Legomaniac Posted March 5, 2017 Posted March 5, 2017 So I'm a dairy farmer, and a couple years ago we bought a pair of Lely A4 Astronaut milking robots. They work great and they milk cows pretty well but there are a few things that they don't let you do out of the box. Now for the cool part. They run Linux! I'm not exactly sure what's going on behind the scenes but according to their service techs the robot has a built in tablet running like Android 2 or something awful and ancient. Here's a screenshot. http://imgur.com/a/6CmiQ The robots are connected to a LAN. I fired up a port scanner and found an open VNC port, but unfortunately it is view only:. All is not lost however, Port 6000 is open! (and also unsecured) That's how I got this screenshot, Using xwd -root -screen -silent -display 10.4.1.102:0 > screenshot.xwd What I am asking you guys for help on, is taking over that X session remotely, so I can click those buttons on the screen from, well, not in front of the screen. I've spent about 5 hours reading but X11 terminology is really starting to wear by brain out, and it seems that 99.9% of examples deal with either SSH tunnelling (not an option) or using Xnest and XDMCP to start a new login session remotely, which is also not what I want to do. I think it seems like Xnest is along the lines of what I want, but the critical piece here is to connect to an existing "Client -Server session" ? Is that correct terminology? TL;DR: Port 6000 is open, I can grab frames from it but my goals are 1) stream it live to my PC. 2) use mouse&keyboard for input - Ideally get terminal access. There is what I suspect is a dropbear terminal running but Hydra hasn't produced any results yet on that front. Perhaps I need a dutch wordlist -_- Any input you guys have would be greatly appreciated. Will provide robot or cow pics on request Andrew
Just_a_User Posted March 5, 2017 Posted March 5, 2017 Fun and unusual project! It interested me enough to find and read a bit of the operating manual https://www.lely.com/techdocs/astronaut/a4/ In the T4C (Time for Cow) section there is some info on software and network. you probably have this already but I put here in case you hadn’t seen it or others are interested. There are also many lely android apps in the play store maybe one of those is a remote connect. I didn’t see any default passwords in the manual but I did see the system is using SQL. never thought I’d see a milking machine in hak5 forums :) edit: I think the e-link part is what you looking at.
Legomaniac Posted March 5, 2017 Author Posted March 5, 2017 Hey Just_a_User! Thanks for the reply. I do have that information already indeed. The "server" that is running T4C is physically accessible to us/me and I have snooped around it some. It is running IIS7 and whatever SQL server microsoft uses. I would really really really like to have raw SQL access too, so if you have any pointers on how to get those that would actually be pretty sweet too. Here's a port scan of the server Not shown: 984 closed ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 443/tcp open https 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 1026/tcp open LSA-or-nterm 1027/tcp open IIS 1028/tcp open unknown 1047/tcp open neod1 1050/tcp open java-or-OTGfileshare 2222/tcp open EtherNetIP-1 2869/tcp open icslap 4242/tcp open vrml-multi-use 5800/tcp open vnc-http 5900/tcp open vnc 6969/tcp open acmsoda Its running a VNC server so I can access it over the LAN, T4C runs on port 80 and 443. 2222 is an ssh server(that I'm logged in over) Port 6969 is used by softEther VPN client (I have this machine connected to a VPN server I run on AWS, running NGINX as a reverse proxy ) so that I can access T4C on the public internet Note: I'm a bad person and mostly use security by obscurity so I won't tell you the IP
Just_a_User Posted March 5, 2017 Posted March 5, 2017 first and i cant stress this enough - I’m really not the person to help you. but maybe others reading this will chip in. I’m just curious. but having said that I have a couple of thoughts: - 1 hour ago, Legomaniac said: The "server" that is running T4C is physically accessible to us/me if you have physical access are there exposed ports? If not exposed maybe you have to open the enclosure. If there is a serial it might give you further access. just wondering how the manufacturers of the system initially set it up. Quote 2222 is an ssh server(that I'm logged in over) when you ssh in are you root? if so maybe the config files for the vnc could be overwritten or modified. Either way good luck and I will be watching to see if and how this progresses.
Legomaniac Posted March 6, 2017 Author Posted March 6, 2017 Oh sorry, I should've explained the architecture more. There's a windows 7 PC that runs Microsoft IIS7, and the SQL server and such. <That's the machine I have SSH and VNC access to. That's the system that runs the web interface so we can see how much milk our cows are making, and stuff like that. After every time it milks a cow, the robot sends an update over the LAN with the information it got, and then the server updates the web interface. I have about an hour worth of packets captured with wireshark but I can't really make sense of it. If anyone shows up that has experience with packet capturing I'll post that too. The robots themselves do have an open ssh port, but I have no information on how to connect. I'm running hydra against it but so far no dice. The generic passwords file isn't really good enough. The company probably programs them all with the same password, because each robot runs the same firmware, but even the service techs don't know what it is. Thanks for your interest. Keeping it bumped is appreciated :)
Legomaniac Posted March 6, 2017 Author Posted March 6, 2017 Update: I have managed to accomplish the exact OPPOSITE of what I want. if I open a terminal and type export DISPLAY=<IP here> then: xterm, an xterm appears on the robot screen. So for those who are unsure about what I want, Its the opposite of this. I want the robot screen on my laptop
Legomaniac Posted March 6, 2017 Author Posted March 6, 2017 5 hours ago, kdodge said: have you tried: uname -a lsb_release -a file /bin/ls df -h it all kinda depends what is already installed on it too I have no terminal access on the robot.
