NXT as GPS Receiver
I have been reading through a disassembly of the NXT firmware and ROMs, and discovered a couple of tricks that made this app possible. It turns out that it is possible to reprogram the Bluetooth radio receiver to receive GPS frequencies, which allows you to implement a simple GPS position readout, even from this NXT-G program! The reception is not very strong (I had to stand outside in a large clear area), but it was able to determine basic position data for me.
Key to getting this to work: I was surprised to discover that, embedded in the ROMs, there is a DOS (!) micro-kernel, which is apparently only used as a debug console for attaching a remote debugging host. However, if you can get a process running under this kernel then you have full access to all of the internal hardware registers, including the Bluetooth controller, which allows you to remap the radio frequencies.
Then I discovered some "back door" hooks in NXT-G (also apparently there as debug hooks) that allow access to system traps and basic DMA (memory) access, by reading and writing to variables with special names. This made this actually possible from NXT-G, including the process of getting the app to run under the debug micro-kernel. Check out the program above to see how it is done. There are probably a number of other interesting things you could try using these hooks!
Comments
Knowing nothing about GPS, I went outside and ran your program.
I came up with the following coordinates:
55.72N
9.12E
These are, of course, the coordinates for Billund, Denmark. :)
So, how can we neophytes use it to find our own locations?
Thanks,
Rick
If you are getting 55.72 N and 9.12 E, then that just means that the signal strength is not good enough. Try getting farther away from any source of interference (e.g. cordless phones, car batteries) and hold the NXT up high over your head.
To keep the program simple I didn't put any error checking in for weak signals, and it was easiest to zero the coordinates at Billund given the way LEGO's radio controller works, so these results are essentially like (0, 0) -- no data.
I'll climb the town's water tower tonight, to get a better reading. :)
(JUST KIDDING, KIDS--Climbing the town's water tower will get you arrested. And you'll be cleaning the rest rooms in City Hall for a year, as part of your community-service sentence).
As always, your project worked perfectly! Documentation was very clear.
It took me a while to get a strong enough channel.
Jelle and Jurre reminded me to do the reading in open field instead of in our house.
We got a perfect:
51.82N
4.15E
in Hellevoetsluis, Netherlands!
Smile,
Jilles, Jelle & Jurre Groenendijk
This is astonishing! A couple of immediate questions come into my mind:
1. How did you find these back-doors?
2. Are there equivalent back doors in Labview toolkit?
3. Do these depend crucially on firmware version?
4. Where can one find a list of all DMAs and system traps?
5. Where is this micro-kernel documented?
6. What other back doors are there in NXT-G?
This starts looking like old RCX hack-a-firmware days...
Guy Ziv
1. Being an old DOS hack, I recognized the DOS kernel and system traps by noticing a clumping of procedures terminated with the RTI (return from interrupt) instruction. I found the NXT-G backdoor variables by examining a binary dump of the NXT editor resources and found the variable names in the string table next to the standard "Logic 1", "Number 1" variables, etc., so I just took a guess at their functionality from their names. It took several system crashes to zero in on the details..., but the good news is that the standard RAM is restored each time you reboot, and you can't trash the ROM.
2. No idea about LabView, haven't used that.
3. It could depend on the firmware version, since I have hard coded some memory addresses. I use firmware 1.01 to make sure none of the projects I post depend on later fixes, but I would guess that probably none of the low memory addresses used here would have changed in the updates, just higher-level stuff.
4-6. I don't know of any existing documentation (and I'm sure LEGO wouldn't let us have it even if there was any), so it will probably have to be puzzled together. I'm sure there is more to discover.
I don't think it will help in FLL... you most likely won't be able to use it since Bluetooth is not allowed at tournaments. Also, I doubt it would be anywhere near accurate enough for a small area like the FLL field.
-Jonathan
Buckskinn92
Can you post a dump of DMA addresses and system traps?
Guy
I just had a look at the code, and I'm quite sure when I saw it yesterday, I didn't appreciate the amount of work that went into creating that program.
Very well done.
Steve
Jim
NXTav was downloaded more than 50 times... ;-(
chrimo