I have started to work on DroneProxy some time ago to work around bugs in the firmware of the drone. Basically it is a transparent proxy for the UDP AT command packets arriving on port 5556. The packets are parsed to keep track of the sequence number. If no packets are received for 1500 ms the proxy will start sending “landing” commands with increasing sequence numbers (until somebody plugs the battery…).
If you wondered how the update process to version 1.3.3 would look if you attached a serial console….
Now that i am done messing with the software and actually completing a few test flights, I figured it was about time to tear the drone apart. The only thing required is a tiny torx screwdriver (T6X20) which fortunately i had laying around on my desk because we use the same screws to tighten the GSM modules on to our GSM cards.
Once you remove the plastic shielding you can see the mainboard stacked on top of the navboard (which carries the ultrasonic sender/receiver). The front camera is connected with a ribbon cable coming from the right. Above that camera connector is a 7 pin USB header.
Undo 4 little screws and you can remove the navboard (which plugs into the backside of the mainboard with an 8 pin connector…probably serialish). Here you see the mainboard with the camera cable removed and the battery connector ripped out of the shell (to give some space for moving the mainboard). The mainboard has 2 on-circuit wifi antennas (ANT1 and ANT2):
This is the navboard with the ultrasonic sender/receiver pair. The “ugly padding” on the left is probably to shield the right one from receiving the “echo” through vibrations across the pcb (instead of receving the reflected signal through the air). The 8 pin connector connects to the mainboard.
The drone is really easy to take apart and also to re-assemble. It even does work again.
Finally I got my hands on a Parrot AR.Drone! 299 Euros bought me a wifi-pilotable quadro-copter with linux inside. It is marketed as a drone which is controlled by an iPhone app. However there is a demo Android app (which i did not test, yet) and the control protocol is documented (plain old AT commands).
After making a few first flight attempts (using my brothers iPad) it was about time to take a closer look at the embedded linux stuff inside the drone. Not wanting to tear down the drone (yet!) and search for a serial interface, I decided to take a shot at the wifi.
The communication between the iP(ad|od|hone) app and the drone is carried out using an unencrypted adhoc wifi. What a great secure concept…. So, I hooked up an Asus wifi ap (running openwrt) to the adhoc wifi and gave nmap a try:
Interesting ports on 192.168.1.1:
Not shown: 65532 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
2049/tcp closed nfs
MAC Address: 00:26:7E:30:B5:C8 (Unknown)
Yep, it’s sporting an open telnet. And (you might already have guessed it) it drops you to a root shell without asking for a password. I am expecting to see a “Drone-be-gone” app in the appstore or market place very soon…
Probably all you need to do is to kill the closed source control binary named “programm.elf” or just type “reboot” if you see one of those drones fly by. And down it will go. Again, splendid security!
So, let’s have a looksy at the CPU:
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 233.47
Features : swp half thumb fastmult edsp java
CPU implementer : 0×41
CPU architecture: 5TEJ
CPU variant : 0×0
CPU part : 0×926
CPU revision : 5
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 32768
I assoc : 4
I line length : 32
I sets : 256
D size : 16384
D assoc : 4
D line length : 32
D sets : 128
Hardware : Mykonos Parrot platform
Revision : 0904
Serial : 0000000000000000
and the 128 MB memory:
MemTotal: 126036 kB
MemFree: 105472 kB
Buffers: 0 kB
Cached: 3404 kB
The drone has an Atheros AR6000 wifi. Both cameras (front and bottom) are exposed ad V4L devices. And we are running a 2.6.27 kernel:
Linux myhost 126.96.36.199-parrot-01227-g93dde09 #1 PREEMPT Fri Jul 2 15:23:06 CEST 2010 armv5tejl GNU/Linux
So, it’s a great device for playing/hacking at a good price! But, the total lack of security (open wifi, open root shell) is really bad for a product that is pushed to average-joe consumers through major electronic retail stores!