Robot hacking leads to many questions about X11

Ok so I have a pair of Lely A4 milking robots, about 4 years old. Here’s a video if you want to see what they do https://www.youtube.com/watch?v=En5IQYw75mc
This thread is the story of how I persistently prodded the system until it (sort of) delivered the functionality I wanted, and a request to you, dear viewer, for any advice you might have on achieving the last 5%

When we bought these robots I was disappointed that they didn’t come with tools to let you do stuff remotely, like clear errors, reboot the robot etc. So naturally I installed Kali Linux, plugged my laptop into the robot LAN, and fired up Nmap.

Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-25 12:08 Eastern Standard Time
Nmap scan report for 10.4.1.102
Host is up (0.0019s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
5900/tcp open  vnc
6000/tcp open  X11
8080/tcp open  http-proxy
MAC Address: 00:12:FF:01:A4:0C (Lely Industries N.V.)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

So this is interesting… It has a VNC port open. Fire up VNC:


Very nice! Unsecured VNC! It shows the same stuff as the touchscreen on the robot.
On the other hand, bummer! It seems to be view only :frowning: I can’t do stuff, just watch.

But what’s that? An open X11 port on 6000?
This is where I start to get out of my depth. I really don’t understand the X11 client/server model. Is it backwards, is it forwards? Do clients listen with open ports? Do servers display stuff on screens? I have no idea.

What I DO know is if I type:
export DISPLAY=10.4.1.102:0
xterm

Then the xterm window shows up on the robot screen :laughing:

So clearly this port 6000 is also unsecured!
At this point I spent days trying to understand what was going on. I can capture the frames from the robot screen using xwd (which is pretty cool), and I eventually discovered a pretty neat utility called ‘xdotool’ which allows me to send keystrokes, mouse movement and mouse clicks over the network to port 6000. We’re in like Flynn! If I “xdotool click 1” while the mouse is over the button in the bottom right, the actions menu comes up, and I can initiate a cleaning cycle, put the robot into or out of operation, or divert that cow’s milk to a holding pail to be fed to calves (red buttons on the right).

If you’ve made it this far, thanks for reading! And if you know how X11 works please enlighten me as to how this functionality is possible, and if there is a slightly less ‘bodged’ way to do this.
Ideally what I’d like to do is ‘connect to the X session’ if such a thing is possible. Exactly like how you would VNC into a machine. It kind of seems to me this is exactly what X was designed to do?

Bonus points:
You may have noticed there’s also an ssh port open. About that:
It appears to accept password logins, and I have tried all the obvious ones. I’m 99% sure it is running a hella old version of OpenSSH that probably has documented vulnerabilities, but again that’s out of my wheelhouse unfortunately. It has been a while since I tried the SSH, but I seem to recall having to allow an encryption method that isn’t even supported normally anymore.

Bonus bonus:
There’s a single open USB port on the thing, so naturally I plugged in a keyboard and pressed Ctrl+Alt+F3
And yes! it gets me a login screen, but again I have no idea the credentials :frowning:

Any feedback would be greatly appreciated!
Calf tax:

7 Likes

uhhhhhh

See if xtogo sees it, that’s all I got.

Also smooch a baby moo nose for me, I love cows <3

You guessed right, it’s doing what it’s supposed to do. Xorg acts as a server for remote management. Taken from the man page:

TCP/IP
Xorg listens on port 6000+n, where n is the display number. This
connection type is usually disabled by default, but may be enabled
with the -listen option (see the Xserver(1) man page for details).

Seems like it’s using host-based access control, hence no login needed. Most likely configured to accept all connections from the LAN, or who knows, the whole internet.
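To make the open port 6000 from the scan and the host-based access control described above concrete, here is an added example (not from the thread, and not Lely’s code) that performs the X11 connection-setup handshake by hand with only Python’s standard library. The client sends a setup request with empty authorization fields, which is what `xterm` did in the test above when no cookie was set; the server answers Success, Failed or Authenticate. The only assumption is the robot address from the scan (10.4.1.102, display :0, so TCP 6000). The `encode_*_reply` functions build constructed server answers so the parser can be checked offline.

```python
"""Probe whether an X server accepts TCP clients without any authorization.

Added example, not from the thread. It speaks the X11 connection-setup
handshake directly with the standard library, so no X libraries are needed.
Assumption: the robot address from the scan (10.4.1.102, display :0).
The encode_*_reply helpers build constructed server answers for offline use."""
import socket
import struct
import sys

X11_BASE_PORT = 6000  # display :n listens on TCP 6000 + n


def pad4(b):
    """Pad to a multiple of 4 bytes, as every string in the handshake must be."""
    return b + b"\x00" * ((4 - len(b) % 4) % 4)


def build_setup_request(auth_name=b"", auth_data=b""):
    """Client side (xConnClientPrefix, little-endian client): byte order 'l',
    pad, major 11, minor 0, auth name length, auth data length, 2 pad bytes,
    then both strings padded. Empty auth fields mean 'admit me on host rules'."""
    header = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return header + pad4(auth_name) + pad4(auth_data)


def parse_setup_reply(data):
    """Server side: decode the 8-byte prefix and its tail into (status, text),
    where text is the vendor string on success or the refusal reason."""
    if len(data) < 8:
        raise ValueError("short reply: %d bytes" % len(data))
    code = data[0]
    tail = struct.unpack("<H", data[6:8])[0] * 4  # length of everything after byte 8
    if code == 0:  # Failed: byte 1 is the reason length
        return "failed", data[8:8 + data[1]].decode("latin-1", "replace")
    if code == 2:  # Authenticate: the reason fills the tail
        return "authenticate", data[8:8 + tail].decode("latin-1", "replace").rstrip("\x00")
    if code == 1:  # Success: 32-byte xConnSetup, then the vendor string
        vendor_len = struct.unpack_from("<IIIIHHBB", data, 8)[4]
        return "success", data[40:40 + vendor_len].decode("latin-1", "replace")
    raise ValueError("unknown status byte %d" % code)


def encode_failed_reply(reason):
    """Constructed server refusal, e.g. reason b'No protocol specified'."""
    body = pad4(reason)
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, len(body) // 4) + body


def encode_success_reply(vendor=b"constructed X server"):
    """Constructed server acceptance: prefix, xConnSetup with plausible fixed
    values (release, resource id base/mask, motion buffer, vendor length, max
    request length, screens, formats, ...), then the vendor string. The format
    and screen lists are left empty, which the parser does not need."""
    setup = struct.pack("<IIIIHHBBBBBBBBI", 12000000, 0x00400000, 0x003FFFFF, 256,
                        len(vendor), 65535, 1, 0, 0, 0, 32, 32, 8, 255, 0)
    body = setup + pad4(vendor)
    return struct.pack("<BxHHH", 1, 11, 0, len(body) // 4) + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def probe_x11(host, display=0, timeout=3.0):
    """The real exchange: connect, send an unauthenticated setup request, read
    the 8-byte prefix, then the tail it announces, and decode the answer."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as s:
        s.sendall(build_setup_request())
        prefix = _recv_exact(s, 8)
        tail = _recv_exact(s, struct.unpack("<H", prefix[6:8])[0] * 4)
    return parse_setup_reply(prefix + tail)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, text = probe_x11(sys.argv[1])
        print("%s:%d -> %s (%s)" % (sys.argv[1], X11_BASE_PORT, status, text))
    else:  # offline demo with constructed replies; pass the robot IP to probe for real
        print(parse_setup_reply(encode_failed_reply(b"No protocol specified")))
        print(parse_setup_reply(encode_success_reply(b"The X.Org Foundation")))
```

Run it as `python3 x11probe.py 10.4.1.102`. A `success` answer to a request with empty auth fields is the actual finding: the server’s host list (what `xhost` manages) admits your address, so anyone on that LAN can do what xterm and xdotool did above. A `failed` answer with a reason such as “No protocol specified” means the listener is open but wants a cookie, which is a far smaller problem than the open port alone suggests; the port being open is not the finding, the unauthenticated `success` is.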

Is there a way of “Streaming” mouse inputs and clicks from my machine to the robot, rather than entering them discretely from the terminal?

Can’t say why it’s not forwarding your inputs, though best practice would be to forward X through SSH anyway. Having X server ports open is terrible from a security standpoint. It’s quite interesting that the manufacturer left those ports accessible like that, whatever the reasons might be. There are better ways to remote machines, it’s not 1995 anymore.
Maybe you could call them and ask what’s up with that?

While you’re at it you could also ask for (but you’re most likely not going to get) creds for the box to SSH into with. Of course you could locally access the machine and change passwords and configure SSH by different methods, but really you shouldn’t mess with the system at all since it’s not a testing environment.

It is very strange that they leave the ports open. I think it is a holdover from testing/dev but I can’t be 100% sure. These are quarter-of-a-million-dollar robots. Typical of companies like this, their response to any technical questions like that is “We aren’t going to tell you”, despite the fact that it’s my hardware. (Stallman intensifies)
I agree I’d like to get terminal access just to see what the heck the system looks like on the software side.


I have been told by a service tech that this touchscreen is an ARM tablet running Android 2. You’ll recognize the GUI on it from the screenshots above. This tablet has 2 plugs on it: one proprietary waterproof connector with a bunch of conductors, approximately 12 or so, and a USB port. The fancy cable goes to this board

Which has what I think is an ARM SoC in the middle, and then it has a whole bunch of CAN bus connectors and logic outputs (for running relays to open and close valves etc.). The network connects just above that ARM chip.

I can’t tell whether the screen is a separate system running its own OS just to do the display, or if that other connector is a proprietary waterproof VGA + power, for example. I do have physical access to the machine obviously, but there are no removable storage devices.

I do have local access to the device but I have no idea how I’d go about changing the passwords without any command line access, or any harddrives I could dig into and change config files
There is a DB9 port that I believe could be used as a serial console, but I don’t have the requisite hardware to plug into it, and I’m afraid it might be 5V or something. I don’t want to fry the motherboard. Also, there’s still a pretty good probability I would have to log in on the serial, right?

x2x should be able to do what you wanted in regards to control. It’s typically used over SSH, and allows you to share your keyboard and mouse pointer with another X server (you don’t need to use it over SSH though!). I think it requires the XTEST extension, but that’s fairly default. Other than that, you could possibly start a VNC server on the X server (even from another machine!) with normal mouse/keyboard support (you want a VNC server for a running X server, not a VNC server with a built-in X server).

Also, you should be able to check the SSH version by simply:
nc -vvv 10.4.1.102 22
Or you can just connect with SSH and the verbose output also tells what other authentication methods the server supports, among a lot of other things. If you report that here, someone might be able to look at CVEs for those versions, and might be able to provide you with a working exploit.

Besides, X was never a secure protocol. It should be fairly easy to exploit. Never done that though.
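The banner check suggested above can be scripted. Here is an added example (not from the thread) that reads the RFC 4253 identification string a server sends first, splits it into product and version, and compares that version against the fixed-in version from whatever advisory you later look up; plain numeric comparison also copes with Dropbear’s change from 0.xx to year.nn numbering. The target address is assumed to be the robot from the scan, and the sample banner used in the offline demo is constructed.

```python
"""Grab and parse an SSH server's identification string (RFC 4253, section 4.2).

Added example, not from the thread. Assumes the robot's sshd is on port 22 at
the address from the scan; the sample banner in the demo is constructed."""
import re
import socket
import sys

# "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Most servers encode product and version as product_version or product-version.
SOFTWARE_RE = re.compile(r"^(?P<product>.+?)[_-](?P<version>\d[\w.]*)$")


def parse_banner(line):
    """Split a banner into proto, product, version and comments; None if the
    line is not an SSH identification string."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    software = m.group("software")
    s = SOFTWARE_RE.match(software)
    product, version = (s.group("product"), s.group("version")) if s else (software, "")
    return {"proto": m.group("proto"), "software": software, "product": product,
            "version": version, "comments": m.group("comments") or ""}


def version_tuple(v):
    """Numeric components only: '0.52' -> (0, 52), '2013.59' -> (2013, 59),
    '7.4p1' -> (7, 4, 1). Enough for 'is it older than the fix'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_before(found, fixed):
    """True when the observed version sorts before the version an advisory
    says carries the fix; works across Dropbear's 0.xx to year.nn switch."""
    return version_tuple(found) < version_tuple(fixed)


def grab_banner(host, port=22, timeout=5.0):
    """Read lines until the server's 'SSH-' line (a server may send other text
    first), then send our own identification so the connection ends cleanly."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("no banner received")
            if line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-bannerprobe\r\n")
    return line.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # With an argument, probe a real host; without one, parse a constructed banner.
    banner = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else "SSH-2.0-dropbear_0.52"
    info = parse_banner(banner)
    print(banner, "->", info)
    if info and info["version"]:
        fixed = "2013.59"  # stand-in for a fixed-in version taken from an advisory
        print("older than %s: %s" % (fixed, version_before(info["version"], fixed)))
```

`python3 sshbanner.py 10.4.1.102` prints the parsed banner; `ssh -v` against the same host additionally lists the authentication methods and key exchange algorithms on offer, which is the part `nc` cannot show.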

Oh, this image looks very promising! There are 2 connectors commonly used for serial access on the board. The one in the lower-right is just straight up a standard serial port. The connector in the top could be a RJ-45, possibly ethernet, or maybe a serial port like on a switch! I think with that kind of access it should be very possible to get a shell running on that thing!

One quick note though, I don’t know if poking around in the software is permitted by software licenses, or if there are other legal or warranty hazards you need to look at.
I think the chance of a hardware fault because of this is very small, but again, I don’t know enough about this to be sure. Proceed with care!

Bruh, Kevin Mitnick straight up stole SunOS in the 80’s and screwed around with it however he wanted.

You bought them, they’re yours / your company’s.

1 Like

Thanks for the interest and the reply!
That Ethernet port is the robot network (normally plugged in). It was unplugged for the picture because we had a switch burn out so I took the picture mid swap.
I saw the serial port on the board. I have been thinking of picking up a USB to serial cable to try it out and see what I get, but for now I don’t have one.
In the meantime, here is some selected output from nmap -A -vvv:
Kinda interesting that Lely has their own MAC

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 Dropbear sshd 0.52 (protocol 2.0)
| ssh-hostkey:
| 1040 be:44:a8:36:71:ec:1e:b9:df:28:23:d3:c9:eb:b6:8a (RSA)

MAC Address: 00:12:FF:01:A8:11 (Lely Industries N.V.)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10

So it seems to be running dropbear 0.52. There is a CVE which allows username enumeration https://security-tracker.debian.org/tracker/CVE-2013-4434
so that’s kinda interesting, but even then I’d have to bruteforce passwords

So today I was back in a city with an adequate computer store. Picked up a USB-RS232 cable (and a null-modem adaptor in case I need it) Will try on the weekend and see what happens when I plug it in. Might have to do a reboot and see if the bootloader does any serial output.
Now for the reason I did a bump without any serious progress updates…
Is there any way to do an automated sort of ‘scan’ or ‘sweep’ of serial port settings? I’ll try the most common 9600 8N1 and 115200 8N1, and maybe I’m overthinking it, but aren’t there huge numbers of possible combinations? I’m worried about the possibility that I get the settings wrong and get no output, even if the robot is outputting actively.

Update. Connected to serial at 38400 baud. Upon bootup the robot outputs a bunch of diagnostic crap. Unfortunately I don’t think any of it is interesting for the purpose of getting to the command line.
https://pastebin.com/sm453vun

1 Like
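On the serial-settings question above: an added example (not from the thread) that does the sweep with pyserial and ranks each setting by how much of the received data is printable text, since a wrong baud rate produces framing garbage with the high bit set or null runs rather than readable characters. Assumptions: the adapter shows up as /dev/ttyUSB0 and pyserial is installed for the live sweep; the `CONSTRUCTED_SAMPLES` dict stands in for captured data so the ranking can be checked offline (it is not the robot’s real output).

```python
"""Sweep serial port settings and rank them by how text-like the output is.

Added example, not from the thread. Assumes a USB-RS232 adapter at
/dev/ttyUSB0 and pyserial for the live sweep; the scoring is plain Python
and CONSTRUCTED_SAMPLES stands in for captured data so it runs offline."""
import os

try:
    import serial  # pyserial, only needed for sweep()
except ImportError:
    serial = None

SERIAL_DEV = "/dev/ttyUSB0"  # assumption: first USB serial adapter
# Standard rates, the ones most common on embedded consoles first.
BAUD_RATES = [115200, 9600, 38400, 57600, 19200, 4800, 2400, 1200, 230400]
# 8N1 is nearly universal; the others are a second pass if nothing scores well.
FRAMINGS = ["8N1", "7E1", "8E1", "7O1"]


def text_score(data):
    """Fraction of bytes that are printable ASCII or tab/CR/LF. A wrong baud
    rate yields 0x00/0xFF runs and high-bit garbage, so real console output
    scores close to 1.0 and garbage well below it."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def rank_candidates(samples, threshold=0.9):
    """samples: {(baud, framing): bytes}. Returns [(score, baud, framing)],
    best first. Settings that received nothing are dropped; if nothing clears
    the threshold the top three are returned so you can still eyeball them."""
    ranked = sorted(((text_score(d), b, f) for (b, f), d in samples.items() if d),
                    reverse=True)
    return [r for r in ranked if r[0] >= threshold] or ranked[:3]


def sweep(dev=SERIAL_DEV, listen=2.0, framings=("8N1",), rates=BAUD_RATES):
    """Open the port at each setting, listen for `listen` seconds, keep what
    arrived. Reboot the target while this runs so the bootloader is talking."""
    if serial is None:
        raise RuntimeError("pip install pyserial for the live sweep")
    samples = {}
    for framing in framings:
        bits, parity, stop = int(framing[0]), framing[1], int(framing[2])
        for baud in rates:
            with serial.Serial(dev, baud, bytesize=bits, parity=parity,
                               stopbits=stop, timeout=listen) as port:
                samples[(baud, framing)] = port.read(4096)
    return samples


# Constructed stand-ins for sweep() output (not real captures from the robot):
CONSTRUCTED_SAMPLES = {
    (115200, "8N1"): bytes([0xFF, 0xFE, 0x00, 0xF8, 0x7F, 0xC0] * 40),  # framing garbage
    (9600, "8N1"): b"",                                                  # nothing before timeout
    (38400, "8N1"): b"Booting Linux on physical CPU 0\r\nSerial console ready\r\n" * 4,
    (57600, "8N1"): bytes([0x80, 0x9C, 0x41, 0x0D, 0xE6, 0x20] * 40),  # half garbage
}

if __name__ == "__main__":
    live = serial is not None and os.path.exists(SERIAL_DEV)
    samples = sweep() if live else CONSTRUCTED_SAMPLES
    for score, baud, framing in rank_candidates(samples):
        print("%6d %s  score=%.2f" % (baud, framing, score))
```

Power-cycle the robot while `sweep()` is running so the bootloader banner is on the wire during each 2 s listen; 9 rates times 4 framings is 36 tries, about a minute, and 8N1 at one of the standard rates wins almost every time, which is why it is the first pass. Leave RX and ground connected only until you know the voltage level: a true RS-232 DB9 is fine with a USB-RS232 cable, a 3.3 V TTL header is not.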

Oh boy, and I thought I was the only one in the world trying to figure this out!
I’ve been doing the same for the A5 robot and was able to log in with PuTTY to the IP address of the robot (10.4.1.10x), and then I could open another SSH tunnel to the terminal from there. But that’s how far I’ve got.

I might have to look back into it.

3 Likes

I own two Lely A5 and I am trying to get remote access, too. That way I found this thread in this forum. When I say robot, an automated milking system (AMS) is meant. :wink:
Lely wires its own network for the robots and all the stuff that is needed to run them (10.1.4.x). In that network is a PC (10.1.4.1) that is also connected to my internet LAN. So the robots are not directly connected to the internet.
Each robot has the IP 10.1.4.10x, where x is the number of the robot. Each robot has its own LAN with three devices (10.1.5.1-3).
On every robot runs a VNC server, but only in view mode :frowning_face: There is no password.
I connected via SSH to the machine; it runs Debian 8, but I had no root. This is also 10.1.5.1. From there you can use SSH to get to 10.1.5.2 and 10.1.5.3.
Till now, I don’t know which IP the display is. It has a USB port, but I found no USB tools like lsusb on any machine. I did not see where a USB stick is mounted, but service technicians use a stick with a file (servicekey) to get service access. So it must be mounted to some directory.

1 Like

You could maybe use nmap to scan the whole network segment.
Try something like nmap [options] 10.1.0-255.0-255.
You should be able to see every device and open port (I don’t know how the display device would look in this scan, but you seem to have figured out a lot of other devices, so maybe you can just guess).

If not, you can try to do some action on the tablet, and listen for corresponding packets on the network. Even if they are encrypted/have some unknown protocol, you should be able to correlate the timing.
Might need to create a monitor port on the switch first, and use a promiscuous-mode network interface.

You said you can connect to a part of the machine via SSH, that’s very cool! What part of the machine exactly do you think? Did you guess the credentials, are they documented somewhere, or did “somebody tell you in private” :D? (No need to answer if you can’t, I’m just curious, I don’t own any milk robots.)
Escalating to root should be very possible, did you try just su as well? Maybe you’re lucky.

If anybody can provide me with a firmware dump of the device I’m sure I could find some way to root it :smiley:

If you only want a way to view the display and click some buttons, you can probably get away with using the VNC for view, and xdotool mousemove/xdotool click.
As part of my Devember project I’ve actually done something related: A website X11 viewer for an X11 server using ffmpeg, with control over xdotool.
ffmpeg/xdotool is only required on the encoding side, not on the X11 server side.
If you want, I can probably make you a small web tool that streams the content of your X11 servers in a similar way.

EDIT: Also, even as a non-root user you have access to /etc/passwd. Check that for other users maybe, and if you can read it, try cracking passwords from /etc/shadow.

EDIT2: I’ve tried display shadowing via ffmpeg/xdotool and my devember scripts, and it works just fine with a container. My guess is that you could use my devember project directly.
It would act only as a working(including input) alternative to the read-only X11 server.
Again, it would not be much effort to put this into a separately-installable application, let me know if you need something like that.
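Following the suggestion above to look at /etc/passwd and /etc/shadow: an added example (not from the thread) that parses both files and flags what a pentester checks first on a box like this: UID-0 accounts, accounts with an interactive shell, empty password fields (login with no password at all), locked accounts, and the hash scheme, which decides whether cracking is cheap (traditional DES or MD5 crypt) or slow (sha512crypt). The two sample files at the bottom are constructed, including the hash string, and the list of interactive shells is an assumption you may need to extend for a BusyBox system.

```python
"""Audit /etc/passwd and /etc/shadow for the accounts an attacker would go for.

Added example, not from the thread. Reports UID-0 accounts, interactive
shells, empty password fields, locked accounts and the hash scheme. The
sample files at the bottom are constructed, including the hash string."""

HASH_SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
# Assumption: shells that give a login session; extend for your target.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ash", "/bin/dash", "/bin/zsh",
                      "/bin/ksh", "/usr/bin/bash", "/usr/bin/zsh"}


def classify_hash(field):
    """Name the password field the way a cracker cares about it."""
    if field == "":
        return "empty"        # no password at all
    if field == "x":
        return "shadowed"     # real hash is in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"       # '!' or '*' prefix disables password login
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"     # traditional 13-character DES crypt
    return "unknown"


def parse_passwd(text):
    """name -> {pw, uid, gid, home, shell}; skips comments and malformed lines."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> hash field (second column)."""
    return {p[0]: p[1] for p in (l.split(":") for l in text.splitlines()) if len(p) >= 2}


def audit(passwd_text, shadow_text=None):
    """Merge both files and flag each account."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text) if shadow_text else {}
    findings = []
    for name, u in users.items():
        field = shadow.get(name, "x") if u["pw"] == "x" else u["pw"]
        scheme = classify_hash(field)
        flags = []
        if u["uid"] == 0:
            flags.append("uid0")
        if u["shell"] in INTERACTIVE_SHELLS:
            flags.append("shell")
        if scheme == "empty":
            flags.append("nopassword")
        elif scheme in ("descrypt", "md5crypt"):
            flags.append("weak-hash")
        elif scheme == "shadowed":
            flags.append("shadow-unreadable")
        findings.append({"user": name, "uid": u["uid"], "shell": u["shell"],
                         "scheme": scheme, "flags": flags})
    return findings


def crack_targets(findings):
    """Accounts worth feeding to john/hashcat: interactive shell and a real hash."""
    return [f["user"] for f in findings
            if "shell" in f["flags"] and f["scheme"] not in ("empty", "locked", "shadowed", "unknown")]


# Constructed sample files (the md5crypt string is made up, not a real hash):
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
service:x:500:500:service user:/home/service:/bin/sh
guest::501:501::/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$saltsalt$QuimNfMjYcoH8BFDDyNTa1:17600:0:99999:7:::
daemon:*:17600:0:99999:7:::
service:!:17600:0:99999:7:::
guest::17600:0:99999:7:::
"""

if __name__ == "__main__":
    try:
        passwd = open("/etc/passwd").read()
    except OSError:
        passwd, shadow = SAMPLE_PASSWD, SAMPLE_SHADOW  # not a Unix box: demo on the sample
    else:
        try:
            shadow = open("/etc/shadow").read()
        except OSError:
            shadow = None  # not root: hashes stay "shadowed"
    for f in audit(passwd, shadow):
        print("%-10s uid=%-5d %-12s %-12s %s" % (f["user"], f["uid"], f["shell"],
                                                 f["scheme"], ",".join(f["flags"])))
    print("crack targets:", crack_targets(audit(passwd, shadow)))
```

On the sample, `root` comes out as uid0/shell/weak-hash (md5crypt is fast to crack offline), `guest` as nopassword, `service` as locked, and only `root` is a crack target. Run it unprivileged on the robot after copying the two files off with `scp`; if /etc/shadow is not readable the scheme column just says "shadowed" and you know exactly which accounts to come back for once you have root.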

Hi Max, I’ve been away quite a time… Farming can be like that.

#1 ) your Devember project sounds very cool, and likely would do exactly what many guys would want.

#2) my robots are running Angstrom apparently, and I do have root access (PW was lely123 LOL) but the VNC binary is missing the required libs to allow VNC with control.

I did notice it has opkg installed, but I don’t really have the expertise to build packages for it, and I’m not sure what the underlying architecture is? Definitely wouldn’t be able to compile on hardware because the storage space is pretty limited and the processing capacity is too.

~ # cat /proc/version
Linux version 3.3.0-rc2+ (david@archvile) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #233 PREEMPT Wed May 23 15:59:09 CEST 2012

~ # uname -a
Linux lelxdh1 3.3.0-rc2+ #233 PREEMPT Wed May 23 15:59:09 CEST 2012 armv7l unknown

~ # lsb_release -a
Distributor ID: Angstrom
Description: Angstrom GNU/Linux 2010.7-test-20101213 (foo)
Release: 2010.7-test-20101213
Codename: foo

Hey again!

#1 ) I’ll try to create a dependency-free(-er) version in the future, with easy deployment. As a bonus, it shouldn’t require any modifications to any hardware or software not in your control(just “client-side”; on your computer). I’ll get back to you on that!

#2 ) Regarding building packages. I guess step 1 would be to acquire a toolchain/SDK. From the string in /proc/version, it seems they used an older pre-built toolchain: Sourcery G++ Lite 2010q1-202.
Might be enough to build a statically-linked VNC server. Since this is just an armv7l platform, you shouldn’t have too much trouble. I don’t know what it takes to integrate such a toolchain for building OpenEmbedded/Yocto packages (SDK), but it can’t be that hard.