Jump to content

CNers have asked about a donation box for Cloudy Nights over the years, so here you go. Donation is not required by any means, so please enjoy your stay.


SkyHack -- Things you shouldn't be doing with Celestron's SkyScout

  • Please log in to reply
5 replies to this topic

#1 joshumax



  • -----
  • Posts: 43
  • Joined: 13 Mar 2013

Posted 05 August 2014 - 08:18 PM

While I'm waiting for my Advanced VX mount to arrive, I thought I'd start my first post with my progress on reverse engineering and modifying the now-defunkt-and-discontinued Celestron SkyScout.

I've always been a big fan of both the Meade MySky and Celestron SkyScout, and currently own a few of both. One day, long after Celestron discontinued support and updates to the SkyScout, I decided enough was enough...the Autostar 497/II had custom patches and a developer community--so why can't the SkyScout?


So I cracked open the case and hoped that I didn't blow the thing up:


What I've discovered about the SkyScout so far:


CPU: Samsung S3C2410AL-20 ARM920T Low-power MCU

NAND: Samsung K9F5608U0D 32Mx8bit Flash Memory

RAM: Samsung K4S641632N 64M Flash Memory

GPS: SkyLab SKG13C

UART: Three pins next to the top of the CPU, labeled TP18, TP17, and TP16, respectively. TP18 is RXD, TP17 is TXD, and TP16 is GND. Can be connected to using an FTDI board set to 9600 8N1.

JTAG: Unknown currently.


Boot process (dumped from UART):

Nand Bootloader Aug  5 2010 09:15:13
Clearing memory
Loading Image
jumping to loaded image: 30010000

UCOS_FRAMEWORK Ver 1.10 for S3c2410 (ARM920T from Samsung) :04/01/03
Built using ADS on Aug  5 2010 <09:16:26>
Endian: LITTLE
CONSOL: COM0, 9600bps, 8Bit, NP
CPU Clk: 135MHz MMU: ON   Cache: ON       Write Buf: ON
SDRAM_SADDR:                    30000000h SFR_BADDR :48000000h ISR_BADDR :307fff00h
SkyScout application developed by Mike Lemp and Mike Hatalski
Welcome to the SkyScout
Initializing OS Timer Tic...
Initializing NonVolatile data commands... done
Initializing BSP...[18,2]
UART ---->:unit:0 rate:9600 divisor:220.........
UART ---->:unit:1 rate:4800 divisor:440.........
UART ---->:unit:2 rate:9600 divisor:220.........
Initializing NVDataBase...done
Initializing Peg... done
Initializing USB... done
Initializing FileSystem... done
Initializing GPS task...done
Initializing SD card...done
Creating Shell Task...done
Initialization All done...
[..\src\SkyScout.cpp] line=277 - clock(): 1226
[..\src\SkyScout.cpp] line=310 - Serial# 128331
Initializing NVFactoryData3 :454e kkkkkkkkkkkkkkkkkkk
Language: EN
[..\src\SkyScout.cpp] line=400 - SkyDBLib.deserialize: 148
[..\src\SkyScout.cpp] line=402 - SkyDBLib.searchInit: 60
hasBypass = 0, hasLock=0, hasPWLock=0
Attempted access without key
sdDB.InitDB() result = 104
error sdDB.GetNVFile( NVDB_SKYSCOUTDATA) result = 1
error sdDB.GetNVFile( NVDB_MENUDATA) result = 1
[..\src\SkyScout.cpp] line=2344 - SkyMenuAccess.load(): 2301
drv_[..\src\SkyScout.cpp] line=510 - Initializing sensors...
[..\src\SkyScout.cpp] line=534 - $$$$$$$mpAccelX ->calibrate offsetError:-135.9941 sensitivityError:-18364.2930 slope:0.0000 offset:0.0000
[..\src\SkyScout.cpp] line=558 - $$$$$$$mpAccelY ->calibrate offsetError:168.8008 sensitivityError:134.7421 slope:0.0000 offset:0.0000
[..\src\SkyScout.cpp] line=577 - $$$$$$$mpAccelZ ->calibrate offsetError:585.7109 sensitivityError:76.3508 slope:0.0000 offset:0.0000
Using ref voltage calibration: -0.585304t + 35720.140625
((int)referenceVoltageCompensator->getValue()) is 35704
[..\src\SkyScout.cpp] line=736 - total init time: 4039
SetConfiguration port:1 4800-8-N-1 ......
UART ---->:unit:1 rate:4800 divisor:440.........
Shell is starting ... ...

