Pasco Xplorer GLX Hardware

[CVSoft]

I took some highly detailed PCB pictures of the Pasco PS-2002 Xplorer GLX. Pasco hasn't really published anything about its hardware so I do not have much to go off of (unlike Vernier, Pasco doesn't talk much about their hardware). I've worked out the following info:

• The CPU is clocked at 50 MHz. I don't even know which IC the CPU is, and I don't know what type of CPU it has; Pasco calls it a "floating point CPU." I hope it isn't in the FPGA.
  
• There's a FPGA in there, and it makes the most heat. It's an Altera Cyclone EP1C12F256C8N.
  
• 8 MB FlashROM
  
• There's a bunch of RAM chips. One of them is a 32 KB SRAM, and somewhere the system has a 16-ish MB RAM chip (11 MB available to the user). It could be the BGA IC below the FPGA, I haven't worked out its identity.
  
• The system uses six NiCad/NiMH batteries in series to receive 7.2V. The system expects those batteries to be present, as there are numerous warnings to not connect the system to power without batteries installed.
  
• There's a TI MSP430F147 in there, I think it is used to decode PasPORT data but I'm not sure. It has its own 512KB FlashROM.
  
• The LCD is not made by Pasco. It uses a Powertip PG320240H-P2 LCD module glued to the front housing.
  
• A TI AIC28I handles audio I/O. The GLX has a microphone, speaker, and speaker-out port.

I also wrote down the names of the ICs on the LCD and keyboard-audio PCBs:

Code Select Expand


LCD board:
IC1         Row driver: Sitronix ST8024F4 AOG659.1W8B1187703
IC2/IC3 Column drivers: Sitronix ST8016F3 AOM275.1 AS9500Q
IC4          EL Driver: ZSP4\403L [ZSP4403]

555-0894O-D Keyboard/Audio board:
U1            Microcontroller: (TI)96A2PKT G4\M430F147\REV N [TI MSP430F147]
U2            Serial FlashROM: 25P40VP
U3                           : BY42
U4           Audio Controller: AIC28I\TI 96W\Z13N G4
U5/U6                  Op-amp: BB OPA\2340UA\96JQD
U7                           : Not present
U8          Voltage Converter: [National Semiconductor logo]CHAB\LMC76\96JQD [LMC7660]
U9                           : PDP
U10                          : R2B
U11 Instrumentation Amplifier: AD623A\[Analog Devices logo]#0926\1654476


Should anyone be bored enough to try and reverse-engineer or hack this device, the above information should be helpful.

[novenary]

Nice job on the pictures and the research.

[CVSoft]

After some analysis of the firmware by @Adriweb and myself, we found that it is likely based on the Ubicom32 architecture, a proprietary architecture not related to ARM.

[Adriweb]

At least that's what binwalk detected.
If that's it, reversing won't be easy, if that ever was the goal.

[CVSoft]

With an Ubicom32 architecture, I would expect to see a Ubicom-branded chip somewhere in there though. I don't see anything that would indicate this. The architecture is an oddball.

[novenary]

It's very likely that the CPU is hosted in the FPGA if there's no Ubicom or Qualcomm chip on the board.

[CVSoft]

That's what I'm thinking, but hoping against. An FPGA-hosted CPU would be a nightmare for homebrewing. The firmware includes a raw binary for the FPGA, but I don't have any idea how to have ideas on interpreting that data. I also don't know how the FPGA would be able of self-updating its firmware (maybe the MSP430 can do this?).

I counted up the occurrence of each byte in the firmware, the PNGs are here, and the CSV source files are here.

I'm searching DataStudio for any references to the CPU. This will take a fair bit of time.

[novenary]

That's what I'm thinking, but hoping against. An FPGA-hosted CPU would be a nightmare for homebrewing. The firmware includes a raw binary for the FPGA, but I don't have any idea how to have ideas on interpreting that data. I also don't know how the FPGA would be able of self-updating its firmware (maybe the MSP430 can do this?).

FPGAs usually load their firmware from external flash when you power them up then they work entirely from the internal block RAM. Pretty simple to reflash the firmware from there, and as you said the msp430 can do it otherwise.

Also, reversing a bitstream is not easy, it's basically a massive truth table and the format changes for each device.

[CVSoft]

After poking around in the firmware files, I've determined the OS was written in C++. Strings in the firmware are weird, they're stored with 32 bits per character. The OS uses Unicode, but the character map only shows a UTF-16 implementation. I still can't match up binary characteristics to any architecture I compared against, but the CPU is a 32-bit architecture.

[Adriweb]

After poking around in the firmware files, I've determined the OS was written in C++.

Lies! I've told you that since the very beginning!

(however you made it much clearer after properly extracting stuff )

* Adriweb runs

[CVSoft]

After poking around in the firmware files, I've determined the OS was written in C++.

Lies! I've told you that since the very beginning!

The firmware, or the GLX Simulator which is a Windows executable?

[Adriweb]

Firmware. I believe it was glx.bin, but I'm not 100% sure.

[CVSoft]

Yup, that's firmware. The string tables I extracted from the simulator (it had some debug info about the GLX OS), the bin files are firmware updates extracted out of S-Record format.

[CVSoft]

So after a bit of tomfoolery I found that the Nios II CPU architecture used with the Altera Cyclone FPGAs is a viable candidate for the GLX's instruction set. It would be easy to implement, uses a 32-bit word size, and supports compiled C/C++ code via GCC or something. Once I get time, I'll manually disassemble the first couple of bytes of the firmware and see if the content makes sense.

[DJ Omnimaga]

So you could get some games to run on this?