Canon eTTL Protocol Investigation

Having established an Arduino based sniffer complete with an IDE I was finally ready to do some actual real investigation of the Canon eTTL protocol - as spoken by my Canon G16 and a 430EX II flash.

My prior work had indicated that there was constant chatter between the camera and flash. Even in an idle state.

The constant traffic stream meant it was very hard to locate messages related to specific camera or flash functions. My initial sniffer program dumped a continuous stream of data to my debugging monitor window. Too much chatter. This meant I needed to develop code to get rid of the chaff. I needed to identify and discard the repetitive data. That would allow me to easily identify distinct data exchanges based upon operation of specific camera and flash controls.

This was accomplished via a large number of tedious and repetitive sessions. I took the approach of restarting each experiment from the known state of camera and flash powered off. I started sniffing and powered them up.

The first challenge was identifying and building a list of messages. Bill Grundmann's work provided a solid (but incomplete) starting point. As expected, each message is multiple bytes long. Different messages are different lengths. Some message turned out to be variable length (ouch!). The constant chatter meant it was very difficult to locate the start and end of a message as my initial sniffer program dumped a constant stream of data. Even when I was not touching the camera or the flash.

I first inspected the data dump of the camera to flash exchange in a powered up idle state and manually looked for repetitive byte sequence patterns. I altered my sniffer to look for and filter this repetitive idle chatter. Success! I ended up with an unknown spew of data at power up, followed by blissful silence. If I changed a control I received another spew of unknown data followed by silence.This approach was very rewarding and enabled me to concentrate on the unknowns in the protocol.

I slowly enhanced the sniffer program to identify the sequence of startup messages, but then discovered a major problem with my initial approach.

My first filter was very crude - it simply discarded repeats of a list of "common" messages based upon "opcode". A common message structure (in any protocol) is to use a leading opcode byte that identifies the type of message that is then followed by a series of data bytes that report information specific to the purpose of the message. A simple example is the camera reporting its aperture value to the flash. Bill Grundmann provides an example here that illustrates 2 byte exchange of aperture information.

Filtering based solely on opcode was a bad decision. My idle chatter eliminator was suppressing too much. Changing aperture on the camera went unreported. I enhanced the filter to remember the last "state" of each message type and then had it report on every state change.

Armed with this knowledge I settled in to a series of sessions over the next 2 weeks (I extended the flash rental by 1 week) and worked up a sniffer program that fairly reliably reported camera - flash data exchanges.

Game on! I now had insight into the behaviour that the G16 expected from a flash. Most important, this included the data exchange for continuous flash operation.