The following figure illustrates the lower layers of the protocol used by some Canon PowerShot cameras:
Table 2.1. Layers of the serial protocol
| Example: payload 00 C0 01 | ||
|---|---|---|
| [Upper layers] | ||
| 00 C0 01 | ||
| <CRC> | ||
| 00 C0 01 12 34 (fictious CRC) | ||
| <Escaping> | ||
| 00 7E E0 01 12 34 | ||
| <Framing> | ||
| C0 00 7E E0 01 12 34 C1 | ||
| [Wire format] | ||
The upper layers are described later in this file.
Initialization: PC sends sequences of U bytes at 9600 bps until the camera responds by sending its ID. Each sequence has a length of 2-8 bytes. The interval to wait between sequences is 0.9-1.04 sec (measured for 8 bytes).
When the camera sends its ID, the computer can ask it to change to a higher speed. The speed can go up to 115200 bps. Afterward, a one/two seconds command timeout should be set. E.g. retrieving a directory with 1200 files takes several seconds. Opening a large capacity flash card takes time as well.
Each message begins with the byte C0 and ends with the byte C1. The length of a message including the framing bytes and any escape bytes (see below) never exceeds 1024 bytes.
The value 7E is used to XOR the following byte with the value 0x20. This is used for the following three combinations:
7E 5E 7E
7E E0 C0
7E E1 C1
The last two bytes of a message (without framing and escaping) contain a 16-bit CCITT CRC in little-endian order. The CRC is calculated over the entire message, without framing and escaping, and without including the CRC bytes. The CRC generator [1] is initialized to a length-dependent value. The algorithm for the initial value is not known. However, a table of values emitted by the camera has been compiled and is in crc.c:crc_init. It is indexed by the length, i.e. the number of bytes over which the CRC is taken.
[1] Assuming the use of http://www.cse.fau.edu/~sam/course/dc_htm/src_dir/crc_att.c, generator polynomial 0102010 (octal), the initial value of crc is the CRC generator's initial value (in the original code always zero).