Creating, testing (and flashing -- TBD) a custom kernel

In my last post, I announced that creating and uploading a custom kernel works. Now I will explain how this can be done.

Thanks to MAPGPS from http://www.ardrone-flyers.com for testing my tools.

You need:

- Linux! I used Ubuntu 10.10
- ARDrone linux kernel source (get it from [1])
- ARDrone linux kernel config (get it from [2])
- The Sourcery G++ toolchain (get it from [3] or [4] )
- My plftool, usb_flash tool (see below)
- The old parrot flash tool (for ardrone_usb_bootloader.bin)
- libusb-0.1 (linux) or libusb-win32 (windows)
- zlib

Getting & Compiling plftool + usb_flash tool

These tools are not yet released. Thus I will not provide binaries for windows, instead you have to compile them by yourself. For windows, you need to use mingw32.

Getting the sources

The sources are stored at my google code project. In order to get them, you need to install a svn client. For linux you then call something like this:

svn checkout http://ardrone-tool.googlecode.com/svn/projects/libplf/trunk libplf
svn checkout http://ardrone-tool.googlecode.com/svn/projects/usb_flash/trunk usb_flash
svn checkout http://ardrone-tool.googlecode.com/svn/projects/plftool/trunk plftool

Compiling

Now that you got the sources, you need to compile them. First start with libplf as this is needed by all projects. The library contains the code to read and write .plf files.

cd libplf 
make
cd ..

When compiling with mingw32 call "make -f Makefile.w32" instead.

If libplf was compiled succesfully you should get either a libplf.so or libplf.dll file.
Next compile plftool and usb_flash:

cd plftool
make
cd ..
cd usb_flash
make
cd ..

When compiling with mingw32, call "make -f Makefile.w32" instead.

This should create plftool(.exe) and usb_flash(.exe).

For Linux, if you do not want to install the libplf.so file, you need to call plftool and usb_flash with LD_LIBRARY_PATH=<path_to_the_folder_where_libplf.so_is_located>  prefix.

E.g.

LD_LIBRARY_PATH=/home/scorp2kk/projects/ardrone/tools/libplf plftool 

For Windows, you need to add the folder where libplf.dll is located to your PATH variable before calling usb_flash or plftool.

Patching the kernel

As Parrot's published source code does not match the kernel delivered with firmware > 1.3.3, a patch is required to ensure correct behaviour. This patch mainly affects p6_sdhci.c.

You can get the patch from here. To apply it, just call:

cd linux-2.6.27
patch -p1 < p6_sdhci-patch1.patch

Compiling the kernel

Now as the kernel is patched, you should use Parrot's original config [2] and cross-compile the sources with Sourcery G++. Basically you need to do something like this (don't forget to add the Sourcery' bin directory to your PATH):

cp ARDrone_Version_20100809_1_2-busybox.config .config
make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- zImage 

After a few minutes (or hours) make informs you that the zImage file is available:

Kernel: arch/arm/boot/Image is ready
Kernel: arch/arm/boot/zImage is ready

Creating a kernel.plf file

If you got your zImage, it is time to build a kernel.plf file from it. This is done by plftool. plftool expects a build-ini file that describes the plf file. A sample ini file can be found at plftool/samples/kernel. Using the sample kernel.ini, you only have to modify the "File=" parameters in section "[zImage]" and "[BootParams]" so they point to the zImage file and to a text file, the boot parameters are located in (e.g. called bootparams.txt).

To create the kernel.plf from the kernel.ini, just call:

plftool -b kernel.ini -o kernel.plf 

The tool should output something similar to this and create the kernel.plf file.

Creating kernel.plf based on this config:
File [HdrVersion: 11 EntryPoint: 0x40800000; Version: 0.0.0
TargetPlat=4, TargetAppl=78, HwCompat=0, LangZone=0]
  zImage     @ 0x40800000 (zImage)
  initrd     @ ---------- (no initrd)
  bootparams @ 0x40700000 (bootparams.txt)

 *** kernel.plf created ***

Testing the kernel.plf file

If  kernel.plf file was created, it is time to test this file. First inspect it with plftool:

plftool -d -i kernel.plf

Have a look at dwFileType, dwEntryPoint and Section->LoadAddr.

