During my analysis of Apple AirPlay connections to my Yamaha Network Receiver I was also interested in which TCP/UDP ports are opened on this audio device at all. Hence I did a basic port scan with Nmap for both transport layer protocols. (In an upcoming blogpost I am analyzing a packet capture from the Yamaha receiver which will show more details about the used ports and outgoing connections.) At first here are the Nmap results:
Lab Setup
I used Nmap version 7.60 from a Ubuntu server 16.04.3 LTS laptop which was on the same layer 2 network as the receiver, both plugged in via cables. The Yamaha device was a R-N500 Network Receiver with firmware version 1.13. In summary I did four scans:
- 2x while the receiver was in standby mode, one with default speed timing (T3) and one with a slower speed -T2 to be sure that the IoT device is not overloaded, and
- 2x while the receiver was on though nothing actively playing, again with both timing templates.
Since I used TCP & UDP scanning, my Nmap commands looked like that:
1 |
nmap -sS -sU -A -oN Yamaha-standby.txt 192.168.7.12 |
Nmap Results
There were no differences between the “standby” and the “on” scan, nor between the two timing scans, except an added sentence about the “Aggressive OS guesses” at the -T2 run. And a single port difference for RTSP which I will explain after the results:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
# Nmap 7.60 scan initiated Thu Nov 30 10:14:09 2017 as: nmap -T2 -sS -sU -A -oN Yamaha-on-T2.txt 192.168.7.12 Nmap scan report for 192.168.7.12 Host is up (0.00073s latency). Not shown: 1995 closed ports PORT STATE SERVICE VERSION 80/tcp open http Yamaha AV receiver web ui 3.1 (model: R-N500) |_http-server-header: AV_Receiver/3.1 (R-N500) |_http-title: Site doesn't have a title (text/html). 1029/tcp open rtsp Apple AirTunes rtspd 141.9 (Apple TV) |_rtsp-methods: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET 1900/tcp open tcpwrapped 8080/tcp open http Pioneer VSX-921, Denon DNP-720AE, or Marantz AV7005 AV receiver http config |_http-open-proxy: Proxy might be redirecting requests |_http-title: Site doesn't have a title (text/html). 50000/tcp open ibm-db2? MAC Address: 00:A0:DE:DE:54:13 (Yamaha) Aggressive OS guesses: Denon CEOL RDC-N8 audio system (98%), Yamaha RX-S600 or Denon AVR-1912 or AVR-2312 audio receiver (98%), Audio receiver: Bose Soundtouch 20, Bowers & Wilkins Zeppelin Air, Denon AVR-1900-series, Marantz NR1602, or Pioneer VSX-921 (94%), Denon AVR-2113 audio receiver (93%), Yamaha RX-A2040 AV receiver (92%), D-Link DWL-G810 WAP (92%), D-Link DWL-900AP+, Planet WAP-1966, or USRobotics USR5450 WAP (90%), Denon AVR-3808CI audio/video receiver, Philips SLA5500 or SLA5520 Wireless Music Adapter or WAK3300 wireless alarm clock, or Terratec NOXON audio system (90%), TRENDnet TEW-432BRP WAP (ThreadX) (90%), Polycom VSX 8000 video conferencing system (89%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/h:yamaha:r-n500, cpe:/o:apple:mac_os_x TRACEROUTE HOP RTT ADDRESS 1 0.73 ms 192.168.7.12 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Nov 30 10:31:27 2017 -- 1 IP address (1 host up) scanned in 1039.05 seconds |
Nmap found only open TCP ports (which is quite common since UDP is stateless). That is:
-
- TCP Port 80, HTTP: A small web server on which you can rename the host, set the IPv4 address, and perform a firmware update.
- TCP Port 1029 or 1030, RTSP: As you can see in the Nmap output: Apple AirPlay is listening here with certain methods. Note that one scan revealed port 1029 while some other scans showed port 1030. Don’t know why.
- TCP Port 1900: tcpwrapped. Hm, difficult to say since it is denied.
- TCP Port 8080, HTTP-ALT: There is a web server which only answers with a header “PRESENTATION PAGE” without any content when queried via a web browser. To my mind this has something to do with either UPnP or with the Yamaha App for iPhone from which the user can control the receiver. (More to come on my subsequent blogpost.)
- TCP Port 50000: I have absolutely no idea. ?
The OS guessing from Nmap is quite good since it lists Yamaha among others. The HTTP header itself reveals the model of this device: “R-N500”.
Featured image “Constitución Plaza” by Tom Bradnock is licensed under CC BY-NC-ND 2.0.
this http://g33ksblog.blogspot.com/2013/08/yamaha-network-control.html
and this one might be interesting for you
http://www.sdu.se/blog/remote-control-for-yamaha-receiver/
Port 50000 is for Yamaha’s YNCA protocol. You can telnet to the port and issue YNCA commands.
Hi, do you have any idea how can I access my Yamaha r-n303d from the world? Not locally.
I want to use Yamaha Extend Control to power it on/off when I am outside of my home
I haven’t tried something like this by myself. If the remote protocol is unicast based (rather than multicast/broadcast) it might work through a VPN. If you have a working remote access VPN to your home (either through IPsec or WireGuard or similar), you can give it a try.