Labs Mini-Drone Controller

Hardware

Source: https://www.youtube.com/watch?v=74ssfS2vyyE

Connectivity

  • Bluetooth Smart, Bluetooth V4.0 BLE (Bluetooth Low Energy).

Sensors

  • ultrasonic sensor
  • 3-axis gyroscope and 3-axis accelerometer
  • downward-facing (vertical) camera
  • pressure sensor

Battery

  • Removable lithium-polymer pack, 8 minutes of flight time (6 minutes with the wheels fitted), full recharge in 90 minutes.

Weight/dimensions

  • Weight: 55 g (65 g with the wheels)
  • Rolling Spider diameter: 140 mm
  • Propeller diameter: 55 mm
  • Motor spacing: 85 mm

Other

  • Two bi-colour LEDs
  • 4 motors

Overview

  • General overview, iOS/Android app, BLE
  • Hardware hacking
  • Software hacking

Hacking

Inspired by https://lawlorcode.wordpress.com/2015/08/12/parrot-rolling-spider-uav-hacking-dumping-the-filesystem/

Plugging the Rolling Spider directly into a Linux workstation over USB, a new disk gets mounted and a USB network interface appears with the address 192.168.2.2/24 (obtained by DHCP, as the dynamic flag shows):

# df -h | grep media
/dev/sdb1                  33M    3,6M   29M  11% /run/media/root/Parrot_RS

# ip add show ens35u2
8: ens35u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 2e:87:eb:ab:c8:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.2/24 brd 192.168.2.255 scope global dynamic ens35u2
       valid_lft 863557sec preferred_lft 863557sec
    inet6 fe80::2c87:ebff:feab:c83c/64 scope link
       valid_lft forever preferred_lft forever

Which address is reachable on this new interface?

# arp-scan -I ens35u2 192.168.2.0/24
Interface: ens35u2, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.4 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.2.1    12:ca:c7:0e:87:b3    (Unknown)

1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.4: 256 hosts scanned in 2.021 seconds (126.67 hosts/sec). 1 responded

An ARP scan finds 192.168.2.1. Which services are listening on that address?

# nmap 192.168.2.1

Starting Nmap 6.40 ( http://nmap.org ) at 2016-06-08 22:00 CEST
Nmap scan report for 192.168.2.1
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http
MAC Address: 12:CA:C7:0E:87:B3 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 5.77 seconds

TCP ports 21 (FTP), 23 (Telnet) and 80 (HTTP) are open. Note that a default nmap run only covers its 1000 most common ports (hence "Not shown: 997 closed ports"); a listener on an uncommon port would not appear at all, so use -p- when the inventory needs to be complete.

HTTP connection

Checking TCP port 80, which serves the firmware build information (product name, version, build date, and the developer's username and build machine name) to anyone on the link:

# curl http://192.168.2.1
<!DOCTYPE html>
<html>
<body>
<h1>### Parrot Dragon Firmware ###</h1>
<p>TARGET_PRODUCT            = delos      </p>
<p>BUILD_DATE                = 2015-03-06          </p>
<p>BUILD_TIME                = 17h51m20s          </p>
<p>BUILD_COMPILER            = alexandregondeu      </p>
<p>BUILD_COMPUTER            = ERIC_THE_T-REX      </p>
<p>BUILD_MYKONOS3_MAIN_SHA1  = eddcb97ce362380ccdc86c9592c9dad271e44505          </p>
<p>BUILD_DRAGON_VERSION      = 1.99.2</p>
</body>
</html>

Telnet connection

What does a Telnet connection attempt give?

# telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.



BusyBox v1.20.2 (2015-03-06 17:53:39 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

------------------------------------
HW Status :
------------------------------------
 > Acc/Gyros MPU6050       :OK
 > Temp/Press MS5607       :OK

[Delos] $
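
The transcript above shows the tell-tale sign an auditor looks for: a shell prompt with no login step in between. The following is an added example, not code from the page or from Parrot, that turns that check into a reusable probe: probe_telnet() opens a raw TCP connection, strips telnet option negotiation, reads until it sees either a login prompt or a shell prompt and, if it got a shell straight away, runs one harmless command and returns its output. _fake_delos() is a constructed stand-in server that replays the banner captured from the drone so the probe can be exercised offline; against the real device the target is 192.168.2.1:23. The prompt markers and the choice of `uname -a` as the test command are assumptions.

```python
"""Probe a telnet port for a shell that needs no login (added example)."""
import socket
import threading

# Banner as captured from the drone (CRLF line endings added for the fake server).
BANNER = (
    b"\r\n\r\n\r\nBusyBox v1.20.2 (2015-03-06 17:53:39 CET) built-in shell (ash)\r\n"
    b"Enter 'help' for a list of built-in commands.\r\n\r\n"
    b"------------------------------------\r\nHW Status :\r\n"
    b"------------------------------------\r\n"
    b" > Acc/Gyros MPU6050       :OK\r\n > Temp/Press MS5607       :OK\r\n\r\n"
    b"[Delos] $ "
)
# uname output as captured on the page; replayed by the fake server.
UNAME = b"Linux (none) 2.6.36 #1 PREEMPT Fri Mar 6 17:53:21 CET 2015 armv5tejl GNU/Linux\r\n"

LOGIN_PROMPTS = (b"login:", b"assword:")   # assumed markers for an authenticated service
SHELL_PROMPTS = (b"$ ", b"# ")             # assumed markers for a shell prompt


def _strip_iac(data: bytes) -> bytes:
    """Remove 3-byte telnet option negotiations (IAC WILL/WONT/DO/DONT <opt>)."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def _has_marker(buf: bytes, markers) -> bool:
    """True if one of the markers appears in the last few bytes received."""
    tail = _strip_iac(buf)[-32:]
    return any(m in tail for m in markers)


def _read_until(sock: socket.socket, markers, timeout: float) -> bytes:
    """Read until a marker shows up at the end of the stream or the link goes quiet."""
    sock.settimeout(timeout)
    buf = b""
    while not _has_marker(buf, markers):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return _strip_iac(buf)


def probe_telnet(host: str, port: int = 23, command: bytes = b"uname -a", timeout: float = 3.0) -> dict:
    """auth_required: True (login prompt seen), False (shell handed out), None (neither seen)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_until(s, LOGIN_PROMPTS + SHELL_PROMPTS, timeout)
        if _has_marker(banner, LOGIN_PROMPTS):
            return {"auth_required": True, "banner": banner, "output": b""}
        if not _has_marker(banner, SHELL_PROMPTS):
            return {"auth_required": None, "banner": banner, "output": b""}
        s.sendall(command + b"\n")                # we already have a shell: run one command
        output = _read_until(s, SHELL_PROMPTS, timeout)
        return {"auth_required": False, "banner": banner, "output": output}


def _fake_delos() -> int:
    """Constructed stand-in: accepts one client, replays BANNER and answers one
    command with the canned UNAME line. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)
            conn.recv(1024)                      # the probe's command; answer is canned
            conn.sendall(UNAME + b"[Delos] $ ")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Run the probe against the fake server (offline self-check)."""
    return probe_telnet("127.0.0.1", _fake_delos())


if __name__ == "__main__":
    result = demo()
    print("login required:", result["auth_required"])
    print(result["output"].decode(errors="replace"))
```

Against the drone, call probe_telnet("192.168.2.1"); the same function run over the 192.168.2.0/24 range (or over a BLE-bridged network, since rcS advertises these services as "available during flight via BT or via USB") gives a quick inventory of which devices hand out a shell to whoever can reach port 23.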

Shell

We get a shell, with no login prompt. The FTP and HTTP listeners are declared in /etc/inetd.conf (Telnet is not: it is started separately by telnetd in the init script, shown further down):

[Delos] $ cat /etc/inetd.conf
21 stream tcp nowait root ftpd ftpd -w /data/video
5551 stream tcp nowait root ftpd ftpd -w /update
80 stream tcp nowait root busybox httpd -h /www -i
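
Three things are worth pulling out of this file: every service runs as root, both FTP daemons are started with -w (uploads allowed into /data/video and /update, the latter being the partition the updater scripts in rcS process), and port 5551 never showed up in the nmap run above, because it is not among the 1000 ports a default scan covers. The following added example, not code from the page or from Parrot, parses BusyBox inetd.conf lines (`<port|service> <socktype> <proto> <wait|nowait> <user> <program> <argv0> <args...>`) and compares the declared ports with what the scan reported; INETD_CONF and NMAP_OPEN_PORTS are the values captured from the drone.

```python
"""Inventory of the services declared in a BusyBox /etc/inetd.conf (added example)."""
import socket
from dataclasses import dataclass, field

# The inetd.conf captured from the drone.
INETD_CONF = """\
21 stream tcp nowait root ftpd ftpd -w /data/video
5551 stream tcp nowait root ftpd ftpd -w /update
80 stream tcp nowait root busybox httpd -h /www -i
"""

# Open ports reported by the default (top-1000) nmap run above.
NMAP_OPEN_PORTS = {21, 23, 80}


@dataclass
class Service:
    port: int
    proto: str
    user: str
    program: str
    args: list = field(default_factory=list)   # argv[0] first, as inetd passes it

    @property
    def applet(self) -> str:
        """What actually runs: argv[0] (e.g. 'httpd' for 'busybox httpd')."""
        return self.args[0] if self.args else self.program

    @property
    def writable_dir(self):
        """Upload directory of a BusyBox ftpd started with -w <dir>, else None."""
        if self.applet == "ftpd" and "-w" in self.args:
            i = self.args.index("-w")
            if i + 1 < len(self.args):
                return self.args[i + 1]
        return None


def _port_number(token: str, proto: str) -> int:
    """inetd accepts either a numeric port or a service name from /etc/services."""
    try:
        return int(token)
    except ValueError:
        return socket.getservbyname(token, proto)


def parse_inetd(text: str) -> list:
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd line: {raw!r}")
        port, _socktype, proto, _wait, user, program, *args = fields
        services.append(Service(_port_number(port, proto), proto, user, program, args))
    return services


def audit(services) -> list:
    """Human-readable findings: services running as root and writable FTP roots."""
    findings = []
    for s in services:
        if s.user == "root":
            findings.append(f"{s.proto}/{s.port}: {s.applet} runs as root")
        if s.writable_dir:
            findings.append(f"{s.proto}/{s.port}: ftpd accepts uploads into {s.writable_dir}")
    return findings


def compare_with_scan(services, open_ports):
    """Returns (declared but not seen by the scan, seen by the scan but not declared here)."""
    declared = {s.port for s in services}
    return declared - set(open_ports), set(open_ports) - declared


if __name__ == "__main__":
    svcs = parse_inetd(INETD_CONF)
    for line in audit(svcs):
        print(line)
    unseen, undeclared = compare_with_scan(svcs, NMAP_OPEN_PORTS)
    print("declared in inetd.conf but missed by the default scan:", sorted(unseen))
    print("open but started outside inetd:", sorted(undeclared))
```

Run as-is it reports 5551 as declared-but-unseen (rescan with `nmap -p- 192.168.2.1` to confirm it) and 23 as open-but-undeclared, which is the pointer to look for telnetd elsewhere in the boot sequence.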

CPU

$ cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 207.66
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : Delos sip6 board
Revision        : 2105
Serial          : 0000000000000000

RAM

[Delos] $ free -hm
             total         used         free       shared      buffers
Mem:         28736        17764        10972            0            0
-/+ buffers:              17764        10972
Swap:            0            0            0

Mount points

[Delos] $ df -h
Filesystem                Size      Used Available Use% Mounted on
ubi1:system              26.3M     13.0M     11.9M  52% /
tmp                      14.0M     64.0K     14.0M   0% /tmp
dev                      14.0M         0     14.0M   0% /dev
ubi0:factory              4.8M    116.0K      4.4M   3% /factory
ubi2:update              13.2M     28.0K     12.5M   0% /update
ubi2:data                46.6M     32.9M     11.3M  74% /data
[Delos] $ cat /proc/mounts
rootfs / rootfs rw 0 0
ubi1:system / ubifs rw,relatime 0 0
tmp /tmp tmpfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
dev /dev tmpfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
sys /sys sysfs rw,relatime 0 0
ubi0:factory /factory ubifs ro,relatime 0 0
ubi2:update /update ubifs rw,sync,relatime 0 0
ubi2:data /data ubifs rw,relatime 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0

Linux kernel

[Delos] $ uname -a
Linux (none) 2.6.36 #1 PREEMPT Fri Mar 6 17:53:21 CET 2015 armv5tejl GNU/Linux

Kernel modules

g_multi is the Linux composite USB gadget that presents both the mass-storage disk (Parrot_RS) and the network interface seen on the workstation; fsl_usb2_udc is the Freescale USB device-controller driver underneath it.

[Delos] $ lsmod
Module                  Size  Used by    Tainted: G
g_multi                64811  2
fsl_usb2_udc           12792  1 g_multi
usb_storage            37531  0
uvcvideo               62896  0
usbcore               120019  2 usb_storage,uvcvideo
ultra_snd               9017  0

Scripts

[Delos] $ ls /bin/*.sh
/bin/DragonDebug.sh                /bin/create_btconfig.sh            /bin/delos_shell.sh                /bin/init_motors.sh                /bin/reboot.sh
/bin/DragonStarter.sh              /bin/create_imgdisk.sh             /bin/delos_shutdown.sh             /bin/initsalsa.sh                  /bin/reset_config.sh
/bin/activate_coredump.sh          /bin/debug_lib.sh                  /bin/delos_slip.sh                 /bin/kmemleak.sh                   /bin/reset_settings.sh
/bin/blink_led_greenleft.sh        /bin/delos_camera.sh               /bin/demo_global.sh                /bin/login.sh                      /bin/set_led_greenleft.sh
/bin/blink_led_orangeleft.sh       /bin/delos_devmem_2.sh             /bin/detect_data.sh                /bin/meminfo.sh                    /bin/set_led_orange_both.sh
/bin/bnep_setup.sh                 /bin/delos_flightmode_start.sh     /bin/device_monitoring.sh          /bin/memory_check.sh               /bin/set_led_orangeleft.sh
/bin/cgroup.sh                     /bin/delos_flightmode_stop.sh      /bin/dragon_shell.sh               /bin/mount_imgdisk.sh              /bin/switch_usb_mode.sh
/bin/check_and_reset_etron.sh      /bin/delos_fvt6.sh                 /bin/etron_checker.sh              /bin/mount_usb.sh                  /bin/umount_imgdisk.sh
/bin/check_update_demos.sh         /bin/delos_gadgetmode_start.sh     /bin/etron_setup.sh                /bin/nfs.sh                        /bin/wifi_setup.sh
/bin/ckcmd_file.sh                 /bin/delos_gadgetmode_stop.sh      /bin/factory_check.sh              /bin/nfs_usb.sh
/bin/ckcmd_redirect.sh             /bin/delos_lsusb.sh                /bin/freeflight_monitoring.sh      /bin/pairing_setup.sh
/bin/ckcmd_tcp.sh                  /bin/delos_monitor_vbus_script.sh  /bin/gdbsalsa.sh                   /bin/parallel-stream.sh
/bin/common_check_update.sh        /bin/delos_reset_factory.sh        /bin/init_gpios.sh                 /bin/post.sh

For example:

[Delos] $ cat /bin/blink_led_greenleft.sh
#!/bin/sh


# temp behaviour : red light right on
gpio 33 -d ho 1
# temp behaviour : red light left off
gpio 30 -d ho 0

#green light off
gpio 31 -d ho 0
gpio 32 -d ho 0



while [ 1 ];
do
    gpio 32 -d ho 0
    usleep 100
    gpio 32 -d ho 1
    usleep 100
done
[Delos] $ /bin/blink_led_greenleft.sh

^C
[Delos] $

Startup script

[Delos] $ cat /etc/init.d/rcS
#!/bin/sh

# IP_ADDR - this target IP address using CIDR notation:
# <target-ip>/<target-bitmask>
#
# For example:

echo init started...

source /bin/delos_shell.sh

/bin/mount -t tmpfs tmp /tmp
/bin/mount -t proc proc /proc
/bin/mount -o remount,rw /
/bin/mount -t tmpfs dev /dev
/bin/mkdir -p /dev/shm /dev/pts
/bin/mount -t devpts devpts /dev/pts
/bin/mount -t sysfs sys /sys

# Add a symbolic link for each I2C sensor
ln -s /dev/i2c-0 /dev/i2c-akm8963
ln -s /dev/i2c-0 /dev/i2c-mpu6050
ln -s /dev/i2c-0 /dev/i2c-ms5607

#don't allow overcommit (allocate more memory that the physical one)
echo 2 > /proc/sys/vm/overcommit_memory
echo 90 > /proc/sys/vm/overcommit_ratio

#in case of unaligned access print a message and send a SIGBUS
echo 5 > /proc/cpu/alignment

#reboot after 1s after a panic
echo 1 > /proc/sys/kernel/panic

#panic when an oops or BUG is encountered
#disable this for developer
echo 1 > /proc/sys/kernel/panic_on_oops

echo -1 > /proc/sys/kernel/sched_rt_runtime_us

echo "/sbin/mdev" > /proc/sys/kernel/hotplug
/sbin/mdev -s

mount -t usbfs none /proc/bus/usb

/bin/mkdir -p /update
/bin/mkdir -p /factory
/bin/mount -a

#create groups of priorities
mkdir /dev/cpuctl
mount -t cgroup -ocpu none /dev/cpuctl
#mkdir /dev/cpuctl/video
# reserve most cpu for video tasks
#touch /dev/cpuctl/video/cpu.shares
#echo "2048" > /dev/cpuctl/video/cpu.shares
# group others
mkdir /dev/cpuctl/others
touch /dev/cpuctl/others/cpu.shares
echo "10000" >/dev/cpuctl/others/cpu.shares
touch /dev/cpuctl/others/tasks
for task in $(cat /dev/cpuctl/tasks)
do
echo $task > /dev/cpuctl/others/tasks
done

# Init all LEDs GPIOS
/usr/bin/gpio 30 -d ho 1
/usr/bin/gpio 31 -d ho 0
/usr/bin/gpio 32 -d ho 0
/usr/bin/gpio 33 -d ho 1

# Create mount point for the virtual USB key
mkdir -p ${DELOS_MOUNT_PATH}
# Make it read-only by default
chmod 400 ${DELOS_MOUNT_PATH}

# Load the Ultrasound driver early, it fails otherwise
modprobe ultra_snd

# Be sure we have a config file
if [ ! -s /data/dragon.conf ]
then
    cp /etc/default-dragon.conf /data/dragon.conf
fi

if [ ! -s /data/system.conf ]
then
    cp /etc/default-system.conf /data/system.conf
fi

# Check the data in /factory, create default values if necessary
# BT config requires dragon.conf to exist
/bin/factory_check.sh
/bin/create_btconfig.sh



/usr/bin/gpio 53 -d i
# Init the EtronTech USB<->Camera chip
/usr/bin/gpio 58 -d ho 1


# Create the FVT6 flash report at first boot
/bin/create_imgdisk.sh ${DELOS_USBDISKIMG_PATH} ${DELOS_MOUNT_PATH} 33 "Parrot_RS"
/bin/delos_fvt6.sh

# Check if an update is available
echo "Check if update is necessary ..."
if [ -e ${DELOS_MOUNT_PATH} ]; then
# if usb image disk contains a PLF file, move it to the update partition
        mount_imgdisk.sh ${DELOS_USBDISKIMG_PATH} ${DELOS_MOUNT_PATH} ${DELOS_PRODUCT_MEDIA_PATH}
        /bin/updater/updater_scan.sh ${DELOS_MOUNT_PATH}
        /bin/check_update_demos.sh
        # unmount_imgdisk.sh ${DELOS_MOUNT_PATH}
fi
/bin/updater/updater_process.sh

# enabling 5V power supply
#/usr/sbin/gpio 89 -d ho 0

if [ -e /etc/hostname ]; then
    /bin/hostname -F /etc/hostname
fi
/sbin/ifconfig lo 127.0.0.1 up
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo

#
# Start permanent TCP/IP services
# Available during flight via BT or via USB
#
inetd

#
# Start telnet deamon
#
telnetd -l /bin/login.sh


init_motors.sh &

modprobe uvcvideo

# Start the ON/OFF button daemon
(/usr/bin/delos_button_onoff)&

# Make a backup of old navdata files
if [ -f /data/navdata_blackbox.bin ]; then mv /data/navdata_blackbox.bin /data/navdata_blackbox_old.bin; fi

# Start UDev
udevd.sh

# Debug management
DragonDebug.sh

#
# Start Bluetooth
#
(BLEproxy $(cat /etc/BLEproxy.args 2>/dev/null) >/dev/null 2>/dev/null) &

#
# Start the main soft
#
echo "Launching Dragon" | logger -s -t "rcS" -p user.info
DragonStarter.sh -out2null &

# Start the FSM managing USB Modes
(delos_monitor_vbus_script.sh)&


echo end init...

Transferring the filesystem to the workstation

On the Rolling Spider, from /, the glob [^p][^y]* skips /proc and /sys (it drops any entry whose name starts with p or whose second letter is y) and tar streams everything else through BusyBox nc listening on TCP 1234 (the first client to connect gets the archive):

tar cpf - [^p][^y]* | nc -l -p 1234

On the connected workstation:

nc 192.168.2.1 1234 > rootfs.tar
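
Once rootfs.tar is on the workstation, the first pass is usually the same: list what runs with elevated bits, what anyone can write, and what the service configuration and account files contain. The following is an added example, not code from the page or from Parrot, that does this triage directly on the tarball without extracting it (so setuid files never land on the workstation's disk with their bits set). build_sample_tar() assembles a small constructed tarball in memory so the function can be exercised without a drone; the file modes, the placeholder shadow hash and the contents in SAMPLE_FILES are invented for that purpose, and the real input is the rootfs.tar received with nc.

```python
"""Offline triage of a rootfs.tar pulled off the drone (added example)."""
import io
import json
import stat
import sys
import tarfile

# Files whose contents are worth pulling into the report.
INTERESTING = ("etc/inetd.conf", "etc/init.d/rcS", "etc/passwd", "etc/shadow", "bin/login.sh")

# Constructed sample (not a real dump): modes and contents chosen to exercise each check.
SAMPLE_FILES = {
    "bin/busybox": (0o4755, "\x7fELF placeholder"),                      # setuid
    "data/dragon.conf": (0o666, "constructed=1\n"),                       # world-writable
    "etc/inetd.conf": (0o644, "21 stream tcp nowait root ftpd ftpd -w /data/video\n"),
    "etc/passwd": (0o644, "root:x:0:0:root:/:/bin/sh\n"),
    "etc/shadow": (0o600, "root:$1$constructed$notarealhash:0:0:99999:7:::\n"),
}


def _normalise(name: str) -> str:
    """'./etc/passwd' and '/etc/passwd' both become 'etc/passwd'."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def triage_rootfs(tar_source) -> dict:
    """tar_source is a path or the tarball's bytes; nothing is written to disk."""
    if isinstance(tar_source, (bytes, bytearray)):
        tf = tarfile.open(fileobj=io.BytesIO(tar_source))
    else:
        tf = tarfile.open(tar_source)
    report = {"setuid": [], "setgid": [], "world_writable": [], "config": {}, "password_hashes": []}
    with tf:
        for m in tf:
            if not m.isfile():
                continue
            name = _normalise(m.name)
            if m.mode & stat.S_ISUID:
                report["setuid"].append(name)
            if m.mode & stat.S_ISGID:
                report["setgid"].append(name)
            if m.mode & stat.S_IWOTH:
                report["world_writable"].append(name)
            if name in INTERESTING:
                text = tf.extractfile(m).read().decode("utf-8", "replace")
                report["config"][name] = text
                if name in ("etc/passwd", "etc/shadow"):
                    for line in text.splitlines():
                        fields = line.split(":")
                        # anything other than empty/x/*/! in the second field is a hash to crack
                        if len(fields) > 1 and fields[1] not in ("", "x", "*", "!", "!!"):
                            report["password_hashes"].append((name, fields[0], fields[1]))
    return report


def build_sample_tar() -> bytes:
    """Constructed tarball built from SAMPLE_FILES, for offline testing only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, (mode, content) in SAMPLE_FILES.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode                     # setuid/setgid bits survive in the header
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_tar()
    print(json.dumps(triage_rootfs(source), indent=2))
```

Run it as `python3 triage.py rootfs.tar` on the real dump; with no argument it runs on the constructed sample. Reading the archive through tarfile rather than extracting it also sidesteps archive members with absolute or `..` paths, which a tarball produced on a device you do not trust may well contain.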

BLE discovery and connection

Control from node.js

BLE traffic capture

Controlling several minidrones

Control via cylon

Autopilot

Web control interface