I've been looking at communication between control panel and main board of a Canon Pixma MX340 multi-function inkjet. Comparing electronic traffic against user visible behavior, I associated a particular pattern with a LCD screen update. Turns out it transmitted the entire screen buffer, something I was able to visualize thanks to Microsoft Excel.

With Excel's help counting and demystifying the screen update payload, I have a pretty good grasp on the shape of the data I captured in six basic scenarios:

  • The control panel (more specifically the NEC K13988 chip on board) transmits a report on button matrix data every 9.2ms. Upon initial power-up, this is a two-byte sequence. One of the main board initialization procedure turns off the second byte, so it's usually a single byte report.

  • Almost every command from the main board is a two-byte sequence, which is acknowledged by the K13988 with a single byte 0x20.

  • I've seen one exception to the two-byte pattern, a bulk transfer used for LCD screen update. It starts with a two-byte command: 0x06, then 0xC4 representing the length of 196 bytes. Once that is acknowledged with 0x20, a large transfer of the declared length occurs. The K13988 doesn't acknowledge 0x20 until 196 bytes have been transferred. (It continues transmitting button matrix data every 9.2ms while transfer is underway.)

While I've deciphered a few of the two-byte commands, most of them are still mysterious and I know my list is still incomplete.

In the "known unknowns" category are two of the LEDs. The control panel has four LEDs total, and I've traced two of them (power and alarm) to wires under direct main board control. The other two (WiFi and "Memory/In Use") are under control of the K13988 and I haven't figured out which commands manage their state.

Then there are the "unknown unknowns" category: the six scenarios I captured with my logic analyzer represented the several activities transitioning from one machine state to another, but they add up to less than a minute. The machine must have other states outside of what I've captured.

What I'd like to do next is to set up something to monitor the serial communication stream. I want to teach it to recognize the patterns I now recognize, and alert me if something happens outside of those patterns. How might such a thing be implemented?

This teardown ran far longer than I originally thought it would. Click here to rewind back to where this adventure started.