Legomaniac

Cow Milking Robot Hacks/Mods X11

14 posts in this topic

So I'm a dairy farmer, and a couple years ago we bought a pair of Lely A4 Astronaut milking robots. They work great and they milk cows pretty well but there are a few things that they don't let you do out of the box. 

Now for the cool part. They run Linux! I'm not exactly sure what's going on behind the scenes but according to their service techs the robot has a built in tablet running like Android 2 or something awful and ancient. Here's a screenshot. http://imgur.com/a/6CmiQ

The robots are connected to a LAN. I fired up a port scanner and found an open VNC port, but unfortunately it is view only. All is not lost however: port 6000 is open (and also unsecured)! That's how I got this screenshot, using
xwd -root -screen -silent -display 10.4.1.102:0 > screenshot.xwd

What I am asking you guys for help on, is taking over that X session remotely, so I can click those buttons on the screen from, well, not in front of the screen.  
I've spent about 5 hours reading but X11 terminology is really starting to wear my brain out, and it seems that 99.9% of examples deal with either SSH tunnelling (not an option) or using Xnest and XDMCP to start a new login session remotely, which is also not what I want to do.

It seems like Xnest is along the lines of what I want, but the critical piece here is connecting to an existing "client-server session"? Is that correct terminology?

TL;DR: Port 6000 is open, I can grab frames from it, but my goals are 1) stream it live to my PC, 2) use mouse & keyboard for input, ideally get terminal access. There is what I suspect is a dropbear terminal running but Hydra hasn't produced any results yet on that front. Perhaps I need a Dutch wordlist -_-

Any input you guys have would be greatly appreciated. Will provide robot or cow pics on request

Andrew
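
Added example, not from this thread or from Lely: an audit check for the condition the first post describes, a display on TCP 6000 that accepts clients without any authorization. It sends the X11 connection-setup request with empty authorization name and data, exactly as a client with no cookie would, and decodes the server's reply: a Success reply means any host on the LAN can attach (and run xwd, xterm or xdotool against the screen), a Failed reply with "No protocol specified" means xhost/xauth access control is in force. The header layout follows the X11 core protocol; the two sample replies and the 192.0.2.10 address are constructed for the example. On a stock X.Org server the fix is to start it with -nolisten tcp, or at minimum keep the xhost list empty and require an MIT-MAGIC-COOKIE-1 via xauth.

```python
import socket
import struct
import sys

# Added example, not from the thread.  It implements the first step of the X11
# core protocol (connection setup) so an operator can audit whether a display
# on TCP 6000+N accepts clients that present no authorization at all, which is
# the condition that lets any LAN host run xwd/xdotool against it.


def build_setup_request() -> bytes:
    """Connection-setup request: little-endian byte order ('l'), protocol
    11.0, zero-length authorization name and data (i.e. no credentials)."""
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(data: bytes) -> dict:
    """Decode the server's setup reply (status byte 0=Failed, 1=Success,
    2=Authenticate) and pull out the fields that matter for the audit."""
    if len(data) < 8:
        raise ValueError("reply shorter than the 8-byte setup header")
    status = data[0]
    major, minor, extra_words = struct.unpack_from("<HHH", data, 2)
    reply = {"major": major, "minor": minor}
    if status == 0:
        # Failed: byte 1 holds the reason length; the reason text follows the header.
        reason_len = data[1]
        reply["status"] = "failed"
        reply["reason"] = data[8:8 + reason_len].decode("latin-1")
    elif status == 1:
        # Success: 32 fixed bytes follow the header; the vendor string starts at
        # offset 40 and its length sits at offset 24 (formats/screens come after it).
        if len(data) < 40:
            raise ValueError("truncated Success reply")
        vendor_len = struct.unpack_from("<H", data, 24)[0]
        reply["status"] = "success"
        reply["vendor"] = data[40:40 + vendor_len].decode("latin-1")
    elif status == 2:
        # Authenticate: the server wants another round of authorization data.
        reply["status"] = "authenticate"
        reply["reason"] = data[8:8 + extra_words * 4].rstrip(b"\0").decode("latin-1")
    else:
        raise ValueError(f"unknown setup status byte {status}")
    return reply


def is_unauthenticated(reply: dict) -> bool:
    """True when the display let a client with no credentials in."""
    return reply["status"] == "success"


def probe_display(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Connect to host:6000+display with no credentials and classify the reply.
    The host is whatever the operator passes in; nothing is hard-coded here."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        data = sock.recv(4096)
    return parse_setup_reply(data)


# Constructed sample replies for offline use (real replies carry the same
# header layout; a real Success reply continues with pixmap formats and screens).
def sample_failed_reply() -> bytes:
    reason = b"No protocol specified"          # what X.Org returns to an unlisted host
    pad = (-len(reason)) % 4
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, (len(reason) + pad) // 4) \
        + reason + b"\0" * pad


def sample_success_reply() -> bytes:
    vendor = b"The X.Org Foundation"
    pad = (-len(vendor)) % 4
    fixed = struct.pack("<IIIIHHBBBBBBBB4x",
                        12001000,   # release-number
                        0x400000,   # resource-id-base
                        0x3FFFFF,   # resource-id-mask
                        256,        # motion-buffer-size
                        len(vendor),
                        65535,      # maximum-request-length
                        1, 7,       # number of screens, number of formats
                        0, 0,       # image-byte-order, bitmap-format-bit-order
                        32, 32,     # scanline-unit, scanline-pad
                        8, 255)     # min-keycode, max-keycode
    header = struct.pack("<BxHHH", 1, 11, 0, (len(fixed) + len(vendor) + pad) // 4)
    return header + fixed + vendor + b"\0" * pad


if __name__ == "__main__":
    for name, raw in (("failed", sample_failed_reply()), ("success", sample_success_reply())):
        r = parse_setup_reply(raw)
        print(f"{name:8s} -> {r['status']:12s} open={is_unauthenticated(r)} "
              f"{r.get('reason', r.get('vendor'))}")
    if len(sys.argv) > 1:                      # e.g. python3 x11_audit.py 192.0.2.10
        print(probe_display(sys.argv[1]))
```

Run without arguments it decodes the two constructed replies; with a host argument it probes that host's display :0. A "success" result is the state the first post found; after adding -nolisten tcp (or an xhost/xauth policy) the same probe should come back "failed".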


Posted (edited)

Fun and unusual project! It interested me enough to find and read a bit of the operating manual https://www.lely.com/techdocs/astronaut/a4/

In the T4C (Time for Cow) section there is some info on software and network. You probably have this already, but I put it here in case you hadn't seen it or others are interested. There are also many Lely Android apps in the Play Store; maybe one of those is a remote connect. I didn't see any default passwords in the manual but I did see the system is using SQL.

Never thought I'd see a milking machine in Hak5 forums :)

Edit: I think the e-link part is what you're looking at.

Edited by Just_a_User

Hey Just_a_User! Thanks for the reply. I do have that information already indeed. The "server" that is running T4C is physically accessible to us/me and I have snooped around it some. It is running IIS7 and whatever SQL server Microsoft uses. I would really really really like to have raw SQL access too, so if you have any pointers on how to get that, it would actually be pretty sweet too. Here's a port scan of the server:

Not shown: 984 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1047/tcp open  neod1
1050/tcp open  java-or-OTGfileshare
2222/tcp open  EtherNetIP-1
2869/tcp open  icslap
4242/tcp open  vrml-multi-use
5800/tcp open  vnc-http
5900/tcp open  vnc
6969/tcp open  acmsoda

It's running a VNC server so I can access it over the LAN. T4C runs on ports 80 and 443. 2222 is an SSH server (that I'm logged in over). Port 6969 is used by the SoftEther VPN client (I have this machine connected to a VPN server I run on AWS, running NGINX as a reverse proxy) so that I can access T4C on the public internet. Note: I'm a bad person and mostly use security by obscurity, so I won't tell you the IP.


First, and I can't stress this enough: I'm really not the person to help you. But maybe others reading this will chip in. I'm just curious.

But having said that, I have a couple of thoughts:

1 hour ago, Legomaniac said:

The "server" that is running T4C is physically accessible to us/me

If you have physical access, are there exposed ports? If not exposed, maybe you have to open the enclosure. If there is a serial port it might give you further access. Just wondering how the manufacturers of the system initially set it up.

Quote

2222 is an ssh server(that I'm logged in over)

When you SSH in, are you root? If so, maybe the config files for the VNC could be overwritten or modified.

Either way good luck and I will be watching to see if and how this progresses.


Posted (edited)

Oh sorry, I should've explained the architecture more. There's a Windows 7 PC that runs Microsoft IIS7, the SQL server and such. That's the machine I have SSH and VNC access to. That's the system that runs the web interface so we can see how much milk our cows are making, and stuff like that.

After every time it milks a cow, the robot sends an update over the LAN with the information it got, and then the server updates the web interface. I have about an hour's worth of packets captured with Wireshark but I can't really make sense of it. If anyone shows up that has experience with packet capturing I'll post that too.

The robots themselves do have an open SSH port, but I have no information on how to connect. I'm running Hydra against it but so far no dice. The generic passwords file isn't really good enough. The company probably programs them all with the same password, because each robot runs the same firmware, but even the service techs don't know what it is.

Thanks for your interest. Keeping it bumped is appreciated :)

Edited by Legomaniac

Update: I have managed to accomplish the exact OPPOSITE of what I want.

If I open a terminal and type export DISPLAY=<IP here>

then xterm, an xterm appears on the robot screen.

So for those who are unsure about what I want, it's the opposite of this: I want the robot screen on my laptop.


Have you tried:
uname -a
lsb_release -a
file /bin/ls
df -h

It all kinda depends what is already installed on it too.

5 hours ago, kdodge said:

Have you tried:
uname -a
lsb_release -a
file /bin/ls
df -h

It all kinda depends what is already installed on it too.

I have no terminal access on the robot.


When you say "open a terminal and type export DISPLAY=", from what device are you doing that? The Windows machine? And are you in PuTTY or HyperTerminal?


I have no terminal access on robot. There is no built in command line interface on the robot. I have no ssh credentials for it either.

I am connecting via a Kali Linux laptop on the same LAN. Since my last update I have made a bit of progress (still no terminal though).

I have discovered that I can use xdotool (on my Linux laptop, after I have done export DISPLAY=10.4.1.101:0) to move the mouse pointer and click stuff. It is pretty rudimentary but it does allow remote access. Since the buttons are always in the same place on the screen I can write scripts to reliably click on them. Using this I have taken the robot in and out of operation (which isn't normally doable remotely) and I even gave a cow some extra feed :)


Do you have an update on your situation? Fellow dairy farmer here trying to get the same thing accomplished... hate when I have to go back out and put it back in operation after I change a filter and forget to say the filter has been exchanged...


Salt of the earth you people are.

On 14/05/2017 at 9:39 PM, CheeseBall said:

Do you have an update on your situation? Fellow dairy farmer here trying to get the same thing accomplished... hate when I have to go back out and put it back in operation after I change a filter and forget to say the filter has been exchanged...

I am wondering whether you mean telling the CRS+ that you changed the filter, or whether it is on your robot screen? So far I only have access to the touchpad on the robot itself, not the CRS. I'm working on it, though. 


Yes, just at the local robot. Each robot has a separate filter and it times out user interaction if it is left halfway through filter exchange.
