Labs Mini-Drone Controller
- Hardware
- Overview
- Hacking
- BLE discovery and connection
- Control with node.js
- BLE traffic capture
- Controlling several minidrones
- Control via cylon
- Autopilot
- Web control interface
Hardware
Source: https://www.youtube.com/watch?v=74ssfS2vyyE
(https://ms01.parrot.com/760-large_parrot/motherboard-rolling-spider.jpg)
- CPU: http://elinux.org/ARM926EJ-S
- RAM: 32 MB
- Flash: 4 MB
Connectivity
- Bluetooth Smart technology, Bluetooth V4.0 BLE (Bluetooth Low Energy).
Sensors
- ultrasonic sensor
- a 3-axis gyroscope and a 3-axis accelerometer
- a vertical camera
- a pressure sensor
Battery
- Removable lithium-polymer battery with 8 minutes of flight time (6 minutes with the wheels); full recharge in 90 minutes.
Weight/dimensions
- Weight: 55 g (65 g with the wheels)
- Rolling Spider diameter: 140 mm
- Propeller diameter: 55 mm
- Motor spacing: 85 mm
Other
- Two bi-colour LEDs
- 4 motors
Overview
- General overview, iOS/Android application, BLE
- Hardware hacking
- Software hacking
Hacking
Connecting the Rolling Spider directly over USB to a Linux workstation mounts a new disk and creates a USB network interface with the address 192.168.2.2/24:
# df -h | grep media
/dev/sdb1 33M 3,6M 29M 11% /run/media/root/Parrot_RS
# ip add show ens35u2
8: ens35u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 2e:87:eb:ab:c8:3c brd ff:ff:ff:ff:ff:ff
inet 192.168.2.2/24 brd 192.168.2.255 scope global dynamic ens35u2
valid_lft 863557sec preferred_lft 863557sec
inet6 fe80::2c87:ebff:feab:c83c/64 scope link
valid_lft forever preferred_lft forever
Which address is reachable on this new interface?
# arp-scan -I ens35u2 192.168.2.0/24
Interface: ens35u2, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.4 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.2.1 12:ca:c7:0e:87:b3 (Unknown)
1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.4: 256 hosts scanned in 2.021 seconds (126.67 hosts/sec). 1 responded
An ARP scan discovers the address 192.168.2.1. Which services are listening on this address?
# nmap 192.168.2.1
Starting Nmap 6.40 ( http://nmap.org ) at 2016-06-08 22:00 CEST
Nmap scan report for 192.168.2.1
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
MAC Address: 12:CA:C7:0E:87:B3 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 5.77 seconds
TCP ports 21 (FTP), 23 (Telnet) and 80 (HTTP) respond.
HTTP connection
Checking TCP port 80:
# curl http://192.168.2.1
<!DOCTYPE html>
<html>
<body>
<h1>### Parrot Dragon Firmware ###</h1>
<p>TARGET_PRODUCT = delos </p>
<p>BUILD_DATE = 2015-03-06 </p>
<p>BUILD_TIME = 17h51m20s </p>
<p>BUILD_COMPILER = alexandregondeu </p>
<p>BUILD_COMPUTER = ERIC_THE_T-REX </p>
<p>BUILD_MYKONOS3_MAIN_SHA1 = eddcb97ce362380ccdc86c9592c9dad271e44505 </p>
<p>BUILD_DRAGON_VERSION = 1.99.2</p>
</body>
</html>
Telnet connection
What does a Telnet connection attempt give?
# telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
BusyBox v1.20.2 (2015-03-06 17:53:39 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
------------------------------------
HW Status :
------------------------------------
> Acc/Gyros MPU6050 :OK
> Temp/Press MS5607 :OK
[Delos] $
Shell
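We get a shell, with no login or password prompt in the session above! The use of these TCP ports can be seen in the file /etc/inetd.conf (Telnet itself is started by telnetd in the boot script shown further down).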
[Delos] $ cat /etc/inetd.conf
21 stream tcp nowait root ftpd ftpd -w /data/video
5551 stream tcp nowait root ftpd ftpd -w /update
80 stream tcp nowait root busybox httpd -h /www -i
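The listing above can be cross-checked against the nmap result. The following is an added example, not code from the original page: it flags inetd entries that run as root or allow FTP uploads, and reports ports that appear in only one of the two sources. The helper names audit_inetd and count_findings are hypothetical; the sample data is copied from the outputs shown on this page.

```sh
#!/bin/sh
# Added example, not code from the page. INETD_CONF and SCANNED_OPEN are
# copied from the cat /etc/inetd.conf and nmap outputs shown on this page.
INETD_CONF='21 stream tcp nowait root ftpd ftpd -w /data/video
5551 stream tcp nowait root ftpd ftpd -w /update
80 stream tcp nowait root busybox httpd -h /www -i'
SCANNED_OPEN='21 23 80'

# audit_inetd CONF_TEXT OPEN_PORTS  (hypothetical helper name)
# Prints one finding per line as "<port> <tag>".
audit_inetd() {
    printf '%s\n' "$1" | awk -v ports="$2" '
        BEGIN { n = split(ports, o, " ")
                for (i = 1; i <= n; i++) scanned[o[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            # inetd.conf fields: service type proto wait user program argv...
            port = $1; user = $5; prog = $6; args = ""
            for (i = 7; i <= NF; i++) args = args " " $i
            conf[port] = 1
            if (user == "root") print port, "runs-as-root"
            # BusyBox ftpd -w allows uploads
            if (prog == "ftpd" && (args " ") ~ / -w /) print port, "ftp-write-enabled"
            # Configured listener that the port scan did not report
            if (!(port in scanned)) print port, "not-in-scan-result"
        }
        END {
            # Open port with no inetd entry: some other process started it
            for (i = 1; i <= n; i++)
                if (!(o[i] in conf)) print o[i], "open-but-not-in-inetd"
        }'
}

# count_findings TAG: number of findings carrying TAG for the sample data
count_findings() {
    audit_inetd "$INETD_CONF" "$SCANNED_OPEN" | grep -c " $1\$" || true
}

audit_inetd "$INETD_CONF" "$SCANNED_OPEN"
```

On the sample data, port 5551 (write-enabled FTP on /update) is configured but absent from the scan output, and port 23 is open without an inetd entry.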
CPU
$ cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 207.66
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Hardware : Delos sip6 board
Revision : 2105
Serial : 0000000000000000
RAM
[Delos] $ free -hm
total used free shared buffers
Mem: 28736 17764 10972 0 0
-/+ buffers: 17764 10972
Swap: 0 0 0
Mount points
[Delos] $ df -h
Filesystem Size Used Available Use% Mounted on
ubi1:system 26.3M 13.0M 11.9M 52% /
tmp 14.0M 64.0K 14.0M 0% /tmp
dev 14.0M 0 14.0M 0% /dev
ubi0:factory 4.8M 116.0K 4.4M 3% /factory
ubi2:update 13.2M 28.0K 12.5M 0% /update
ubi2:data 46.6M 32.9M 11.3M 74% /data
[Delos] $ cat /proc/mounts
rootfs / rootfs rw 0 0
ubi1:system / ubifs rw,relatime 0 0
tmp /tmp tmpfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
dev /dev tmpfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
sys /sys sysfs rw,relatime 0 0
ubi0:factory /factory ubifs ro,relatime 0 0
ubi2:update /update ubifs rw,sync,relatime 0 0
ubi2:data /data ubifs rw,relatime 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
Linux kernel
[Delos] $ uname -a
Linux (none) 2.6.36 #1 PREEMPT Fri Mar 6 17:53:21 CET 2015 armv5tejl GNU/Linux
Kernel modules
[Delos] $ lsmod
Module Size Used by Tainted: G
g_multi 64811 2
fsl_usb2_udc 12792 1 g_multi
usb_storage 37531 0
uvcvideo 62896 0
usbcore 120019 2 usb_storage,uvcvideo
ultra_snd 9017 0
Scripts
[Delos] $ ls /bin/*.sh
/bin/DragonDebug.sh /bin/create_btconfig.sh /bin/delos_shell.sh /bin/init_motors.sh /bin/reboot.sh
/bin/DragonStarter.sh /bin/create_imgdisk.sh /bin/delos_shutdown.sh /bin/initsalsa.sh /bin/reset_config.sh
/bin/activate_coredump.sh /bin/debug_lib.sh /bin/delos_slip.sh /bin/kmemleak.sh /bin/reset_settings.sh
/bin/blink_led_greenleft.sh /bin/delos_camera.sh /bin/demo_global.sh /bin/login.sh /bin/set_led_greenleft.sh
/bin/blink_led_orangeleft.sh /bin/delos_devmem_2.sh /bin/detect_data.sh /bin/meminfo.sh /bin/set_led_orange_both.sh
/bin/bnep_setup.sh /bin/delos_flightmode_start.sh /bin/device_monitoring.sh /bin/memory_check.sh /bin/set_led_orangeleft.sh
/bin/cgroup.sh /bin/delos_flightmode_stop.sh /bin/dragon_shell.sh /bin/mount_imgdisk.sh /bin/switch_usb_mode.sh
/bin/check_and_reset_etron.sh /bin/delos_fvt6.sh /bin/etron_checker.sh /bin/mount_usb.sh /bin/umount_imgdisk.sh
/bin/check_update_demos.sh /bin/delos_gadgetmode_start.sh /bin/etron_setup.sh /bin/nfs.sh /bin/wifi_setup.sh
/bin/ckcmd_file.sh /bin/delos_gadgetmode_stop.sh /bin/factory_check.sh /bin/nfs_usb.sh
/bin/ckcmd_redirect.sh /bin/delos_lsusb.sh /bin/freeflight_monitoring.sh /bin/pairing_setup.sh
/bin/ckcmd_tcp.sh /bin/delos_monitor_vbus_script.sh /bin/gdbsalsa.sh /bin/parallel-stream.sh
/bin/common_check_update.sh /bin/delos_reset_factory.sh /bin/init_gpios.sh /bin/post.sh
For example:
[Delos] $ cat /bin/blink_led_greenleft.sh
#!/bin/sh
# temp behaviour : red light right on
gpio 33 -d ho 1
# temp behaviour : red light left off
gpio 30 -d ho 0
#green light off
gpio 31 -d ho 0
gpio 32 -d ho 0
while [ 1 ];
do
gpio 32 -d ho 0
usleep 100
gpio 32 -d ho 1
usleep 100
done
[Delos] $ /bin/blink_led_greenleft.sh
^C
[Delos] $
Boot script
[Delos] $ cat /etc/init.d/rcS
#!/bin/sh
# IP_ADDR - this target IP address using CIDR notation:
# <target-ip>/<target-bitmask>
#
# For example:
echo init started...
source /bin/delos_shell.sh
/bin/mount -t tmpfs tmp /tmp
/bin/mount -t proc proc /proc
/bin/mount -o remount,rw /
/bin/mount -t tmpfs dev /dev
/bin/mkdir -p /dev/shm /dev/pts
/bin/mount -t devpts devpts /dev/pts
/bin/mount -t sysfs sys /sys
# Add a symbolic link for each I2C sensor
ln -s /dev/i2c-0 /dev/i2c-akm8963
ln -s /dev/i2c-0 /dev/i2c-mpu6050
ln -s /dev/i2c-0 /dev/i2c-ms5607
#don't allow overcommit (allocate more memory that the physical one)
echo 2 > /proc/sys/vm/overcommit_memory
echo 90 > /proc/sys/vm/overcommit_ratio
#in case of unaligned access print a message and send a SIGBUS
echo 5 > /proc/cpu/alignment
#reboot after 1s after a panic
echo 1 > /proc/sys/kernel/panic
#panic when an oops or BUG is encountered
#disable this for developer
echo 1 > /proc/sys/kernel/panic_on_oops
echo -1 > /proc/sys/kernel/sched_rt_runtime_us
echo "/sbin/mdev" > /proc/sys/kernel/hotplug
/sbin/mdev -s
mount -t usbfs none /proc/bus/usb
/bin/mkdir -p /update
/bin/mkdir -p /factory
/bin/mount -a
#create groups of priorities
mkdir /dev/cpuctl
mount -t cgroup -ocpu none /dev/cpuctl
#mkdir /dev/cpuctl/video
# reserve most cpu for video tasks
#touch /dev/cpuctl/video/cpu.shares
#echo "2048" > /dev/cpuctl/video/cpu.shares
# group others
mkdir /dev/cpuctl/others
touch /dev/cpuctl/others/cpu.shares
echo "10000" >/dev/cpuctl/others/cpu.shares
touch /dev/cpuctl/others/tasks
for task in $(cat /dev/cpuctl/tasks)
do
echo $task > /dev/cpuctl/others/tasks
done
# Init all LEDs GPIOS
/usr/bin/gpio 30 -d ho 1
/usr/bin/gpio 31 -d ho 0
/usr/bin/gpio 32 -d ho 0
/usr/bin/gpio 33 -d ho 1
# Create mount point for the virtual USB key
mkdir -p ${DELOS_MOUNT_PATH}
# Make it read-only by default
chmod 400 ${DELOS_MOUNT_PATH}
# Load the Ultrasound driver early, it fails otherwise
modprobe ultra_snd
# Be sure we have a config file
if [ ! -s /data/dragon.conf ]
then
cp /etc/default-dragon.conf /data/dragon.conf
fi
if [ ! -s /data/system.conf ]
then
cp /etc/default-system.conf /data/system.conf
fi
# Check the data in /factory, create default values if necessary
# BT config requires dragon.conf to exist
/bin/factory_check.sh
/bin/create_btconfig.sh
/usr/bin/gpio 53 -d i
# Init the EtronTech USB<->Camera chip
/usr/bin/gpio 58 -d ho 1
# Create the FVT6 flash report at first boot
/bin/create_imgdisk.sh ${DELOS_USBDISKIMG_PATH} ${DELOS_MOUNT_PATH} 33 "Parrot_RS"
/bin/delos_fvt6.sh
# Check if an update is available
echo "Check if update is necessary ..."
if [ -e ${DELOS_MOUNT_PATH} ]; then
# if usb image disk contains a PLF file, move it to the update partition
mount_imgdisk.sh ${DELOS_USBDISKIMG_PATH} ${DELOS_MOUNT_PATH} ${DELOS_PRODUCT_MEDIA_PATH}
/bin/updater/updater_scan.sh ${DELOS_MOUNT_PATH}
/bin/check_update_demos.sh
# unmount_imgdisk.sh ${DELOS_MOUNT_PATH}
fi
/bin/updater/updater_process.sh
# enabling 5V power supply
#/usr/sbin/gpio 89 -d ho 0
if [ -e /etc/hostname ]; then
/bin/hostname -F /etc/hostname
fi
/sbin/ifconfig lo 127.0.0.1 up
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
#
# Start permanent TCP/IP services
# Available during flight via BT or via USB
#
inetd
#
# Start telnet deamon
#
telnetd -l /bin/login.sh
init_motors.sh &
modprobe uvcvideo
# Start the ON/OFF button daemon
(/usr/bin/delos_button_onoff)&
# Make a backup of old navdata files
if [ -f /data/navdata_blackbox.bin ]; then mv /data/navdata_blackbox.bin /data/navdata_blackbox_old.bin; fi
# Start UDev
udevd.sh
# Debug management
DragonDebug.sh
#
# Start Bluetooth
#
(BLEproxy $(cat /etc/BLEproxy.args 2>/dev/null) >/dev/null 2>/dev/null) &
#
# Start the main soft
#
echo "Launching Dragon" | logger -s -t "rcS" -p user.info
DragonStarter.sh -out2null &
# Start the FSM managing USB Modes
(delos_monitor_vbus_script.sh)&
echo end init...
Copying the filesystem locally
On the Rolling Spider, from the root directory, with the [^p][^y]* pattern leaving out /proc and /sys:
tar cpf - [^p][^y]* | nc -l -p 1234
On the connected workstation:
nc 192.168.2.1 1234 > rootfs.tar
BLE discovery and connection
Control with node.js
BLE traffic capture
Controlling several minidrones
- https://github.com/voodootikigod/node-rolling-spider/blob/master/eg/swarm.js
- https://github.com/search?p=2&q=rolling+spider&type=Repositories&utf8=%E2%9C%93