Dr. Lawlor's Code, Robots, & Things

August 12, 2015

Parrot “Rolling Spider” UAV Hacking: Dumping the Filesystem

Filed under: Hardware, Linux, Programming, Rolling Spider — Dr. Lawlor @ 11:53 pm

I just got a new tiny UAV, the Parrot “Rolling Spider” ($80), which is very fun to fly via bluetooth with my phone.  But it’s also a linux-based computer, so it’s also fun to hack!

The easiest way to get a root shell is to just plug it in via the USB cable, which not only shows up as a removable USB drive, it also shows up as a network device (at least, as of the 1.99.2 firmware version).  This means you can immediately get a root shell with:


That was easy!  Now to dump the filesystem, to netcat on port 1234.  (The ^p avoids /proc, which has infinite recursive root links; the ^y avoids /sys, which has files that change in size.)

tar cpf - [^p][^y]* | nc -l -p 1234

To get the filesystem as a file on your desktop computer, now just:

nc 1234 > rootfs.tar

This has *everything*, from:

drwxr-xr-x root/root 0 1969-12-31 14:00 bin/
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/getopt -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/dd -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/cp -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/df -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/ip -> busybox
-rwxrwxr-x root/root 35 1969-12-31 14:00 bin/kk
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/ln -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/ls -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/mv -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/ps -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/rm -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/sh -> busybox
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/vi -> busybox
-rwxrwxr-x root/root 305 1969-12-31 14:00 bin/blink_led_orangeleft.sh
lrwxrwxrwx root/root 0 1969-12-31 14:00 bin/ash -> busybox


drwxr-xr-x root/root 0 1969-12-31 14:00 usr/share/avahi/
-rw-r--r-- root/root 560 1969-12-31 14:00 usr/share/avahi/avahi-service.dtd
-rw-r--r-- root/root 5104 1969-12-31 14:00 usr/share/avahi/service-types
drwxr-xr-x root/root 0 1969-12-31 14:00 var/
lrwxrwxrwx root/root 0 1969-12-31 14:00 var/log -> /tmp/
-rw-rw-r-- root/root 7 1969-12-31 14:00 version.txt
drwxr-xr-x root/root 0 1969-12-31 14:00 www/
-rw-rw-r-- root/root 485 1969-12-31 14:00 www/index.html

For example, now I can see the contents of the control shell scripts:

$ cat bin/set_led_greenleft.sh 

# temp behaviour : red light right on
gpio 33 -d ho 1
# temp behaviour : red light left off
gpio 30 -d ho 0

#green light right off
gpio 31 -d ho 0

#green light left on
gpio 32 -d ho 1

I can also see the details of how the code was built:

$ file bin/busybox
busybox: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped

Of course, eventually I’ll want to permanently modify this filesystem, by re-flashing the UAV with a reverse engineered PLF firmware file, which is similar to the Parrot AR Drone PLF format.  I’m nearly there with “plftool -e raw -i rollingspider_update.plf -o .”, but each resulting file has the filename prepended in some sort of fixed-length binary header.

Stay tuned!

August 6, 2015

Alaska90: my huge new 3D printer design

Filed under: 3D Printing, Hardware — Dr. Lawlor @ 12:51 am

I started working on a huge new 3D printer design, the “Alaska90”, back in November 2014, but I got busy with school and stalled out.  This summer I finally got a few spare days and finished up the build, which is working well and printing huge things. Main features:

  • 600mm x 500mm x 600mm build volume (24 inch x 20 inch x 24 inch), to construct models as big as a few feet on each side.  By contrast, a typical printer prints about 200mm (8 inches) on a side.
  • Frame is built from 3/4 inch plywood, and parts are secured using 1/4 inch hex head bolts.  By contrast, a typical printer uses 1/4 inch wood or plastic, and tiny M4 screws.
  • Uses heavy 16mm steel rods, so it’s rigid enough to mill wood with a small dremel tool.
  • Support rods are moved inward, to gauss points, to better support the 24 inch x 24 inch bed.

3D rendering of Alaska90 3D printerPhotograph of Alaska90 3D printer The full design details, STL files, and OpenSCAD source code for the Alaska90 printer is on my github.

May 21, 2014

Tolerating Electrical Interference: reconnecting USB ports

Filed under: Arduino, Hardware, Linux — Dr. Lawlor @ 6:18 pm

UAF’s Aurora Robotics team entry in the NASA Robotic Mining Competition is using a standard Arduino Mega as the central microcontroller, which has worked well except for one intermittent disconnection problem, which we believe is caused by electrical interference from our big motors.

When it disconnects, the Linux kernel shows a dmesg error like “ehci_hub: USB disconnect on port 3 (EMI?)”.  We had previously built a system to tolerate this, by simply waiting a few seconds and reopening the USB serial connection, but this was only a partial fix since eventually the kernel disables the port completely.  This is bad because we could only fix it with a complete restart.  During our second practice mission yesterday, the kernel disabled all USB ports just as we began the run, resulting a completely scrubbed practice mission.

