Messages

Lens firmware of EF-S 55-250 and EF-S 40 f2.8 are downloadable on Canon offical site ,
with great help from a1ex , i tried to analyze 55-250 firmware , but no progress ,
the BIN seems to be encrypted or i was wrong somewhere.
Now start to analyze Lens firmware of Sigma 24-105mm f4.0 .

@a1ex ,
Data payload inside Msg09 02 is same as that of Msg09 05 , status of AF , Aperture
and IS (motor) in Lens and  ERCD of Lens communication.
Msg09 0A is strongly related to "lv ae".
Msg05 02 is "release data"
Msg05 03 is "release after data"
Msg05 05 is "bulb end"

@a1ex ,
MPU reports Lens status in Msg09 05 to CPU , 4 bytes in Msg09 05 payload,
the last one is probablly ERCD of Lens communication :
0x00 : good
0x02 : no 0xAA response from Lens after sending Lens CMD 0xA
0x20 : Lens-Camera RTX timeout 
Any info of Msg09 05 on CPU side ?

EDIT :
0x1 looks like that lens is detached.
0x80 is very special ， maybe Lens in debug mode.

@a1ex ， event of SW1 and SW2 in 550D MPU FW are not sent in Msg 06  ,
i guess they are strongly related to half shutter and full shutter pressing ,
i'm going to check how they work .

@a1ex , LensIDs are described in Canon Exif Tags  https://sno.phy.queensu.ca/~phil/exiftool/TagNames/Canon.html
do you know , in which kind of MPU Msg , LensID mentioned above is sent to CPU ?   



 

@a1ex , some decodings in 550D MPU FW :
Msg 06 01 = Display
Msg 06 03 = Play
Msg 06 04 = EraseButton
Msg 06 0A = AE_Lock
Msg 06 0C = Set button
Msg 06 11 = LockSW
Msg 06 12 = CardCover
Msg 06 13 = BatCover
Msg 06 18 = CrossUp
Msg 06 19 = CrossDown
Msg 06 1A = CrossRight
Msg 06 1B = CrossLeft
Msg 06 1C = AVbutton
Msg 06 1E is strongly related to mestimer starting
Msg 06 21 = RECstart

MPU reports Lens status in Msg09 05 to CPU , 4 bytes in Msg09 05 payload,
the last one is probablly ERCD of Lens communication :
0x00 : good
0x02 : no 0xAA response from Lens after sending Lens CMD 0xA
0x20 : Lens-Camera RTX timeout 
Any info of Msg09 05 on CPU side ?

it would be cool if you could merge your findings. e.g. in the magic lantern wiki on wikia? http://magiclantern.wikia.com/wiki/

So sorry , my english is too bad to writting in  the magic lantern wiki , so many types of msgs as you know .   
however i'll be glad to share my findings here or sending to anyone if he writes info of MPU msgs  in  the magic lantern wiki .

Any description or info of any Msg is appreciated ,  for example msg 05 02 , msg 09 17 , msg 08 02......

 Lens max aperture ， minimum aperture ， Lens ID ， Wide FocalLength ， tele Focal Length ...... are inside msg 03  15

Payload of msg 09 14  includes  short integer LensFocusPosition and long integer timing 

500D, LV

Code Select Expand

mpu_send(06 04 09 00 00)
mpu_recv(3c 3a 09 00 3c 3c e0 00 3f 80 00 00 38 12 c0 00 b9 cb c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 08 11 10 50 49 02 59 88 88 00 32 00 00 00 00 00 01 00 00 00)
PROP_LV_LENS


0x32 - focal length
0x10 - aperture

Since msg 09 00 is PROP_LV_LENS , meanwhile msg 09 12 is exactly same as msg 09 00 , i guess  msg 09 12 is for photo mode .

5D3: 0x08, 0x09, 0x01, num_steps_hi, num_steps_lo, 0x07, 0x00, 0x00: lens focus control in LiveView (also works in paused LiveView).

07 in the msg above is Focus driving speed .

char msg {0x? , 0xA , 0x8 , flag00 , flag01 , data00 , data01 .......} ;
each bit of flag00 , flag01 indicates a specific type of data paylaod is present in msg0A08 or not ,
so there are 16 kinds of different data structure , only 13 kinds of  payload type are available in 550D TX19 .

