MPU communication

Started by a1ex, July 22, 2016, 11:26:59 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

a1ex

There was some progress understanding the communication between the main CPU and the MPU (a secondary CPU that controls buttons, lens communication, shutter actuation, viewfinder and others), so I think it's time to open a new thread.

Resources:

* QEMU docs: MPU Communication
* http://magiclantern.wikia.com/wiki/Tx19a
* Code to dump MPU firmware: modules/mpu_dump
* NikonHacker emulator for TX19A: http://magiclantern.fm/forum/index.php?topic=3467.msg91186#msg91186
* Communication protocol emulated in QEMU: qemu/eos/mpu.c
* How to log the MPU messages: [1] [2] [3] (you can use this build)
* Early discussion regarding button interrupt: http://www.magiclantern.fm/forum/index.php?topic=3189.0
* Button codes in QEMU: http://magiclantern.fm/forum/index.php?topic=2864.msg169517#msg169517
* First trick implemented using a MPU message:

Quote from: Greg on July 21, 2016, 03:22:31 PM
500D, LV
mpu_send(06 04 09 00 00)
mpu_recv(3c 3a 09 00 3c 3c e0 00 3f 80 00 00 38 12 c0 00 b9 cb c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 08 11 10 50 49 02 59 88 88 00 32 00 00 00 00 00 01 00 00 00)
PROP_LV_LENS


0x32 - focal length
0x10 - aperture


Now we can read lens_info in Photo mode.
Just call mpu_send(06 04 09 00 00). CPU receives data and automatically overwrite property lens_info.




a1ex

5D3: 0x08, 0x09, 0x01, num_steps_hi, num_steps_lo, 0x07, 0x00, 0x00: lens focus control in LiveView (also works in paused LiveView). Commands appear to be queued properly, but breaks focus distance reporting.

Related: http://magiclantern.wikia.com/wiki/Focus (struct prop_focus) and http://www.magiclantern.fm/forum/index.php?topic=4997 .

Greg

Quote from: a1ex on July 22, 2016, 10:46:21 PM
Something worth trying IMO:


/* stub for EOS M 2.0.2; "dwSize < TXBD_DATA_SIZE" */
void (*mpu_send)(char*,int) = (void*) (0xFFA872BC - 0xFFA69590);
char msg[] = { 0x08, 0x09, 0x01, 0x10, 0x00, 0x07, 0x00, 0x00 };
mpu_send(msg, msg[0]);


Ref: http://www.magiclantern.fm/forum/index.php?topic=17596.msg170023#msg170023

This code works on 5D3?

500D to display lens_info :
void (*mpu_send)(char*,int) = (void*) (0xFF18A884);
char msg[] = { 0x04, 0x09, 0x00 };
mpu_send(msg, 5);


dm-log
mpu_send(06 04 09 00 19)

a1ex

Yes, it does. Correction:


char msg[] = { 0x04, 0x09, 0x00, 0x00 };
mpu_send(msg, msg[0]);


The first number in a MPU message is transfer_size (always even), and the second number is message_size. Since MPU messages are transferred 16 bits at a time, transfer_size is (message_size + 2) & 0xFE (that is, either message_size + 1 or message_size + 2). When calling mpu_send, we need to pass only the useful part of the message (that is, message_size + message_content). The transfer size and the leading zero, if any, are added by mpu_send.

In other words, when you start a MPU message with 0x04, you must provide 4 values.

Side note: I'm pretty sure the same command (requesting LV lens info) can be done using properties, somehow.

Greg

Sensor cleaning :
mpu_send(06 05 04 0d 04 00) // ACTIVE_SWEEP_STATUS : 4 (sensor cleaning with shutter)
mpu_send(06 05 04 0d 01 00) // ACTIVE_SWEEP_STATUS : 1 (sensor cleaning without shutter)


Quote from: a1ex on July 23, 2016, 06:31:18 AM
Side note: I'm pretty sure the same command (requesting LV lens info) can be done using properties, somehow.