John Pender found a very simple way to re-enable the USB ports by running these commands as root:

echo "0000:00:1a.0" > /sys/bus/pci/drivers/ehci_hcd/unbind
echo "0000:00:1d.0" > /sys/bus/pci/drivers/ehci_hcd/unbind
echo "0000:00:1a.0" > /sys/bus/pci/drivers/ehci_hcd/bind
echo "0000:00:1d.0" > /sys/bus/pci/drivers/ehci_hcd/bind

This basically just turns off the kernel’s EHCI USB driver, then turns it back on, allowing the USB ports to be used again. Use “lspci | grep USB” to verify those addresses are correct for your machine (they seem right for most laptops).

The long-term fix for electrical interference issues on Arduino is using opto isolators on each digital control channel connected to a noisy source, but it’s often difficult to fully separate the ground planes in real robotics designs, so this is a simple fast way to get your robot moving again!

March 16, 2014

Arduino millis() jumps by 2 every 43 milliseconds

Filed under: Arduino, Programming — Dr. Lawlor @ 1:07 am

I’ve been doing some software-modulated infrared light detection work, and for the signal to be sent correctly I need millisecond-accurate timings.  I realize professionals do this sort of thing with interrupts, but I hate debugging interrupt code, and I’m always afraid there’s some rare timing glitch that will kill the entire project at the worst possible moment.

I was using Arduino’s millis() function as my time base, and I kept getting weird screwy timing every 43 milliseconds.  I assumed it was my code, which does a bunch of other stuff like serial communication, but the glitch didn’t change regardless of what I did.  Turns out, the Arduino Uno’s oscillator runs at a power of two rate, 1.024 milliseconds per overflow, so every 1/0.024 = 41.666 milliseconds, it’s a full millisecond off.  Arduino wiring.c fixes this by keeping track of the fractional milliseconds, and adds a sort of “leap millisecond” every 43 milliseconds to keep things in sync.  This results in millis() instantly jumping up by more than one.

Here’s an example Arduino Uno sketch that demonstrates these timing jumps, and shows two fixes.

/* Demonstrate timing gaps in the millis() function */
void setup(void) {
 Serial.begin(57600); // to report the horror

extern "C" volatile unsigned long timer0_overflow_count; // from wiring.

unsigned long last=0; // last value of millis()
void loop(void) {
 unsigned long next;
 do { // watch the timer until it changes
   next=millis(); // jumps by 2 every 43 ms
   //Two possible fixes:
   // next=micros()/1000; // slow, but works
   // cli(); next=timer0_overflow_count; sei(); // faster, but 1024 microseconds/tick
 } while (next==last);

 int delta=next-last;
 if (delta!=1) {
   Serial.print(" jump at ");

 if (last%10000==0) {
   Serial.print("Still running at ");

On my Arduino Uno, the millis() version of this reports regular timing glitches:

Still running at 0
2 jump at 43
2 jump at 86
2 jump at 128
2 jump at 171
2 jump at 214
2 jump at 256
2 jump at 299
2 jump at 342

The easy way to avoid these timing jumps is never to use millis() at all!  It works to just use micros()/1000, although looking at wiring.c’s implementation of delay(), you need to be a bit careful about when micros() overflows every hour.  You can also directly read the raw timer0_overflow_count as shown above, although the actual speed this increments depends on the Arduino clock rate, and you need to do cli/sei around the read to avoid jumps of +-256, as the interrupt function updates the two bytes of that value.  Both fixes never have leap milliseconds, and result in dependable timing.

February 27, 2014

Ubuntu USB serial circuit boards vs “modem-man”

Filed under: Arduino, Hardware, Linux — Dr. Lawlor @ 9:41 pm

For CYBER-Alaska we built a custom Arduino-style circuit board (“Rovoduino”) that connects to the PC via USB.  It generally worked, but there was always a weird half-minute delay when you plugged it into a Linux PC before anything would start to work.  Tonight I was testing a new sensor on an Arduino Mega, a similar board, and noticed the plug-in-to-work delay there was only a little over one *second* (due to the bootloader).

Back to my custom board, trying a “sudo lsof | grep ttyUSB” during the half-minute delay shows the unexpected process “modem-man” spending this time sending commands like “AT+++” and trying to convince my circuit board that it is, in fact, a modem.

It’s not a modem.

You can explicitly blacklist your custom USB device from modem-man on Ubuntu in /lib/udev/rules.d/77-mm-usb-device-blacklist.rules, but it’s more reliable to just remove the darn thing entirely:

sudo apt-get remove modemmanager

Because seriously, who uses a modem?

This makes plugging and working on my USB serial board a lot snappier!

Blog at WordPress.com.