1 # 0x31
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x32
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x33
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x34
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x35
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x36
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x37
ROM:00023BD0                 .word Action_On_Msg0802_fun38+1 # 0x38
ROM:00023BD0                 .word Action_On_Msg0802_fun39+1 # 0x39
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x3A
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x3B
ROM:00023BD0                 .word Action_On_Msg0802_fun3C+1 # 0x3C
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x3D
ROM:00023BD0                 .word Action_On_Msg0802_fun3E+1 # 0x3E
ROM:00023BD0                 .word Action_On_Msg0802_fun3F+1 # 0x3F
ROM:00023BD0                 .word Action_On_Msg0802_fun40+1 # 0x40
ROM:00023BD0                 .word Action_On_Msg0802_fun41+1 # 0x41
ROM:00023BD0                 .word Action_On_Msg0802_fun42+1 # 0x42
ROM:00023BD0                 .word Action_On_Msg0802_fun43+1 # 0x43
ROM:00023BD0                 .word Action_On_Msg0802_fun44+1 # 0x44
ROM:00023BD0                 .word Action_On_Msg0802_fun45+1 # 0x45
ROM:00023BD0                 .word Action_On_Msg0802_fun46+1 # 0x46
ROM:00023BD0                 .word Action_On_Msg0802_fun47+1 # 0x47
ROM:00023BD0                 .word Action_On_Msg0802_fun48_copy_Lens_aperture_data+1 # 0x48
ROM:00023BD0                 .word Action_On_Msg0802_fun49_read_EEPROM+1 # 0x49
ROM:00023BD0                 .word Action_On_Msg0802_fun4A+1 # 0x4A
ROM:00023BD0                 .word Action_On_Msg0802_fun4B+1 # 0x4B
ROM:00023BD0                 .word Action_On_Msg0802_fun4C+1 # 0x4C
ROM:00023BD0                 .word Action_On_Msg0802_fun4D+1 # 0x4D
ROM:00023BD0                 .word Action_On_Msg0802_fun4E_read_button+1 # 0x4E
ROM:00023BD0                 .word Action_On_Msg0802_fun4F_backup_byte20004+1 # 0x4F
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x50
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x51
ROM:00023BD0                 .word Action_On_Msg0802_fun52+1 # 0x52
ROM:00023BD0                 .word Action_On_Msg0802_fun53+1 # 0x53
ROM:00023BD0                 .word Action_On_Msg0802_fun54+1 # 0x54
ROM:00023BD0                 .word Action_On_Msg0802_fun55+1 # 0x55
ROM:00023BD0                 .word Action_On_Msg0802_fun56+1 # 0x56
ROM:00023BD0                 .word Action_On_Msg0802_fun57+1 # 0x57
ROM:00023BD0                 .word Action_On_Msg0802_fun58+1 # 0x58
ROM:00023BD0                 .word Action_On_Msg0802_fun59+1 # 0x59
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x5A
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x5B
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x5C
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x5D
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x5E
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x5F
ROM:00023BD0                 .word Action_On_Msg0802_fun60_cal_MPU_CodeArea_checksum+1 # 0x60
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x61
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x62
ROM:00023BD0                 .word Action_On_Msg0802_fun63+1 # 0x63
ROM:00023BD0                 .word Action_On_Msg0802_fun64+1 # 0x64
ROM:00023BD0                 .word Action_On_Msg0802_fun65+1 # 0x65
ROM:00023BD0                 .word Action_On_Msg0802_fun66+1 # 0x66
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x67
ROM:00023BD0                 .word Action_On_Msg0802_fun68_Fresh_temperature+1 # 0x68
ROM:00023BD0                 .word Action_On_Msg0802_fun69_read_EEPROM_0x113B+1 # 0x69
ROM:00023BD0                 .word Action_On_Msg0802_fun6A_write_EEPROM_0x113B+1 # 0x6A
ROM:00023BD0                 .word Action_On_Msg0802_fun6B_read_temperature+1 # 0x6B
ROM:00023BD0                 .word Action_On_Msg0802_fun6C+1 # 0x6C
ROM:00023BD0                 .word Action_On_Msg0802_fun6D+1 # 0x6D
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x6E
ROM:00023BD0                 .word Action_On_Msg0802_fun6F+1 # 0x6F
ROM:00023BD0                 .word Action_On_Msg0802_fun70+1 # 0x70
ROM:00023BD0                 .word Action_On_Msg0802_fun71+1 # 0x71
ROM:00023BD0                 .word Action_On_Msg0802_fun72+1 # 0x72
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x73
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x74
ROM:00023BD0                 .word Action_On_Msg0802_fun75_read_RAM_byte+1 # 0x75
ROM:00023BD0                 .word Action_On_Msg0802_fun76+1 # 0x76
ROM:00023BD0                 .word Action_On_Msg0802_fun77_NULL+1 # 0x77
ROM:00023BD0                 .word Action_On_Msg0802_fun78+1 # 0x78
ROM:00023BD0                 .word Action_On_Msg0802_fun79_change_button_flag+1 # 0x79
ROM:00023BD0                 .word Action_On_Msg0802_fun7A_EEPROM_0x1360_verify+1 # 0x7A
ROM:00023BD0                 .word Action_On_Msg0802_fun7B+1 # 0x7B
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x7C
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x7D
ROM:00023BD0                 .word Action_On_Msg0802_clear_RAM_byte+1 # 0x7E
ROM:00023BD0                 .word Action_On_Msg0802_fun7F+1 # 0x7F
     
#22
Reverse Engineering / Re: MPU communication
March 28, 2018, 10:57:56 AM
@a1ex:
Upon receiving Msg08 02, the MPU gets a function code in the payload of the Msg, which is 0 - 0x7F on the 550D;
each function code stands for one kind of specific action or operation on the MPU side:
function code 0xF    : send lens custom CMD
function code 0x10  : maybe drive lens focus motor
function code 0x48  : read current Lens data
function code 0x60  : calculate checksum of FW on MPU side
function code 0x68  : refresh current unknown temperature
function code 0x6B  : get current PROP_EFIC_TEMP and store it into EEPROM.
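A small model of the dispatch this post and the jump-table listing in the previous post describe, as an added example (not MPU firmware and not Magic Lantern code): a table with one handler per function code 0..0x7F, indexed by the code carried in a Msg 08 02 frame. The frame layout (0x08, 0x02, function code, optional argument byte), the handler bodies, the byte-sum checksum and the "efic_temp" EEPROM slot are assumptions made for the example; only the entry indices and handler names come from the listing. The dispatcher checks the frame ids and the 0..0x7F range before touching the table, which is the check a reviewer of any such table-driven dispatcher wants to see.

```python
"""Model of the Msg 08 02 function-code dispatch (added example, not firmware).

Assumptions: byte0 = 0x08, byte1 = 0x02, byte2 = function code, byte3 = optional
argument; handler bodies are constructed stand-ins, only names/indices follow
the ROM listing.
"""
from dataclasses import dataclass, field

MSG_CLASS = 0x08
MSG_SUB = 0x02
MAX_FUNCTION_CODE = 0x7F           # post: function codes are 0 - 0x7F on the 550D


@dataclass
class MpuState:
    """Constructed stand-in for the MPU memory the handlers touch."""
    ram_byte: int = 0x5A
    eeprom: dict = field(default_factory=lambda: {0x113B: 0x11})
    temperature: int = 25
    code_area: bytes = bytes(range(16))      # constructed, not real firmware
    log: list = field(default_factory=list)


class DispatchError(ValueError):
    """Raised when a frame cannot be mapped to a table entry."""


# Handlers whose purpose the listing names; bodies are illustrative only.
def clear_ram_byte(st, arg):
    st.ram_byte = 0
    return 0

def read_eeprom_0x113b(st, arg):
    return st.eeprom[0x113B]

def write_eeprom_0x113b(st, arg):
    st.eeprom[0x113B] = arg & 0xFF
    return st.eeprom[0x113B]

def read_temperature(st, arg):
    # post: read PROP_EFIC_TEMP and store it in EEPROM ("efic_temp" slot is hypothetical)
    st.eeprom["efic_temp"] = st.temperature
    return st.temperature

def cal_code_area_checksum(st, arg):
    # byte-sum mod 256 stands in for the MPU's real (unknown) checksum algorithm
    return sum(st.code_area) & 0xFF

def null_handler(st, arg):
    return 0

def _unnamed(code):
    """Placeholder for the funXX entries the listing leaves unnamed."""
    def handler(st, arg):
        return None
    handler.__name__ = f"fun{code:02X}"
    return handler

# Indices taken from the jump-table text (0x3A..0x7F region of the listing).
CLEAR_RAM_CODES = {0x3A, 0x3B, 0x3D, 0x50, 0x51, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E,
                   0x5F, 0x61, 0x62, 0x67, 0x6E, 0x73, 0x74, 0x7C, 0x7D, 0x7E}
NAMED_CODES = {
    0x60: cal_code_area_checksum,
    0x69: read_eeprom_0x113b,
    0x6A: write_eeprom_0x113b,
    0x6B: read_temperature,
    0x77: null_handler,
}

def build_handler_table():
    """One entry per function code 0..0x7F, like the .word table in the ROM."""
    table = []
    for code in range(MAX_FUNCTION_CODE + 1):
        if code in NAMED_CODES:
            table.append(NAMED_CODES[code])
        elif code in CLEAR_RAM_CODES:
            table.append(clear_ram_byte)
        else:
            table.append(_unnamed(code))
    return table

HANDLER_TABLE = build_handler_table()


def dispatch(st, msg):
    """Validate a Msg 08 02 frame, then index the handler table by function code."""
    if len(msg) < 3:
        raise DispatchError("frame too short for a function code")
    if msg[0] != MSG_CLASS or msg[1] != MSG_SUB:
        raise DispatchError(f"not a Msg {msg[0]:02X} {msg[1]:02X} dispatch frame")
    code = msg[2]
    # Range check before the table index: a code above 0x7F has no entry.
    if code > MAX_FUNCTION_CODE:
        raise DispatchError(f"function code 0x{code:02X} outside 0..0x{MAX_FUNCTION_CODE:02X}")
    arg = msg[3] if len(msg) > 3 else 0
    handler = HANDLER_TABLE[code]
    st.log.append((code, handler.__name__))
    return handler(st, arg)


def is_rejected(msg):
    """True if dispatch refuses the frame (exercises the guards above)."""
    try:
        dispatch(MpuState(), bytes(msg))
    except DispatchError:
        return True
    return False
```

`dispatch(MpuState(), bytes([0x08, 0x02, 0x69]))` returns the constructed EEPROM value for 0x113B, and `is_rejected([0x08, 0x02, 0x80])` is `True` because the code has no table entry; the `log` list records which entry each frame selected, which is the kind of trace that makes a dispatcher easy to compare against a real capture.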
 
#23
Reverse Engineering / Re: Reverse EFS Lens firmware
January 07, 2018, 06:26:13 AM
Just got the disassembly of the Sigma 35mm F1.4 EF-mount lens firmware successfully;
lots of EF lens protocol CMDs are found in the firmware. Start analyzing!!!
#24
Reverse Engineering / Re: Reverse EFS Lens firmware
December 14, 2017, 05:38:31 PM
Just got the disassembly of the Sigma 35mm F1.4 F-mount lens firmware successfully.
Todo:
1: Analyze the firmware to understand how the focus motor is driven.
2: Try to find the datasheet of the MCU EIS944A, then disassemble the Sigma EF-mount firmware.
#25
Reverse Engineering / Re: Reverse EFS Lens firmware
November 21, 2017, 04:34:35 AM
On the mainboard of the Sigma 24-105 f4.0 EF lens there is an MCU marked "EIS 944A".
Does anybody have more info on this MCU?