**INTERRUP TryPostEvent(&"TaskClass", &"LiveViewMgr", 0x2, 0x0, 0x0), from ff0da5bc
LiveViewMg before3_mpu_send(&"StateObject", &"LiveViewMgr", 0x2, 0x0, 0x0), from ff1a6298
LiveViewMg prop_request_change(0x80050000, 0x15a124, 0x4), from ff035270
           prop data = 2
LiveViewMg TryPostEvent(&"TaskClass", &"PropMgr", 0x6, 0xa63744, 0xc), from ff059cfc
LiveViewMg TryPostEvent(&"TaskClass", &"LVC_AE", 0x3, 0x4086b9d4, 0x0), from ff03528c
LiveViewMg TryPostEvent(&"TaskClass", &"LVC_DEV", 0x1, 0x40a637d4, 0x0), from ff0363e4
   PropMgr before3_mpu_send(&"StateObject", &"PropMgr", 0x6, 0xa63744, 0xc), from ff1a6298
   PropMgr before2_mpu_send(0xff42d278), from ff1876c8
   PropMgr before1_mpu_send(0x9, 0x0, 0x1), from ff188bd0
   PropMgr mpu_send(06 04 09 00 00), from ff05c438

Greg

Electronic level :

   ml_init:00070fe8:00:00: *** RollingPitching(0x0), from 4d6b4
   ml_init:ff1be48c:83:03: GUI_SetRollingPitchingLevelStatus Status(0)
   ml_init:00070fe8:00:00: *** prop_request_change(0x80030039, 0x14fa8, 0x6), from 4d6b4
   ml_init:00093d18:00:00: prop data = 0
   ml_init:00070fe8:00:00: *** TryPostEvent(&"TaskClass", &"PropMgr", 0x6, 0xa42d94, 0xe), from ff059cfc
   PropMgr:00070fe8:00:00: *** before3_mpu_send(&"StateObject", &"PropMgr", 0x6, 0xa42d94, 0xe), from ff1a6298
   PropMgr:00070fe8:00:00: *** afterRollingPitching(0xff42ce18, 0xa42d9c, 0xff188c1c, 0x3), from ff1876c8
   PropMgr:00070fe8:00:00: *** before1_mpu_send(0x3, 0x3a, 0x7), from ff188c50
   PropMgr:000710e0:00:00: *** mpu_send(0c 0a 03 3a 00 00 00 00 00 00 00), from ff05c438



GUI_SetRollingPitchingLevelStatus Status(0)
mpu_send(0c 0a 03 3a 00 00 00 00 00 00 00)

GUI_SetRollingPitchingLevelStatus Status(1)
mpu_send(0c 0a 03 3a 01 00 00 00 00 00 00)


It looks like the CPU sends a request to the MPU, but no response.


Image orientation :

mpu_recv(3e 3c 05 03 01 01 00 00 00 00 03 00 00 ...) // horizontal
mpu_recv(3e 3c 05 03 01 01 00 00 00 00 03 00 00 ...) // horizontal
mpu_recv(3e 3c 05 03 01 01 00 00 00 00 03 00 02 ...) // rotate 270 CW
mpu_recv(3e 3c 05 03 01 01 00 00 00 00 03 00 02 ...) // rotate 270 CW
mpu_recv(3e 3c 05 03 01 01 00 00 00 00 03 00 01 ...) // rotate 90 CW
mpu_recv(3e 3c 05 03 01 01 00 00 00 00 03 00 01 ...) // rotate 90 CW


Possible that this is related to the electronic level, yet I'm not sure.

Audionut

So many exciting things happening with this project lately, this being just one of them.

In the spirit of DeafEyeJedi.......Keep up the good work.   :)

Greg

Video temperature :
mpu_recv(06 05 03 38 af 00) // 0xAF - 128 = 47°C
PROP_BOARD_TEMP 47Ž


Photo temperature :
mpu_recv(06 05 03 17 9e 00) // 0x9E - 128 = 30°C
Temp_RAW_to_C(0x9e)
PROP_EFIC_TEMP 30Ž