Code Select Expand

00000000 struc_4         struc  # (sizeof=0x4)    # XREF: ROM:TAB_Msg0A08_payload_formatr
00000000 Msg0A_08_PayloadType_offset:.byte ?
00000001 Msg0A_08_payload_type:.byte ?
00000002 Msg0A_08_payload_offset:.byte ?
00000003 Msg0A_08_payload_size:.byte ?
00000004 struc_4         ends


Code Select Expand

ROM:0001884E TAB_Msg0A08_payload_format:struc_4 <   3,    1,    5,    2> # 0
ROM:0001884E                                          # DATA XREF: ROM:off_21504o
ROM:0001884E                                          # Report_MSG0A_08+7Ar ...
ROM:0001884E                 struc_4 <   3,    2,    7,    6> # 1
ROM:0001884E                 struc_4 <   3,    4,  0xD,    5> # 2
ROM:0001884E                 struc_4 <   3,    8, 0x12,    4> # 3
ROM:0001884E                 struc_4 <   3, 0x10, 0x16,    4> # 4
ROM:0001884E                 struc_4 <   3, 0x20, 0x1A,    6> # 5
ROM:0001884E                 struc_4 <   3, 0x40, 0x20,    7> # 6
ROM:0001884E                 struc_4 <   3, 0x80, 0x27,    3> # 7
ROM:0001884E                 struc_4 <   4,    1, 0x2A,    5> # 8
ROM:0001884E                 struc_4 <   4,    2, 0x2F,    5> # 9
ROM:0001884E                 struc_4 <   4,    4, 0x34,    5> # 0xA
ROM:0001884E                 struc_4 <   4,    8, 0x39,    6> # 0xB
ROM:0001884E                 struc_4 <   4, 0x10, 0x3F,    1> # 0xC


I'm searching for msg class 0xA on TX19 size , no  result yet .
Upon receiving msg 0x1 , 0x4 , TX19 seems to change AF mode , AF  point .
EDIT : msg 01 05 seems to change TV .

Thanks ,  DeafEyeJedi , nice to meet you and work with you on this project .
I'll be very glad to discuss Nikon D5100 hacking with you on Nikonhacker forum if you like . 

TX19a is responsible for communicating with AF sensor /  AE sensor  ,
but i have no idea about which part of TX19 is connected to AF sensor /  AE sensor  , 
any hardware connection info for TX19a on EOS 550D side ?

leegong 

Thank you nikfreak . i'm nikonhacker leegong , i'm newbie here , i'm glad to learn Canon hacking from you guys here ,
TX19A43 in EOS 550D is almost same as TX19A44 in Nikon D5100 , i'm happy and willing to add value to Magic Lantern project . 

char msg[] = { 0x06,  0x09, 0x13,  , end , AF_driving_speed , unknwon_para  }; //  focus  to infinite or nearest end  , no idea about what's the meaning of the last byte , probably related to timeout  . 

char msg[] = { 0x05, 0x03, 0x04, power_kind , 0 };  //  power_kind = 0 : LI , 1 : AM , 2 : AC
char msg[] = { 0x05, 0x03, 0x05, power_level , 0 };  // when power_kind == 2 ( AC ) , power_level = 2

@alex , in your posting ,
mpu_recv(3c 3a 09 00 3c 3c e0 00 3f 80 00 00 38 12 c0 00 b9 cb c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 08 11 10 50 49 02 59 88 88 00 32 00 00 00 00 00 01 00 00 00)
PROP_LV_LENS

My wild guessing ,  all of 11 10 50 are Aperture , pobably current aperture , max aperture , mini aperture respectively . 
EDIT : almost 100% sure about definition of 11 10 50 mentioned above.

