Ar. Drone: Linux on board

AR. Parrot Drone has achieved tremendous success since its release in September 2010, and is constantly striking the gaming and developer communities. Moreover, having rummaged in it it is possible to find out that AR. Drone works under Linux . What makes this gadget?
Connecting it to a computer is easy, because it is a WiFi device. It looks like a special network, which you can then join from any computer that has a wireless network card. If you have already connected it to a mobile device, the IP address will not be assigned when connected to the network, and it will not be possible to connect to it. To work around this problem, launch a mobile device and disable the pairing function in the Free Fligh t application settings, or simply click the Unpair button on the device.
What can be learned from this toy without taking it apart? Since we are on its network and know its IP address, port scanning will be a good starting point. By doing this, we will find out which ports are open and accessible, and also understand what access we will get to connect to the device.
Running nmap showed two ports:

21/tcp open ftp
23/tcp open telnet

Trying to establish a connection to the free telnet port, we get into Bash without the need to enter a password. The login information indicates that we were able to connect to a Linux installation with BusyBox and that there is an available version number, so we can check intimate details and security issues, if necessary.
Further consideration shows that we were in fact naturally dropped as root without a password, and we got full access to the device.

#echo $USER
root

Somehow too easy. Leden at the thought that someone from the neighbors can connect to the network from a laptop and kill the processes while I am floating on a quadricopter in the sky.
Let's look at the information on the processor and memory:
')
#cat /proc/cpuinfo
Processor: ARM926EJ-S rev 5 (v5I)
BogoMIPS: 233.47
Features: swp half thumb fastmult edsp java
CPU implementer: 0x41
CPU architecture: 5TEJ
CPU variant: 0x0
CPU part: 0x926
CPU revision: 5
Cache type: write-back
Cache clean: cp15 c7 ops
Cache lockdown: format C
Cache format: Harvard
I size: 32768
I assoc: 4
I line linght: 32
I sets: 256
D size: 16384
D assoc: 4
D line lenght: 32
D sets: 128
Hardware: Mykonos Parrot platform
Revision: 0904
Serial: 0000000000000000

As well as information regarding memory:
#cat /proc/meminfo
MemTotal:126072 kB
MemFree: 105652 kB
Buffers: 0 kB
Cached: 3604 kB

There is 128 MB of RAM on board - a bit more than you expect to find on such a small little thing. There is enough memory and computing power for the embedded device, and we know that at least FTP and telnet daemons work on it. Let's look at the list of processes and see what is inside the interesting part.
Looking at the list of processes, we find in addition to the two daemons listed above, there is also a DHCP server and a syslogger . In addition, there are two interesting processes that look specific to this device, one of which is responsible for processing all the controls and outputting the video back to your mobile device:

960 root 2736 S /bin/sh /bin/check_update.sh
961 root 11824 S /bin/program.elf

In appearance, this program.elf process is similar to hosting the main device code. The source code is not available here, and it probably was compiled to the motherboard to close the source code from users.
The process check_update.sh looks readable:

#cat /bin/check_update.sh

It seems that he controls the directory of the firmware in search of new versions to update. So, there is only one process left - program.elf . He is probably responsible for all communication and interaction with mobile devices.
By issuing netstat, you can see if there are open ports, and if so, which ports and to which address they are attached.
The netstat -p command shows that we have an open TCP port for 5559 and three UDP ports - 5554, 5555, 5556. All of them belong to the program.elf process. Given the functionality of AR. Drone , there are a number of possible reasons for this. One port is needed to control the device itself, two more - for the video channels of the front and bottom cameras. This covers UDP ports , but in order to more accurately determine which port is intended for, you will need to take a closer look.
It is noteworthy that the only security mechanism built into the device is the pairing technique available in the application settings: Free Flight . It must be turned on to prevent hooligans from acting on WiFi, which can capture the device when it is in flight.
AR. Drone is perfectly equipped - it has built-in Linux , a lot of RAM, and a reliable mechanical part to support the flight. What actually opens up a number of possibilities for this breathtaking toy is available on the built-in Linux installation BusyBox . With a copy of Linux flying under your control, you get the opportunity to do a lot of unusual things.
By performing simple port scans and checks on open ports and processes, you can transfer packets from and back to the device, potentially allowing you to create streaming video and control mechanisms that are used in your chosen language or platform.
What you want to expect from the AR community . Drone is the main open source application for device management. This would open the hardware to use any version of Linux . In the meantime, this is one of the weaknesses, which should not hinder the development of one of the most exciting modern toys.