Jump to content

Cow Milking Robot Hacks/Mods X11


Legomaniac

Recommended Posts

So I'm a dairy farmer, and a couple years ago we bought a pair of Lely A4 Astronaut milking robots. They work great and they milk cows pretty well but there are a few things that they don't let you do out of the box. 

Now for the cool part. They run Linux! I'm not exactly sure what's going on behind the scenes but according to their service techs the robot has a built in tablet running like Android 2 or something awful and ancient. Here's a screenshot. http://imgur.com/a/6CmiQ

The robots are connected to a LAN. I fired up a port scanner and found an open  VNC port, but unfortunately it is view only:. All is not lost however, Port 6000 is open! (and also unsecured) That's how I got this screenshot, Using
xwd -root -screen -silent -display 10.4.1.102:0 > screenshot.xwd

What I am asking you guys for help on, is taking over that X session remotely, so I can click those buttons on the screen from, well, not in front of the screen.  
I've spent about 5 hours reading but X11 terminology is really starting to wear by brain out, and it seems that 99.9% of examples deal with either SSH tunnelling (not an option) or using Xnest and XDMCP to start a new login session remotely, which is also not what I want to do. 

I think it seems like Xnest is along the lines of what I want, but the critical piece here is to connect to an existing "Client -Server session" ? Is that correct terminology?

TL;DR: Port 6000 is open, I can grab frames from it but my goals are 1) stream it live to my PC. 2) use mouse&keyboard for input - Ideally get terminal access. There is what I suspect is a dropbear terminal running but Hydra hasn't produced any results yet on that front. Perhaps I need a dutch wordlist -_-

Any input you guys have would be greatly appreciated. Will provide robot or cow pics on request

Andrew

Link to comment
Share on other sites

  • Replies 62
  • Created
  • Last Reply

Fun and unusual project! It interested me enough to find and read a bit of the operating manual https://www.lely.com/techdocs/astronaut/a4/

In the T4C (Time for Cow) section there is some info on software and network. you probably have this already but I put here in case you hadn’t seen it or others are interested. There are also many lely android apps in the play store maybe one of those is a remote connect. I didn’t see any default passwords in the manual but I did see the system is using SQL.

never thought I’d see a milking machine in hak5 forums :)

edit: I think the e-link part is what you looking at.

Link to comment
Share on other sites

Hey Just_a_User! Thanks for the reply. I do have that information already indeed. The "server" that is running T4C is physically accessible to us/me and I have snooped around it some. It is running IIS7 and whatever SQL server microsoft uses. I would really really really like to have raw SQL access too, so if you have any pointers on how to get those that would actually be pretty sweet too.  Here's a port scan of the server

Not shown: 984 closed ports                                                                                     
PORT     STATE SERVICE                                                                                          
80/tcp   open  http                                                                                             
135/tcp  open  msrpc                                                                                            
443/tcp  open  https                                                                                            
445/tcp  open  microsoft-ds                                                                                     
1025/tcp open  NFS-or-IIS                                                                                       
1026/tcp open  LSA-or-nterm                                                                                     
1027/tcp open  IIS                                                                                              
1028/tcp open  unknown                                                                                          
1047/tcp open  neod1                                                                                            
1050/tcp open  java-or-OTGfileshare                                                                             
2222/tcp open  EtherNetIP-1                                                                                     
2869/tcp open  icslap                                                                                           
4242/tcp open  vrml-multi-use                                                                                   
5800/tcp open  vnc-http                                                                                         
5900/tcp open  vnc                                                                                              
6969/tcp open  acmsoda  

Its running a VNC server so I can access it over the LAN, T4C runs on port 80 and 443. 2222 is an ssh server(that I'm logged in over) Port 6969 is used by softEther VPN client (I have this machine connected to a VPN server I run on AWS, running NGINX as a reverse proxy ) so that I can access T4C on the public internet Note: I'm a bad person and mostly use security by obscurity so I won't tell you the IP 

Link to comment
Share on other sites

first and i cant stress this enough - I’m really not the person to help you. but maybe others reading this will chip in. I’m just curious.

but having said that  I have a couple of thoughts: -

1 hour ago, Legomaniac said:

The "server" that is running T4C is physically accessible to us/me

if you have physical access are there exposed ports? If not exposed maybe you have to open the enclosure. If there is a serial it might give you further access. just wondering how the manufacturers of the system initially set it up.

Quote

2222 is an ssh server(that I'm logged in over)

when you ssh in are you root? if so maybe the config files for the vnc could be overwritten or modified.

Either way good luck and I will be watching to see if and how this progresses.

Link to comment
Share on other sites

Oh sorry, I should've explained the architecture more. There's a windows 7 PC that runs Microsoft IIS7, and the SQL server and such. <That's the machine I have SSH and VNC access to. That's the system that runs the web interface so we can see how much milk our cows are making, and stuff like that. 

