Apr 2, 2008

NXT as GPS Receiver


I have been reading through a disassembly of the NXT firmware and ROMS, and discovered a couple of tricks that made this app possible. It turns out that it is possible to reprogram the bluetooth radio receiver to receive GPS frequencies, which allows you to implement a simple GPS position readout, even from this NXT-G program! The reception is not very strong (I had to stand outside in a large clear area), but it was able to determine basic position data for me.


Key to getting this to work, I was surprised to discover, embedded in the ROMs, there is a DOS (!) micro-kernal, which is apparently only used as a debug console for attaching a remote debugging host. However, if you can get a process running under this kernal then you have full access to all of the internal hardware registers, including the bluetooth controller, which allows you to remap the radio frequencies.



Then I discovered some "back door" hooks in NXT-G (also apparently there as debug hooks) that allow access to system traps and basic DMA (memory) access, by reading and writing to variables with special names. This made this actually possible from NXT-G, including the process of getting the app to run under the debug micro-kernal. Check out the program above to see how it is done. There are probably a number of other interesting things you could try using these hooks!


18 comments:

Rick Rhodes said...

Dave,

Knowing nothing about GPS, I went outside and ran your program.

I came up with the following coordinates:

55.72N
9.12E

These are, of course, the coordinates for Billund, Denmark. :)

So, how can we neophytes use it to find our own locations?

Thanks,

Rick

Tom Johnson said...

I just tried it and it works perfectly! Fantastic! It will be especially useful for FLL navigation.

Alkarex said...

Yes, it is a great solution. With the same approach, it is possible to make Wi-Fi and 3G all at once :-)

Dave Parker said...

Rick and others,

If you are getting 55.72 N and 9.12 E, then that just means that the signal strength is not good enough. Try getting farther away from any source of interference (e.g. cordless phones, car batteries) and hold the NXT up high over your head.

To keep the program simple I didn't put any error checking in for weak signals, and it was easiest to zero the coordinates at Billund given the way LEGO's radio controller works, so these results are essentially like (0, 0) -- no data.

Rick Rhodes said...

Thanks, Dave.

I'll climb the town's water tower tonight, to get a better reading. :)

(JUST KIDDING, KIDS--Climbing the town's water tower will get you arrested. And you'll be cleaning the rest rooms in City Hall for a year, as part of your community-service sentence).

Jilles Groenendijk said...

Hi Dave,

As always, your project worked perfectly! Documentation was very clear.

It took me a while to get a strong enough channel.

Jelle and Jurre reminded me to do the reading in open field instead of in our house.

We got a perfect:

51.82N
4.15E

in Hellevoetsluis, Netherlands!

Smile,

Jilles, Jelle & Jurre Groenendijk

Guy Ziv said...

Dave,

This is astonishing! A couple of immediate question come into my mind:
1. How did you find these back-doors?
2. Are there equivalent back doors in Labview toolkit?
3. Does these depend crucialy on firmware version?
4. Where can one find a list of all DMAs and system traps?
5. Where is this micro-kernel documented?
6. What other back doors are there in NXT-G?

This starts looking like old RCX hack-a-firmware days...

Guy Ziv

Dave Parker said...

On Guy's questions:

1. Being an old DOS hack, I recognized the DOS kernal and system traps by noticing a clumping of procedures terminated with the RTI (return from interrupt) instruction. I found the NXT-G backdoor variables by examining a binary dump of the NXT editor resources and found the variable names in the string table next to the standard "Logic 1", "Number 1" variables, etc., so I just took a guess at their functionality from their names. It took several system crashes to zero in on the details..., but the good news is that the standard RAM is restored each time you reboot, and you can't trash the ROM.

2. No idea about LabView, haven't used that.

3. It could depend on the firmware version, since I have hard coded some memory addresses. I use firmware 1.01 to make sure none of the projects I post depend on later fixes, but I would guess that probably none of the low memory addresses used here would have changed in the updates, just higher-level stuff.

4-6. I don't know of any existing documentation (and I'm sure LEGO wouldn't let us have it even if there was any), so it will probably have to be puzzled together. I'm sure there is more to discover.

Aaron said...

Great utility, works perfectly, but for some reason, the lat/long readings get reversed when my microwave is on. Is there a reason for this? I know microwaves check for an unused 2.4 GHz frequency prior to cooking - is your program checking for and responding to 8U115h.1T ACK/NACK pings as per RFC? In the mean time I'll just keep my microwave off ;)

Jonathan Daudelin said...

Tom,

I don't think it will help in FLL... you most likely won't be able to use it since bluetooth is not allowed at tournaments. Also, I doubt it would be anywhere near accurate enough for a small area like the FLL field.

-Jonathan

Buckskinn92 said...

Wow, that is really cool. I'll have to try it. I do geocaching which is an online/outdoor game that uses a GPSr and the www.geocaching.com. I doubt this will be accurate enough, but is still pretty cool.

Buckskinn92

Zlite said...

This is genius! Now if only you can reprogram the BT to listen for alien transmissions we can use it for SETI@Home, too ;-)

Guy Ziv said...

Dave,

Can you post a dump of DMA addresses and system traps?

Guy

Steve said...

Dave,
I just had a look at the code, and I'm quite sure when I saw it yesterday, I didn't appreciate the amount of work that went into creating that program.

Very well done.

Steve

Dave Parker said...

OK, the GPS coordinates are not very accurate... Actually, they are totally fake. This was an April Fool's gag. And the DOS micro-kernel is fake too, and the NXT-G backdoor tricks are... sadly,... fake. But you NXT-G programmers out there still may find it a bit challenging to explain the results you see on screen. See the challenge at http://www.nxtprograms.com/fake_GPS/index.html.

Jim Kelly said...

Enjoyed reading all the posts - thanks for the post, Dave!

Jim

Anonymous said...

At german mindstormsforum.de we had a similar article, it's name is NXTav, an antivirus program for a 1.april virus, detected early in the morning... :-)

NXTav was downloaded more than 50 times... ;-(

chrimo

Anonymous said...

I don't get it.

Related Posts Plugin for WordPress, Blogger...