On EOS-550D ,TX19a  may send the following msg to main CPU :

Code Select Expand

char msg[] = { 0x04, 0x05, 0x00, 0x00 };  // ae start
char msg[] = { 0x04, 0x05, 0x01, 0x00 };  // rel start
char msg[] = { 0x04, 0x05, 0x05, 0x00 };  // rel end , or bulb end
char msg[] = { 0x04, 0x05, 0x06, 0x00 };  // rel cancel
char msg[] = { 0x04, 0x05, 0x07, 0x00 };  // ae stop
char msg[] = { 0x04, 0x05, 0x0B, 0x00 };  // ae timer start
char msg[] = { 0x04, 0x05, 0x0E, 0x00 };  // related to rel
char msg[] = { 0x04, 0x05, 0x0F, 0x00 };  // related to rel

On TX19 side of 550D  ,  sub_0x15620  sends msg to main MPU with HSIO0  ,
here are some examples sent out to main MPU :

Code Select Expand

char msg[] = { 0x05, 0x07, 0x01, 0x00 , 0x0};
char msg[] = { 0x05, 0x07, 0x01, 0x01 , 0x0};
char msg[] = { 0x05, 0x07, 0x01, 0x02 , 0x0};
char msg[] = { 0x05, 0x07, 0x00, 0x03 , 0x0};
char msg[] = { 0x05, 0x07, 0x00, 0x04 , 0x0};

Just take a look at  TX19 firmware of 550D , lots of buttons found in RAM :

Code Select Expand


RAM:FFFFCC3C LockSW:         .byte 1                  # DATA XREF: ROM:000213BCo
RAM:FFFFCC3C                                          # 0 - Lock(Off)
RAM:FFFFCC3D CardCover:      .byte 1                  # DATA XREF: sub_4BB14+B2r
RAM:FFFFCC3D                                          # 0 - open
RAM:FFFFCC3E BatCover:       .byte 1                  # DATA XREF: sub_4BB14+E4r
RAM:FFFFCC3E                                          # 0 - Open

RAM:FFFFCC40 SDDetectSw:     .byte 0                  # DATA XREF: sub_4BB14+116r

RAM:FFFFCC43 Sw1:            .byte 1                  # DATA XREF: sub_4BB14+148r
RAM:FFFFCC43                                          # 0 - on
RAM:FFFFCC44 Sw2:            .byte 1                  # DATA XREF: sub_4BB14+17Ar
RAM:FFFFCC44                                          # sub_6FED0+52r ...
RAM:FFFFCC45 AELockButton:   .byte 1                  # DATA XREF: sub_4BB14+1ACr
RAM:FFFFCC45                                          # 0 - on

RAM:FFFFCC48 SpdnButton:     .byte 1                  # DATA XREF: sub_4BB14+1DEr
RAM:FFFFCC48                                          # 0 - on
RAM:FFFFCC49 StroboPopUpButton:.byte 1                # DATA XREF: sub_4BB14+210r
RAM:FFFFCC49                                          # sub_6FED0+66r ...
RAM:FFFFCC4A StroboPopEndSw: .byte 0                  # DATA XREF: sub_4BB14+242r

RAM:FFFFCC4E AFFrameSelectButton:.byte 1              # DATA XREF: sub_4BB14+274r

RAM:FFFFCC54 ISOButton:      .byte 1                  # DATA XREF: sub_4BB14+2A6r

RAM:FFFFCC57 Av_Button:      .byte 1                  # DATA XREF: sub_4BB14+2D8r

RAM:FFFFCC59 SetButton:      .byte 1                  # DATA XREF: sub_4BB14+30Ar
RAM:FFFFCC5A MenuButton:     .byte 1                  # DATA XREF: sub_4BB14+33Cr
RAM:FFFFCC5B PlayButton:     .byte 1                  # DATA XREF: sub_4BB14+36Er
RAM:FFFFCC5C DisplayButton:  .byte 1                  # DATA XREF: sub_4BB14+3D4r
RAM:FFFFCC5D EraseButton:    .byte 1                  # DATA XREF: sub_4BB14+3A0r

RAM:FFFFCC61 EasyDirect_QuickSetting:.byte 1          # DATA XREF: sub_4BB14+408r

RAM:FFFFCC63 CrossUp:        .byte 1                  # DATA XREF: sub_4BB14+470r
RAM:FFFFCC64 CrossDown:      .byte 1                  # DATA XREF: sub_4BB14+4A4r
RAM:FFFFCC65 CrossRight:     .byte 1                  # DATA XREF: sub_4BB14+4D8r
RAM:FFFFCC66 CrossLeft:      .byte 1                  # DATA XREF: sub_4BB14+50Cr

RAM:FFFFCC68 RECStartButton: .byte 1                  # DATA XREF: sub_4BB14+43Cr
RAM:FFFFCC69 ModeDial:       .byte 2                  # DATA XREF: sub_4BB14+538r