Monday, February 28, 2011

Deconstructing the AR.drone: Part 1

When I first became aware of the existence of the AR.drone, made by the Paris-based manufacturer of wireless gadgets Parrot, I knew I was going to own one. To some, the AR.drone is a radio-controlled quad-rotor helicopter. To others, it's a fragile $300 toy. To me, it's nothing less than a sophisticated Linux-based WiFi-enabled flying embedded system just begging for me to peek under its hood. The device has been so popular, I am walking down a road well traveled; but it is scenery I have never seen before.

AR.drone in Flight

The AR.drone is piloted by an iPod app, making it usable with any WiFi-enabled iDevice (although Android-based apps are starting to appear). The drone has two video cameras, one front facing and the other down facing, plus an accelerometer, two gyrometers, and an ultrasonic altimeter. It is all controlled by an ARM-based processor running Linux. Both the iOS-based app and the Linux-based embedded system are hackable; Parrot provides an SDK and encourages developers to use it as an application platform. I control my AR.drone with my iPad.

iPad controller, AR.drone

Unlike other RC helicopters of my personal experience, the AR.drone is relatively easy to fly, by virtue of its sophisticated embedded flight control software and sensors. The system can take-off and hover with stability with just the press of a virtual button in the app. A few minutes of practice and I was able to slowly maneuver it around a room in the Palatial Overclock Estate. Roll and pitch are controlled by tilting the iPad; yaw is controlled by a virtual thumbwheel in the app. The controls on the app are superimposed on a video image from the front facing camera. (The very first time I flew the device I was so focused on the controls that I failed to notice the screen-filling face of one of our house cats on the display just as I hit the take-off button. Wackiness ensued.)

As much fun as the AR.drone is to play with, it didn't take long for my child-like curiosity to overcome my child-like glee. I fired up one of my most useful embedded system tools - an HP Mini 110 netbook running Windows 7 and equipped with a raft of useful software - and started poking at the AR.drone.

My drone appeared as an ad hoc WiFi network whose service set identifier (SSID) was ardrone_040582. An ad hoc WiFi network is one which does not require any infrastructure like an access point or router. All members of an ad hoc WiFi network implement a packet radio network, treating their shared radio channel in a collision-sense multiple-access / collision detect (CSMA/CD) manner. This is just like the original unswitched baseband Ethernet architecture circa 1975, which borrowed from the even earlier ALOHAnet, which itself was a wireless packet radio network that first became operational in 1971. Pairing the iPad with the drone network is a simple manner of choosing the right network in the iPad WiFi control.

iPad Ad Hoc WiFi Connection

Notice that the iPad gets its internet address, mask, and default gateway (router) via Dynamic Host Configuration Protocol (DHCP). That means the AR.drone must be running a DHCP server. The upside is this makes pairing the iPad to the drone easy. The downside is this makes integrating the drone into an existing WiFi infrastructure difficult, since running two DHCP servers (one of which you don't control) on the same subnet is problematic. And who is the router? That must be the AR.drone as well.

Next, I used the netbook to scan for WiFi networks, and connected it to the same ad hoc network. (To make my neighbor's lives a little easier, I've obfuscated the other SSIDs in my neighborhood.)

Windows 7 WiFi Wizard

I left the netbook set up for DHCP, so it also acquired its internet parameters from the DHCP server in the AR.drone.

Windows 7 Cmd ipconfig

I fired up IPScan on the netbook to see if there were any other hosts responding on the subnet running on the drone's ad hoc WiFi network. is the AR.drone. is the iPad. named gypsum is the netbook.

IPScan Host Map

Next, I pointed Nmap at the AR.drone to scan for TCP ports that the device exposes. The tool can see ports 23 (typically the network terminal protocol TELNET), 21 (typically File Transfer Protocol or FTP), and two other ports: 5559 and 5551.

Nmap Port Map

A service scan of the known ports reveals that port 21 can be accessed for anonymous FTP, making the AR.drone a flying file server which provides three files right out of the box: licenses.txt, repair, and sys_bootldr.bin. Although it's not shown in this screen snapshot, the tool also reveals that the TELNET port delivers a root prompt without requiring a password.

Nmap Service Map

At this point I would be remiss if I didn't TELNET into the AR.drone using my favorite Windows-based virtual terminal tool, PuTTY. Configuring PuTTY to TELNET into the AR.drone is easy given we know its IP address and port number.

PuTTY TELNET into AR.drone

Connecting to the TELNET port yields a root shell prompt. Below is a photograph of, from left to right, the netbook TELNETed into the AR.drone, the AR.drone, and the iPad running the AR.drone app. These three devices constitute a tiny wireless IP subnet, one component of which could be flying around the room.

AR.drone Ad Hoc WiFi Network

Next up: exploring the host software side of the AR.drone as a flying Linux system.


Paul Moorman said...

Very interesting tool set you have there.

Chip Overclock said...

It's not bad for a $400 netbook and (other than Windows 7, which I paid dearly for) freeware. But network engineers and developers I work with every day routinely use stuff like this. You will not be surprised to know I have Wireshark and other tools on it as well.

On my TO WRITE list is an article about the tool kits (physical bags) I maintain: an actual tool kit, a network and system debugging kit that includes this netbook, a temporary network kit (with a wifi AP, switch, hub, router, etc.), etc.

gabriellalevine said...

Hey! thanks for this. Can i use the AR parrot sdk with xcode on my Mac?