Next step I guess is to either hook and log PTP functions and/or capture USB traffic.
I went with hooking. Canon UploadFirmware.exe doesn't trigger the crash because it uses OC 0x9019, identified as "PTP_OC_CANON_SendPartialObject" in the gphoto source.
Attached is a log from uploading a 262645 byte file with and corresponding patch. The patch is only set up for A540, but provides a generic mechanism for hooking PTP handlers which could be useful in the future.
Most of the chatty stuff in the log is initializing the hooks and the Canon program querying storage and object handles. The actual upload is
SendObjectInfo
00011830 DBG:ptp h:0x001fb6ac d:0x00008d94 oc:0x100c s:0x1 t:0x21 0x0 0x0 0x0 0x0 0x0
00011870 DBG:recv h:0x001bb09c b:0x0021e490 s:0x8d (141) u1:0x0 u2:0x0
2x PTP_OC_CANON_SendPartialObject
00011960 DBG:ptp h:0x001fb6ac d:0x00008d94 oc:0x9019 s:0x1 t:0x22 0x0 0x40000 0x1 0x0 0x0
00012000 DBG:recv h:0x001bb09c b:0x11f80000 s:0x40000 (262144) u1:0x0 u2:0x0
00012220 DBG:ptp h:0x001fb6ac d:0x00008d94 oc:0x9019 s:0x1 t:0x23 0x40000 0x1f5 0x3 0x0 0x0
00012270 DBG:recv h:0x001bb09c b:0x11f80000 s:0x1f5 (501) u1:0x0 u2:0x0
Note only object related calls are logged (the ones in the table at 0xffe5bacc on A540) are logged. The transaction ID indicates some other operations were done.
Given that Canon uses this approach, the it seems likely our only fix would be to extend the CHDK protocol to allow similarly splitting uploads over multiple transactions.
This is somewhat complicated for CHDK since with the current code, we don't know in advance how big a chunk can be sent at a time. If we switched to using the Canon PTP buffer, it would be simpler.
I'm not sure this is worth fixing given the lack of complaints in the last 10 years, but at least we have an option.
May or may not be related: the low end a4xx series has crippled USB ("full speed"), up to and including a470.
Wow, I thought that was only the really old ones. Interesting.