
Re: Flight Computers



Hi Phil,

On Mon, 29 Apr 2002, Phil Karn wrote:

> It's hard to know what might be best for your application without
> knowing more about it and your constraints (power, heat,
> communications, etc). But I'm puzzled by your statement about
> monolithic programs.

Well, this is required by outside forces. The primary goal is to be foolproof,
i.e. idiot-resistant. The end user will get one file with the core system, like
IOS or Cisco PIX. Let's call the CPU module the IHU in this case.
The IHU will have a 64 MB flash disk and 16 MB RAM, with a file system similar
to FAT. The disk will be divided into 2 slices: the first the SYSTem image, the
second application and data. Initially, a secondary flash disk is planned.
When the local control operator receives a system update he needs only to
upload one file, change the running image name and reboot.
All needed modules will be included in the base system, and I will be sure
that all of them are in the correct versions etc. There is no need to worry
about local operator errors like wrong module versions, wrong file
permissions etc. In case of penetration it will be easily detectable
(the system has 1-wire for sensors and knows the serial numbers of the Dallas
components attached; the system image has a crypto checksum that takes into
account the serial numbers of the local Dallas chips and my local secret key).
When the system is tampered with, this will be easily detectable, and there are
fallback routines implemented, like a reboot with a special stripped version of
the system. That is why we need a faster CPU. Crypto is eating cycles.
Some advantage is that in case of flash disk failure we will have an automatic
revert to contingency mode. The particular kernel in this case only allows a
maximum of 63 application tasks to be running.
I hope the end version will end up with about 10 or 12 tasks max.
And there is no need for many remote ops. Tasks are things like loading data
from sensors, I hope that soon packet radio will be returned to the system
(it was based on the wonderful SYMEK TNC-3S, a two-port packet radio switch
with its own operating system and application base), housekeeping, command
link maintenance.

The CPU board is a PCM-4823, the IO board is a PCM-3718HG (16 / 8 channel
12-bit, and 2 - 8 bit TTL multi IO), plus a PCM-3612 for 2 additional RS-232
ports.
One on-board RS-232 is used by the command system, the second is reserved for
the TNC-3, the third RS-232 is in use by the 1-wire control processor, a
Philips PCF 80C552 + Dallas 2940 (if I recall the 1-wire controller
correctly). The '552 is still running Forth and has a "silicon tape
recorder" ;) - that is what we call 2 I2C 256k serial chips + an I2C clock
independent of the main system time. They are independently watching each
other, i.e. the i486 can pull reset on the '552 and the '552 can pull reset on
the main CPU if there is no heartbeat from it (on one digital IO line and on
the RS-232 link). A state machine is watching all parts.
But only the main CPU can power down the '552 (i.e., it is able to put itself
into low power but not power off). The fourth RS-232 port is reserved for a
last-resort command link - a very dumb series of DTMF tones. If the CPU
crashes and all other watchdogs fail, it is still possible to issue a hard
restart via a very long and repeated DTMF string. Some sort of state machine.
All of it is fabricated mostly by hand, and the design is very dumb. But it
worked well. In the original design there are two '552 chips.

In the final working configuration there will be 6 CPUs working.
 
> My old NOS TCP/IP code was one big monolithic program, much like
> Cisco's IOS. Frequently I'd update a remote packet switch by FTPing a
> new version of net.exe or a configuration file and commanding a
> reset. It usually worked, but it sure was slow and inelegant.
> Fortunately we had 56kb/s links.

Phil, I'm impressed by your outstanding job with NOS. My salutations.
It's the first TCP/IP system that I established, a long time ago. I remember
that I prepared all the necessary files and went to sleep while the sources
compiled on my 386sx 16 MHz system. All night :) But it worked well.
In my first job I connected Warsaw University - Faculty of Management to
the Internet with a 386 DX 40 running your NOS and a 9.6k leased line modem.

> When Linux appeared, my code quickly became obsolete. Now I routinely
> administer several remote Linux machines, including my dad's on the
> opposite coast of the US, in ways that simply weren't possible with a
> monolithic program like NOS.

I know what you mean.
In my job as a Unix (mostly Linux) system engineer and security officer I
manage many systems, sometimes in very distant locations.
But in my project I don't need many of Linux's fruits. No programming
language, no many additional and unchecked programs and libraries.
Remember, any line of code is a potential bug and security hole.
In the development version it will be capable of loading additional executables
from the secondary disk, but in the final version it will not. All disk IO will
be data handling only. It will be able to upgrade the system on the TNC-3 or
bulk reload the '552, but the main IHU executable will be only one file with an
integrity check.

I know that this solution is only suitable for a fast and good link.
Btw, my command and data links are 9k6 only. But they are full duplex. And
the operating system isn't reloaded every day. Let's say once every 2 or 4
weeks in the beginning, to once every several months in stable condition. Now
there is internet via a 33.6k modem with a small router (a second identical 486
motherboard as a firewall) with crossover ethernet, but because the land line
is very often stolen (together with the power line) for brass, we don't depend
on it.
Solar power, wind generator, BCR and batteries. But the system will be
forced to sleep several days in the year because of negative power.
Of course, only if we lose the power line again.

> One of the biggest advantages of IPS is its ability to be
> incrementally updated over slow comm links.  Among many other things,
> the development of shared libraries (what Windows call DLLs) makes
> that possible with other operating systems as well. I just don't see
> how a monolithic program can still be better.

A satellite has other goals and restrictions. I said previously that my
situation is easy. But the operating system of the IHU must be small; I hope
no more than 100 to 250 K without TCP/IP, and about 512 K max with TCP/IP. In
a LEO sat it can be reloaded within one day at 9.6k by no more than 2 command
stations. A GTO sat is another story. 400 bps is far more challenging. Your
work on FEC is very interesting. And promising.
I must perform some tests of how it is working.
But keep in mind that a GTO sat is in view far more of the time than a LEO sat.
A slow link but more time makes for quite a big upload. And in normal use you
will only adjust parameters, start tasks and so on. If all routines are
tested you will be quite sure that when you or the system scheduler start some
service, the spacecraft doesn't shut down all RXes because it put all
zeros in a control register.

Best regards.

Artur sp5qan

-- 
----------------------------------
Artur Dworak  AD1272-RIPE 
artur(at)supermedia.pl
Security Officer - Super Media ISP

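The hardware-bound integrity check Artur describes above (a crypto checksum over the system image that also covers the serial numbers of the Dallas 1-wire chips present and a local secret key, with a fallback to a stripped image on mismatch) can be sketched as follows. This is an added example, not code from the original post or from the IHU project: HMAC-SHA256 is an assumed construction (the post does not say which checksum was used), and the key, image bytes and ROM IDs are constructed here. The 8-byte 1-Wire ROM ID layout (family code, 48-bit serial, CRC8 over the first seven bytes, polynomial x^8 + x^5 + x^4 + 1) is the real Dallas/Maxim format, and `02 1C B8 01 00 00 00 -> A2` is the standard check vector from Maxim Application Note 27. Sorting the ROM IDs before hashing makes the tag independent of the order in which the bus enumerates the devices, so a swapped or missing chip fails verification while a mere re-enumeration does not.

```python
import hmac
import hashlib
from typing import Iterable


def crc8_1wire(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC8: x^8 + x^5 + x^4 + 1, LSB-first (0x8C reflected)."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 1
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def rom_id_valid(rom: bytes) -> bool:
    """A ROM ID is 8 bytes: family code, 6-byte serial, CRC8 over the first 7."""
    return len(rom) == 8 and crc8_1wire(rom[:7]) == rom[7]


def make_rom_id(family: int, serial: bytes) -> bytes:
    """Build a well-formed ROM ID for constructed sample data (serial is 6 bytes)."""
    if len(serial) != 6:
        raise ValueError("1-Wire serial must be 6 bytes")
    body = bytes([family]) + serial
    return body + bytes([crc8_1wire(body)])


def _canonical(image: bytes, rom_ids: Iterable[bytes]) -> bytes:
    """Deterministic encoding of what the tag covers.

    ROM IDs are de-duplicated and sorted so the result does not depend on bus
    enumeration order; length prefixes keep the ID/image boundary unambiguous.
    Malformed IDs (bad CRC8) are rejected rather than silently bound."""
    ids = sorted(set(rom_ids))
    for rom in ids:
        if not rom_id_valid(rom):
            raise ValueError("malformed 1-Wire ROM ID: %s" % rom.hex())
    out = bytearray(b"IHU-IMG-v1")          # domain separator (assumed label)
    out += len(ids).to_bytes(2, "big")
    out += b"".join(ids)
    out += len(image).to_bytes(4, "big")
    out += image
    return bytes(out)


def seal_image(image: bytes, rom_ids: Iterable[bytes], key: bytes) -> bytes:
    """Ground side: tag shipped alongside the image (HMAC-SHA256, assumed)."""
    return hmac.new(key, _canonical(image, rom_ids), hashlib.sha256).digest()


def verify_image(image: bytes, rom_ids: Iterable[bytes], key: bytes, tag: bytes) -> bool:
    """Flight side: recompute over the chips actually found on the bus."""
    try:
        expected = seal_image(image, rom_ids, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)


def choose_boot_image(image: bytes, rom_ids: Iterable[bytes], key: bytes, tag: bytes) -> str:
    """Fallback policy: boot the full image only if it verifies, else the stripped one."""
    return "full" if verify_image(image, rom_ids, key, tag) else "stripped"


# Constructed sample data (not from the original post).
SECRET_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()
CHIP_A = make_rom_id(0x10, bytes.fromhex("0008001a2b3c"))  # 0x10: DS1820/DS18S20 family
CHIP_B = make_rom_id(0x2D, bytes.fromhex("0000112233aa"))  # 0x2D: DS2431 EEPROM family
FULL_IMAGE = b"IHU core system v1.0 " + bytes(range(256))
IMAGE_TAG = seal_image(FULL_IMAGE, [CHIP_A, CHIP_B], SECRET_KEY)

if __name__ == "__main__":
    # Same chips, different enumeration order: still the full image.
    print(choose_boot_image(FULL_IMAGE, [CHIP_B, CHIP_A], SECRET_KEY, IMAGE_TAG))
    # One byte appended to the image: fall back to the stripped image.
    print(choose_boot_image(FULL_IMAGE + b"\x00", [CHIP_A, CHIP_B], SECRET_KEY, IMAGE_TAG))
    # One chip replaced by another with a different serial: stripped as well.
    other = make_rom_id(0x10, bytes.fromhex("0008001a2b3d"))
    print(choose_boot_image(FULL_IMAGE, [other, CHIP_B], SECRET_KEY, IMAGE_TAG))
```

The secret key lives on the ground and in the flight image verifier, so an attacker who can rewrite the flash but has neither the key nor the exact set of chips cannot produce a tag that verifies; `hmac.compare_digest` keeps the comparison constant-time.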

----
Via the amsat-bb mailing list at AMSAT.ORG courtesy of AMSAT-NA.
To unsubscribe, send "unsubscribe amsat-bb" to Majordomo@amsat.org