The STM32 board is just a hair bigger than the PIC, but the biggest pieces are still the power switch, channel button & battery. The plan is to print an L-shaped enclosure that tapes around the hot shoe & sticks up. The antenna will sit vertically in a plastic tube. The original hot shoe fasteners won't be used. The flash enclosure will be a horizontal board.
The STM32 at 168MHz can sample all 3 ADCs at 2MHz. X can be sampled digitally. ID requires analog sampling, so the plan is to sample CLK full time & sample either ID while CLK is high or D1 (from the flash) while CLK is low. D1 is only sampled for protocol sniffing. There's no plan to send any data from the flash back to the camera over a bidirectional radio.
Fortunately, the data comes in slowly enough to print. Sadly, the decoded data during metering is gibberish & matches very little of http://staff.www.ltu.se/~joborg/ettl/.
0xB5 is a start code. After that, the data departs from what's documented there.
Welcome to wireless ETTL FROM FLASH TO FLASH ff ff 8e b5 de 4c 8e ff 8e b5 de 4c 8e e5 0d ff 8e a9 91 25 8e a1 2b f8 2b a5 00 2c 8e b9 00 80 8e bd aa 00 59 1c 00 99 ff fb 02 ff 8e f9 75 ff 8e f7 7b ff 8e b3 00 12 00 46 00 2f 00 f5 57 ff 49 ff 5c ff 0f ff 00 be 8e 14 8e bb 00 48 00 ff 8e e6 3f ff 10 ff 00 ff 8e b7 8e 38 8e b8 8e 6d 8e b4 8e 1d
The object of the game is replaying the conversation rather than knowing what any of the data means, so the trick is detecting repeating patterns & tracking just the differences. The sniffer can also print the time difference between byte pairs.
It emits nothing when powering up the cam before the flash.
It emits a single packet when powering up the flash before the cam:
Welcome to wireless ETTL FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET ff ff 3189193 0 8e b5 117 1 de 4c 111 2 8e ff 116 3 8e b5 116 4 de 4c 111 5 8e e5 75 6 0d ff 117 7 8e a9 115 8 91 25 117 9 8e a1 83 10 2b f8 154 11 2b a5 84 12 00 2c 116 13 8e b9 88 14 00 80 117 15 8e bd 70 16 aa 00 116 17 59 1c 69 18 00 99 74 19 ff fb 112 20 02 ff 116 21 8e f9 116 22 55 ff 117 23 8e f7 116 24 7b ff 112 25 8e b3 116 26 00 12 158 27 00 46 84 28 00 2f 74 29 00 f5 74 30 57 ff 116 31 49 ff 69 32 5c ff 71 33 0f ff 74 34 00 be 70 35 8e 14 120 36 8e bb 71 37 00 48 116 38 00 ff 69 39 8e e6 117 40 3f ff 121 41 10 ff 88 42 00 ff 83 43 8e b7 117 44 8e 38 112 45 8e b8 74 46 8e 6d 111 47 8e b4 69 48 8e 1d 117 49 8e a8 69 50 91 00 116 51
Tapping the metering button emits a long sequence of packets which automatically times out.
The start of a packet sequence for metering:
Welcome to wireless ETTL FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET ff ff 17591745 0 8e b5 117 1 de 4c 125 2 8e ff 159 3 8e b5 115 4 de 4c 112 5 8e e5 75 6 0d ff 120 7 8e a9 116 8 91 25 117 9 8e a1 84 10 2b f8 153 11 2b a5 84 12 00 2c 121 13 8e b9 88 14 00 80 116 15 8e bd 69 16 aa 00 131 17 59 1c 69 18 00 99 70 19 ff fb 111 20 02 ff 117 21 8e f9 125 22 75 ff 116 23 8e f7 117 24 7b ff 125 25 8e b3 117 26 00 12 157 27 00 46 84 28 00 2f 88 29 00 f5 89 30 57 ff 134 31 49 ff 69 32 5c ff 69 33 0f ff 84 34 00 be 70 35 8e 14 121 36 8e bb 79 37 00 48 116 38 00 ff 70 39 8e e6 129 40 3f ff 135 41 10 ff 89 42 00 ff 88 43 8e b7 116 44 8e 38 112 45 8e b8 88 46 8e 6d 111 47 8e b4 70 48 8e 1d 112 49 8e a8 69 50 91 00 131 51 8e a5 148 52 00 2d 117 53 8e a5 288 54 01 2c 116 55 8e ff 47540 0 8e b5 116 1 de 4c 112 2 8e e5 75 3 0d ff 125 4 8e a9 117 5 91 25 116 6 8e a1 84 7 2b f8 153 8 2b a5 84 9 00 2c 116 10 8e b9 93 11 00 80 116 12 8e bd 69 13 18 00 126 14 69 1c 69 15 1e 99 70 16 ff fb 111 17 02 ff 117 18 8e f9 125 19 75 ff 116 20 8e f7 117 21 7b ff 125 22 8e b3 116 23 00 12 158 24 00 46 83 25 00 2f 74 26 00 f5 75 27 57 ff 121 28 49 ff 70 29 5c ff 70 30 0f ff 83 31 00 be 70 32 8e 14 121 33 8e bb 79 34 00 48 116 35 00 ff 70 36 8e e6 130 37 3f ff 130 38 10 ff 93 39 00 ff 88 40 8e b7 117 41 8e 38 112 42 8e b8 83 43 8e 6d 111 44 8e b4 71 45 8e 1d 111 46 8e a8 70 47 91 00 116 48 8e a5 149 49 00 2d 116 50 8e a5 335 51 01 2c 116 52 8e ff 48556 0 8e b5 121 1 de 4c 111 2 8e e5 75 3 0d ff 129 4 8e a9 117 5 91 25 121 6 8e a1 83 7 2b f8 153 8 2b a5 83 9 00 2c 117 10 8e b9 83 11 00 80 117 12 8e bd 69 13 18 00 130 14 69 1c 70 15 1c 99 69 16 ff fb 111 17 02 ff 116 18 8e f9 125 19 55 ff 116 20 8e f7 117 21 7b ff 125 22 8e b3 116 23 00 12 158 24 00 46 84 25 00 2f 74 26 00 f5 74 27 57 ff 121 28 49 ff 70 29 5c ff 69 30 0f ff 83 31 00 be 70 32 8e 14 121 33 8e bb 79 34 00 48 116 35 00 ff 70 36 8e e6 125 37 3f ff 121 38 10 ff 84 39 00 ff 84 40 8e b7 115 41 8e 38 111 42 8e b8 75 43 8e 6d 125 44 8e b4 
70 45 8e 1d 111 46 8e a8 70 47 91 00 116 48 8e a5 1889 49 00 2d 121 50 8e a5 288 51 01 2c 116 52 8e ff 46831 0
The timing is pretty consistent, so we can strip it down to packets.
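As an added example (not the project's own code), here is a parser for the sniffer's FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET dump format. It splits the dump into packets wherever the offset counter resets to 0, reports the idle gap before each packet, and then prints only the byte pairs that change between consecutive packets, which is the "track just the differences" approach described above and the same comparison used for meter packet #1 vs #2 further down. The embedded sample is a truncated excerpt of the metering dump above (the first packet and the start of the two that follow it). Aligning packets on the first 8e/ff pair is an assumption of mine so that packets with and without the leading ff/ff 8e/b5 de/4c preamble line up; it is not something the protocol documents.

```python
"""Parse the sniffer's 'FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET' dump,
split it into packets and report only the byte pairs that change between them."""
from dataclasses import dataclass
from typing import List, Tuple

HEADER = "Welcome to wireless ETTL FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET"

# Constructed sample: truncated excerpt of the metering dump in the log above.
# 4 tokens per clock: from_flash to_flash us_since_last_pair offset_in_packet.
SAMPLE_DUMP = HEADER + """
ff ff 17591745 0 8e b5 117 1 de 4c 125 2 8e ff 159 3 8e b5 115 4 de 4c 112 5
8e e5 75 6 0d ff 120 7 8e a9 116 8 91 25 117 9 8e a1 84 10 2b f8 153 11
2b a5 84 12 00 2c 121 13 8e b9 88 14 00 80 116 15 8e bd 69 16 aa 00 131 17
59 1c 69 18 00 99 70 19 ff fb 111 20
8e ff 47540 0 8e b5 116 1 de 4c 112 2 8e e5 75 3 0d ff 125 4 8e a9 117 5
91 25 116 6 8e a1 84 7 2b f8 153 8 2b a5 84 9 00 2c 116 10 8e b9 93 11
00 80 116 12 8e bd 69 13 18 00 126 14 69 1c 69 15 1e 99 70 16 ff fb 111 17
8e ff 48556 0 8e b5 121 1 de 4c 111 2 8e e5 75 3 0d ff 129 4 8e a9 117 5
91 25 121 6 8e a1 83 7 2b f8 153 8 2b a5 83 9 00 2c 117 10 8e b9 83 11
00 80 117 12 8e bd 69 13 18 00 130 14 69 1c 70 15 1c 99 69 16 ff fb 111 17
"""

Pair = Tuple[int, int]


@dataclass
class Xfer:
    from_flash: int
    to_flash: int
    us: int       # microseconds since the previous byte pair
    offset: int   # sniffer's offset within the packet


def parse_dump(text: str) -> List[List[Xfer]]:
    """Split the dump into packets; a packet starts whenever the offset resets to 0."""
    body = text.split("PACKET OFFSET", 1)[-1]
    tok = body.split()
    if len(tok) % 4:
        raise ValueError("dump has a partial 4-token record")
    packets: List[List[Xfer]] = []
    for i in range(0, len(tok), 4):
        x = Xfer(int(tok[i], 16), int(tok[i + 1], 16), int(tok[i + 2]), int(tok[i + 3]))
        if x.offset == 0:
            packets.append([])
        elif not packets or x.offset != packets[-1][-1].offset + 1:
            raise ValueError(f"offset gap before record {i // 4}")
        packets[-1].append(x)
    return packets


def align(pkt: List[Xfer]) -> List[Pair]:
    """Assumed heuristic: drop everything before the first 8e/ff pair so packets
    with and without the ff/ff 8e/b5 de/4c preamble compare position by position."""
    p = [(x.from_flash, x.to_flash) for x in pkt]
    try:
        start = p.index((0x8e, 0xff))
    except ValueError:
        start = 0
    return p[start:]


def diff_packets(a: List[Xfer], b: List[Xfer]) -> List[Tuple[int, Pair, Pair]]:
    """(aligned index, pair in a, pair in b) for every position that differs."""
    pa, pb = align(a), align(b)
    return [(i, pa[i], pb[i]) for i in range(min(len(pa), len(pb))) if pa[i] != pb[i]]


def packet_gaps_us(packets: List[List[Xfer]]) -> List[int]:
    """Idle time before each packet: the uS value of its first record."""
    return [p[0].us for p in packets]


def fmt(pair: Pair) -> str:
    return f"{pair[0]:02x}/{pair[1]:02x}"


if __name__ == "__main__":
    pk = parse_dump(SAMPLE_DUMP)
    print(len(pk), "packets, lengths", [len(p) for p in pk], "gaps(us)", packet_gaps_us(pk))
    for k in range(1, len(pk)):
        for i, pa, pb in diff_packets(pk[k - 1], pk[k]):
            print(f"pkt{k - 1}->pkt{k} aligned idx {i}: {fmt(pa)} -> {fmt(pb)}")
```

On the excerpt this reports the three flash-side bytes that change between the first and second metering packet (aa/00 59/1c 00/99 becoming 18/00 69/1c 1e/99) and the single byte that changes between the second and third (1e/99 becoming 1c/99); everything else lines up once the preamble is skipped. Run it on a full dump to find which positions are worth tracking for replay.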
The camera powerup packet is 52 byte pairs (1 byte from the flash & 1 to the flash per clock):
FROM FLASH/TO FLASH 7f/7f 8e/b5 de/4c 8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd aa/00 59/23 00/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8 91/00
Metering starts with a 56 byte-pair packet:
FROM FLASH/TO FLASH 7f/7f 8e/b5 de/4c 8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd aa/00 59/23 00/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8 91/00 8e/a5 00/2d 8e/a5 01/2c
then a repeating 53 byte-pair packet until it times out:
FROM FLASH/TO FLASH 8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23 23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8 91/00 8e/a5 00/2d 8e/a5 01/2c
The 1st byte pair is random. It's going to take some logic to figure out which packet to replay. Meter packet #1 seems to be the powerup packet + 4 byte pairs. Meter packet #2 seems to start with 0xb5, 0x4c, 0xe5 on the camera side instead of 0xb5, 0x4c, 0xff.
When the flash LCD shows the current f-stop or the camera LCD shows the flash icon, it's during this metering packet sequence. After the sequence ends, the screen widgets go away until the metering button is pressed again. The next problem is sampling X.
All standard metering packets end with
8e/a5 00/2d X 0V X 3.3V 8e/a5 01/2c
It seems triggering the preflash requires the following packet:
8e/ff 8e/b4 8e/1d 8e/f2 c0/ff 8e/ff 8e/b4 8e/03 8e/f2 a0/ff 8e/b0 8e/80 8e/b1 8e/04 8e/b3 00/12 00/46 00/2f 00/b4 8e/23 CLK 0V CLK 3.3V (end of preflash packet)
The main flash comes next with the following packet:
ff/ff 8e/b3 00/32 00/46 00/2f 00/f8 3a/ff 8e/bb 00/48 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b0 8e/88 8e/b4 8e/1d 8e/f2 c0/ff 8e/b3 00/36 00/46 00/2f 00/b4 8e/3d CLK 0V X 0V X 3.3V CLK 3.3V 7f/b4 8e/1d 8e/b3 00/12 00/46 00/2f 00/fc 88/ff c0/ff 1a/ff 2a/ff 85/ff 78/ff (end of main flash packet)
followed by 2 metering packets without the 8e/a5 00/2d 8e/a5 01/2c tail:
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23 23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8 91/00 (metering packet without 8e/a5 00/2d 8e/a5 01/2c)
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23 23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8 91/00 (metering packet without 8e/a5 00/2d 8e/a5 01/2c)
Standard metering packets ending with
8e/a5 00/2d X 0V X 3.3V 8e/a5 01/2c
follow until the timeout. If multiple flashes fire in succession, the last 91/00 goes straight into the next preflash packet.
ID sits at 1.4V throughout metering & exposures, and at 0V otherwise.
The next step is tracking down what changes with different flash & camera settings, especially focal length & the flash power setting.