ETTL protocol with the EOS RP & 580 EX II

A project log for Wireless ETTL flash conversion

Convert a vintage flash to wireless with full ETTL

lion mclionhead, 12/08/2022 at 05:30, 0 Comments

The STM32 board was just a hair bigger than the PIC, but the biggest pieces are still the power switch, channel button, & battery.  The plan is just to print an L enclosure which scotch tapes around the hot shoe & sticks up.  The antenna will stick vertically in a plastic tube.  The original hot shoe fasteners won't be used.  The flash enclosure will be a horizontal board.

The STM32 at 168MHz can sample all 3 ADCs at 2MHz.  X can be sampled digitally.  ID requires analog sampling, so it has to sample CLK full time & either sample ID if CLK is high or D1 (from flash) if CLK is low.  D1 is only sampled for protocol sniffing.  There's no plan to send any data from the flash to the camera via a bidirectional radio.

Fortunately, the data comes in slowly enough to print.  Sadly, the decoded data during metering is gibberish & matches very little of http://staff.www.ltu.se/~joborg/ettl/.

B5 is a start code.  Then the rest departs.

Welcome to wireless ETTL
FROM FLASH        TO FLASH
ff                ff
8e                b5
de                4c
8e                ff
8e                b5
de                4c
8e                e5
0d                ff
8e                a9
91                25
8e                a1
2b                f8
2b                a5
00                2c
8e                b9
00                80
8e                bd
aa                00
59                1c
00                99
ff                fb
02                ff
8e                f9
75                ff
8e                f7
7b                ff
8e                b3
00                12
00                46
00                2f
00                f5
57                ff
49                ff
5c                ff
0f                ff
00                be
8e                14
8e                bb
00                48
00                ff
8e                e6
3f                ff
10                ff
00                ff
8e                b7
8e                38
8e                b8
8e                6d
8e                b4
8e                1d

The object of the game is replaying the conversation rather than knowing what any of the data means, so the trick is detecting repeating patterns, tracking just the differences.  It can print time differences between bytes.

It emits nothing when powering up the cam before the flash.

It emits a single packet when powering up the flash before the cam:

Welcome to wireless ETTL
FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET
ff    ff    3189193    0
8e    b5    117    1
de    4c    111    2
8e    ff    116    3
8e    b5    116    4
de    4c    111    5
8e    e5    75    6
0d    ff    117    7
8e    a9    115    8
91    25    117    9
8e    a1    83    10
2b    f8    154    11
2b    a5    84    12
00    2c    116    13
8e    b9    88    14
00    80    117    15
8e    bd    70    16
aa    00    116    17
59    1c    69    18
00    99    74    19
ff    fb    112    20
02    ff    116    21
8e    f9    116    22
55    ff    117    23
8e    f7    116    24
7b    ff    112    25
8e    b3    116    26
00    12    158    27
00    46    84    28
00    2f    74    29
00    f5    74    30
57    ff    116    31
49    ff    69    32
5c    ff    71    33
0f    ff    74    34
00    be    70    35
8e    14    120    36
8e    bb    71    37
00    48    116    38
00    ff    69    39
8e    e6    117    40
3f    ff    121    41
10    ff    88    42
00    ff    83    43
8e    b7    117    44
8e    38    112    45
8e    b8    74    46
8e    6d    111    47
8e    b4    69    48
8e    1d    117    49
8e    a8    69    50
91    00    116    51

Tapping the metering button emits a long sequence of packets which automatically times out. 

The start of a packet sequence for metering:

Welcome to wireless ETTL
FROM FLASH/TO FLASH/uS DIFFERENCE/PACKET OFFSET
ff    ff    17591745    0
8e    b5    117    1
de    4c    125    2
8e    ff    159    3
8e    b5    115    4
de    4c    112    5
8e    e5    75    6
0d    ff    120    7
8e    a9    116    8
91    25    117    9
8e    a1    84    10
2b    f8    153    11
2b    a5    84    12
00    2c    121    13
8e    b9    88    14
00    80    116    15
8e    bd    69    16
aa    00    131    17
59    1c    69    18
00    99    70    19
ff    fb    111    20
02    ff    117    21
8e    f9    125    22
75    ff    116    23
8e    f7    117    24
7b    ff    125    25
8e    b3    117    26
00    12    157    27
00    46    84    28
00    2f    88    29
00    f5    89    30
57    ff    134    31
49    ff    69    32
5c    ff    69    33
0f    ff    84    34
00    be    70    35
8e    14    121    36
8e    bb    79    37
00    48    116    38
00    ff    70    39
8e    e6    129    40
3f    ff    135    41
10    ff    89    42
00    ff    88    43
8e    b7    116    44
8e    38    112    45
8e    b8    88    46
8e    6d    111    47
8e    b4    70    48
8e    1d    112    49
8e    a8    69    50
91    00    131    51
8e    a5    148    52
00    2d    117    53
8e    a5    288    54
01    2c    116    55
8e    ff    47540    0
8e    b5    116    1
de    4c    112    2
8e    e5    75    3
0d    ff    125    4
8e    a9    117    5
91    25    116    6
8e    a1    84    7
2b    f8    153    8
2b    a5    84    9
00    2c    116    10
8e    b9    93    11
00    80    116    12
8e    bd    69    13
18    00    126    14
69    1c    69    15
1e    99    70    16
ff    fb    111    17
02    ff    117    18
8e    f9    125    19
75    ff    116    20
8e    f7    117    21
7b    ff    125    22
8e    b3    116    23
00    12    158    24
00    46    83    25
00    2f    74    26
00    f5    75    27
57    ff    121    28
49    ff    70    29
5c    ff    70    30
0f    ff    83    31
00    be    70    32
8e    14    121    33
8e    bb    79    34
00    48    116    35
00    ff    70    36
8e    e6    130    37
3f    ff    130    38
10    ff    93    39
00    ff    88    40
8e    b7    117    41
8e    38    112    42
8e    b8    83    43
8e    6d    111    44
8e    b4    71    45
8e    1d    111    46
8e    a8    70    47
91    00    116    48
8e    a5    149    49
00    2d    116    50
8e    a5    335    51
01    2c    116    52
8e    ff    48556    0
8e    b5    121    1
de    4c    111    2
8e    e5    75    3
0d    ff    129    4
8e    a9    117    5
91    25    121    6
8e    a1    83    7
2b    f8    153    8
2b    a5    83    9
00    2c    117    10
8e    b9    83    11
00    80    117    12
8e    bd    69    13
18    00    130    14
69    1c    70    15
1c    99    69    16
ff    fb    111    17
02    ff    116    18
8e    f9    125    19
55    ff    116    20
8e    f7    117    21
7b    ff    125    22
8e    b3    116    23
00    12    158    24
00    46    84    25
00    2f    74    26
00    f5    74    27
57    ff    121    28
49    ff    70    29
5c    ff    69    30
0f    ff    83    31
00    be    70    32
8e    14    121    33
8e    bb    79    34
00    48    116    35
00    ff    70    36
8e    e6    125    37
3f    ff    121    38
10    ff    84    39
00    ff    84    40
8e    b7    115    41
8e    38    111    42
8e    b8    75    43
8e    6d    125    44
8e    b4    70    45
8e    1d    111    46
8e    a8    70    47
91    00    116    48
8e    a5    1889    49
00    2d    121    50
8e    a5    288    51
01    2c    116    52
8e    ff    46831    0

The timing is pretty consistent, so we can strip it down to packets.  

The camera powerup is 52 bytes:

FROM FLASH/TO FLASH
7f/7f 8e/b5 de/4c 8e/ff 8e/b5 de/4c 8e/e5 0d/ff
8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80
8e/bd aa/00 59/23 00/99 ff/fb 02/ff 8e/f9 55/ff
8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff
49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff
8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d
8e/b4 8e/1d 8e/a8 91/00 

Metering starts with a 56 byte packet:

FROM FLASH/TO FLASH
7f/7f 8e/b5 de/4c 8e/ff 8e/b5 de/4c 8e/e5 0d/ff
8e/a9 91/25 8e/a1 2b/f8 2b/a5 00/2c 8e/b9 00/80
8e/bd aa/00 59/23 00/99 ff/fb 02/ff 8e/f9 55/ff
8e/f7 7b/ff 8e/b3 00/12 00/46 00/2f 00/f5 57/ff
49/ff 5c/ff 0f/ff 00/be 8e/14 8e/bb 00/48 00/ff
8e/e6 3f/ff 10/ff 00/ff 8e/b7 8e/38 8e/b8 8e/6d
8e/b4 8e/1d 8e/a8 91/00 8e/a5 00/2d 8e/a5 01/2c

then a repeating 53 byte packet until it times out:

FROM FLASH/TO FLASH
8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00 8e/a5 00/2d 8e/a5 01/2c 

The 1st byte is random.  It's going to take some logic to figure out what packet to replay.  Meter packet #1 seems to be powerup packet + 4 bytes.  Meter packet #2 seems to start with 0xb5, 0x4c, 0xe5 instead of 0xb5, 0x4c, 0xff.
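The packet splitting and difference tracking described above can be done offline on the printed log. The following is an added example, not code from this project: it splits rows into packets on the idle gap (in the log above, gaps inside a packet stay under 2 ms while gaps between packets are over 46 ms), then reports only the offsets that differ, skipping the random first byte. The 10 ms threshold, the function names and the shortened `CAPTURE` rows are assumptions made for illustration.

```python
from collections import Counter

GAP_US = 10_000  # assumed threshold: between in-packet gaps (<2 ms) and packet gaps (>46 ms)

# Constructed, shortened capture (not a real trace): (from_flash, to_flash, delta_us)
CAPTURE = [
    (0xff, 0xff, 3189193), (0x8e, 0xb5, 117), (0xde, 0x4c, 111), (0x91, 0x00, 116),
    (0x7f, 0x7f, 47540), (0x8e, 0xb5, 116), (0xde, 0x4c, 112), (0x91, 0x00, 1889),
    (0x8e, 0xa5, 148), (0x00, 0x2d, 117),
    (0x8e, 0xff, 48556), (0x8e, 0xb5, 121), (0xd6, 0x4c, 111), (0x91, 0x00, 116),
]

def split_packets(rows, gap_us=GAP_US):
    """Group rows into packets; a delta >= gap_us marks the first byte of a new packet."""
    packets = []
    for from_flash, to_flash, delta_us in rows:
        if delta_us >= gap_us or not packets:
            packets.append([])
        packets[-1].append((from_flash, to_flash))
    return packets

def diff_packets(ref, pkt, skip=1):
    """Return (offset, ref_pair, pkt_pair) for every offset where the packets differ.

    skip ignores leading bytes (byte 0 is reported as random on this page).
    Bytes present in only one packet are compared against None.
    """
    out = []
    for i in range(skip, max(len(ref), len(pkt))):
        a = ref[i] if i < len(ref) else None
        b = pkt[i] if i < len(pkt) else None
        if a != b:
            out.append((i, a, b))
    return out

def repeat_counts(packets, skip=1):
    """Count how often each packet body (minus the skipped bytes) repeats."""
    return Counter(tuple(p[skip:]) for p in packets)

if __name__ == "__main__":
    pkts = split_packets(CAPTURE)
    for n, pkt in enumerate(pkts[1:], start=1):
        for off, a, b in diff_packets(pkts[0], pkt):
            fmt = lambda p: "--/--" if p is None else "%02x/%02x" % p
            print("packet %d offset %d: %s -> %s" % (n, off, fmt(a), fmt(b)))
```
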

When the flash LCD shows the current F stop or the camera LCD shows the flash icon, it's happening during this metering packet sequence.  After the sequence ends, the screen widgets go away until you press the metering button again.  The next problem is sampling X.

All standard metering packets end with

8e/a5 00/2d 
X 0V

X 3.3V
8e/a5 01/2c

It seems triggering the preflash requires the following packet:

8e/ff 8e/b4 8e/1d 8e/f2 c0/ff 8e/ff 8e/b4 8e/03 
8e/f2 a0/ff 8e/b0 8e/80 8e/b1 8e/04 8e/b3 00/12 
00/46 00/2f 00/b4 8e/23 
CLK 0V

CLK 3.3V
(end of preflash packet)

The mane flash comes next with the following packet:

ff/ff 8e/b3 00/32 00/46 00/2f 00/f8 3a/ff
8e/bb 00/48 00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b0
8e/88 8e/b4 8e/1d 8e/f2 c0/ff 8e/b3 00/36 00/46
00/2f 00/b4 8e/3d 

CLK 0V
X 0V
X 3.3V
CLK 3.3V

7f/b4 8e/1d 8e/b3 00/12 00/46 00/2f 00/fc 88/ff 
c0/ff 1a/ff 2a/ff 85/ff 78/ff
(end of mane flash packet)

8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00 
(metering packet without 8e/a5 00/2d 8e/a5 01/2c)

8e/ff 8e/b5 de/4c 8e/e5 0d/ff 8e/a9 91/25 8e/a1
2b/f8 2b/a5 00/2c 8e/b9 00/80 8e/bd 18/00 69/23
23/99 ff/fb 02/ff 8e/f9 55/ff 8e/f7 7b/ff 8e/b3
00/12 00/46 00/2f 00/f5 57/ff 49/ff 5c/ff 0f/ff
00/be 8e/14 8e/bb 00/48 00/ff 8e/e6 3f/ff 10/ff
00/ff 8e/b7 8e/38 8e/b8 8e/6d 8e/b4 8e/1d 8e/a8
91/00 
(metering packet without 8e/a5 00/2d 8e/a5 01/2c)

Standard metering packets ending with 

8e/a5 00/2d 
X 0V

X 3.3V
8e/a5 01/2c

follow until the timeout.  If multiple flashes fire in succession, the last 91/00 goes straight into the next preflash packet.

ID is 1.4V through all of the metering, exposures & 0V otherwise.

The next step is tracking down what changes with different flash & camera settings, especially the focal length & the flash power setting.