Capturing Cozmo Communication

Overview

Capturing the communication between the Cozmo app and Cozmo is very valuable for understanding how Cozmo works.

One way to achieve this is by placing a Linux machine between the two as shown on the following diagram.

+---------------+         Wi-Fi          +---------------+          Wi-Fi         +---------------+
|               |                        |               |                        |               |
| Mobile Device | ---------------------> | Linux Machine | ---------------------> |     Cozmo     |
|               |                  wlan1 |               | wlan0                  |               |
+---------------+                        +---------------+                        +---------------+

The Linux machine acts as a Wi-Fi client on one interface (wlan0) and associates with Cozmo. It acts as a Wi-Fi access point (AP) on the other interface and allows a mobile device, running the Cozmo app to associate with it.

With appropriate network configuration such a setup allows capturing Cozmo communication in pcap files using tcpdump.

Prerequisites

• Cozmo robot
• Mobile device with the Cozmo app
• (Ubuntu) Linux machine with 2 Wi-Fi interfaces (e.g. a Raspberry Pi)
• The following tools installed:
  • wireless-tools
  • wpa_supplicant
  • hostapd
  • dnsmasq
  • tcpdump

Connecting to Cozmo

Ensure that wireless tools and wpa_supplicant are installed.

$ sudo apt-get install wireless-tools wpasupplicant

Wake up Cozmo but placing it on the charging platform.

Make Cozmo display it’s Wi-Fi PSK key by rising and lowering its lift.

Get Cozmo’s Wi-Fi SSID by scanning for Wi-Fi devices:

$ sudo iwlist wlan0 scan
wlan0     Scan completed :
          Cell 01 - Address: 5E:CF:7F:XX:XX:XX
                    ESSID:"Cozmo_XXXXXX"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
                    Bit Rates:54 Mb/s
                    Extra:rsn_ie=30180100000fac020200000fac04000fac020100000fac020000
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    Quality=100/100  Signal level=100/100  

Open wpa_supplicant’s configuration file:

$ sudo vi /etc/wpa_supplicant/wpa_supplicant.conf

Configure wpa_supplicant to automatically connect to Cozmo by adding the following:

network={
    ssid="Cozmo_XXXXXX"
    psk="XXXXXXXXXXXX"
}

Load the new configuration (or reboot):

$ sudo wpa_cli -i wlan0 reconfigure
OK

At this point the Linux machine should be associated with Cozmo:

$ ip addr
...
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 80:1f:02:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.172/24 brd 172.31.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::1d4b:9d3b:c6f0:f5b1/64 scope link 
       valid_lft forever preferred_lft forever

Cozmo should respond to ping:

$ ping 172.31.1.1
PING 172.31.1.1 (172.31.1.1) 56(84) bytes of data.
64 bytes from 172.31.1.1: icmp_seq=1 ttl=128 time=1.94 ms
64 bytes from 172.31.1.1: icmp_seq=2 ttl=128 time=2.28 ms
...

Masquerading as a Cozmo

Install hostapd and dnsmasq:

$ sudo apt-get install hostapd dnsmasq

Edit dhcpdcd`s configuration file:

$ sudo vi /etc/dhcpcd.conf

Disable wpa_supplicant on wlan1 and configure a static IP address by adding the following:

interface wlan1
nohook wpa_supplicant
static ip_address=192.168.50.1/24

Edit dnsmasq’s configuration file:

$ sudo vi /etc/dnsmasq.conf

Configure DHCP on wlan1 by adding the following:

interface=wlan1
dhcp-range=192.168.50.50,192.168.50.100,255.255.255.0,24h

Restart dnsmasq

$ sudo systemctl start dnsmasq

Create a configuration file for hostapd:

$ sudo vi /etc/hostapd/hostapd.conf 

Configure a Wi-Fi AP with WPA2 PSK on wlan1 by adding the following:

interface=wlan1
hw_mode=g
channel=1
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=Cozmo_111111
wpa_passphrase=XXXXXXXXXXXX

The SSID should be different from Cozmo’s SSID and should follow the form Cozmo_XXXXXX, where XXXXXX are upper-case hexadecimal digits as this is what the Cozmo app looks for.

The passphrase should consist of exactly 12 upper-case hexadecimal digits as this is what the Cozmo app expects.

Edit /etc/default/hostapd:

$ sudo vi /etc/default/hostapd

Configure the newly created configuration file:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Enable and start hostapd:

$ sudo systemctl unmask hostapd
$ sudo systemctl enable hostapd
$ sudo systemctl start hostapd

Ensure that IP forwarding is enabled on boot:

$ sudo vi /etc/sysctl.conf

The following line should be uncommented:

net.ipv4.ip_forward=1

Ensure that IP forwarding is enabled:

$ sudo sysctl net.ipv4.ip_forward=1

The Cozmo app always tries to communicate with Cozmo using the IP address 172.31.1.1 .

Configure masquerading on wlan0 so that packets, coming from the Cozmo app, with source IP in the range 192.168.50.0/24, reach Cozmo with the wlan0 IP address of the Linux machine.

$ sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

This is necessary, because Cozmo only responds to UDP packets with source IP address in the range 172.31.1.0/24 .

Capturing Communication

Ensure that tcpdump is installed:

$ sudo apt-get install tcpdump

At this point, it should be possible to capture Cozmo communication using tcpdump:

$ sudo tcpdump -i wlan0 -w cozmo.pcap

Connect to cozmo from the app. The app should find at least 2 Cozmos (one being the masqueraded Linux machine) and a selection screen should show up.

The captured PCAP file can be analyzed with Wireshark or with pycozmo_dump.py.