Another brain dump, to help me organize what I know so far...
Most of the actual connection management is done by a task called ComWireless
Like many other tasks, it sits in a loop waiting for messages with ReceiveMessageQueue and performs various actions in response. The message format is 3 words: a message number, and two parameters which may be pointers or numbers. The meaning varies depending on the message. Pointers may be input or output parameters, with the second one frequently being the output.
ComWireless operates as a state machine, where the message handling function explicitly check a state field and generate error messages (e.g. "StartPairing State Error") and set an error state if the requested action isn't valid in the current state.
Structures:
The main ComWireless data structure seems to be at 0x65B0 (found at the top of the task_ComWireless)
0x65B0 + 8 is a pointer to another large structure
Offset 0 in this structure is the state machine state. Other members include the message queue (+0xBC) and an event flag (+0xC0). The structure extend to at least 0xF0; Based on the getCWSStatus eventproc states 0 and 1 are considered "idle". The underlying function used by this eventproc can probably be used in CHDK to see if the network is on.
Messages are sent to ComWireless using a function I've called post_to_comwireless (sub_FF17C4D0). It takes the 3 message fields as parameters. This helps find out what the messages do, since you can trace back to things like the eventprocs mentioned earlier (but I think the normal canon UI goes through a "controller" which uses function pointers that aren't easy to trace back to a particular UI action)
ComWireless frequently posts to itself, so a message from an external task may trigger multiple messages to be processed by ComWireless.
The attached patch has code to log the messages and state transitions. The attached log shows the following sequence:
1) connect with USB, start uart redirection, show camera log
2) disconnect usb, unplug USB cable
3) press wireless button (up) wait 5 seconds
4) press set to select connecting to my existing PC connection
5) camera connects to network, gets an IP address, goes into PTP/IP ready state
6) connect via PTP/IP, show camera log
7) Disconnect PTP
8 ) Press "menu" to exit the "connection closed" screen on the camera. This brings up the AP list
9) Press "menu" again to return to the device selection list, and again to exit the network screen
10) Connect USB, show camera log
Ok, that's all fun, but what can we do with it? I made post_to_comwireless available to lua, and started trying to re-create the connect sequence without going through the UI.
1) Some sequences of messages cause the camera to make a disturbing (mechanical I think, but possibly speaker?) clicking.
2) The camera being connected to USB PTP affects the behavior. No surprise since I already knew having USB connected and trying to start a network connection through the UI triggers an assert, but...
3) With USB connected:
If I post (8,0,0), (0,0,0) comwireless state goes 5,
wifi is turned on, the camera connects to my AP, and I can ping the camera. Wireshark shows that the second call triggers a DHCP request from the camera. If I attempt to make a PTP/IP connection (after unplugging USB), the TCP connection is refused. However, it seems likely that at this point you could use socket functions on the camera. The camera remains pingable if I switch to rec mode. If I re-plug the USB cable, a USB/PTP connection cannot be established (I believe the PTP code checks the status function mentioned earlier)
Adding a post (0x3,0,0) with a sleep that allows me to disconnect the USB cable results in a PTP/IP connection rejection on the command channel.
Adding
.sleep(5000) post_to_comwireless(0x3,0,0) sleep(1000) print('state',get_comwireless_state()) sleep(1000) post_to_comwireless(0xa,0,0) print('state',get_comwireless_state()) sleep(100) call_event_proc('ShowCameraLog')
Allows me to connect with PTP/IP, but the camera asserts on the OpenSession command, with the same SelectFuncCo0 assert mentioned earlier. I see [PTPState] PTP_Unexpected Type=1 STATE=3 EVENT=0 in the camera log (from the ShowCameraLog above, probably when the USB cable is disconnected)
edit: I believe the final message generates the UPnP announce stuff.
4) If USB PTP is not connected (running a standalone script on the camera)
The (8,0,0) (0,0,0) sequence above goes to state 4 and then to 0xa and 0x9 (I think 0xa is an error state). The camera doesn't generate any network traffic.