There's a nice little debug shell built into the ucOS II Firmware of the SkyScout, which can do a whole bunch of interesting and consumer-unintended things:

$ help
Listing All Commands...
ClockOff, usage=ClockOff [arg], Turns the 1 second clock off
ClockOn, usage=ClockOn [arg], Turns a 1 second clock on which dumps a '.' to the console
MCVersion, usage=MCVersion, Prints the running version of MicroC
TaskDump, usage=TaskDump [arg], Prints Information about all running tasks
Test, usage=Test, Prints a test string to the console
clkinfo, usage=clkinfo, Displays information about the cpu clocks
delaytest, usage=delaytest [count], delay the number of counts specified
dumpstats, usage=dumpstats, dump statistics counters
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
nvdata, usage=[-g/-s/-v] address data, get/set/setVariable contents of flash NVData
nvdump, usage=nvdump, Dumps the contents of the flash NVData area
heapstats, usage=heapstats, Displays statistics on the state of the storage allocation heap
heapvalid, usage=heapvalid [1=verbose], Performs a consistency check on the heap
memtest, usage=memtest, Performs a series of memory tests
memtest2, usage=memtest2, Performs a series of memory tests
statictest, usage=statictest, tests static data initializers
a2dscan, usage=a2dscan, Continuous scan of a2d sample set
dac, usage=dac <chnl> <val>, set the output of the reference dac <chnl> to value <0-0x1FF>
dlytest, usage=dlytest, test the low level delay routine
geta2d, usage=geta2d, Gets a 16 bit sample from the a2d converter
setTemp, usage=setTemp, Set DEBUG temperature
setWay, usage=setWay, Set temperature way
TraceT0, usage=TraceT0, Starting Tracert point 0
TraceT1, usage=TraceT1, Starting Tracert point 1
autopwr, usage=autopwr, Set AutoPower
getadc, usage=getadc [channel], reads the specified adc channel
getbat, usage=getbat, primitive access to hw rtc
gettemp, usage=gettemp, primitive access to hw rtc
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
lcd_con, usage=lcd_con <val>, set lcd contrast val=1-360
led, usage=led [lednum] [val], set led on or off
magsr, usage=magsr [0,1,2], 0-set/reset pulse, 1-set pulse, 2-reset pulse
mux, usage=mux <chnl>, set the analog mux to the specified channel <0-7>
pwm, usage=pwm [chan] [val], set pwm channel to value val=1-4095
scanpause, usage=scanpause, pause the sensor scan
scanresume, usage=scanresume, resume the sensor scan
sensorscan, usage=sensorscan [sensprnum], scan the sensor with rms averager
sscanf, usage=sscanf [sensprnum], scan the sensor to file data.txt
atten, usage=atten [val], 0.0-no atten, 127.0-max atten
audioinfo, usage=audioinfo, gets the audioinfo struct for the current audi clip
audiopos, usage=audiopos, gets the current playback position of the audio clip
audiopwr, usage=audiopwr, puts dac in powerdown mode
getatten, usage=getatten, returns the current attenuation setting
play, usage=play [fileid], play fileID audio file
ls, usage=ls, Lists the contents of the current working directory
cat, usage=cat <filename>, Dumps the contents of the file to the console
pwd, usage=pwd, Print full path of current working directory
fstest, usage=fstest <filename> <string>, Writes 'string' into 'filename'
df, usage=df, displays volume usage information
hipsaotst, usage=hipsaotst, hip sao clock test
nvgetblock, usage=nvgetblock id len, calls GetNVFileBlock(id,len)
nvgetfile, usage=nvgetfile id, calls GetNVFile(id)
nvgetsd, usage=nvgetsd offset len, calls SD card FS read on SDDB.BIN
nvfast, usage=nvfast num, reads num blocks using low level SD SectorRead
nvpwlock, usage=nvpwlock_cmd cmd onepw twopw, cmd = 0/unlock, 1/lock, 2/setpw, 3/clrpw, 4/erase
nvspeex, usage=nvspeex fileid, read, decode, store on SD
crash, usage=crash, Force a system crash via DAbort
nftest, usage=nftest, NF 0xFF read test
usbd, usage=usbd, usb trace dump
resetUSBshell, usage=resetUSBshell, Reset USB Shell mode
gpsfix, usage=gpsfix, GPS Fix
gpsstop, usage=gpsstop, GPS Stop
gpsOTOF, usage=gpsOTOF, GPS OneTrack One Fix
gpsShow, usage=gpsShow, toggle showing of GPS msgs
gpsReq, usage=gpsReq, request GPS assistance data
gpsReset, usage=gpsReset, Perform a GPS soft reset
sdstat, usage=sdstat, SDcard status
sdinit, usage=sdinit, SDcard init


