While I'm waiting for my Advanced VX mount to arrive, I thought I'd start my first post with my progress on reverse engineering and modifying the now-defunct-and-discontinued Celestron SkyScout.
I've always been a big fan of both the Meade MySky and Celestron SkyScout, and currently own a few of both. One day, long after Celestron discontinued support and updates to the SkyScout, I decided enough was enough...the Autostar 497/II had custom patches and a developer community--so why can't the SkyScout?
So I cracked open the case and hoped that I didn't blow the thing up:
What I've discovered about the SkyScout so far:
CPU: Samsung S3C2410AL-20 ARM920T Low-power MCU
NAND: Samsung K9F5608U0D 32Mx8bit Flash Memory
RAM: Samsung K4S641632N 64M Flash Memory
GPS: SkyLab SKG13C
UART: Three pins next to the top of the CPU, labeled TP18, TP17, and TP16, respectively. TP18 is RXD, TP17 is TXD, and TP16 is GND. Can be connected to using an FTDI board set to 9600 8N1.
JTAG: Unknown currently.
Boot process (dumped from UART):
Nand Bootloader Aug 5 2010 09:15:13
Clearing memory
Loading Image ...............................................
jumping to loaded image: 30010000
UCOS_FRAMEWORK Ver 1.10 for S3c2410 (ARM920T from Samsung) :04/01/03
Built using ADS on Aug 5 2010 <09:16:26>
Endian: LITTLE
CONSOL: COM0, 9600bps, 8Bit, NP
CPU Clk: 135MHz MMU: ON Cache: ON Write Buf: ON
FLASH_SADDR:00000000h SDRAM_SADDR: 30000000h
SFR_BADDR :48000000h ISR_BADDR :307fff00h
SkyScout application developed by Mike Lemp and Mike Hatalski
Welcome to the SkyScout
Initializing OS Timer Tic...
Initializing NonVolatile data commands... done
Initializing BSP...[18,2]
UART ---->:unit:0 rate:9600 divisor:220.........
UART ---->:unit:1 rate:4800 divisor:440.........
UART ---->:unit:2 rate:9600 divisor:220.........
done
Initializing NVDataBase...done
Initializing Peg... done
Initializing USB... done
Initializing FileSystem... done
Initializing GPS task...done
Initializing SD card...done
Creating Shell Task...done
Initialization All done...
[..\src\SkyScout.cpp] line=277 - clock(): 1226
[..\src\SkyScout.cpp] line=310 - Serial# 128331
Initializing NVFactoryData3 :454e
kkkkkkkkkkkkkkkkkkk
Language: EN
[..\src\SkyScout.cpp] line=400 - SkyDBLib.deserialize: 148
[..\src\SkyScout.cpp] line=402 - SkyDBLib.searchInit: 60
hasBypass = 0, hasLock=0, hasPWLock=0
Attempted access without key
sdDB.InitDB() result = 104
error sdDB.GetNVFile( NVDB_SKYSCOUTDATA) result = 1
error sdDB.GetNVFile( NVDB_MENUDATA) result = 1
[..\src\SkyScout.cpp] line=2344 - SkyMenuAccess.load(): 2301
drv_[..\src\SkyScout.cpp] line=510 - Initializing sensors...
[..\src\SkyScout.cpp] line=534 - $$$$$$$mpAccelX ->calibrate offsetError:-135.9941 sensitivityError:-18364.2930 slope:0.0000 offset:0.0000
[..\src\SkyScout.cpp] line=558 - $$$$$$$mpAccelY ->calibrate offsetError:168.8008 sensitivityError:134.7421 slope:0.0000 offset:0.0000
[..\src\SkyScout.cpp] line=577 - $$$$$$$mpAccelZ ->calibrate offsetError:585.7109 sensitivityError:76.3508 slope:0.0000 offset:0.0000
Using ref voltage calibration: -0.585304t + 35720.140625
((int)referenceVoltageCompensator->getValue()) is 35704
[..\src\SkyScout.cpp] line=736 - total init time: 4039
SetConfiguration port:1 4800-8-N-1 ......
UART ---->:unit:1 rate:4800 divisor:440.........
Shell is starting ... ...
$
There's a nice little debug shell built into the ucOS II Firmware of the SkyScout, which can do a whole bunch of interesting and consumer-unintended things:
$ help
Listing All Commands...
ClockOff, usage=ClockOff [arg], Turns the 1 second clock off
ClockOn, usage=ClockOn [arg], Turns a 1 second clock on which dumps a '.' to the console
MCVersion, usage=MCVersion, Prints the running version of MicroC
TaskDump, usage=TaskDump [arg], Prints Information about all running tasks
Test, usage=Test, Prints a test string to the console
clkinfo, usage=clkinfo, Displays information about the cpu clocks
delaytest, usage=delaytest [count], delay the number of counts specified
dumpstats, usage=dumpstats, dump statistics counters
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
nvdata, usage=[-g/-s/-v] address data, get/set/setVariable contents of flash NVData
nvdump, usage=nvdump, Dumps the contents of the flash NVData area
heapstats, usage=heapstats, Displays statistics on the state of the storage allocation heap
heapvalid, usage=heapvalid [1=verbose], Performs a consistency check on the heap
memtest, usage=memtest, Performs a series of memory tests
memtest2, usage=memtest2, Performs a series of memory tests
statictest, usage=statictest, tests static data initializers
a2dscan, usage=a2dscan, Continuous scan of a2d sample set
dac, usage=dac <chnl> <val>, set the output of the reference dac <chnl> to value <0-0x1FF>
dlytest, usage=dlytest, test the low level delay routine
geta2d, usage=geta2d, Gets a 16 bit sample from the a2d converter
setTemp, usage=setTemp, Set DEBUG temperature
setWay, usage=setWay, Set temperature way
TraceT0, usage=TraceT0, Starting Tracert point 0
TraceT1, usage=TraceT1, Starting Tracert point 1
autopwr, usage=autopwr, Set AutoPower
getadc, usage=getadc [channel], reads the specified adc channel
getbat, usage=getbat, primitive access to hw rtc
gettemp, usage=gettemp, primitive access to hw rtc
hwrtc, usage=hwrtc [-g] | [-s <yyyy.m.d.h.m.s>], primitive access to hw rtc
lcd_con, usage=lcd_con <val>, set lcd contrast val=1-360
led, usage=led [lednum] [val], set led on or off
magsr, usage=magsr [0,1,2], 0-set/reset pulse, 1-set pulse, 2-reset pulse
mux, usage=mux <chnl>, set the analog mux to the specified channel <0-7>
pwm, usage=pwm [chan] [val], set pwm channel to value val=1-4095
scanpause, usage=scanpause, pause the sensor scan
scanresume, usage=scanresume, resume the sensor scan
sensorscan, usage=sensorscan [sensprnum], scan the sensor with rms averager
sscanf, usage=sscanf [sensprnum], scan the sensor to file data.txt
atten, usage=atten [val], 0.0-no atten, 127.0-max atten
audioinfo, usage=audioinfo, gets the audioinfo struct for the current audi clip
audiopos, usage=audiopos, gets the current playback position of the audio clip
audiopwr, usage=audiopwr, puts dac in powerdown mode
getatten, usage=getatten, returns the current attenuation setting
play, usage=play [fileid], play fileID audio file
ls, usage=ls, Lists the contents of the current working directory
cat, usage=cat <filename>, Dumps the contents of the file to the console
pwd, usage=pwd, Print full path of current working directory
fstest, usage=fstest <filename> <string>, Writes 'string' into 'filename'
df, usage=df, displays volume usage information
hipsaotst, usage=hipsaotst, hip sao clock test
nvgetblock, usage=nvgetblock id len, calls GetNVFileBlock(id,len)
nvgetfile, usage=nvgetfile id, calls GetNVFile(id)
nvgetsd, usage=nvgetsd offset len, calls SD card FS read on SDDB.BIN
nvfast, usage=nvfast num, reads num blocks using low level SD SectorRead
nvpwlock, usage=nvpwlock_cmd cmd onepw twopw, cmd = 0/unlock, 1/lock, 2/setpw, 3/clrpw, 4/erase
nvspeex, usage=nvspeex fileid, read, decode, store on SD
crash, usage=crash, Force a system crash via DAbort
nftest, usage=nftest, NF 0xFF read test
usbd, usage=usbd, usb trace dump
resetUSBshell, usage=resetUSBshell, Reset USB Shell mode
gpsfix, usage=gpsfix, GPS Fix
gpsstop, usage=gpsstop, GPS Stop
gpsOTOF, usage=gpsOTOF, GPS OneTrack One Fix
gpsShow, usage=gpsShow, toggle showing of GPS msgs
gpsReq, usage=gpsReq, request GPS assistance data
gpsReset, usage=gpsReset, Perform a GPS soft reset
sdstat, usage=sdstat, SDcard status
sdinit, usage=sdinit, SDcard init
$
I haven't been able (yet) to get a directly bootable dump of the firmware, since there doesn't seem to be a JTAG port on the device. There are downloadable firmware files from Celestron at http://software.cele...dates/SkyScout/, but they don't seem to be directly flashed to the device, but rather separated into parts by the Celestron updater application (.cel). As soon as I find the start and end of the firmware image in the cel file I can get started with the reverse engineering portion of things.
If anyone wants to help out or has any ideas, just message me or reply to this thread.
Edited by joshumax, 05 August 2014 - 08:22 PM.
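One way to look for the start of the firmware image inside a .cel file, as an added example that is not part of the original post: scan for an ARM exception vector table and cross-check it against the UCOS_FRAMEWORK banner and the 30010000 load address from the boot log. It assumes the image is stored uncompressed and word-aligned and begins with a vector table; the .cel layout is unknown, so `make_sample()` builds a constructed stand-in and all function names are hypothetical.

```python
import struct

LOAD_ADDR = 0x30010000      # "jumping to loaded image: 30010000" in the boot log
BANNER = b"UCOS_FRAMEWORK"  # banner string the loaded image prints

def is_vector_word(word):
    """ARM encodings normally found in an exception vector slot."""
    return ((word & 0xFF000000) == 0xEA000000 or   # B <target>
            (word & 0xFFFFF000) == 0xE59FF000)     # LDR PC, [PC, #imm12]

def branch_target(word, offset):
    """File offset that a 'B' located at `offset` jumps to (PC reads as +8)."""
    imm = word & 0x00FFFFFF
    if imm & 0x00800000:                 # sign-extend the 24-bit field
        imm -= 0x01000000
    return offset + 8 + (imm << 2)

def find_vector_tables(blob):
    """Offsets of 8 consecutive little-endian words that look like ARM vectors.
    Slot 5 (+0x14) is reserved by the architecture, so it is not checked."""
    hits, off = [], 0
    while off + 32 <= len(blob):
        words = struct.unpack_from("<8I", blob, off)
        if all(is_vector_word(w) for i, w in enumerate(words) if i != 5):
            hits.append(off)
            off += 32                    # skip the table just matched
        else:
            off += 4                     # assumption: image is word-aligned
    return hits

def candidate_starts(blob):
    """Vector tables that precede the banner and whose reset branch stays in the file."""
    banner_at = blob.find(BANNER)        # -1 if stored compressed or encrypted
    found = []
    for off in find_vector_tables(blob):
        reset = struct.unpack_from("<I", blob, off)[0]
        is_b = (reset & 0xFF000000) == 0xEA000000
        if is_b and not 0 <= branch_target(reset, off) < len(blob):
            continue                     # reset vector points outside the file
        if off < banner_at:
            found.append({"file_offset": off,
                          "banner_addr": LOAD_ADDR + banner_at - off})
    return found

def make_sample():
    """Constructed container: made-up 0x40-byte header, vector table, padding, banner."""
    header = b"CEL-CONSTRUCTED-HDR".ljust(0x40, b"\xff")
    table = [0xEA000000 | (14 - i) for i in range(8)]   # every slot branches to +0x40
    table[5] = 0xE1A00000                                # reserved slot: NOP
    return header + struct.pack("<8I", *table) + b"\x00" * 0x60 + BANNER + b" Ver 1.10"
```

If `candidate_starts` returns nothing on a real update file, the banner is not present in the clear, which points to a compressed or encoded payload rather than a raw image.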