 

After every time it milks a cow, the robot sends an update over the LAN with the information it got, and then the server updates the web interface. I have about an hour worth of packets captured with wireshark but I can't really make sense of it. If anyone shows up that has experience with packet capturing I'll post that too.

The robots themselves do have an open ssh port, but I have no information on how to connect. I'm running hydra against it but so far no dice. The generic passwords file isn't really good enough. The company probably programs them all with the same password, because each robot runs the same firmware, but even the service techs don't know what it is.

Thanks for your interest. Keeping it bumped is appreciated :) 

 

Link to comment
Share on other sites

Update: I have managed to accomplish the exact OPPOSITE of what I want.

if I open a terminal and type export DISPLAY=<IP here>

then: xterm, an xterm appears on the robot screen. 

So for those who are unsure about what I want, Its the opposite of this. I want the robot screen on my laptop

Link to comment
Share on other sites

I have no terminal access on robot. There is no built in command line interface on the robot. I have no ssh credentials for it either.

I am connecting via a Kali linux laptop on the same LAN. Since my last update I have made a bit of progress. (still no terminal though)

I have discovered that I can use xdotool (on my linux laptop, after I have done export DISPLAY= 10.4.1.101:0)

to move the mouse pointer and click stuff.  It is pretty rudimentary but it does allow remote access. Since the buttons are always in the same place on the screen I can write scripts to reliably click on them. Using this I have taken the robot in and out of operation (which isn't normally doable remotely) and I even gave a cow some extra feed :) 

Link to comment
Share on other sites

  • 2 months later...

Do you have an update on your situation? Fellow dairy farmer here trying to get the same thing accomplished... hate when I have to go back out and put it back in opperation after I change a filter and forget to say filter has been exchanged...

Link to comment
Share on other sites

On 14/05/2017 at 9:39 PM, CheeseBall said:

Do you have an update on your situation? Fellow dairy farmer here trying to get the same thing accomplished... hate when I have to go back out and put it back in opperation after I change a filter and forget to say filter has been exchanged...

I am wondering whether you mean telling the CRS+ that you changed the filter, or whether it is on your robot screen? So far I only have access to the touchpad on the robot itself, not the CRS. I'm working on it, though. 

Link to comment
Share on other sites

  • 4 weeks later...
On 2017-3-5 at 0:56 PM, Legomaniac said:

So I'm a dairy farmer, and a couple years ago we bought a pair of Lely A4 Astronaut milking robots. They work great and they milk cows pretty well but there are a few things that they don't let you do out of the box. 

...

Andrew

Hello Andrew ,

if i read the post correct, You want acces to the E(X)-link on your home pc/ portable Tablet ?
so when you need to modify some settings that you now only can do in on the E(X)-link you can do it remotly ?

Link to comment
Share on other sites

  • 2 weeks later...
  • 2 weeks later...
  • 4 weeks later...

It's more simpel then you think. At the XLink of your Robot is an USB Port.
That's all you need. Just go there an connect a keyboard. Then you can open a terminal.
Ther is allredy VNC Insalled you just need to chage it from view only.

Thats it.

Link to comment
Share on other sites

  • 2 weeks later...
  • 2 weeks later...

Does "alt+f2" bring up a prompt to run/search? If so, type term, terminal or xterm, or whatever the default OS terminal is.

Link to comment
Share on other sites

On 8/2/2017 at 5:40 PM, Help4Tec said:

It's more simpel then you think. At the XLink of your Robot is an USB Port.
That's all you need. Just go there an connect a keyboard. Then you can open a terminal.
Ther is allredy VNC Insalled you just need to chage it from view only.

Thats it.

Hey guys! Sorry for the delay I didn't realize there was this much demand. I do have a semi-useful (functional but cludgey) remote access to the robot. Now that Help4Tec has said to just plug in a keyboard I am going to try that and I will post a video showing what happens.

Thanks everyone!

Link to comment
Share on other sites

On 29-8-2017 at 6:20 AM, Legomaniac said:

Hey guys! Sorry for the delay I didn't realize there was this much demand. I do have a semi-useful (functional but cludgey) remote access to the robot. Now that Help4Tec has said to just plug in a keyboard I am going to try that and I will post a video showing what happens.

Thanks everyone!

And how did it go ?

 
Link to comment
Share on other sites

 Hi Everyone, update time. I plugged in a keyboard and it did do interesting things, sort of. Ctrl + Alt + FX (X != 2 ) directs you to a console login. I tried all the obvious-ish default passwords. Lely, Password, 123456, etc. It is quite slow on the password denied response, so perhaps I need to buy a rubber ducky and let it go all night long or something. The good news is it does keep milking cows while messing with it, you just have to remember to CtrlAltF2 before you unplug the keyboard. 

Video: 

I haven't done a hard reboot, I think that's the next step, remove power and see what shows up during boot. 

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...