If it looks okay, it is time to start (not flash!) the kernel:

1. Copy ardrone_usb_bootloader.bin to the folder of usb_flash
2. Connect the drone to your PC via USB (the LED should be RED)
3. Connect the BATTERY to your drone (the LED becomes GREEN) 
4. Check if the device was found (with lsusb)
5. Start usb_flash in TEST mode:

usb_flash -t kernel.plf

This will load (NOT flash) the kernel over USB. In general, it is helpful to observe A.R. Drone's serial port, as the whole boot sequence is shown there. usb_flash outputs on success:

...

Mode: kernel test

*** VERIFICATION ***
Verifying ardrone_usb_bootloader.bin
Verifying test_kernel.plf


*** DOWNLOADING USB BOOTLOADER ***
Try [00/10] to connect to VID: 0x19cf PID: 0x1000
Found a possible device:
- Manufacturer: Parrot SA
- Product: P6 USB Stage1
- Serialnumber: ?
- Number of configurations: 1
Sending bootloader (0x5b20 bytes)
- Send Hello P6 (0xA3)
Success!!!

Checksum returned: 0x5256 Expected: 0x5256 => OK
Starting the bootloader...

*** INSTALLER DOWNLOAD ***
Closing usb connection...
Try [00/10] to connect to VID: 0x19cf PID: 0x1000
Found a possible device:
- Manufacturer: Parrot SA
- Product: P6 USB Stage1
- Serialnumber: ?
- Number of configurations: 1
loading installer
Uploading file: test_kernel.plf
Error Code returned: 0x00000000  ==> OK
*** INSTALLATION DONE ***

If everything works, the kernel boots up, WiFi ist started and you should be able to connect to the drone with telnet.

Check the kernel version with

uname -a

If the default kernel starts without problems, you can now begin to modify the kernel config.

Flashing the kernel to NAND works but I still need to modify the plftool.. so stay tuned.


Happy hacking :-)


[1] https://projects.ardrone.org/documents/show/19
[2] https://projects.ardrone.org/documents/show/18
[3] https://projects.ardrone.org/documents/show/20
[4] http://www.codesourcery.com/sgpp/lite/arm/portal/release858

Creating + Flashing Custom Kernel

Yeah...

Creating a kernel.plf file from zImage+initrd --> WORKS!
Booting this kernel.plf file over USB --> WORKS!
Flashing this kernel.plf to NAND --> to be done...

More will follow soon :-)

Tools for A.R. Drone

I finally released some tools for A.R. Drone:

1. libplf - A library to read / write plf files
2. plf_inst_extract - A tool to extract and patch a ardrone_installer.plf from a given ardrone_update.plf
3. usb_flash - A tool to flash a ardrone_update.plf over USB. This tool requires:
1. ardrone_update.plf - the firmware to flash
2. ardrone_installer.plf - can be obtained from ardrone_update.plf with plf_inst_extract
3. ardrone_usb_bootloader.bin - was delivered with the old flash tool. I will probably write an open-source boot loader sooner or later.

Have a look at my goolge code project:

http://code.google.com/p/ardrone-tool

PLF File Format

A few weeks ago i bought an A.R. Drone from Parrot. This quadcopter is controlled over WLAN and uses an embedded Linux on an ARM chipset.

Altough it is possible via FTP / Telnet to modify the file system, i was intreseted in the flash file format. So I analyzed the available firmware.

I was quite successful athough there are still some unkown fields left.

Fileheader:

typedef struct sPLFFile
{
  u32 dwMagic; 
  u32 dwHdrVersion;
  u32 dwHeaderSize;
  u32 dwEntryHeaderSize;
  u32 uk_0x10;
  u32 uk_0x14;
  u32 uk_0x18;
  u32 uk_0x1C;
  u32 uk_0x20;
  u32 dwVersionMajor;
  u32 dwVersionMinor;
  u32 dwVersionBugfix;
  u32 uk_0x30;
  u32 dwFileSize;
}

The fields have the following meaning:

• dwMagic: MagicCode of the file. Must be 0x21464C50
• dwHdrVersion: Version of the header struct. Only seen with 0xB or 0xA
• dwHeaderSize: Size of the file header. Must be 0x38.
• dwEntryHeaderSize: Size of the section header. Must be 0x14.
• uk_0x10: Currently unkown. Maybe some Type. Seen with 0x2
• uk_0x14: Currently unkown. Maybe an EntryPoint. Seen with 0x0
• uk_0x18: Currently unkown. Maybe the Device Type. Seen with 0x4
• uk_0x1C: Currently unkown. Maybe the Model Number. Seen with 0x4E
• uk_0x20: Currenlty unkown. Seen with 0x20
• dwVersionMajor: Major version of this firmware
• dwVersionMinor: Minor version of this firmware
• dwVersionBugfix: Bugfix version of this firmware
• uk_0x30: Curently unkown
• dwFileSize: Size of the file.

