Yamaha R-N500 Network Receiver Port Scan

During my analysis of Apple AirPlay connections to my Yamaha Network Receiver I was also interested in which TCP/UDP ports are opened on this audio device at all. Hence I did a basic port scan with Nmap for both transport layer protocols. (In an upcoming blogpost I am analyzing a packet capture from the Yamaha receiver which will show more details about the used ports and outgoing connections.) At first here are the Nmap results:

Lab Setup

I used Nmap version 7.60 from a Ubuntu server 16.04.3 LTS laptop which was on the same layer 2 network as the receiver, both plugged in via cables. The Yamaha device was a R-N500 Network Receiver with firmware version 1.13. In summary I did four scans:

  • 2x while the receiver was in standby mode, one with default speed timing (T3) and one with a slower speed -T2 to be sure that the IoT device is not overloaded, and
  • 2x while the receiver was on though nothing actively playing, again with both timing templates.

Since I used TCP & UDP scanning, my Nmap commands looked like that:

Nmap Results

There were no differences between the “standby” and the “on” scan, nor between the two timing scans, except an added sentence about the “Aggressive OS guesses” at the -T2 run. And a single port difference for RTSP which I will explain after the results:

Nmap found only open TCP ports (which is quite common since UDP is stateless). That is:

    • TCP Port 80, HTTP: A small web server on which you can rename the host, set the IPv4 address, and perform a firmware update.
    • TCP Port 1029 or 1030, RTSP: As you can see in the Nmap output: Apple AirPlay is listening here with certain methods. Note that one scan revealed port 1029 while some other scans showed port 1030. Don’t know why.
    • TCP Port 1900: tcpwrapped. Hm, difficult to say since it is denied.
    • TCP Port 8080, HTTP-ALT: There is a web server which only answers with a header “PRESENTATION PAGE” without any content when queried via a web browser. To my mind this has something to do with either UPnP or with the Yamaha App for iPhone from which the user can control the receiver. (More to come on my subsequent blogpost.)
    • TCP Port 50000: I have absolutely no idea. ?

The OS guessing from Nmap is quite good since it lists Yamaha among others. The HTTP header itself reveals the model of this device: “R-N500”.

Featured image “Constitución Plaza” by Tom Bradnock is licensed under CC BY-NC-ND 2.0.

4 thoughts on “Yamaha R-N500 Network Receiver Port Scan

  1. Hi, do you have any idea how can I access my Yamaha r-n303d from the world? Not locally.
    I want to use Yamaha Extend Control to power it on/off when I am outside of my home

    1. I haven’t tried something like this by myself. If the remote protocol is unicast based (rather than multicast/broadcast) it might work through a VPN. If you have a working remote access VPN to your home (either through IPsec or WireGuard or similar), you can give it a try.

Leave a Reply

Your email address will not be published. Required fields are marked *