Temp_RAW_to_C -> http://www.magiclantern.fm/forum/index.php?topic=9673.msg170387#msg170387

leegong

On TX19 side of 550D  ,  sub_0x15620  sends msg to main MPU with HSIO0  ,
here are some examples sent out to main MPU :
char msg[] = { 0x05, 0x07, 0x01, 0x00 , 0x0};
char msg[] = { 0x05, 0x07, 0x01, 0x01 , 0x0};
char msg[] = { 0x05, 0x07, 0x01, 0x02 , 0x0};
char msg[] = { 0x05, 0x07, 0x00, 0x03 , 0x0};
char msg[] = { 0x05, 0x07, 0x00, 0x04 , 0x0};

leegong

On EOS-550D ,TX19a  may send the following msg to main CPU :
char msg[] = { 0x04, 0x05, 0x00, 0x00 };  // ae start
char msg[] = { 0x04, 0x05, 0x01, 0x00 };  // rel start
char msg[] = { 0x04, 0x05, 0x05, 0x00 };  // rel end , or bulb end
char msg[] = { 0x04, 0x05, 0x06, 0x00 };  // rel cancel
char msg[] = { 0x04, 0x05, 0x07, 0x00 };  // ae stop
char msg[] = { 0x04, 0x05, 0x0B, 0x00 };  // ae timer start
char msg[] = { 0x04, 0x05, 0x0E, 0x00 };  // related to rel
char msg[] = { 0x04, 0x05, 0x0F, 0x00 };  // related to rel

leegong

@alex , in your posting ,
mpu_recv(3c 3a 09 00 3c 3c e0 00 3f 80 00 00 38 12 c0 00 b9 cb c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 08 11 10 50 49 02 59 88 88 00 32 00 00 00 00 00 01 00 00 00)
PROP_LV_LENS

My wild guessing ,  all of 11 10 50 are Aperture , pobably current aperture , max aperture , mini aperture respectively . 
EDIT : almost 100% sure about definition of 11 10 50 mentioned above.

a1ex

Great findings, leegong. Your hints are very helpful for emulating the MPU firmware in QEMU - something that was a pipe dream until recently.

leegong

char msg[] = { 0x05, 0x03, 0x04, power_kind , 0 };  //  power_kind = 0 : LI , 1 : AM , 2 : AC
char msg[] = { 0x05, 0x03, 0x05, power_level , 0 };  // when power_kind == 2 ( AC ) , power_level = 2

Ant123

Is this large chip at the upper left corner of 760D MPU?


leegong

char msg[] = { 0x06,  0x09, 0x13,  , end , AF_driving_speed , unknwon_para  }; //  focus  to infinite or nearest end  , no idea about what's the meaning of the last byte , probably related to timeout  . 

nikfreak

this is leegong  8) from nikonhackers, right? welcome!
[size=8pt]70D.112 & 100D.101[/size]

leegong

Thank you nikfreak . i'm nikonhacker leegong , i'm newbie here , i'm glad to learn Canon hacking from you guys here ,
TX19A43 in EOS 550D is almost same as TX19A44 in Nikon D5100 , i'm happy and willing to add value to Magic Lantern project . 

leegong

TX19a is responsible for communicating with AF sensor /  AE sensor  ,
but i have no idea about which part of TX19 is connected to AF sensor /  AE sensor  , 
any hardware connection info for TX19a on EOS 550D side ?

leegong 

a1ex

I have no idea either, but I can find out some MPU messages related to AF and AE, if it helps.


**INT-36h*:00ca8dac:00:00: *** mpu_recv(18 17 0a 08 0f 00 02 00 01 01 a0 10 00 68 01 01 50 20 25 01 01 00 48 00), from ff1bf420
  MainCtrl:ff01e44c:9c:01: ID:8(21)
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[1][4][2]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd140:9f:01:     tv 68
  MainCtrl:ff0bd15c:9f:01:     range tv a0,10
  MainCtrl:ff0bd1bc:9f:01:     av 25
  MainCtrl:ff0bd1d8:9f:01:     range av 50,20
  MainCtrl:ff0bd214:9f:01:     iso 48
  MainCtrl:ff01bf50:89:03: bindReceiveNewTFTOLC
  MainCtrl:ff024524:85:03: GUI_Control:90 0xbeb5b8
  MainCtrl:ff01e44c:9c:01: ID:8000002C(22)
   PropMgr:ff039df0:33:01: ptpPropChangeEvCBR[8000002c][4][68]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][9]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][49]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][49]
   PropMgr:ff039df0:33:01: ptpPropChangeEvCBR[8000002d][4][25]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][9]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][49]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][49]
   PropMgr:ff039df0:33:01: ptpPropChangeEvCBR[8000002e][4][48]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][9]