Legomaniac Posted March 8, 2017 Author Posted March 8, 2017 I have no terminal access on robot. There is no built in command line interface on the robot. I have no ssh credentials for it either. I am connecting via a Kali linux laptop on the same LAN. Since my last update I have made a bit of progress. (still no terminal though) I have discovered that I can use xdotool (on my linux laptop, after I have done export DISPLAY= 10.4.1.101:0) to move the mouse pointer and click stuff. It is pretty rudimentary but it does allow remote access. Since the buttons are always in the same place on the screen I can write scripts to reliably click on them. Using this I have taken the robot in and out of operation (which isn't normally doable remotely) and I even gave a cow some extra feed :)
CheeseBall Posted May 15, 2017 Posted May 15, 2017 Do you have an update on your situation? Fellow dairy farmer here trying to get the same thing accomplished... hate when I have to go back out and put it back in opperation after I change a filter and forget to say filter has been exchanged...
Legomaniac Posted May 22, 2017 Author Posted May 22, 2017 On 14/05/2017 at 9:39 PM, CheeseBall said: Do you have an update on your situation? Fellow dairy farmer here trying to get the same thing accomplished... hate when I have to go back out and put it back in opperation after I change a filter and forget to say filter has been exchanged... I am wondering whether you mean telling the CRS+ that you changed the filter, or whether it is on your robot screen? So far I only have access to the touchpad on the robot itself, not the CRS. I'm working on it, though.
CheeseBall Posted May 23, 2017 Posted May 23, 2017 Yes just at the local robot, each robot has a separate filter and it times out user interaction if it is left half way through filter exchange.
LivingDodo Posted June 17, 2017 Posted June 17, 2017 On 2017-3-5 at 0:56 PM, Legomaniac said: So I'm a dairy farmer, and a couple years ago we bought a pair of Lely A4 Astronaut milking robots. They work great and they milk cows pretty well but there are a few things that they don't let you do out of the box. ... Andrew Hello Andrew , if i read the post correct, You want acces to the E(X)-link on your home pc/ portable Tablet ? so when you need to modify some settings that you now only can do in on the E(X)-link you can do it remotly ?
corbinmills73 Posted June 30, 2017 Posted June 30, 2017 Just stumbled across this thread while trying to do the same thing with our A4. Anybody ever figure something out?
user_1577 Posted July 10, 2017 Posted July 10, 2017 @Legomaniac this is exactly what I'm looking for, have you figured it out?
Help4Tec Posted August 2, 2017 Posted August 2, 2017 It's more simpel then you think. At the XLink of your Robot is an USB Port. That's all you need. Just go there an connect a keyboard. Then you can open a terminal. Ther is allredy VNC Insalled you just need to chage it from view only. Thats it.
LivingDodo Posted August 3, 2017 Posted August 3, 2017 close vncviewer and stop uvnc_service look ultravnc.ini and find this line LocalInputsDisabled=0 <-- read/write, control allowed LocalInputsDisabled=1 <-- read only, view only `
corbinmills73 Posted August 14, 2017 Posted August 14, 2017 How would I open a terminal once the keyboard is connected? Is there a keyboard shortcut of some kind?
corbinmills73 Posted August 23, 2017 Posted August 23, 2017 Just now, corbinmills73 said: CTRL+ALT+T does not work.
digip Posted August 23, 2017 Posted August 23, 2017 Does "alt+f2" bring up a prompt to run/search? If so, type term, terminal or xterm, or whatever the default OS terminal is.
Legomaniac Posted August 29, 2017 Author Posted August 29, 2017 On 8/2/2017 at 5:40 PM, Help4Tec said: It's more simpel then you think. At the XLink of your Robot is an USB Port. That's all you need. Just go there an connect a keyboard. Then you can open a terminal. Ther is allredy VNC Insalled you just need to chage it from view only. Thats it. Hey guys! Sorry for the delay I didn't realize there was this much demand. I do have a semi-useful (functional but cludgey) remote access to the robot. Now that Help4Tec has said to just plug in a keyboard I am going to try that and I will post a video showing what happens. Thanks everyone!
LivingDodo Posted September 4, 2017 Posted September 4, 2017 On 29-8-2017 at 6:20 AM, Legomaniac said: Hey guys! Sorry for the delay I didn't realize there was this much demand. I do have a semi-useful (functional but cludgey) remote access to the robot. Now that Help4Tec has said to just plug in a keyboard I am going to try that and I will post a video showing what happens. Thanks everyone! And how did it go ?
Legomaniac Posted September 11, 2017 Author Posted September 11, 2017 Hi Everyone, update time. I plugged in a keyboard and it did do interesting things, sort of. Ctrl + Alt + FX (X != 2 ) directs you to a console login. I tried all the obvious-ish default passwords. Lely, Password, 123456, etc. It is quite slow on the password denied response, so perhaps I need to buy a rubber ducky and let it go all night long or something. The good news is it does keep milking cows while messing with it, you just have to remember to CtrlAltF2 before you unplug the keyboard. Video: I haven't done a hard reboot, I think that's the next step, remove power and see what shows up during boot.
user_1577 Posted September 11, 2017 Posted September 11, 2017 @Legomaniac I was able to login with username: lely password: lely no root access though
Recommended Posts
Archived
This topic is now archived and is closed to further replies.