I haven't been able (yet) to get a directly bootable dump of the firmware, since there doesn't seem to be a JTAG port on the device. There are downloadable firmware files from Celestron at http://software.cele...dates/SkyScout/, but they don't seem to be directly flashed to the device, but rather separated into parts by the Celestron updater application (.cel). As soon as I find the start and end of the firmware image in the cel file I can get started with the reverse engineering portion of things.


If anyone wants to help out or has any ideas, just message me or reply to this thread.

Edited by joshumax, 05 August 2014 - 08:22 PM.

  • ccs_hello likes this

#2 fetoma



  • *****
  • Posts: 2620
  • Joined: 26 Sep 2006
  • Loc: Southern NJ

Posted 06 August 2014 - 12:47 PM



What are you trying to make it do that it doesn't already do?

#3 joshumax



  • -----
  • Posts: 43
  • Joined: 13 Mar 2013

Posted 06 August 2014 - 07:58 PM

Custom expansion cards, controlling non-celestron scopes, celestron-to-pc sensor interface, etc.

  • BoriSpider and bsavoie like this

#4 fetoma



  • *****
  • Posts: 2620
  • Joined: 26 Sep 2006
  • Loc: Southern NJ

Posted 09 May 2015 - 09:48 AM



Now is the time to be a hero. Seems many of these aren't working anymore.

  • BoriSpider likes this

#5 ccs_hello


    Fly Me to the Moon

  • *****
  • Posts: 7024
  • Joined: 03 Jul 2004

Posted 09 May 2015 - 10:25 AM



Great beginning and thank you for your contribution.

I was initially thinking its GPS module initialization related problems and

was trying to buy a dead Skyscout and replacing its GPS with a modern one ($10 or less) which has no dependency with

Celestron's firmware and would send 4800 bps NMEA messages straight out.


If the issue is software only, that is great.

If not I shared my thought above.


Clear Skies!



Edited by ccs_hello, 09 May 2015 - 10:26 AM.

#6 joshumax



  • -----
  • Posts: 43
  • Joined: 13 Mar 2013

Posted 17 May 2015 - 02:18 PM



Now is the time to be a hero. Seems many of these aren't working anymore.


It just so happens that I should stumble across my old thread after I received a new JTAGulator...


I was just working on putting Linux on a Meade MySky when my faithful Celestron SkyScout started strangely malfunctioning out of the blue. My best guess is that the firmware has a few date-related bugs in it that's causing issues; with any luck I'll find the JTAG pinout on the SS pretty soon (which contradictory to my OP, it *does* seem to have), and then the _real_ fun can begin... I also have an old project I abandoned; an attempt to clean-room create an open-source SkyScout driver for 64-bit versions of Windows, which I can resuscitate if need be.





Edited by joshumax, 17 May 2015 - 02:18 PM.

CNers have asked about a donation box for Cloudy Nights over the years, so here you go. Donation is not required by any means, so please enjoy your stay.

Recent Reviews

Imaging/Sketching Contest

Cloudy Nights LLC
Cloudy Nights Sponsor: Astronomics