Got some more packets with timing values for key bits.
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00 8e/a5 00/2d
X 0V 100uS
X 3.3V 400uS
8e/a5 01/2c
PACKET SIZE: 53
96000uS
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00 8e/a5 00/2d
X 0V 100uS
X 3.3V 400uS
8e/a5 01/2c
PACKET SIZE: 53
24000uS
8e/ff 8e/b4 8e/1d 8e/f2 c0/ff 8e/ff 8e/b4 8e/03
8e/f2 a0/ff 8e/b0 8e/80 8e/b1 8e/04 8e/b3 00/12
00/46 00/2f
PACKET SIZE: 18
64000uS
00/b4 8e/23
CLK 0V 24000uS
CLK 3.3V 30000uS
PACKET SIZE: 2
30000uS
7f/ff 8e/b3 00/32 00/46 00/2f 00/f8 3a/ff 8e/bb
00/48 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b0 8e/88
8e/b4 8e/1d 8e/f2 c0/ff 8e/b3 00/36 00/46 00/2f
00/b4 8e/3d
CLK 0V 16000uS
X 0V 20000uS
X 3.3V 30000uS
CLK 3.3V 40000uS
PACKET SIZE: 26
40000uS
7f/b4 8e/1d 8e/b3 00/12 00/46 00/2f 00/fc 88/ff
c0/ff 1a/ff 2a/ff 85/ff 78/ff
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00
The timing values are uS since the last byte.
The minimum time before a packet is:
90ms before 8e/ff 8e/b5 metering
20ms before 8e/ff 8e/b4 preflash
20ms before 7f/ff 8e/b3 mane flash
There's no delay between the mane flash 2a/ff 85/ff 78/ff & next metering packet 8e/ff 8e/b5
This is actually a separate packet which occurs after metering repeat, power on, metering start:
8e/a5 00/2d X 0V 66uS X 3.3V 237uS 8e/a5 01/2c
There's no delay before it & it doesn't always occur.
There's up to a 60ms delay in the preflash packet before 00/b4 8e/23.
Time between the preflash packet & preflash trigger CLK 0V is 20ms at minimum.
Time between the mane flash packet & mane flash trigger CLK 0V is 16ms at minimum.
Then the time between CLK 0V & X 0V is 1ms at minimum.
X is held down for the duration of the shutter speed.
For 2nd curtain sync, the trigger starts up reversed. X fires 1st, then CLK is fired at the end of the exposure.
MANE FLASH1 235uS
7f/ff 8e/b3 00/32 00/46 00/2f 00/f8 26*/ff 8e/bb
00/48 00/ff 8e/b7 8e/50* 8e/b8 8e/38* 8e/b0 8e/a2*
8e/b4 8e/1d 8e/f2 c0/ff 8e/b3 00/36 00/46 00/2f
00/b4 8e/3d
X 0V 22704uS
CLK 0V 1005237uS
X 3.3V 1017336uS
CLK 3.3V 1023915uS
MANE FLASH2 225uS
Eventually, the protocol was divided into 9 discrete packets identified by 1-4 starting bytes:
?? b5 4c ff POWERON
?? b5 4c e5 METERING1
a5 METERING2
?? b4 PREFLASH1
b4 23 PREFLASH2
?? b3 MANE FLASH1
b4 1d MANE FLASH2
b4 25 FAST FLASH
bb MANUAL FLASH
Shutter speeds of 1/200 & above introduce an extra b4 25 after MANE FLASH1 & show the high speed icon in the camera LCD.
The next step was putting reference captures of all the packets in the firmware & beginning to parse the variable bits. This was the beginning of yet another long slog through corner cases.
POWERON:
offset 15,38 FROM FLASH: exposure compensation
18=-3
15=-2 2/3
13=-2 1/3
10=-2
0d=-1 2/3
0b=-1 1/3
08=-1
05=-2/3
03=-1/3
00=none
fd=+1/3
fb=+2/3
f8=+1
f5=+1 1/3
f3=+1 2/3
f0=+2
ed=+2 1/3
eb=+2 2/3
e8=+3
offset 18 TO FLASH: focal length in mm Max 255
offset 38 TO FLASH: ISO code
48=100
50=200
58=400
60=800
68=1600
70=3200
88=25,600
8d=40,000
offset 42 FROM FLASH: mode code. These values are only for 90 deg.
00=ETTL
01=manual slow speed
08=ETTL 2nd curtain
09=manual 2nd curtain
10=ETTL high speed
11=manual high speed
12=multi
offset 45 TO FLASH: aperture code
16=1.8
20=2.8
30=5.6
38=8.0
50=22
offset 47 TO FLASH: shutter speed code 1 truncated to 73
METERING1:
offset 12 FROM FLASH: exposure compensation code
offset 15 TO FLASH: focal length in mm Max 255
offset 16 FROM FLASH: focal length flash is set to. Limited to 105
offset 35 TO FLASH: ISO code
offset 39 FROM FLASH: mode code
offset 42 TO FLASH: aperture code
offset 44,46 TO FLASH: shutter speed code 1 & 2
shutter speed code 1 & 2:
38 1d=1s
48 1d=1/4
65 1d=1/50
6d 1d=1/100
73 1d=1/160
75 05=1/200
78 05=1/250
80 05=1/500
88 05=1/1000
93 05=1/4000
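An added example, not part of the original log or the project's firmware: a decoder that checks the ?? b5 4c e5 header and reads the METERING1 offsets listed above out of the metering packet from the first capture. It assumes that in each aa/bb pair the first byte is FROM FLASH and the second is TO FLASH, which is what makes the listed offsets line up with the tables; the function and table names are made up for the example.

```python
# Added example: decode METERING1 fields using only code tables listed on this page.
# Assumption: in each "aa/bb" pair, aa is the byte FROM FLASH and bb is the byte TO FLASH.
EXP_COMP = {0x18: "-3", 0x10: "-2", 0x08: "-1", 0x00: "none",
            0xf8: "+1", 0xf0: "+2", 0xe8: "+3"}  # whole stops only, to keep this short
ISO = {0x48: 100, 0x50: 200, 0x58: 400, 0x60: 800, 0x68: 1600,
       0x70: 3200, 0x88: 25600, 0x8d: 40000}
MODE = {0x00: "ETTL", 0x01: "manual slow speed", 0x08: "ETTL 2nd curtain",
        0x09: "manual 2nd curtain", 0x10: "ETTL high speed",
        0x11: "manual high speed", 0x12: "multi"}  # page: values are for 90 deg only
APERTURE = {0x16: 1.8, 0x20: 2.8, 0x30: 5.6, 0x38: 8.0, 0x50: 22}
SHUTTER = {(0x38, 0x1d): "1s", (0x48, 0x1d): "1/4", (0x65, 0x1d): "1/50",
           (0x6d, 0x1d): "1/100", (0x73, 0x1d): "1/160", (0x75, 0x05): "1/200",
           (0x78, 0x05): "1/250", (0x80, 0x05): "1/500", (0x88, 0x05): "1/1000",
           (0x93, 0x05): "1/4000"}

# First 49 byte pairs of the metering packet in the first capture on this page.
CAPTURE = """
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00
"""

def parse_pairs(text):
    """Return (from_flash, to_flash) byte lists; '*' change markers are dropped."""
    pairs = [tok.replace("*", "").split("/") for tok in text.split()]
    return [int(a, 16) for a, _ in pairs], [int(b, 16) for _, b in pairs]

def decode_metering1(text):
    """Decode the documented METERING1 offsets; unlisted codes come back as None."""
    frm, to = parse_pairs(text)
    if len(to) < 47 or to[1:4] != [0xb5, 0x4c, 0xe5]:
        raise ValueError("not a METERING1 packet (expected ?? b5 4c e5)")
    return {
        "exposure_comp": EXP_COMP.get(frm[12]),
        "lens_focal_mm": to[15],
        "flash_zoom_mm": frm[16],
        "iso": ISO.get(to[35]),
        "mode": MODE.get(frm[39]),
        "aperture": APERTURE.get(to[42]),
        "shutter": SHUTTER.get((to[44], to[46])),
    }

if __name__ == "__main__":
    for name, value in decode_metering1(CAPTURE).items():
        print(f"{name:14} {value}")
```

Counting from 0 with 8 pairs per row, offset 35 is the fourth pair of the fifth row (00/48, ISO 100).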
PREFLASH1:
offset 2 TO FLASH: shutter speed code 2
offset 4 FROM FLASH: shutter speed code response
c0=1/160 & below
a0=1/200 & above
offset 11 TO FLASH: power
example power codes: 80,98
MANE FLASH1:
offset 6 FROM FLASH: ISO code response. This value is based on lens & ISO. 0x62 works for all the lenses tested. Other values cause the 100mm to overexpose.
200mm ISO 100,1600: 0x64
100mm ISO 100,3200: 0x62
50mm ISO 100,3200: 0x5d
35mm ISO 100,400,3200: 0x5a
28mm ISO 100: 0x36
28mm ISO 200: 0x36
28mm ISO 400: 0x3e
28mm ISO 800: 0x46
17mm ISO 100,200: 0x34
17mm ISO 400: 0x3c
17mm ISO 1600: 0x4c
17mm ISO 3200: 0x54
15mm ISO 100, 200, 400, 800, 1600: 0x54
offset 8 FROM FLASH: exposure compensation code
offset 8 TO FLASH: ISO code
offset 11 TO FLASH: aperture code
offset 13 TO FLASH: shutter speed code 1
offset 15 TO FLASH: power
example power codes: 72, 83, 84, 90, 91, 98
offset 17 TO FLASH: shutter speed code 2
offset 19 FROM FLASH: shutter speed code response
offset 24 TO FLASH: shutter speed code
b4 if 1/160 & below
b1 if 1/200 & above
offset 25 TO FLASH: shutter speed code
3d if 1/160 & below
69 if 1/200
41 if 1/1000
MANE FLASH2:
offset 1 TO FLASH: shutter speed code 2
last 6 bytes FROM FLASH: unknown data
In manual mode, there is no preflash packet & MANE FLASH1 is replaced by MANUAL FLASH, 64ms after the last metering packet.
8e/ff 8e/b5 de/4c 8e/e5
METERING1 149uS
0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/1c
11/99 ff/fb 00/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 48/ff 5c/ff 2f/ff
00/be 8e/14 8e/bb fb/48 00/ff 8e/e6 3f/ff 11/ff
00/ff 8e/b7 8e/16 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00
CAPTURE RESTARTS
8e/a5
METERING2 306uS
00/2d
X 0V 104uS
X 3.3V 377uS
8e/a5 01/2c
CAPTURE RESTARTS
BYTES: 53
64416uS
8e/bb fb/48 00/ff 8e/b7 8e/16 8e/b8 8e/6d 8e/b4
8e/1d 8e/b4 8e/3d
CLK 0V 26760uS
X 0V 30938uS
X 3.3V 41665uS
CLK 3.3V 49127uS
BYTES: 11
49487uS
7f/b4 8e/1d 8e/b3 00/12 00/46 00/2f 00/fc 88/ff
c0/ff 1a/ff 2a/ff 85/ff 78/ff 8e/ff
MANUAL FLASH has occurred 14ms-90ms after METERING2. Any closer & it omits METERING2.
Multi mode causes it to send MANUAL FLASH & then hold down the X trigger for the complete shutter time. This one fired 14ms after METERING1 with no METERING2.
METERING1 151uS
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/1c
11*/99 ff/fb 00*/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 53*/ff 48*/ff 5c/ff 2f*/ff
00/be 8e/14 8e/bb fb*/48 00/ff 8e/e6 3f/ff 12*/ff
00/ff 8e/b7 8e/50* 8e/b8 8e/38* 8e/b4 8e/1d 8e/a8
91/00
MANUAL FLASH 14960uS
8e/bb fb/48 00/ff 8e/b7 8e/50* 8e/b8 8e/38* 8e/b4
8e/1d 8e/b4 8e/3d
CLK 0V 50402uS
X 0V 54590uS
X 3.3V 1047345uS
CLK 3.3V 1053964uS
MANE FLASH2 225uS
7f/b4 8e/1d 8e/b3 00/12 00/46 00/2f 00/fc 88/ff
ba*/ff 1a/ff 25*/ff 85/ff 79*/ff
METERING1 149uS
Exposure compensation adds an offset to the power value which is derived from the exposure compensation code. Negative numbers are 1 less.
-3=-0x17
-2=-0x0f
-1=-0x07
+1=+0x08
+2=+0x10
+3=+0x18
It takes time to figure out what packet to replay & detect the changed bits, so the flash is going to lag the camera. Fortunately, there are long delays before the flash triggers.