**INT-36h*:00ca8dac:00:00: *** mpu_recv(0e 0c 0a 08 09 00 03 00 01 01 00 6b 00), from ff1bf420
  MainCtrl:ff01e44c:9c:01: ID:8(6)
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[1][4][3]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd214:9f:01:     iso 6b

**INT-36h*:00ca8dac:00:00: *** mpu_recv(14 13 0a 08 49 00 02 00 01 01 00 70 01 01 f8 00 00 00 00 00), from ff1bf420
  MainCtrl:ff01e44c:9c:01: ID:8(27)
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[1][4][2]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd214:9f:01:     iso 70
  MainCtrl:ff0bd078:9f:01:     aeb_count 0

**INT-36h*:00ca8dac:00:00: *** mpu_recv(20 1e 0a 08 49 09 02 00 01 01 00 5b 01 01 00 00 00 00 00 00 00 00 00 01 40 01 00 00 00 00 00), from ff1bf420
  MainCtrl:ff01e44c:9c:01: ID:8(22)
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[1][4][2]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd214:9f:01:     iso 5b
  MainCtrl:ff0bd078:9f:01:     aeb_count 0
  MainCtrl:ff0bd340:9f:01: rmt_olc_com_gr8:0,0,0
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[3][4][0]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd36c:9f:01:     focusstatus 1,1
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[0][4][4001]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd49c:9f:01:     focusinfo 1,40,1
  MainCtrl:ff01bf50:89:03: bindReceiveNewTFTOLC
  MainCtrl:ff024524:85:03: GUI_Control:90 0xbf2f44
   PropMgr:ff039df0:33:01: ptpPropChangeEvCBR[8000002e][4][5b]
   PropMgr:ff0399c4:33:01: SendPipeEvent [0][0][9]
   PropMgr:00c7b3b4:00:00: PROP_ISO_AUTO 91

**INT-36h*:00ca8dac:00:00: *** mpu_recv(12 11 0a 08 00 09 00 00 00 00 00 00 00 00 00 00 00 00), from ff1bf420
  MainCtrl:ff01e44c:9c:01: ID:8(24)
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[0][4][0]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd340:9f:01: rmt_olc_com_gr8:0,0,0
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[3][4][0]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd36c:9f:01:     focusstatus 0,1
  MainCtrl:ff03a3a4:33:01: PD_NotifyOlcInfoChanged[0][4][0]
  MainCtrl:ff0399c4:33:01: SendPipeEvent [0][0][10]
  MainCtrl:ff0bd49c:9f:01:     focusinfo 0,0,1


So, 0a 08 is a complex message with variable size that appears to send exposure info and focus status from MPU to the main CPU.

Focus status messages are only sent in LiveView (contrast-detect AF):

#define PROP_LV_FOCUS_STATE     0x80050009 // 1 OK, 101 bad, 201 not done?

   PropMgr:00ca8d64:00:00: *** mpu_send(06 05 09 0b 02 00), from ff05e224
   PropMgr:ff02a148:8f:02: dcsChangeAckCBR (0x80050009, 0x201)
       Gmt:ff100128:98:03: PROP_LV_AF_RESULT 1 2

PropMgr:00ca8d64:00:00: *** mpu_send(06 05 09 0b 00 00), from ff05e224
   PropMgr:ff02a148:8f:02: dcsChangeAckCBR (0x80050009, 0x1)
       Gmt:ff100128:98:03: PROP_LV_AF_RESULT 1 0

   // not sure about this one
   PropMgr:00ca8d64:00:00: *** mpu_send(26 24 09 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00), from ff05e224
   PropMgr:ff02a148:8f:02: dcsChangeAckCBR (0x80050009, 0x200)
       Gmt:ff0fe5c4:98:02: [GMT] gmtProperty ID=0x80050009(0x200)
       Gmt:ff100128:98:03: PROP_LV_AF_RESULT 0 2
       Gmt:ff261044:98:03: TA10 OFF (AF Start)


I could not find any property triggered when focusing outside LiveView, except for NotifyOlcInfoChanged. The focus confirmation status (e.g. for dot_tune AFMA) is recognized by ML from the "focusinfo" messages triggered by that property, and it's also sent in manual focus mode, so this one must be related to AF sensor somehow.

