CNers have asked about a donation box for Cloudy Nights over the years, so here you go. Donation is not required by any means, so please enjoy your stay.

SkyHack -- Things you shouldn't be doing with Celestron's SkyScout

12 replies to this topic

#1 joshumax

joshumax

    Explorer 1

  • -----
  • Posts: 71
  • Joined: 13 Mar 2013

Posted 05 August 2014 - 08:18 PM

While I'm waiting for my Advanced VX mount to arrive, I thought I'd start my first post with my progress on reverse engineering and modifying the now-defunct-and-discontinued Celestron SkyScout.

I've always been a big fan of both the Meade MySky and Celestron SkyScout, and currently own a few of both. One day, long after Celestron discontinued support and updates to the SkyScout, I decided enough was enough...the Autostar 497/II had custom patches and a developer community--so why can't the SkyScout?

 

So I cracked open the case and hoped that I didn't blow the thing up:

 

What I've discovered about the SkyScout so far:

 

CPU: Samsung S3C2410AL-20 ARM920T Low-power MCU

NAND: Samsung K9F5608U0D 32Mx8bit Flash Memory

RAM: Samsung K4S641632N 64M Flash Memory

GPS: SkyLab SKG13C

UART: Three pins next to the top of the CPU, labeled TP18, TP17, and TP16, respectively. TP18 is RXD, TP17 is TXD, and TP16 is GND. Can be connected to using an FTDI board set to 9600 8N1.

JTAG: Unknown currently.

 

Boot process (dumped from UART):

Nand Bootloader Aug  5 2010 09:15:13
Clearing memory
Loading Image
...............................................
jumping to loaded image: 30010000

UCOS_FRAMEWORK Ver 1.10 for S3c2410 (ARM920T from Samsung) :04/01/03
Built using ADS on Aug  5 2010 <09:16:26>
Endian: LITTLE
CONSOL: COM0, 9600bps, 8Bit, NP
CPU Clk: 135MHz MMU: ON   Cache: ON       Write Buf: ON
FLASH_SADDR:00000000h
SDRAM_SADDR:                    30000000h SFR_BADDR :48000000h ISR_BADDR :307fff00h
SkyScout application developed by Mike Lemp and Mike Hatalski
 
Welcome to the SkyScout
Initializing OS Timer Tic...
Initializing NonVolatile data commands... done
Initializing BSP...[18,2]
UART ---->:unit:0 rate:9600 divisor:220.........
 
UART ---->:unit:1 rate:4800 divisor:440.........
 
UART ---->:unit:2 rate:9600 divisor:220.........
 
 done
Initializing NVDataBase...done
Initializing Peg... done
Initializing USB... done
Initializing FileSystem... done
Initializing GPS task...done
Initializing SD card...done
Creating Shell Task...done
Initialization All done...
[..\src\SkyScout.cpp] line=277 - clock(): 1226
[..\src\SkyScout.cpp] line=310 - Serial# 128331
Initializing NVFactoryData3 :454e kkkkkkkkkkkkkkkkkkk
Language: EN
[..\src\SkyScout.cpp] line=400 - SkyDBLib.deserialize: 148
[..\src\SkyScout.cpp] line=402 - SkyDBLib.searchInit: 60
hasBypass = 0, hasLock=0, hasPWLock=0
Attempted access without key
sdDB.InitDB() result = 104
error sdDB.GetNVFile( NVDB_SKYSCOUTDATA) result = 1
error sdDB.GetNVFile( NVDB_MENUDATA) result = 1
[..\src\SkyScout.cpp] line=2344 - SkyMenuAccess.load(): 2301
drv_[..\src\SkyScout.cpp] line=510 - Initializing sensors...
[..\src\SkyScout.cpp] line=534 - $$$$$$$mpAccelX ->calibrate offsetError:-135.9941 sensitivityError:-18364.2930 slope:0.0000 offset:0.0000
[..\src\SkyScout.cpp] line=558 - $$$$$$$mpAccelY ->calibrate offsetError:168.8008 sensitivityError:134.7421 slope:0.0000 offset:0.0000
[..\src\SkyScout.cpp] line=577 - $$$$$$$mpAccelZ ->calibrate offsetError:585.7109 sensitivityError:76.3508 slope:0.0000 offset:0.0000
Using ref voltage calibration: -0.585304t + 35720.140625
((int)referenceVoltageCompensator->getValue()) is 35704
 
[..\src\SkyScout.cpp] line=736 - total init time: 4039
SetConfiguration port:1 4800-8-N-1 ......
 
UART ---->:unit:1 rate:4800 divisor:440.........
 
Shell is starting ... ...
 
$

There's a nice little debug shell built into the ucOS II Firmware of the SkyScout, which can do a whole bunch of interesting and consumer-unintended things:

$ help
 
Listing All Commands...
ClockOff, usage=ClockOff [arg], Turns the 1 second clock off
ClockOn, usage=ClockOn [arg], Turns a 1 second clock on which dumps a '.' to the console
MCVersion, usage=MCVersion, Prints the running version of MicroC
TaskDump, usage=TaskDump [arg], Prints Information about all running tasks
Test, usage=Test, Prints a test string to the console
clkinfo, usage=clkinfo, Displays information about the cpu clocks
delaytest, usage=delaytest [count], delay the number of counts specified
dumpstats, usage=dumpstats, dump statistics counters
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
nvdata, usage=[-g/-s/-v] address data, get/set/setVariable contents of flash NVData
nvdump, usage=nvdump, Dumps the contents of the flash NVData area
heapstats, usage=heapstats, Displays statistics on the state of the storage allocation heap
heapvalid, usage=heapvalid [1=verbose], Performs a consistency check on the heap
memtest, usage=memtest, Performs a series of memory tests
memtest2, usage=memtest2, Performs a series of memory tests
statictest, usage=statictest, tests static data initializers
a2dscan, usage=a2dscan, Continuous scan of a2d sample set
dac, usage=dac <chnl> <val>, set the output of the reference dac <chnl> to value <0-0x1FF>
dlytest, usage=dlytest, test the low level delay routine
geta2d, usage=geta2d, Gets a 16 bit sample from the a2d converter
setTemp, usage=setTemp, Set DEBUG temperature
setWay, usage=setWay, Set temperature way
TraceT0, usage=TraceT0, Starting Tracert point 0
TraceT1, usage=TraceT1, Starting Tracert point 1
autopwr, usage=autopwr, Set AutoPower
getadc, usage=getadc [channel], reads the specified adc channel
getbat, usage=getbat, primitive access to hw rtc
gettemp, usage=gettemp, primitive access to hw rtc
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
lcd_con, usage=lcd_con <val>, set lcd contrast val=1-360
led, usage=led [lednum] [val], set led on or off
magsr, usage=magsr [0,1,2], 0-set/reset pulse, 1-set pulse, 2-reset pulse
mux, usage=mux <chnl>, set the analog mux to the specified channel <0-7>
pwm, usage=pwm [chan] [val], set pwm channel to value val=1-4095
scanpause, usage=scanpause, pause the sensor scan
scanresume, usage=scanresume, resume the sensor scan
sensorscan, usage=sensorscan [sensprnum], scan the sensor with rms averager
sscanf, usage=sscanf [sensprnum], scan the sensor to file data.txt
atten, usage=atten [val], 0.0-no atten, 127.0-max atten
audioinfo, usage=audioinfo, gets the audioinfo struct for the current audi clip
audiopos, usage=audiopos, gets the current playback position of the audio clip
audiopwr, usage=audiopwr, puts dac in powerdown mode
getatten, usage=getatten, returns the current attenuation setting
play, usage=play [fileid], play fileID audio file
ls, usage=ls, Lists the contents of the current working directory
cat, usage=cat <filename>, Dumps the contents of the file to the console
pwd, usage=pwd, Print full path of current working directory
fstest, usage=fstest <filename> <string>, Writes 'string' into 'filename'
df, usage=df, displays volume usage information
hipsaotst, usage=hipsaotst, hip sao clock test
nvgetblock, usage=nvgetblock id len, calls GetNVFileBlock(id,len)
nvgetfile, usage=nvgetfile id, calls GetNVFile(id)
nvgetsd, usage=nvgetsd offset len, calls SD card FS read on SDDB.BIN
nvfast, usage=nvfast num, reads num blocks using low level SD SectorRead
nvpwlock, usage=nvpwlock_cmd cmd onepw twopw, cmd = 0/unlock, 1/lock, 2/setpw, 3/clrpw, 4/erase
nvspeex, usage=nvspeex fileid, read, decode, store on SD
crash, usage=crash, Force a system crash via DAbort
nftest, usage=nftest, NF 0xFF read test
usbd, usage=usbd, usb trace dump
resetUSBshell, usage=resetUSBshell, Reset USB Shell mode
gpsfix, usage=gpsfix, GPS Fix
gpsstop, usage=gpsstop, GPS Stop
gpsOTOF, usage=gpsOTOF, GPS OneTrack One Fix
gpsShow, usage=gpsShow, toggle showing of GPS msgs
gpsReq, usage=gpsReq, request GPS assistance data
gpsReset, usage=gpsReset, Perform a GPS soft reset
sdstat, usage=sdstat, SDcard status
sdinit, usage=sdinit, SDcard init
$

Firmware:

I haven't been able (yet) to get a directly bootable dump of the firmware, since there doesn't seem to be a JTAG port on the device. There are downloadable firmware files from Celestron at http://software.cele...dates/SkyScout/, but they don't seem to be directly flashed to the device, but rather separated into parts by the Celestron updater application (.cel). As soon as I find the start and end of the firmware image in the cel file I can get started with the reverse engineering portion of things.

 

If anyone wants to help out or has any ideas, just message me or reply to this thread.


Edited by joshumax, 05 August 2014 - 08:22 PM.

  • ccs_hello, Crow Haven and magoo79 like this
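The `help` listing in the post above has a regular `name, usage=..., description` shape, so it can be turned into an inventory of what the exposed debug shell allows. This is an added example, not code from the post; the input is an excerpt of the listing, and the keyword heuristic for state-changing commands is an assumption.

```python
import re
from collections import defaultdict

# Excerpt of the `help` output quoted in the post above (not the full listing).
HELP_EXCERPT = """\
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
nvdata, usage=[-g/-s/-v] address data, get/set/setVariable contents of flash NVData
nvdump, usage=nvdump, Dumps the contents of the flash NVData area
getbat, usage=getbat, primitive access to hw rtc
gettemp, usage=gettemp, primitive access to hw rtc
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
magsr, usage=magsr [0,1,2], 0-set/reset pulse, 1-set pulse, 2-reset pulse
fstest, usage=fstest <filename> <string>, Writes 'string' into 'filename'
nvpwlock, usage=nvpwlock_cmd cmd onepw twopw, cmd = 0/unlock, 1/lock, 2/setpw, 3/clrpw, 4/erase
crash, usage=crash, Force a system crash via DAbort
ls, usage=ls, Lists the contents of the current working directory
"""

# Assumed heuristic (ours, not the firmware's): words in the usage or
# description that suggest the command changes device state.
STATE_WORDS = re.compile(r"\b(set|writes?|erase|lock|crash|reset)\b", re.I)

def parse_help(text):
    """Return {name: (usage, description)}; repeated entries collapse."""
    commands = {}
    for line in text.splitlines():
        # Fields are separated by ", ". Commas inside "[0,1,2]" carry no
        # space, and descriptions may contain ", ", so split at most twice.
        parts = line.split(", ", 2)
        if len(parts) != 3 or not parts[1].startswith("usage="):
            continue
        commands[parts[0]] = (parts[1][len("usage="):], parts[2])
    return commands

def state_changing(commands):
    """Names whose usage or description matches the keyword heuristic."""
    return sorted(name for name, (usage, desc) in commands.items()
                  if STATE_WORDS.search(usage + " " + desc))

def shared_descriptions(commands):
    """Descriptions reused by several commands: a hint that the help text
    was copy-pasted and cannot be trusted to describe the command."""
    by_desc = defaultdict(list)
    for name, (_, desc) in commands.items():
        by_desc[desc].append(name)
    return {d: sorted(n) for d, n in by_desc.items() if len(n) > 1}

if __name__ == "__main__":
    cmds = parse_help(HELP_EXCERPT)
    print("state-changing:", state_changing(cmds))
    print("shared descriptions:", shared_descriptions(cmds))
```

The heuristic misses `hwrtc`, whose `-s` option is only visible in the usage string, so the flagged list is a starting point for review rather than a complete one.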

#2 fetoma

fetoma

    Mercury-Atlas

  • *****
  • Posts: 2699
  • Joined: 26 Sep 2006
  • Loc: Southern NJ

Posted 06 August 2014 - 12:47 PM

Josh,

 

What are you trying to make it do that it doesn't already do?



#3 joshumax

joshumax

    Explorer 1

  • -----
  • Posts: 71
  • Joined: 13 Mar 2013

Posted 06 August 2014 - 07:58 PM

Custom expansion cards, controlling non-celestron scopes, celestron-to-pc sensor interface, etc.


  • BoriSpider, Crow Haven and bsavoie like this

#4 fetoma

fetoma

    Mercury-Atlas

  • *****
  • Posts: 2699
  • Joined: 26 Sep 2006
  • Loc: Southern NJ

Posted 09 May 2015 - 09:48 AM

Josh,

 

Now is the time to be a hero. Seems many of these aren't working anymore.


  • BoriSpider and Crow Haven like this

#5 ccs_hello

ccs_hello

    Fly Me to the Moon

  • *****
  • Posts: 7269
  • Joined: 03 Jul 2004

Posted 09 May 2015 - 10:25 AM

Josh,

 

Great beginning and thank you for your contribution.

I was initially thinking it's GPS module initialization related problems and was trying to buy a dead SkyScout and replace its GPS with a modern one ($10 or less) which has no dependency on Celestron's firmware and would send 4800 bps NMEA messages straight out.

 

If the issue is software only, that is great.

If not I shared my thought above.

 

Clear Skies!

 

ccs_hello


Edited by ccs_hello, 09 May 2015 - 10:26 AM.


#6 joshumax

joshumax

    Explorer 1

  • -----
  • Posts: 71
  • Joined: 13 Mar 2013

Posted 17 May 2015 - 02:18 PM

Josh,

 

Now is the time to be a hero. Seems many of these aren't working anymore.

 

It just so happens that I should stumble across my old thread after I received a new JTAGulator...

 

I was just working on putting Linux on a Meade MySky when my faithful Celestron SkyScout started strangely malfunctioning out of the blue. My best guess is that the firmware has a few date-related bugs in it that are causing issues; with any luck I'll find the JTAG pinout on the SS pretty soon (which, contrary to my OP, it *does* seem to have), and then the _real_ fun can begin... I also have an old project I abandoned: an attempt to clean-room create an open-source SkyScout driver for 64-bit versions of Windows, which I can resuscitate if need be.

 

----

Cheers!

-Josh


Edited by joshumax, 17 May 2015 - 02:18 PM.

  • Crow Haven likes this

#7 head_dunce

head_dunce

    Lift Off

  • -----
  • Posts: 1
  • Joined: 01 Jan 2012

Posted 29 May 2015 - 06:38 AM

Right now I'm sitting in the Turks and Caicos on Middle Caicos for the week. I brought my SkyScout and some binoculars with me, only to find out the SkyScout is dead now. You'd be my hero if you can figure it out.

 

I play with Linux and Perl at work quite a bit, let me know if I can help. Thanks!


Edited by head_dunce, 29 May 2015 - 06:39 AM.

  • joshumax likes this

#8 joshumax

joshumax

    Explorer 1

  • -----
  • Posts: 71
  • Joined: 13 Mar 2013

Posted 12 June 2015 - 11:34 PM

UPDATE: According to iPrototype, the latest batches of JTAGulators are (finally) shipping so I should receive mine in a few days if all goes well. Plus since it's summer here in the US I should have some actual free time.

 

Right now I'm sitting in the Turks and Caicos on Middle Caicos for the week. I brought my SkyScout and some binoculars with me, only to find out the SkyScout is dead now. You'd be my hero if you can figure it out.

 

I play with Linux and Perl at work quite a bit, let me know if I can help. Thanks!

 

Since SkyScouts seem to be dying left and right nowadays, and with Celestron having essentially renounced support for the device, it seems that the fate of the SkyScout remains in the hands of the community.

So, I figured I'd make a community roadmap of sorts that would help organize some goals for keeping the SkyScout alive into the future:

 

Information we should figure out:

  • Fully figure out how the SkyScout communicates with the SkyScout USB driver
  • Fully figure out how the SkyScout updater puts the SkyScout in SSDFU mode
  • Understand the CEL update format (so far it seems to be a firmware blob with NVRAM prepended to it)
  • Reverse the SkyScout firmware enough to understand its basic internals (i.e. Sensor GPIO locations, LCD initialization code)
  • Find all methods of communicating directly to the device (USB obviously ;), UART's been found, JTAG pads should be soon when I get my JTAGulator unless someone else finds this sooner)
  • Create some scripts to aid in the reversing process (Preferably as IDC scripts for IDA Pro)

Goals:

  • Create a 64-bit driver! (Preferably using something like libusb so it's cross-platform)
  • Create a homebrew implementation of skyscout.dll (A personal project, libskyscout, seems to work as a drop-in replacement for it on Windows)
  • Build our own custom firmware for the SkyScout (probably the most important goal of this project, and should receive the most attention)
  • ^ As a short-term goal, we should at least get a SkyScout expansion card, dump the data via raw SPI reads, and figure out how it works and how to create custom expansion cards as a POC
  • Build a custom firmware updater for the community OS (should be relatively easy after the first two points on the list are complete)

Who/what we need:

  • Everyone! Really. Anyone who can help is highly important to this project, even if it's simply spreading the word
  • Skyscouts! And lots of 'em! (Okay, this isn't _really_ necessary but it eases the fear of having the SkyHack project come to a standstill because the only SkyScout used in development gets bricked)
  • ^ Arguably, we could also get around this with a SkyScout emulator, which (after reversing the firmware enough), should be fairly easy to implement considering the off-the-shelf components Celestron used
  • Embedded developers, preferably those with an ARM background (Seriously, you guys are *DEFINITELY* needed for this project to be a major success)
  • Programmers and driver developers (You guys will also be very helpful to the project!)
  • Somebody who knows how VB6 works under the hood so I don't have to look at VB-Decompiler dazed and wondering what the heck VBObjTakeTr does in the SS updater
  • Testers! (Very important, but we all know that, heh)

Hopefully this cobbled-together road-map can help this project expand and SAVE THE SKYSCOUTS!


Edited by joshumax, 14 June 2015 - 12:54 AM.

  • doctordub, MigL and Crow Haven like this
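One way to look for the start of the firmware image inside a .cel file, the open problem in posts #1 and #8, is to scan for an ARM exception vector table. This is an added example, not code from the thread: it assumes the image begins with such a table, takes the load address and little-endian byte order from the boot log in post #1, and runs on a constructed blob (`build_sample`), not a real .cel file.

```python
import struct

LOAD_ADDR = 0x30010000   # boot log: "jumping to loaded image: 30010000"
REQUIRED_SLOTS = (0, 1, 2, 3, 4, 6, 7)   # slot 5 is reserved, often a NOP

def is_vector_word(word):
    """B <target> (0xEAxxxxxx) or LDR PC, [PC, #imm] (0xE59FFxxx)."""
    return (word >> 24) == 0xEA or (word >> 12) == 0xE59FF

def reset_target(word, table_off):
    """File offset reached by a B in slot 0 (PC reads as instruction + 8).
    None when slot 0 is an LDR PC, whose target sits in a literal pool."""
    if (word >> 24) != 0xEA:
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x800000:                  # sign-extend the 24-bit offset
        imm24 -= 0x1000000
    return table_off + 8 + (imm24 << 2)

def find_vector_tables(blob, step=1):
    """Return [(table_offset, reset_target_offset_or_None), ...].
    step=1 because data prepended to the image need not be word-sized."""
    found = []
    for off in range(0, len(blob) - 31, step):
        words = struct.unpack_from("<8I", blob, off)   # little endian
        if not all(is_vector_word(words[i]) for i in REQUIRED_SLOTS):
            continue
        target = reset_target(words[0], off)
        if target is not None and not 0 <= target < len(blob):
            continue                      # branch leaves the file: reject
        found.append((off, target))
    return found

def runtime_address(file_off, table_off):
    """Address of file_off once the image starting at table_off is loaded."""
    return LOAD_ADDR + (file_off - table_off)

def build_sample():
    """Constructed blob: 0x46 filler bytes standing in for prepended data,
    then a vector table and a few instructions."""
    header = bytes(range(0x46))
    vectors = [0xEA000006,                # B to the code after the table
               0xE59FF014, 0xE59FF014, 0xE59FF014, 0xE59FF014,
               0xE1A00000,                # reserved slot: NOP
               0xE59FF014, 0xE59FF014]
    code = [0xE3A00000] * 16              # MOV r0, #0, repeated
    return header + struct.pack("<8I", *vectors) + struct.pack("<16I", *code)

if __name__ == "__main__":
    for table, target in find_vector_tables(build_sample()):
        print(f"table at 0x{table:X}, reset -> file 0x{target:X}, "
              f"runtime 0x{runtime_address(target, table):08X}")
```

A hit is only a candidate: confirm it by checking that strings seen in the boot log, such as `UCOS_FRAMEWORK`, appear after the reported offset.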

#9 mtlott

mtlott

    Explorer 1

  • *****
  • Posts: 80
  • Joined: 12 Jul 2008
  • Loc: Georgia

Posted 10 August 2015 - 03:54 PM

I have an old SkyScout which I would happily add to the testing pool for this project. The firmware is version 1.22.28, Oct 11 2006. Like the others reported, the GPS is no longer able to get a fix and the last selectable year is 2015.

Marie


  • Crow Haven and joshumax like this

#10 BigC

BigC

    Skylab

  • *****
  • Posts: 4077
  • Joined: 29 Sep 2010
  • Loc: SE Indiana

Posted 15 August 2015 - 12:23 PM

I'd be thrilled if only the original functionality was restored so the SkyScout could continue to be used as before. 


  • Crow Haven likes this

#11 rmollise

rmollise

    Hubble

  • *****
  • Posts: 17220
  • Joined: 06 Jul 2007

Posted 15 August 2015 - 02:50 PM

Some of 'em still work. Depends on the firmware version. Mine is fine, but I just use SkySafari on my iPhone anyway. :)



#12 joshumax

joshumax

    Explorer 1

  • -----
  • Posts: 71
  • Joined: 13 Mar 2013

Posted 15 August 2015 - 04:28 PM

Some of 'em still work. Depends on the firmware version. Mine is fine, but I just use SkySafari on my iPhone anyway. :)

I've been spending some of my free time working on completing the SkyScout emulator... I've learned a lot more about the insides of the SkyScout lately and hopefully that'll be finished soon. More importantly though, Rod, do you happen to know what version of the SkyScout firmware you're using?


  • Crow Haven likes this

#13 rmollise

rmollise

    Hubble

  • *****
  • Posts: 17220
  • Joined: 06 Jul 2007

Posted 19 August 2015 - 05:26 PM

Some of 'em still work. Depends on the firmware version. Mine is fine, but I just use SkySafari on my iPhone anyway. :)

I've been spending some of my free time working on completing the SkyScout emulator... I've learned a lot more about the insides of the SkyScout lately and hopefully that'll be finished soon. More importantly though, Rod, do you happen to know what version of the SkyScout firmware you're using?


1.30.22

Checked it to be sure and, yes, despite not having been turned on in a while it got a gps fix in just a couple of minutes.
  • joshumax likes this

