After a non-extensive search on Parrot MiniDrone Hacking, this is my true story. My hardware version is HW_01 I am fairly sure the Parrot manufacturer has on purpose made it easier to hack their devices to have at least some appeal to the DIY hacking communities and still be able to tell their investors that their IP is in dry sheets.Using the Rolling Spider with the wheels takes of 2 minutes giving 6 minutes of flight. The parrot charger has an output of 4.2V and charges at 0.5A. The charging chip used is from Texas Instruments BQ24040 (DSQ)(R)(T) datasheet Where the R means Reel and T Tape which is plainly how they ship when you order bulk. The parrot drone charges faster but no specifications can be found on the chip used. Using the Drone I had full charge in +- 35 Minutes using 2.4A USB charger. All parrot drones seem to be flashable with Parrots own .plf format. The firmware is not encrypted and a banal strings reveals most of the internals of the operating system which is Linux based.

Internally this firmware is known as: Parrot Dragon Firmware as per HTML page:so Parrot has its own firmware format. Opening the file immediately gives a good hint on what to expect. From 0x00000 to Offset 0x2BB seems to be the header of the Firmware file. Scrolling a few bytes down we see that it is most probably a Linux image of some sort.parrot ar drone bada Personally I would stop there and run strings over the file to see if that can help us further.parrot ar drone moteur bloqué This shrinks the 11MB file to 655k of Text. parrot ar drone gewinnenThis is still rather large but I had a train ride (or two) ahead so I scrolled and deleted the garbage in the file. Click here to see the sanitized strings file. Sleuthkits mls will be used once I carved the "payload" from the firmware.

Binwalk will do the carving. As it seems clear that this is plainly a big blob containing a header and then the actual OS I make the assumption that the boot loader look for a file called AirborneCargo.plf (or perhaps even wild-card *.plf) then looks at the header and dumps the entire content after the header to the drones memory. To easily flash the drone my self I need to extract the payload, do the changes, pack it all back together, hope for the best. First I need to understand the file header. This is mostly a manual hex-edit jobby. The header is 709 bytes, starts with PLF! and ends with PLF! Beautiful, but I do not read hex fluently with no real "separators". Let's beautify it in… radare2 and put it in MarkDown :) [0x00000000 0% 720 AirborneCargo.plf]> x @ fcn.00000000 They do some NFS magic: As of 23.10.2015 I am not sure how the networking works on the drone. Plainly plugging it into an OS X Box only mounts the Mass Storage of the drone (which can be used to flash the drone or transfer images taken by the drone)

A Linux test comes next as the bigger sister drones can be plugged in and they present themselves as a USB-Network device. Once attached to a Linux machine, you will see the following output The only interesting info here would be Mass storage device and idVendor=19cf // idProduct=0907 Linux maps these ids to the Parrot Rolling Spider but I can tell you this is a Parrot Airborne Cargo Minidrone. Check if all is ok The Rolling Spider is in essence the same as the Airborne Cargo with additional sides that server as wheels. Learn Visual Programming with the Tickle App Rolling Spider software package for Education Rolling Spider edu quick start Learn How to Design Feedback Control Systems and Experiment with a Palm-size Drone Getting Started with MIT's Rolling Spider MATLAB Toolbox The Rolling Spider according to the internet will give you a Bluetooth BNEP Network interface as well as an USBNet interface. One person even had a serial port appearing.

This same person has a detailed account on playing with the RS on various VMs. Here is the write-up On this random scratchpad file in the firmwared repo is the following oddball The GET command is from libwww-perl and recode can be found in the recode package on most systems. The firmwared repo is a Daemon responsible of spawning drone firmware instances in containers. AR SDK Build Utils can be used to write applications which control the latest generation of Parrot Drones (including the Airborne) AR SDK Build Utils on GitHub (Thanks to @rafi0t) Install AR SDK Build Utils Parrot AR Drone 2.0 Hacking Rolling Spider Bluetooth LE Analysis BLE packet capture on Android 4.4 RSControl Android app to control Rolling Spider Jessica - Parrot Minidrone Rolling Spider Repo NOT controlled via Python Bluepy - Python interface to Bluetooth LE on Linux blucat - netcat for bluetooth Paparazzi The Free Autopilot on AR. To downgrade the firmware on the AR.

Drone to you need to fool the OS in thinking it's out of date:Drone 2 has an FTP Server running on port 5551. Connect and upload your New-Old Firmware.If you would like to downgrade, upgrade, or re-install firmware you can do so at your own risk by using these files and instructions. Download the version you want below. (Don’t change the filename.) Power up your AR. Connect your computer to the AR. Open a telnet session to 192.168.1.1 type the following:  echo “1.1.1″ > /firmware/version.txt type the following:  echo “1.1.1″ > /update/version.txt Connect an FTP client to 192.168.1.1 Port: 5551 Upload the downloaded plf file to the FTP server (AR. Disconnect your computer from the AR. Disconnect the battery from the AR. Wait (about 5 minutes while the upgrade completes) Upgrade, downgrade, and re-install are all done using the same procedure as seen in the video below. Any FTP client will work. We use and recommend Cyberduck which is available here: http://cyberduck.ch/