After researching things further, and getting pointed in the right direction by Fenstergucker and shapirus, here's an updated / corrected list of what network ports the DHO800/900 exposes over Ethernet. Most folks here already know these but this compiled list could be useful for new folks.
- TCP port 21 = FTP (internal storage only, no USB stick support). Handled by tcpsvcd.
- TCP port 22 = SSH for shell access (and related technologies like scp should also work). Handled by sshd.
- TCP port 80 = HTTP. Handled by WebControl.apk.
- TCP and UDP port 111 = Port Mapper (use by LXI/VXI clients to find the LXI/VXI port). Handled by pmapService.
- TCP port 5555 = Raw SCPI. Handled by Sparrow.apk.
- TCP port 8080 = HTTPS. Handled by WebControl.apk.
- TCP ports 9001-9004 = WebSocket support for SCPI? Handled by WebControl.apk.
- TCP and UDP port 20712 = LXI / VXI remote proceedure call (RPC). This supports prognums for VXI Core, Async, and Interrupt interfaces (prognums 0x0607AF thru 0x0607B1). Handled by Sparrow.apk.
- TCP port 55555 = adb (Android Debug Bridge) for shell access, keystroke injection, pull/push files from/to the scope, etc. Handled by adbd.
FTP comments:
As mentioned, FTP only provides access to the internal storage location where users can save/load files (i.e., the "C:" drive). The FTP daemon is launched by
/rigol/shell/start_rigol_app.sh via one script line of
tcpsvd 0:21 ftpd ftpd -w /data/UserData/ &. It looks like it would be easy to run a 2nd FTP daemon on a non-standard TCP port to offer access to a USB drive. The only wrinkle would be putting it in a script that 1) first checks whether the USB is present and 2) uses the correct path since it varies from USB drive to USB drive (specifically, it varies by the USB VID and PID IDs of the drive).
pmapService comments:
pmapService (a.k.a. port mapper service) appears to be a simpler implementation of the typical port mapper. Rigol ships this program in its FW update file. It's so cut down that it doesn't list what programs are registered with it (i.e. DUMP command to prognum 100000 fails). It does support finding the LXI/VXI port (i.e. GETPORT returns port 20712) but it doesn't bother even checking what program number is being requested. You want the LXI/VXI Core program? It replies with port 20712. You want the grandma-recipes program? It also replies with port 20712. Hmmm. It's not a server-grade implementation... but then again it doesn't need to be and it gets the job done.
Raw SCPI comments:
Raw connections work best, such as Putty's Raw socket feature (or whatever client you prefer on your OS). Telnet clients can be used as a backup, but avoid binary transfers since the telnet client might misinterpret or mangle the data.
ADB comments:
The ADB client is a "Swiss Army knife" of tools. For example, if you want to use the scope's physical USB port for a USB drive instead of a USB keyboard and don't have a USB hub, you can run
adb input keyevent <keycode> to inject keystrokes into the scope's Android UI, including special keys. One example is
adb shell input keyevent KEYCODE_APP_SWITCH which will let you switch from one Android app to another. By default, Sparrow.apk is the only running app, but you can launch a WWW browser using
adb shell input keyevent KEYCODE_EXPLORER and then use KEYCODE_APP_SWITCH to switch back and forth. There is a great adb cheatsheet at
https://gist.github.com/Pulimet/5013acf2cd5b28e55036c82c91bd56d8#file-adbcommandsMisc comments:
Looks like there is NsdServiceInfo (mDNS?) filled out for
_http._tcp.,
_lxi._tcp.,
_scpi-raw._tcp., and
_vxi-11._tcp. setup on port 80. I didn't investigate deeply on these.
Home
Help
Search
Login
Register
Topic: Hacking the Rigol DHO800/900 Scope (Read 1606719 times)