Hope it helps.

DeafEyeJedi

Welcome aboard @leegong -- I just did my first Nikon hack on a co-worker's D5100 and was surprised at how eerily similar the installation process was. Very NHDK tho. [emoji2]

Glad to have you on this project!
5D3.113 | 5D3.123 | EOSM.203 | 7D.203 | 70D.112 | 100D.101 | EOSM2.* | 50D.109

leegong

Thanks ,  DeafEyeJedi , nice to meet you and work with you on this project .
I'll be very glad to discuss Nikon D5100 hacking with you on Nikonhacker forum if you like . 

leegong

I'm searching for msg class 0xA on TX19 size , no  result yet .
Upon receiving msg 0x1 , 0x4 , TX19 seems to change AF mode , AF  point .
EDIT : msg 01 05 seems to change TV .

leegong

char msg {0x? , 0xA , 0x8 , flag00 , flag01 , data00 , data01 .......} ;
each bit of flag00 , flag01 indicates a specific type of data paylaod is present in msg0A08 or not ,
so there are 16 kinds of different data structure , only 13 kinds of  payload type are available in 550D TX19 .
00000000 struc_4         struc  # (sizeof=0x4)    # XREF: ROM:TAB_Msg0A08_payload_formatr
00000000 Msg0A_08_PayloadType_offset:.byte ?
00000001 Msg0A_08_payload_type:.byte ?
00000002 Msg0A_08_payload_offset:.byte ?
00000003 Msg0A_08_payload_size:.byte ?
00000004 struc_4         ends

ROM:0001884E TAB_Msg0A08_payload_format:struc_4 <   3,    1,    5,    2> # 0
ROM:0001884E                                          # DATA XREF: ROM:off_21504o
ROM:0001884E                                          # Report_MSG0A_08+7Ar ...
ROM:0001884E                 struc_4 <   3,    2,    7,    6> # 1
ROM:0001884E                 struc_4 <   3,    4,  0xD,    5> # 2
ROM:0001884E                 struc_4 <   3,    8, 0x12,    4> # 3
ROM:0001884E                 struc_4 <   3, 0x10, 0x16,    4> # 4
ROM:0001884E                 struc_4 <   3, 0x20, 0x1A,    6> # 5
ROM:0001884E                 struc_4 <   3, 0x40, 0x20,    7> # 6
ROM:0001884E                 struc_4 <   3, 0x80, 0x27,    3> # 7
ROM:0001884E                 struc_4 <   4,    1, 0x2A,    5> # 8
ROM:0001884E                 struc_4 <   4,    2, 0x2F,    5> # 9
ROM:0001884E                 struc_4 <   4,    4, 0x34,    5> # 0xA
ROM:0001884E                 struc_4 <   4,    8, 0x39,    6> # 0xB
ROM:0001884E                 struc_4 <   4, 0x10, 0x3F,    1> # 0xC

leegong

Quote from: a1ex on July 22, 2016, 10:43:28 PM
5D3: 0x08, 0x09, 0x01, num_steps_hi, num_steps_lo, 0x07, 0x00, 0x00: lens focus control in LiveView (also works in paused LiveView).
07 in the msg above is Focus driving speed .

leegong

Quote from: Greg on July 21, 2016, 03:22:31 PM
500D, LV
mpu_send(06 04 09 00 00)
mpu_recv(3c 3a 09 00 3c 3c e0 00 3f 80 00 00 38 12 c0 00 b9 cb c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 08 11 10 50 49 02 59 88 88 00 32 00 00 00 00 00 01 00 00 00)
PROP_LV_LENS


0x32 - focal length
0x10 - aperture

Since msg 09 00 is PROP_LV_LENS , meanwhile msg 09 12 is exactly same as msg 09 00 , i guess  msg 09 12 is for photo mode .