Generating ROS drivers for
Hacked Gen 1 Xiaomi Mi
All Traces Complete
Group 7: Neil Dave
Spencer Pozder
John Tan
Paul Terrasi
GitLab Link: https://gitlab.com/EECE-5698-Group-7
Project Overview
• Root & create ROS drivers to control Xiaomi Vacuum
• 4GB total storage
• High processing power (3 dedicated ARM processors)
• Multitude of sensors to work with
• Runs onboard SLAM using Player
Hardware Teardown - Motherboard
• Only 2 processors present:
• R16 Application Processor
• Quad Core, performs SLAM
• STM Peripheral Processor
• Sensor Handler, relays info
between R16 & sensors
• Connector Breakouts for:
• Lidar
• 2 Wheels + Encoders
• 4 cliff sensors
• Main & Side Brush Motors
• No connector breakouts for:
• R16 - STM comm/prog
• Flash storage
Accessing Hardware & Getting WiFi
1. Connect to robot Wi-Fi (wlan0)
2. Download & build encrypted firmware (with English language packages)
written by Dennis Giese and assign SSH key
3. SSHed into robot over wlan0
4. Wrote script to bring up 2nd wireless interface (wlan1), connect robot to
router/hotspot, and request an IP address with dhclient
5. Install packages & dependencies to robot over Wi-Fi
Adding key and re-encrypting firmware
We in!
Installing ROS
• Limited Space in root partition (246 Mb)
• Barebones ROS requires at least 400 Mb
• More space in /mnt/data partition (1.4 Gb)
• Attempted to Symlink root dirs /var/cache/apt and
/var/lib/apt to /mnt/data to increase space
• Frees up 150 Mb (enough room for ROS but not
dependencies required to complete installation)
• Attempted to Install ROS from source
• ros_comm more lightweight than ros_base, but
compiler dependencies took too much space
• Ideally we can resize partitions on firmware image
• Beyond scope of project
• Current solution is to copy most of root partition onto
the /mnt/data partition, then use chroot to install ROS
• Once complete, we edit PYTHONPATH to search for
modules on the /mnt/data partition, so that ROS
can be run without using chroot
Communicating with Sensors and Motor
• Application processor communicates with
sensors/motors over UART through STM32
• Uses proprietary protocol to send/receive data
• Initial plan: monitor uart_test program to
observe and reverse engineer protocol
structure
• Attempt 1: Using uart_test’s option to output raw
MCU data
• This seemed to be omitting some of the header
and setup data that it was sending
• We eventually found the byte that
corresponded to the wall sensor reading
• Attempt 2: Using socat to intercept the UART data
sent and received by uart_test
• Able to see some data written to UART, but for
some data packets, we couldn’t discern if they
were being read or written
uart_test raw output
socat output - first line shows output from uart_test,
couldn’t tell if rest is read or written
Attempt to Monitor uart_test - Software
• Attempt 3: Using strace to monitor uart_test’s syscalls
• We were able to see the packets that uart_test sent over UART, which matched what
we saw using socat
• uart_test never read from the serial port, but it mmap’d the file /dev/uart_mcu, which
led us to believe that it might be getting the UART data from there
• Attempt 4: Reading from memory space at /dev/uart_mcu
• We noticed that a few bytes before the wall sensor data in the packet almost never
changed, so we searched for those bytes and obstructed the wall sensor to verify that
the data was correct
• Very slow due to search - packets varied in size, so we could not consistently jump from
one wall sensor reading to the next
strace output - packet written matches data
seen in socat
Wall sensor byte location from raw uart_test
output
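Added example (not from the slides or the project's repository) of the Attempt 4 approach: scan a dump for a stable anchor sequence, read the byte at a fixed distance after it, then check that the byte shifts when the sensor is obstructed. The anchor bytes, offset, packet layout and captures are all constructed, since the slides do not give the real values.

```python
import statistics

# Constructed values: the slides do not give the real anchor bytes or offset.
ANCHOR = bytes([0x5A, 0xA5, 0x10])  # hypothetical bytes that "almost never changed"
FIELD_OFFSET = 2                    # hypothetical gap between anchor and sensor byte


def make_packet(filler_len, wall):
    """Build one constructed, variable-length packet (not the real protocol)."""
    filler = bytes((i * 7) % 0x50 for i in range(filler_len))  # never contains ANCHOR
    return b"\xAA" + filler + ANCHOR + b"\x00\x00" + bytes([wall]) + b"\x55"


def find_readings(buf, anchor=ANCHOR, field_offset=FIELD_OFFSET):
    """Return (index, value) for each anchor hit that has a complete field after it."""
    hits = []
    pos = buf.find(anchor)              # bytes.find scans in C, not in a Python loop
    while pos != -1:
        idx = pos + len(anchor) + field_offset
        if idx < len(buf):              # skip an anchor cut off at the end of the dump
            hits.append((idx, buf[idx]))
        pos = buf.find(anchor, pos + 1)
    return hits


def field_tracks_stimulus(clear_buf, blocked_buf, min_delta=20):
    """True if the candidate byte shifts when the sensor is obstructed."""
    clear = [v for _, v in find_readings(clear_buf)]
    blocked = [v for _, v in find_readings(blocked_buf)]
    if not clear or not blocked:
        return False
    return abs(statistics.median(clear) - statistics.median(blocked)) >= min_delta


# Constructed captures: packet sizes vary, so fixed-stride reads would drift.
CLEAR = b"".join(make_packet(n, w) for n, w in [(3, 12), (9, 14), (5, 11)])
BLOCKED = b"".join(make_packet(n, w) for n, w in [(4, 201), (2, 198), (8, 205)])

if __name__ == "__main__":
    print([v for _, v in find_readings(CLEAR)])
    print(field_tracks_stimulus(CLEAR, BLOCKED))
```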
Hardware Teardown - Lidar (3rd Processor)
• Couldn’t find Lidar handling processor on motherboard.
• Decided to look into lidar independently to create lidar drivers (data should come on a separate
bus from STM data)
• Opened top of module & found lidar MCU actually present in rotating enclosure
• Lidar Module uses 6 pin connector to connect to Robot (4 Visible wires on Lidar)
• Initial assumption: Wires correspond to module V+, V-, TX, RX
• Probe TX, RX to sniff lidar Data
Untouched lidar module
Opened module w/MCU exposed
Lidar: Initial Assumption == False!
• Module can be separated into 2 boards: Lidar PCB & Relay PCB
• Lidar PCB contains Piccolo MCU
• Relay PCB connects directly to robot, contains photodiode
• Relay PCB powers up coil to wirelessly induce lidar power through coil
attached to lidar PCB
• Lidar PCB wirelessly transmits data by pulsing output MCU UART over
LED to photodiode
• This means wireless communication 1 way!
• Assumption 2: Less likely that Xiaomi customized data packet
format out of lidar MCU. Nothing transmitted upstream to
standard Piccolo LiDar handling MCU. Should be easier to find
library to interpret packet structure!
Wait, what? No wires
through slip ring?
LED from lidar module (left)
Photodiode (right)
Lidar Assumption 2 == True: Reading Data over Arduino
• Found python visualization library for Piccolo enabled lidar using VPython
• Connected lidar to Arduino Mega to parse UART output from photodiode into Arduino
serial pin.
• Arduino COM port can be subscribed to over python (serves as Lidar UART to USB adapter)
• When still, lidar only outputs heartbeat (lidar board @ 0.6V)
• When motor active, rotating coil generates full power and module outputs data
Lidar output when lidar motor inactive obtained with Saleae Logic Analyzer
Lidar output when lidar motor active obtained with Saleae Logic Analyzer
Lidar: Arduino + Viz in action
Lidar Demo through Arduino
Lidar needs spin to generate data
Lidar - Working with ROS and rviz
• ROS Lidar Driver running on vacuum
• Existing driver almost worked correctly:
https://github.com/rohbotics/xv_11_laser_driver
• Changed to allow for inconsistent connection
• ROS Core running on external machine
• rviz running on external machine
• Allowed for real-time data visualization
• No speed reduction from Arduino or file I/O
Lidar - Data Consistency
• Largest issue with Lidar was inconsistent data
• Mostly invalid readings (~12 good angles out of 360)
• Occasionally a good reading (~256 good angles out of 360)
• The fix: applying resistance to Lidar’s rotation!
• Consistent readings (360/360 angles)
• Real-time data
• Possibly increases current through inductive coil that powers lidar sensor
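Added example (not the slides' code and not taken from xv_11_laser_driver) of a parser that tolerates the inconsistent link described above: it resyncs byte by byte, drops packets whose checksum fails, and counts how many of the 360 angles carried a valid distance. It assumes the publicly documented Neato XV-11 22-byte packet layout, which the slides imply only by reporting that the XV-11 driver almost worked; the sample stream is constructed.

```python
import struct

PACKET_LEN = 22
START = 0xFA
INDEX_MIN, INDEX_MAX = 0xA0, 0xF9   # 90 packets x 4 readings = 360 angles


def checksum(data20):
    """XV-11 checksum over the first 20 bytes (ten little-endian 16-bit words)."""
    chk = 0
    for (word,) in struct.iter_unpack("<H", data20):
        chk = (chk << 1) + word
    return ((chk & 0x7FFF) + (chk >> 15)) & 0x7FFF


def parse_stream(buf):
    """Return ({angle: distance_mm}, [rpm per valid packet]) from a noisy stream."""
    good, rpms = {}, []
    i = 0
    while i + PACKET_LEN <= len(buf):
        pkt = buf[i:i + PACKET_LEN]
        if (pkt[0] != START or not INDEX_MIN <= pkt[1] <= INDEX_MAX
                or checksum(pkt[:20]) != struct.unpack_from("<H", pkt, 20)[0]):
            i += 1                      # misaligned or corrupted: slide one byte
            continue
        rpms.append(struct.unpack_from("<H", pkt, 2)[0] / 64.0)
        base = (pkt[1] - INDEX_MIN) * 4
        for k in range(4):
            b0, b1 = pkt[4 + 4 * k], pkt[5 + 4 * k]
            if not b1 & 0x80:           # bit 7 set marks an invalid reading
                good[base + k] = b0 | ((b1 & 0x3F) << 8)
        i += PACKET_LEN
    return good, rpms


def good_angle_count(buf):
    """Number of angles (out of 360) with a valid distance, as tallied on the slide."""
    return len(parse_stream(buf)[0])


def build_packet(index, distances, rpm=300):
    """Constructed test packet; a distance of None marks that reading invalid."""
    body = bytearray([START, INDEX_MIN + index]) + struct.pack("<H", rpm * 64)
    for d in distances:
        if d is None:
            body += bytes([0x00, 0x80, 0x00, 0x00])
        else:
            body += bytes([d & 0xFF, (d >> 8) & 0x3F, 0x64, 0x00])
    return bytes(body) + struct.pack("<H", checksum(bytes(body)))


def sample_stream():
    """Constructed capture: leading noise, one corrupted packet, one stray byte."""
    p0 = build_packet(0, [500, 510, None, 530])
    p1 = bytearray(build_packet(1, [600, 610, 620, 630]))
    p1[20] ^= 0x01                      # bit error: stored checksum no longer matches
    p2 = build_packet(2, [700, None, None, 730])
    return b"\x00\xFA\x13" + p0 + bytes(p1) + b"\xFA" + p2


if __name__ == "__main__":
    angles, rpms = parse_stream(sample_stream())
    print(angles, rpms, "%d/360 good angles" % len(angles))
```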
Future work - Hardware
• Currently soldered to test points on main PCB
• Correspond to 2 UARTs and potentially an I2C
breakout
• If possible solder to known buses on ICs to quantify
behavior over bus & send commands upstream to
determine UART (using logic analyzer)
• Potentially send new STM32 firmware upstream to
write our own UART protocol
Future Work - Drivers
• Create drivers for peripherals relayed
through STM32 (motors & sensors)
• Involves reverse engineering UART protocol
between STM32 and application processor
or flashing STM32 with altered firmware
with a documented UART protocol
• SLAM?
[Diagram: STM Serial, Sensor/Control Driver, Acc Topic, Gyro Topic, ..., Movement Topic]
