Adventures in Pwning/Owning your own robots

I made a thread years ago about my milking robots, and my attempt to get more “Bare metal” type access to the system for remote management purposes (and for “science”)

To avoid Necro-ing that thread, and considering I just made a Significant leap forward, I have created this new thread. (mods feel free to smack me if I shouldn’t have)

Where we left off before:
The robots had an exposed ssh server on port 22
a read-only VNC session (no password) on port 5900
and port 6000 was open.

I was able to connect to the vnc server, and then send mouse commands by using ‘xdotool’ and pointing it at $IPADDR:6000
this was slow but workable in emergencies, but it always felt very rube-goldberg.

Recently I have been gifted the password for a root shell over ssh

Naturally I logged in and fired up x11vnc…
well, first I had to find it ./usr/Lely/vnc/x11vnc
and then a simple LD_LIBRARY_PATH=/usr/Lely/vnc was required as well.

Now I have an x11vnc session on port 5901 as well.
Unfortunately, it seems to also be read-only.
The startup of x11vnc provides a lot of information, including:

04/03/2020 08:50:08 WARNING: XTEST extension not available (either missing from
04/03/2020 08:50:08 display or client library libXtst missing at build time).
04/03/2020 08:50:08 MOST user input (pointer and keyboard) will be DISCARDED.
04/03/2020 08:50:08 If display does have XTEST, be sure to build x11vnc with
04/03/2020 08:50:08 a working libXtst build environment (e.g. libxtst-dev,
04/03/2020 08:50:08 or other packages).
04/03/2020 08:50:08 No XTEST extension, switching to -xwarppointer mode for
04/03/2020 08:50:08 pointer motion input.

Am I right to assume that missing XTEST is causing my clicks not to register? More importantly, how would one go about installing that on an embedded system…
The good news is I do have 458 Megabytes of available space.

9 Likes

First, the thing to figure out is what type of Linux it is, and what CPU architecture it is.
Things to try, idk what will be available.
uname -a
lsb_release -a
hostnamectl

List content of these files, if they exist, cat is easy to do so with.
/proc/version
/etc/os-release

1 Like

this is the correct use of creating a new thread and linking to the old one.

you have the stamp of adubs approval. :30yoadubs:

also neat thread.

6 Likes

Ask and I shall provide!
~ # cat /proc/version
Linux version 3.3.0-rc2+ (david@archvile) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #233 PREEMPT Wed May 23 15:59:09 CEST 2012

~ # uname -a
Linux lelxdh1 3.3.0-rc2+ #233 PREEMPT Wed May 23 15:59:09 CEST 2012 armv7l unknown

~ # lsb_release -a
Distributor ID: Angstrom
Description: Angstrom GNU/Linux 2010.7-test-20101213 (foo)
Release: 2010.7-test-20101213
Codename: foo

hostnamectl

Also I noticed it has opkg installed. Here’s the output of opkg list-installed.


~ # opkg list-installed
alsa-conf-base - 1.0.24.1-r0.6
alsa-utils-alsamixer - 1.0.24.2-r0.6
angstrom-feed-configs - 1.0-r11.6
angstrom-locale-en-feed-config - 1.0-r11.6
angstrom-version - 1:2010.7-test-20101213-r6.6
busybox - 1.13.2-r38.3.6
busybox-mdev - 1.13.2-r38.3.6
busybox-mountall - 1.13.2-r38.3.6
busybox-syslog - 1.13.2-r38.3.6
chromium-browser - 8.0.552.237
db - 5.1.19-r2.6
dbus - 1.2.24-r19.1.6
dbus-x11 - 1.2.24-r20.1.6
devmem2 - 1.0-r3.6
dropbear - 0.52-r7.0.6
eggdbus - 0.6-r0.6
eject - 2.1.5-r0.6
encodings - 1:1.0.3-r2.1.6
fbset - 2.1-r4.6
fbset-modes - 0.1.0-r5.6
font-update-common - 0.1-r1.6
font-util - 1:1.2.0-r2.0.6
gamin - 0.1.10-r0.6
gconf - 2.28.0-r2.6
gdk-pixbuf-loader-gif - 2.20.1-r10.4.6
gdk-pixbuf-loader-jpeg - 2.20.1-r10.4.6
gdk-pixbuf-loader-png - 2.20.1-r10.4.6
gdk-pixbuf-loader-xpm - 2.20.1-r10.4.6
glibc-binary-localedata-en-us - 2.9-r37.4.6
glibc-gconv - 2.9-r37.4.6
glibc-gconv-iso8859-1 - 2.9-r37.4.6
gtk+ - 2.20.1-r10.4.6
hal - 0.5.14-r2+gitr6dccf8e3ad181e8f56b1d2a994ec50a1953a1c2d.6
hal-info - 20090414-r0.6
hicolor-icon-theme - 0.11-r1.6
initscripts - 1.0-r124.6
iproute2 - 2.6.35.1-r4.0.6
iptables - 1.4.9.1-r7.1.6
kernel - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-2.6.32 - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-image-2.6.32 - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-ip-tables - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-ipt-masquerade - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-iptable-filter - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-iptable-nat - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-nf-conntrack - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-nf-conntrack-ipv4 - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-nf-defrag-ipv4 - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-nf-nat - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
kernel-module-x-tables - 2.6.32-r91+gitr5fc29e7b2a76a64a739f857858ef0b98294aa155.6
libasound2 - 1.0.24.1-r0.6
libatk-1.0-0 - 1.30.0-r1.6
libblkid1 - 2.17-r34.3.6
libbz2-1 - 1.0.6-r0.6
libc6 - 2.9-r37.4.6
libcairo2 - 1.10.0-r1.6
libcidn1 - 2.9-r37.4.6
libcrypto1.0.0 - 1.0.0b-r13.1.6
libdbus-1-3 - 1.2.24-r19.1.6
libdbus-glib-1-2 - 0.86-r2.1.6
libdrm2 - 1:2.4.23-r6.0.6
libexpat1 - 2.0.1-r3.6
libfontconfig1 - 2.8.0-r0.6
libfontenc1 - 1:1.1.0-r9.0.6
libformw - 5.7+20110115-r16.6
libfreetype6 - 2.4.3-r0.6
libgcc1 - 4.3.3-r22.1.6
libgio-2.0-0 - 2.24.1-r2.6
libgl1 - 2:7.6-r11.1.6
libgles-omap3 - 4.00.00.01-r9.6
libgles-omap3-blitwsegl - 4.00.00.01-r9.6
libgles-omap3-flipwsegl - 4.00.00.01-r9.6
libgles-omap3-frontwsegl - 4.00.00.01-r9.6
libgles-omap3-linuxfbwsegl - 4.00.00.01-r9.6
libglib-2.0-0 - 2.24.1-r2.6
libglu1 - 2:7.6-r11.1.6
libgmodule-2.0-0 - 2.24.1-r2.6
libgobject-2.0-0 - 2.24.1-r2.6
libgthread-2.0-0 - 2.24.1-r2.6
libice6 - 1:1.0.7-r9.0.6
libidl-2-0 - 0.8.13-r0.6
libjpeg8 - 8b-r1.6
libmenuw - 5.7+20110115-r16.6
libncursesw5 - 5.9-r0.6
libopkg0 - 0.1.8+svnr587-r3.6
libpam - 1.1.1-r2.6
libpam-base-files - 1.0-r7.6
libpam-meta - 1.1.1-r2.6
libpanelw5 - 5.9-r0.6
libpciaccess0 - 0.12.0-r9.0.6
libphonon4 - 4.6.3-r21.7.6
libpixman-1-0 - 0.21.2-r5.1.6
libpng12-0 - 1.2.44-r2.0.6
libpthread-stubs0 - 0.2-r2.0.6
libpython2.6-1.0 - 2.6.5-ml12.2.6
libqt-mt3 - 3.3.7-r3.6
libqtassistantclient4 - 4.6.3-r21.7.6
libqtclucene4 - 4.6.3-r21.7.6
libqtcore4 - 4.6.3-r21.7.6
libqtdbus4 - 4.6.3-r21.7.6
libqtgui4 - 4.6.3-r21.7.6
libqthelp4 - 4.6.3-r21.7.6
libqtnetwork4 - 4.6.3-r21.7.6
libqtopengl4 - 4.6.3-r21.7.6
libqtsql4 - 4.6.3-r21.7.6
libqtsvg4 - 4.6.3-r21.7.6
libqtwebkit4 - 4.6.3-r21.7.6
libqtxml4 - 4.6.3-r21.7.6
libreadline5 - 5.2-r8.6
libsm6 - 1:1.2.0-r9.0.6
libsqlite3-0 - 3.7.3-r3.0.6
libssl1.0.0 - 1.0.0b-r13.1.6
libstartup-notification-1-0 - 0.9-r2.6
libstdc++6 - 4.3.3-r22.1.6
libtinfo5 - 5.9-r0.6
libts-1.0-0 - 1.0-r28.6.6prt1
libusb-0.1-4 - 1:0.1.3-r0.6
libusb-1.0-0 - 1.0.8-r0.6
libuuid1 - 2.17-r34.3.6
libx11-6 - 1:1.4.0-r9.0.6
libxau6 - 1:1.0.6-r9.0.6
libxcb1 - 1.6-r4.1.6
libxcomposite1 - 1:0.4.3-r9.0.6
libxcursor1 - 1:1.1.11-r9.0.6
libxdamage1 - 1:1.1.3-r9.0.6
libxdmcp6 - 1:1.1.0-r9.0.6
libxext6 - 1:1.2.0-r9.1.6
libxfixes3 - 1:4.0.5-r9.0.6
libxfont1 - 1:1.4.3-r9.0.6
libxft2 - 1:2.2.0-r9.0.6
libxinerama1 - 1:1.1.1-r9.0.6
libxkbfile1 - 1:1.0.7-r9.0.6
libxml2 - 2.7.8-r9.1.6
libxmu6 - 1:1.1.0-r9.0.6
libxpm4 - 1:3.5.9-r9.0.6
libxrandr2 - 1:1.3.1-r9.0.6
libxrender1 - 1:0.9.6-r9.0.6
libxss1 - 1:1.2.1-r9.0.6
libxt6 - 1:1.0.9-r9.0.6
libxxf86vm1 - 1:1.1.1-r9.0.6
libz1 - 1.2.3-r7.0.6
locale-base-en-us - 2.9-r37.4.6
makedevs - 1.0.0-r9.6
mkfontdir - 1:1.0.6-r5.0.6
mkfontscale - 1.0.8-r5.0.6
module-init-tools-depmod - 3.4-r6.6
ncurses-terminfo-base - 5.7+20100501-r15.6
nspr - 4.7.1-r1.5
nss - 3.12.6-r2.5
omap3-sgx-modules - 1.4.14.2616-r91h.6
openbox - 3.4.7.2-r0.6
openbox-theme-clearlooks - 3.4.7.2-r0.6
opkg - 0.1.8+svnr587-r3.6
orbit2 - 2.14.17-r0.6
pam-plugin-access - 1.1.1-r2.6
pam-plugin-debug - 1.1.1-r2.6
pam-plugin-deny - 1.1.1-r2.6
pam-plugin-echo - 1.1.1-r2.6
pam-plugin-env - 1.1.1-r2.6
pam-plugin-exec - 1.1.1-r2.6
pam-plugin-faildelay - 1.1.1-r2.6
pam-plugin-filter - 1.1.1-r2.6
pam-plugin-ftp - 1.1.1-r2.6
pam-plugin-group - 1.1.1-r2.6
pam-plugin-issue - 1.1.1-r2.6
pam-plugin-keyinit - 1.1.1-r2.6
pam-plugin-lastlog - 1.1.1-r2.6
pam-plugin-limits - 1.1.1-r2.6
pam-plugin-listfile - 1.1.1-r2.6
pam-plugin-localuser - 1.1.1-r2.6
pam-plugin-loginuid - 1.1.1-r2.6
pam-plugin-mail - 1.1.1-r2.6
pam-plugin-mkhomedir - 1.1.1-r2.6
pam-plugin-motd - 1.1.1-r2.6
pam-plugin-namespace - 1.1.1-r2.6
pam-plugin-nologin - 1.1.1-r2.6
pam-plugin-permit - 1.1.1-r2.6
pam-plugin-pwhistory - 1.1.1-r2.6
pam-plugin-rhosts - 1.1.1-r2.6
pam-plugin-rootok - 1.1.1-r2.6
pam-plugin-securetty - 1.1.1-r2.6
pam-plugin-shells - 1.1.1-r2.6
pam-plugin-stress - 1.1.1-r2.6
pam-plugin-succeed-if - 1.1.1-r2.6
pam-plugin-tally - 1.1.1-r2.6
pam-plugin-tally2 - 1.1.1-r2.6
pam-plugin-time - 1.1.1-r2.6
pam-plugin-timestamp - 1.1.1-r2.6
pam-plugin-umask - 1.1.1-r2.6
pam-plugin-unix - 1.1.1-r2.6
pam-plugin-userdb - 1.1.1-r2.6
pam-plugin-warn - 1.1.1-r2.6
pam-plugin-wheel - 1.1.1-r2.6
pam-plugin-xauth - 1.1.1-r2.6
pango - 1.24.4-r1.1.6
pango-module-basic-fc - 1.24.4-r1.1.6
pango-module-basic-x - 1.24.4-r1.1.6
pointercal - 0.0-r22.6
policykit - 0.96-r3.6
python-codecs - 2.6.5-ml12.2.6
python-core - 2.6.5-ml12.2.6
python-fcntl - 2.6.5-ml12.2.6
python-io - 2.6.5-ml12.2.6
python-lang - 2.6.5-ml12.2.6
python-math - 2.6.5-ml12.2.6
python-pickle - 2.6.5-ml12.2.6
python-re - 2.6.5-ml12.2.6
python-readline - 2.6.5-ml12.2.6
python-stringold - 2.6.5-ml12.2.6
python-subprocess - 2.6.5-ml12.2.6
python-xlib - 0.14-r1.3
qt-x11-qvfb - 3.3.7-r3.6
qt4-demos - 4.6.3-r21.7.6
qt4-plugin-imageformat-jpeg - 4.6.3-r21.7.6
qt4-plugin-imageformat-svg - 4.6.3-r21.7.6
rgb - 1:1.0.4-r5.0.6
rxvt-unicode - 9.07-r0.6
strace - 4.5.14-r9.6
sysvinit - 2.86-r62.6
sysvinit-inittab - 2.86-r62.6
sysvinit-pidof - 2.86-r62.6
sysvinit-utils - 2.86-r62.6
tinylogin - 1.4-r7.6
tslib-calibrate - 1.0-r28.6.6
tslib-conf - 1.0-r28.6.6
tslib-tests - 1.0-r28.6.6
ttf-dejavu-common - 2.23-r3.6
ttf-dejavu-sans - 2.23-r3.6
ttf-dejavu-serif - 2.23-r3.6
ttf-sazanami-gothic - 20040629-r4.3
udev-utils - 151-r22.6
update-modules - 1.0-r10.6
update-rc.d - 0.7-r2.6
xf86-input-keyboard - 1:1.5.0-r14.0.6
xf86-input-tslib - 0.0.6-r14.1.6
xf86-video-fbdev - 1:0.4.2-r14.1.6
xf86-video-omapfb - 1:0.1.1+r14.0+gitrdb636c8436265c3d86c5b8e00785e45d55825c80-r14.0.6
xkbcomp - 1.2.0-r5.0.6
xkeyboard-config - 1.8-r0.6
xorg-minimal-fonts - 1.0-1.5
xserver-security-policy - 1:1.4.2-r3.2
xserver-xorg - 2:1.7.4-r18.2.6
xserver-xorg-conf - 0.1-r37.6

Kinda neat that it has stuff like python… sad about the 2.6 version though

Well, it is good that it has a package manager, however, the repository might be down now. http://feeds.angstrom-distribution.org/feeds/ does not have 2010.7, but only newer versions. Hopefully, there is a feed URL in a file in /etc/opkg/ that is still up.

XTEST support in x11vnc seems to be a compile time option from the output above. So to get support for it, you will have to recompile x11vnc with libxtst available. The package is probably called libxtst-dev.

If this version was custom compiled, the default angstrom linux build of x11vnc may support xtest. In this case, you can just install that over the original binary.

Also, this point is a great opportunity to get a backup of the drive before any changes are made. There are a number of ways to do so, not sure what commands are available (SCP, tar, rsync, dd, others).

1 Like

There are a lot of feeds apparently.
/etc/opkg # ls
arch.conf debug-feed.conf noarch-feed.conf sdk-feed.conf
base-feed.conf gstreamer-feed.conf perl-feed.conf
beagleboard-feed.conf locale-en-feed.conf python-feed.conf

/etc/opkg # cat *.conf
arch all 1
arch any 6
arch noarch 11
arch arm 16
arch armv4 21
arch armv4t 26
arch armv5te 31
arch armv6 36
arch armv7 41
arch armv7a 46
arch beagleboard 51
src/gz base http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/base
src/gz beagleboard http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/machine/beagleboard
src/gz debug http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/debug
src/gz gstreamer http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/gstreamer
src/gz locale-en-feed http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/locales/en
src/gz no-arch http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/all
src/gz perl http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/perl
src/gz python http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/python
#src/gz sdk http://www.angstrom-distribution.org/feeds/unstable/ipk/glibc/sdk

All of those urls are dead, however, it looks like they just changed it to a subdomain. The versioning of the unstable instead of an actual version is not ideal, but most of the packages have late 2010 - early 2011 upload dates. So they should be for the same version you have, and not a constantly updated version like say Debian unstable.

Replace all instances of www.angstrom-distribution.org with feeds.angstrom-distribution.org to make it work.

libxtst-dev is available at http://feeds.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/base/libxtst-dev_1.2.0-r9.0.6_armv7a.ipk and should be easily installable with opkg.

3 Likes

Thanks! I’ll give it a shot and see how it goes!

My robots are not connected to the internets. There is a PC on the robot network that is, but it isn’t set up to forward packets, and I’d rather not (Sigh, windows). I downloaded http://feeds.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/base/libxtst-dev_1.2.0-r9.0.6_armv7a.ipk on my laptop, and plugged it into the robot network. Copied the .ipk file with SCP onto the robot.
Naturally, it decided there were dependencies. libxi6, libxtst6, recordproto, recordproto-dev, utilmacros-dev (libxtst-dev didn’t depend on all of them, but the dependencies had dependencies)

I downloaded a lot of these relevant files as well, but it seems the more dependencies I download, the more I require.

Is there an easy way to batch download and package all the ones I need (on my laptop), and then transfer them all to the robot without downloading and mirroring the whole http://feeds.angstrom-distribution.org/feeds/unstable/ipk/glibc/armv7a/ repo?

If not, do I just download it all onto my PC, and shove it into a folder served by apache, then replace my feeds with http://my-ip/feeds/unstable/ipk … etc?

Not that I know of, sorry.

I think so. I have done that with Debian repositories, and opkg uses parts from Debian package management.
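
An added example, not part of the original posts: opkg feeds publish a `Packages` index made of Debian-style stanzas, so the .ipk files a package still needs can be worked out on the laptop before anything is copied to the robot. The index excerpt, its Depends lines and the `EXAMPLE` filenames are constructed for illustration; `Provides:` and alternatives after the first `|` are not resolved.

```python
import re

# Constructed excerpt of an opkg "Packages" index. Only the libxtst-dev filename is
# from the thread; INSTALLED holds three lines from its `opkg list-installed` output.
SAMPLE_INDEX = """\
Package: libxtst-dev
Depends: libxtst6 (= 1.2.0-r9.0.6), recordproto-dev
Filename: libxtst-dev_1.2.0-r9.0.6_armv7a.ipk

Package: libxtst6
Depends: libc6 (>= 2.9), libx11-6, libxext6
Filename: libxtst6_EXAMPLE_armv7a.ipk

Package: recordproto-dev
Depends: recordproto, utilmacros-dev
Filename: recordproto-dev_EXAMPLE_armv7a.ipk
"""
INSTALLED = "libc6 - 2.9-r37.4.6\nlibx11-6 - 1:1.4.0-r9.0.6\nlibxext6 - 1:1.2.0-r9.1.6"

def parse_index(text):
    """Map package name -> {field: value}, one entry per blank-line-separated stanza."""
    stanzas = re.split(r"\n\s*\n", text.strip())
    parsed = (dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", s, re.M)) for s in stanzas)
    return {f["Package"]: f for f in parsed if "Package" in f}

def dep_names(depends):
    """Names in a Depends field: drop "(>= x)" constraints, keep the first of "a | b"."""
    clauses = [c.split("|")[0] for c in depends.split(",") if c.strip()]
    return [re.sub(r"\(.*?\)", "", c).strip() for c in clauses]

def closure(target, index, installed):
    """Return (.ipk filenames with dependencies first, names absent from the index)."""
    order, missing, seen = [], [], set(installed)
    def visit(name):
        if name in seen:                 # already installed or already planned
            return
        seen.add(name)
        if name not in index:            # lives in another feed's index
            missing.append(name)
            return
        for dep in dep_names(index[name].get("Depends", "")):
            visit(dep)
        order.append(index[name]["Filename"])
    visit(target)
    return order, missing

if __name__ == "__main__":
    installed = {line.split(" - ")[0] for line in INSTALLED.splitlines()}
    print(closure("libxtst-dev", parse_index(SAMPLE_INDEX), installed))
```

For a real run, replace `SAMPLE_INDEX` with the decompressed `Packages` index from each feed directory and `INSTALLED` with the robot's full `opkg list-installed` output; names reported as missing have to be looked up in another feed's index.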

Hi Mandrewoid, did you get any further here? I’ve been scratching my head on this for over a year as well (2 A4’s, one running Angström, the other Debian it seems, since a cow demolished the original touchscreen). I have terminal root access, I’ve altered config files as far as I deemed safe, but can’t get it to work yet.

We’ve been working on it on the hak5 forums as well, but no luck yet…

Cheers!

If you have Debian on the robot screen, then you can edit the VNC.start file to enable remote control by deleting the -viewonly parameter.

1 Like

Did you get it working on your robots? I can’t log in as root / lely123. Do you have any tips?