Hello, welcome to this talk. I'm David Melendez and I will share with you several projects that I have been working on over the years. The title of this talk is Building Drones the Hard Way because we are talking about three robots, each one with its particularities. So I named this project Trash Robotic Router Platform at the beginning and the leitmotif was low or no cost embedded platforms, the Internet of Things, and to use whatever is lying around. And I don't like to recycle, don't recycle at all, simply reuse. So for the first two robots I decided to use a router. Some of you may know the Linksys, it's a very classic router. So like seven years ago I decided to build my first robot. It's called Texas Ranger, so we are going to see why. The main reason to use the Linksys: seven years ago there was no Raspberry Pi, or maybe Arduino, but it was very new. So I decided to use a Linksys and a homemade PIC board, homemade. So I loaded the Linksys with OpenWrt and we got everything. And the second one was a drone, we are talking about all of them, with the La Fonera 2201, a very old model indeed. So the wrong one is the Robot Texas Ranger. You can Google it and you will find a lot of stuff about this, but I would like to share this robot with you. This was the first time I used a robot, so this robot has a Linksys, a board, an IP camera and two guns, okay. The two guns are made with plastic guns turned backwards, and all the bullets fall into the camera. So I only need a transistor to make the gun work from the PIC. The PIC was connected directly to the Linksys by serial port and we have an interface.
And the laser, this is the laser, was used to estimate the distance between the robot and, for example, the wall, by calculating the distance between the brightest light on the screen, the screen captured by the camera. The router decompresses the image and then, well, it calculates, estimates the distance between the robot and the wall. So the first one is the Texas Ranger and the second one was the Meet. It's built with a Fonera as a router, like the Texas Ranger. It's the same technology at the beginning because I still use OpenWrt, and I was to program the stabilization process inside the router because I decided to program my own stabilization program and avoid any kind of board like ArduPilot and so on. Just for fun and to learn how the stabilization process works, and I would like to share my insights with you. So the telemetry and control: the first attempt was unsuccessful. It was control by the web page of the router, by keystrokes, by JavaScript. But I found that that was not very comfortable for piloting the drone, especially when the drone can kill you because it's too big. So we all know what's the ABC for quadcopters and drones. So we can skip this slide. I think that we all know we have four motors, two spinning clockwise and the other two spinning counterclockwise. So we have complete control over all the axes. We want to turn to one side, we spin faster one motor and the other. Well, this is the architecture of the Atropos. This kind of slide is to troll you. So don't be afraid. We have a La Fonera in the front with a background process. But at the beginning we have a client in a web page with an iframe taking the camera. At first it was an IP camera, and we have a controller like this one. This is not an RC, it's a USB trainer, so it's like a remote control like with PlayStation and so on. La Fonera takes the commands through our Wi-Fi and tells the main process all the commands from the pilot.
That flight control runs inside the Linux box, inside the Linux router, and there have to be some kind of special tweaks in order to achieve some kind of real-time execution. We know that Linux is not by default a real-time operating system, so we have a special policy, a scheduling policy, to achieve some sort of real-time response. So we need to read sensors, make calculations and send the command to the motors in a fixed time, in a specific fixed time. So we cannot make 100 calculations in one second and 200 in another second because you have to be very time constrained. We are talking about that later. So the inter-process communication is made by shared memory for fast response, and the sensors are the Wii MotionPlus and the Wii Nunchuk. They were taken from the Nintendo Wii console because six or seven years ago it was not so easy to buy a complete set of sensors, and the best choice was to go to the supermarket, buy some Wii sensors, not having the Wii console, and connect them to the router lights. So the first thing we need to identify in the router is where the lights are, because the lights are GPIOs. So if we have enough GPIOs identified we could make a virtual I2C bus by software. So I could identify four pins, for example the network activity or the Wi-Fi activity. We have several pins identified here. So I could make two I2C buses to connect the Wii MotionPlus and the Wii Nunchuk. Well, this is some kind of professional soldering. This is pretty awesome, I know. So we have the GPIOs. Let's attach to those, and the serial port, which is useful too, as you know. And these are the steps to load the I2C, to compile the module of the I2C. You don't have a driver because you don't have specific hardware with I2C. You simply create an I2C bus, but by software; it's not related to any specific hardware. So we have to load these modules, and those are the commands: we tell the kernel module which pins of the CPU are related to the clock and the data.
So we will have bus 0 and bus 1 with the GPIOs 4, 7, 3 and 1. So I leave this information: we load the module at the start and we can launch the i2cdetect command as normal. But this is the serial port of the Fonera. There's no real mystery here. And I would like to explain how it works a little and why I need the Wii MotionPlus for the Atropos. Well, the Wii MotionPlus is a gyroscope, so we have three axes: pitch, roll and yaw. But it gives me angular velocity; to get the real angle we multiply angular velocity by time. But there is a problem, it drifts. If you multiply over and over, over time it will drift. It's the same problem as if you are too drunk and you turn around enough times, you can go to the ground. So we need an accelerometer to cancel that drift. And the accelerometer is taken from the Nunchuk. It's also an I2C port, and acceleration. Well, we need this to cancel the drift, and take it only when the drift has to be cancelled. The other over time is not necessary. And the magnetometer, this is not mandatory because it only cancels the course angle. So it's optional. Well, in order to read the I2C with a Linux program, one of the easiest ways is including the I2C header of the Linux kernel, and we read it like a regular file. We can ask for the specific sensor that we want to read by sending an ioctl command, to read the gyroscope or the accelerometer. So this is the funny part, because we have to mix these two sensors to obtain an attitude, the real motion, how the drone is moving, in order to react and send the proper commands to keep the drone stabilized. All this shit is managed by ArduPilot easily. You can put in the ArduPilot and everything works fine. But if you want to make this by yourselves, we have to deal with this shit. The first approach that I made was, okay, we have the poor man's Kalman filter. Do you know the Kalman filter? How many? One? It's fine. Two? Okay. Two. It's pretty fine.
So this is like the paper, the original paper was the Balance Filter from MIT. You can see that. And it's taken from that. Okay. So the first approach was to take the angle of the gyroscope, multiply by delta time. Delta time is the time between reads. That is why it's important to keep reads at the same time, because DT is fixed. It's a constant. So you can remove that from the equation if we have a fixed delta time. So this is our first approximation. So we have some kind of stabilization because I'm taking into account very, very much the gyroscope but too little the accelerometer. You have here the gains, and we have some kind of stabilization. But this is the funniest part, because what happens if the drone, okay, this is the sensor, okay. And the sensor takes into account this turn, this turn, and this: pitch, roll, and yaw, okay. But each axis is related to each axis of the sensor. But what happens if I'm moving like this? The pitch is no longer the pitch. The yaw is no longer the yaw. The yaw is not the last movement. Well, it's not the same movement. Well, again, we have a yaw. Okay. And the yaw is like this. But the yaw now is not like this. It's like this. But the related axis of the sensor remains the same. Okay. The yaw for the sensor still is that. But for the drone, no more. Okay. That pretty stuff blew my mind the first time, because we need a three by three matrix transformation in order to transfer the coordinates of the sensor to the coordinates of the drone. So we have nine values that relate the x of the aircraft to the x... Well, you see that. Okay. So we have to work once we have the conversion between the axes of the drone and the axes of the sensor. We have three things. Absolute angle, radians. Okay. We have angular velocity, radians per second, from gyroscopes, and the angular acceleration, radians per second per second. Okay. So don't go away, please.
Once we have an attitude, we have to send a proper command to the motors. But what command, what quantity, what fucking shit of anything. So we have this algorithm; it's taken from Wikipedia. Okay. This image, you can search for that. We have three terms. Okay. We have the proportional term, that is, we have a zero. I have to stay at zero angle to stay stabilized. Okay. My set point is zero. But I am at 10 degrees. My error is minus 10 degrees. So I have to take into account the error, which is the difference between where I am and where I want to stay. So I multiply the error by a number. Which number? I have no idea. I have no fucking idea. The first approximation is, okay, let's test. Okay. And you test. You put the drone in a safe way. I fix it with movement in only one angle and you test how it behaves. But it's nothing else. You can't control a drone with a proportional gain because it's nothing else. You have to take into account the integral. Don't throw things at me, please. The integral is only taking into account how much time I'm with the error. Okay. It's like you take the mouse and naturally your brain is calculating the integral, because if I can't lift the mouse, my brain will send more power to my hand to lift the mouse. That is the integral. I'm not on time with the error. So I accumulate the error to correct. And the other one is the derivative. Okay. The derivative thing takes into account at how much speed I'm approaching or leaving my set point. Okay. So I have to take into account those three terms. And I have to tune it by trial and error. Okay. It's the best way. Although you have the real model of your drone or almost all the variables and you can calculate the Laplace transform and so on. Okay. But for movements you can use trial and error. So this is an extra speed because we apply the PID to angular velocity but over the roof we apply a P-controller. This is just for the record.
So this is the Atropos with a professional grade mounting with all the stuff. And once we have done all the calculations we have to send the signal to the motors. So the signal is a PWM, a pulse width modulation, that cannot be made inside the router because it's not real time. We have specific hardware. So I use a PIC. Okay. This is the real-time scheduling of the process inside the Linux box. This is only if you want to investigate. I use the sched get priority. The sched library. So in a policy of first in, first out. Okay. So there are some processes by default in the Linux box that are useless. Okay. That's the watchdog. Because what happens is the router hangs while I'm flying my drone. Okay. It makes no sense. Well, we see the motors and so on. And this is how I control the drone through the web page. This was my first approximation with Ajax. But I had to tweak the web server because too many, too fast Ajax petitions, queries, are too much for the router. So I have to tune the web server. Okay. That's the remote. This is only a joystick. Okay. It's a regular joystick. And I would like to say some things about Android, because I was thinking about avoiding a PC to control my drone. Okay. I'm going to put all my stuff, my pilot stuff, on a tablet. Okay. So I have to recompile the whole image only for a tiny and ridiculous module, joydev. Okay. So thank you. And the last one was in a talk in Spain. A guy sent to me an authentication package to the Wi-Fi of the drone. It was not so funny. Okay. So I decided to make my own protocol over Wi-Fi that I explained in the talk before this. You could find it with the Project Interceptor. You could find it on the DEF CON web page. This is my Project Interceptor.
It's made with chopsticks, because if I make it with a 3D printer nobody believes me that it's my drone. Okay. So, and I like this shit. I like to make things with my hands. Okay. So I decided to make a much smaller drone than the Atropos, because the Atropos can kill me. And especially when I travel with it through the airport. So I decided to make a hand-sized drone. This time with regular sensors that you can buy from Chinese dealers and so on. But there are some things that have to be taken into account. The first one: Chinese sensors, maybe they are not documented. Okay. Maybe you can't tune the filters and maybe your drone has too many vibrations. If you look close enough, look at this. What do you think that could be? Well, there is the English term, thermo, thermofusible, this kind of pipes that you take to protect wires with the solder. Okay. So shrink tube. Thank you. As a dampening. Okay. To absorb, to take into account the vibrations. So it was nothing else. And I attached a 20 euro cent coin to make the sensor the perfect way to absorb the vibrations. Okay. I have to do this because I can't tweak the filters of the sensor. But it has an advantage. Those sensors do all the math stuff for me, or not all but the first part. Okay. The real estimation. It's low budget. $40. No, seriously. And it has hacking capabilities. And the idea is to have minimum size and weight. So it is based on the VoCore2 Linux board. I think it is the tiniest board on the market. I don't know if there is any other, but this is the tiniest. But it's like a router. It's like a regular router. But you only have the board. Okay. I have no commission for this. But you can see all the parts. That's the VoCore. And the interesting part is it has four pulse width modulation outputs. And that's because I can't avoid an extra microcontroller for my setup.
But there is a problem. When you buy the VoCore, only two modules of the pulse width modulation are enabled. The other two are for, what, debugging. Okay. Good job. So we have to disable the UART and enable pulse width modulation on the other one. But I went to the forum of the VoCore and a random guy asked, how can I disable all four pulse width modulation pins? And the VoCore creator: well, this is a hard way. You download OpenWrt. You find the source code of the DTS. The DTS is the pin definition of the VoCore. Okay. DTS: your mobile has a DTS. The Raspberry Pi has a DTS. It defines how all the pins are defined. Okay. So you have to understand the pin control section and better take the source code. So then you can enable this module and you will be a good Linux hacker. Good job, man. Very helpful. So this is what you need to enable the four pulse width modulation outputs and disable the debugging UART. So we have to redefine the pins. But we have a pin name but a pin function. This can be tricky because we have the UART function and the UART name. If you can see that, we have the UART pins, but then with not the UART function but the pulse width modulation function. Okay. We redefine the muxer, and this is only for the record, the datasheet, where you have to take this information from. And this is me pretending that I know that I'm doing my work. Okay. The power stage of the Interceptor drone is not performed with an electronic speed controller as usual. Because I chose brushed motors, okay, brushed motors. They don't need an entire electronic speed controller. It only needs one MOSFET, a capacitor and a Schottky diode. Why do we need some kind of stuff apart from the MOSFET? That's just because when we power the motors we are putting power on the circuit. Okay. But we're not powering the motors at maximum capacity. Okay. We are modulating the power, more or less.
So what happens when we turn on and off the switch of the motor? The motor generates electricity because it is spinning. It acts as a generator. So we have standard electricity flowing as normal, but we turn off the motor. We have the counter-electromotive force. Okay. This generates, puts current in the circuit, not from the battery but from the motors. It could harm the circuit. So we have to suppress it with the capacitor and the Schottky diode.
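The fixed-time-step sensor fusion and PID loop described earlier in the talk, as an added C example that is not the speaker's code: it shows a gyro bias drifting without bound under pure integration but staying bounded once the accelerometer is mixed in, and a constant disturbance leaving a standing error without the integral term. The loop period, gains, bias, disturbance and the single-axis plant are assumptions constructed for illustration.

```c
#include <stdio.h>

#define DT 0.01f           /* assumed fixed loop period: 100 Hz */
#define GYRO_WEIGHT 0.98f  /* assumed gain: mostly gyro, a little accelerometer */

/* One fusion step. accel_x is the accelerometer reading in g along the tilt
 * axis; near level, sin(angle) ~ angle, so it is used directly as radians. */
float fuse_angle(float prev, float gyro_rate, float accel_x)
{
    return GYRO_WEIGHT * (prev + gyro_rate * DT) + (1.0f - GYRO_WEIGHT) * accel_x;
}

/* Constructed case: level airframe, constant gyro bias; use_accel=0 is pure integration. */
float angle_after(int steps, float gyro_bias, int use_accel)
{
    float angle = 0.0f;
    for (int i = 0; i < steps; i++)
        angle = use_accel ? fuse_angle(angle, gyro_bias, 0.0f)
                          : angle + gyro_bias * DT;
    return angle;
}

struct pid { float kp, ki, kd, integral, prev_error, i_limit; };

/* One PID step at fixed DT, with the integral clamped against wind-up. */
float pid_step(struct pid *c, float setpoint, float measured)
{
    float error = setpoint - measured;
    float derivative = (error - c->prev_error) / DT;
    c->prev_error = error;
    c->integral += error * DT;
    if (c->integral > c->i_limit)  c->integral = c->i_limit;
    if (c->integral < -c->i_limit) c->integral = -c->i_limit;
    return c->kp * error + c->ki * c->integral + c->kd * derivative;
}

/* Constructed one-axis plant: angular acceleration = command + constant disturbance. */
float settle(float kp, float ki, float kd, float disturbance, int steps)
{
    float angle = 0.1745f, rate = 0.0f;          /* start about 10 degrees off */
    struct pid c = { kp, ki, kd, 0.0f, -angle, 1.0f };
    for (int i = 0; i < steps; i++) {
        rate  += (pid_step(&c, 0.0f, angle) + disturbance) * DT;
        angle += rate * DT;
    }
    return angle;
}

int main(void)
{
    printf("gyro only %.3f, fused %.4f, PD %.4f, PID %.4f (rad)\n", angle_after(6000, 0.05f, 0),
           angle_after(6000, 0.05f, 1), settle(8, 0, 4, 0.5f, 1000), settle(8, 8, 4, 0.5f, 1000));
    return 0;
}
```

The fused estimate still carries a small constant offset from the bias; lowering GYRO_WEIGHT shrinks that offset at the cost of letting more accelerometer vibration noise through.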