E-mount reverse engineering

Started Jul 12, 2015 | Discussions thread
OP Entropy512 Senior Member • Posts: 3,940
Success with hacked Meike extension tube!

OpenBench Logic Sniffer connected to modified 16mm Meike tube

SUCCESS!  I've managed to get traces from my OLS and this modified Meike tube.

So far, since a 16mm extension tube will affect my SEL55210 the least, I'm using that for most traces now:

A6000 + SEL55210 init sequence from power on


I have never seen both lens and body speak simultaneously

Data is never transmitted on the UART lines unless the respective handshake line is high.  (LENS_CS_BODY for RXD, BODY_CA_LENS for TXD.  I think I need to rename BODY_CA_LENS to BODY_CS_LENS though based on the service manuals...)

There appears to be only a single "packet" per transmission.  The associated handshake line drops low and then rises again before another "packet" is sent.

All packets start with byte 0xf0 - The protocol appears to be LSB-first like most serial protocols, so the end result is that the first character transmitted has 5 low bit periods then 5 high ones.  (Start bit is low, then 4 low data bits, 4 high data bits, high stop bit)  This should allow automatically determining the data speed at the beginning of a packet

All packets seem end with 0x55 - Some packets have additional 0x00 bytes after the 0x55 (especially on TXD from body to lens), but I've never seen anything but 0x00 after a 0x55 end byte.

The system supports negotiation of serial speed changes.  After a lens is first attached, communications starts at 750kbaud, but every lens I've looked at so far negotiates up to 1.5Mbaud shortly after init - even the Viltrox EF-NEX II adapter.

During a speed change, the body raises BODY_CS_LENS high without transmitting data.  The lens also raises LENS_CS_BODY high a bit after this, also without transmitting data.  This is the only time I have seen both handshake lines high at the same time.  I am assuming that the packets immediately preceding this signal an impending speed change.  This state lasts about 5ms

BODY_VD_LENS is normally high, with brief pulses low at 60 Hz.  It appears that once initialization is complete and the body/lens are doing a busy/idle poll, a low pulse of BODY_VD_LENS will trigger two packets from the lens, followed by two packets from the body to the lens.

Before going further, I either need to sort out some issues with sigrok's VCD import (sigrok does not support the OLS RLE capture mode well, and the official OLS client does not have the analysis flexibility of sigrok/pulseview - pulseview is really flaky about file import...), and I think I need to switch to different logic analyzer hardware - the OLS buffer is too short for this sort of thing, but the good news is that sigrok's opensource fx2lafw allows any Cypress FX2 development board to be used as a cheap logic analyzer - I've got a $25 one coming Wednesday.  The FX2 is one of the "slower" analyzers out there, but I only need 5-10Msps sample rate.

So far I have not seen the lens ID string appear in data, which is a bad sign indicating that something could be encrypted or at least partially obfuscated - or it hadn't yet been transferred by the time my OLS capture buffer filled.

 Entropy512's gear list:Entropy512's gear list
Sony a6000 Pentax K-5 Pentax K-01 Sony a6300 Canon EF 85mm f/1.8 USM +5 more
Post (hide subjects) Posted by
Keyboard shortcuts:
FForum PPrevious NNext WNext unread UUpvote SSubscribe RReply QQuote BBookmark MMy threads
Color scheme? Blue / Yellow