I have started to work on DroneProxy some time ago to work around bugs in the firmware of the drone. Basically it is a transparent proxy for the UDP AT command packets arriving on port 5556. The packets are parsed to keep track of the sequence number. If no packets are received for 1500 ms the proxy will start sending “landing” commands with increasing sequence numbers (until somebody plugs the battery…).
Archive for the ‘Parrot AR.Drone’ Category
If you wondered how the update process to version 1.3.3 would look if you attached a serial console….
During my telnet visits to the Parrot AR.Drone i wondered what all the serial ports (/dev/ttyPA0..2) are for. And now I know which one is used by what and where i can find them on the board.
The pinout for a USB cable can be found at the official Parrot website….here.
/dev/ttyPA0 is used by the bootloader and the kernel and can be found on the “USB” port (Pin 4 is RX and Pin 6 is TX) and greets us with:
Restarting system.Parrotboot for target MYKONOS, built on Apr 21 2010NAND: layer initializationNAND: found 8 bits nand 0xf1UBI: layer initialization (version 1)UBI: found volume with id 2147479551UBI: found volume with id 0UBI: found volume with id 2UBI: failed to open volume with ID 1 (Bad file handle)Attempt booting on UBI volume with ID 0…Booting Linux…
This serial interface should allow us to attach a GPS module (with a TTL level serial interface) directly, without the need of a new kernel! GPS here we come!
/dev/ttyPA1 is used to interface with the motor controllers. There must be some de-multiplexer between the serial port and the 4 motor controllers. I actually managed to randomly start a motor by typing garbage into this.
/dev/ttyPA2 connects to the navboard and continously spits out navdata from all sensors.
After Parrot finally released the GPL sources for their kernel changes it was time to dig into the firmware some more. Last week i was taking a closer look at the closed source control binary which has the innovative name “program.elf”.
It turns out that the binary dynamically links to libiw (from the wireless_tools) which is a GPL licensed library. You can easily check this yourself by telneting into the drone:
strings program.elf | grep iw
Antoine Ferran (from Parrot) confirmed this fact on the next morning:
The libiw is dynamically linked with the program but it is a mistake.
Libiw is not needed anymore: it is a remnant of a previous test version.
Any calls to libiw has been removed from the current build that will be released soon.
You can find the complete discussion here.
I am pretty confident that they will not get away with that and will have to release the source code. Actually that could be a really good way for Parrot to get help from the community to fix all of the critical bugs in the current firmware (“fly-away” syndrom, random crashes, ….) and make a much better product!
Now that i am done messing with the software and actually completing a few test flights, I figured it was about time to tear the drone apart. The only thing required is a tiny torx screwdriver (T6X20) which fortunately i had laying around on my desk because we use the same screws to tighten the GSM modules on to our GSM cards.
Once you remove the plastic shielding you can see the mainboard stacked on top of the navboard (which carries the ultrasonic sender/receiver). The front camera is connected with a ribbon cable coming from the right. Above that camera connector is a 7 pin USB header.
Undo 4 little screws and you can remove the navboard (which plugs into the backside of the mainboard with an 8 pin connector…probably serialish). Here you see the mainboard with the camera cable removed and the battery connector ripped out of the shell (to give some space for moving the mainboard). The mainboard has 2 on-circuit wifi antennas (ANT1 and ANT2):
This is the navboard with the ultrasonic sender/receiver pair. The “ugly padding” on the left is probably to shield the right one from receiving the “echo” through vibrations across the pcb (instead of receving the reflected signal through the air). The 8 pin connector connects to the mainboard.
The drone is really easy to take apart and also to re-assemble. It even does work again.
Finally I got my hands on a Parrot AR.Drone! 299 Euros bought me a wifi-pilotable quadro-copter with linux inside. It is marketed as a drone which is controlled by an iPhone app. However there is a demo Android app (which i did not test, yet) and the control protocol is documented (plain old AT commands).
After making a few first flight attempts (using my brothers iPad) it was about time to take a closer look at the embedded linux stuff inside the drone. Not wanting to tear down the drone (yet!) and search for a serial interface, I decided to take a shot at the wifi.
The communication between the iP(ad|od|hone) app and the drone is carried out using an unencrypted adhoc wifi. What a great secure concept…. So, I hooked up an Asus wifi ap (running openwrt) to the adhoc wifi and gave nmap a try:
Interesting ports on 192.168.1.1:
Not shown: 65532 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
2049/tcp closed nfs
MAC Address: 00:26:7E:30:B5:C8 (Unknown)
Yep, it’s sporting an open telnet. And (you might already have guessed it) it drops you to a root shell without asking for a password. I am expecting to see a “Drone-be-gone” app in the appstore or market place very soon…
Probably all you need to do is to kill the closed source control binary named “programm.elf” or just type “reboot” if you see one of those drones fly by. And down it will go. Again, splendid security!
So, let’s have a looksy at the CPU:
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 233.47
Features : swp half thumb fastmult edsp java
CPU implementer : 0×41
CPU architecture: 5TEJ
CPU variant : 0×0
CPU part : 0×926
CPU revision : 5
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 32768
I assoc : 4
I line length : 32
I sets : 256
D size : 16384
D assoc : 4
D line length : 32
D sets : 128
Hardware : Mykonos Parrot platform
Revision : 0904
Serial : 0000000000000000
and the 128 MB memory:
MemTotal: 126036 kB
MemFree: 105472 kB
Buffers: 0 kB
Cached: 3404 kB
The drone has an Atheros AR6000 wifi. Both cameras (front and bottom) are exposed ad V4L devices. And we are running a 2.6.27 kernel:
Linux myhost 126.96.36.199-parrot-01227-g93dde09 #1 PREEMPT Fri Jul 2 15:23:06 CEST 2010 armv5tejl GNU/Linux
So, it’s a great device for playing/hacking at a good price! But, the total lack of security (open wifi, open root shell) is really bad for a product that is pushed to average-joe consumers through major electronic retail stores!