After the header the sections follow. Each section starts with the following header.

typedef struct sPLFEntryTag
{
  u32 dwSectionType;
  u32 dwEntrySize;
  u32 dwCRC32;
  u32 uk_0x0C;
  u32 dwUncompressedSize;
}

The fields have the following meaning:

• dwSectionType: Type of the section.
  
  0x00: unkown
  0x03: probably the bootloader
  0x07: unkown
  0x09: Filesystem action/content
  0x0b: Configuration Data (Mounting, creation of partitions)
  0x0c: Installer (contains another PLF file)
  
• dwEntrySize: Size of the section (excluding header size)
• dwCRC32: CRC-32 of the content and EntrySize
• uk_0x0C: Currently unkown. Seems to be the address where to load the section to
• dwUncompressedSize: If > 0, the content of this entry is compressed with gzip format. The value represents the uncompressed size of the entry.

The meaning of each section depends on dwSectionType.

0x09 - File system content
Each section represents one entry on the file system. It first starts with the null-terminated filename (variable length). After this name, the following header is placed:

typedef struct sFileEntryTag
{
  u32 dwFlags;
  u32 uk_0x04;
  u32 uk_0x08;
} sFileEntry;

• dwFlags: Flags of the file entry. Encodes the type of the entry and the access rights.
  
  bit00-11: Rights of the file. Its the same as you would use for chmod. E.g. 0755 -> 0x1ED
  bit12-15: Type of the file entry:
• 0x04: mkdir. No more data follows after the header.
• 0x08: write. The file content follows after the header.
• 0x0A: symlink. The target of the link follows after the header.
  
• uk_0x04: Currently unkown. Seems to be either the UID or GID.
• uk_0x08: Currently unkown. Seems to be either the UID or GID.

0x0b - Configuration data
This section contains informations about mounting, truncating and creating partitions. There is an old and a new version.

Old version (starts with "/mnt"):
32 bytes unkown. Then a u32 with some unkown_count follows. Then unkown_count*8 bytes follows. Then a u32 with the number of entries follows. Afterwards, the entries follow.

New version (does not start with "/mnt"):

typedef struct sPartitionSectionTag
{
  u32 dwTblVersion;
  u32 dwVersionMajor;
  u32 dwVersionMinor;
  u32 dwVersionBugfix;
  u32 uk_0x10;
  u32 uk_0x14;
  u32 uk_0x18;
  u32 uk_0x1C;
  u32 uk_0x20;
  u32 dwNumEntries;
} sPartitionSection;

• dwTblVersion: Seems to be the version of this "partition table". 
• dwVersionMajor: Major version
• dwVersionMinor: Minor version
• dwVersionBugfix: Bugfix version
• uk_0x10 - uk_0x20: Unkown
• dwNumEntries number of partition entries

For both, new and old version, the entries follow directly after the header. Each entries had the following format:

typedef struct sPartitionEntryTag
{
  u16 wDevice;
  u16 wVolumeType;
  u16 wVolume;
  u16 uk_0x06;
  u32 dwVolumeSize;
  u32 wVolumeAction;
  u8  cVolumeName[32];
  u8  cMountName[32];
} sPartitionEntry;

• wDevice: Device number
• wVolumeType: Volume type.
• 0x0: RAW - no file system is available on this device
• 0x1: STATIC - A filesystem is available but will not change (e.g. for the boot partitions)
• 0x2: DYNAMIC - A filesystem is availalbe and can be changed 
• wVolume: Volume number
• uk_0x06: Unkown
• dwVolumeSize: Size of the volume. Only to be used for wVolumeAction=2
• wVolumeAction
• 0x0: mount. Only for wVolumeType=2! -> mount /dev/ubi__
• 0x1: truncate and mount -> Truncates the partition and mounts it afterwards
• 0x2: create partition -> will call ubimkvol

... to be continued ...

Feel free to leave your comments!