protocol used by airport express and airport utility

I am trying to learn the protocol used between airport utility and airport express. I am curious to know the underlying protocol and port number used for communication. Is there any spec for this available?


Posted on Aug 15, 2015 7:32 PM


Aug 16, 2015 4:02 AM in response to skarody

Nothing is revealed.


Apple has a unique system for connecting to the airport.. so as to avoid using HTML pages.


The Airports contain a command interpreter.


The protocol may be called ACP.


see https://tools.ietf.org/html/draft-kaaps-acp-01


But it is very proprietary and no info leaks out of apple on such things.


Inside that is a huge amount of information. I can link you to it.. but it is not easy.


First of all learn about the natutil

Terminal command to check Apple router status. natutil


That actually gives a lot of insight into what is happening.


Apple do not actually open port 23 for telnet.. it is opened on port 5001


Port Scan has started…


Port Scanning host: 192.168.2.201


Open TCP Port: 5001 commplex-link

Open TCP Port: 5009 winfs

Port Scan has completed…


Do the port scan yourself.. just use the network utility.


Then you can explore deeper by soldering in a console port.


http://embeddedideation.com/2014/03/dissecting-the-airport-express/


And when you do that you will come face to face with the dragon.


aegen5router# acp

acp [-q] <code>[=<value>] ...

acp acpprop [match] -- Search or list an ACP property by code or name

acp corrupt_hfs

acp crash [align]

acp error [match] -- Search or list an error code by number or name

acp monotime

acp notelisten [name] -- Listen for distributed notifications

acp notepost <name> [...params] -- Post distributed notifications

acp postevent <code> [string]

acp remove <code>

acp setplistvalue prop path value -- Sets <value> inside <prop> plist at <path>

acp rpc functionName [name:type:value] ...

acp rc name [cmd] -- Remote Control

acp rs name [cmd] -- Remote Show

acp static [[-remove] variable[=value]]

acp stdlog

acp sysctl <process> <variable>[=<new value>]

showrpcs -- Show all RPCs and their states


If you actually put in a command like


aegen5router# acp static

apple-minver=76000.14

apple-sn=C0PJF05xxxx

apple-sku=APAC

ethaddr=70:73xxxxx


And if you want to see all commands type acp prop


There are hundreds of commands..


Extract the setup from the Airport by using export configuration in the airport utility and you can see what some of the values are.

Aug 16, 2015 4:51 AM in response to LaPastenague

I forgot to add.. some of this is being dumped by airport utility to apple on your behalf.


You can see it only on the latest airports.. and only via the airport utility in ipad.


User uploaded file


As you can see these keep repeating with different time stamps.. open one of the documents.


User uploaded file


Plenty of info.. and somehow you agreed for apple to get it all.. natty eh how that got missed by 99.999% of people.

Aug 18, 2015 7:24 PM in response to skarody

I played with the airport extreme and these are my findings:


1. Is the protocol used by natutil and airport utility to talk to the airport express encrypted? I think it is encrypted but would like you to confirm it.

2. Is it possible to talk to airport express from a non apple computer?

3. The only way to gain access is to open the airport express and connect to the header and get console access. Is this correct?

4. When I did a port scan I saw that port 5001 is not open.


Starting Nmap 6.40 ( http://nmap.org ) at 2015-08-18 19:00 PDT

Nmap scan report for 10.0.1.1

Host is up (0.0016s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

53/tcp open domain?

5000/tcp open rtsp Apple AirTunes rtspd 105.1 (Apple TV)

| rtsp-methods:

|_ ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET

5009/tcp open airport-admin Apple AirPort or Time Capsule admin

10000/tcp open snet-sensor-mgmt?

| ndmp-version:

|_ ERROR: Failed to get host information from server

Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/o:apple:mac_os_x



Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 149.81 seconds

Aug 18, 2015 7:25 PM in response to LaPastenague

Thanks to your help I am learning new stuff.


I played with the airport extreme and these are my findings:


1. Is the protocol used by natutil and airport utility to talk to the airport express encrypted? I think it is encrypted but would like you to confirm it.

2. Is it possible to talk to airport express from a non apple computer?

3. The only way to gain access is to open the airport express and connect to the header and get console access. Is this correct?

4. When I did a port scan I saw that port 5001 is not open.


Starting Nmap 6.40 ( http://nmap.org ) at 2015-08-18 19:00 PDT

Nmap scan report for 10.0.1.1

Host is up (0.0016s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

53/tcp open domain?

5000/tcp open rtsp Apple AirTunes rtspd 105.1 (Apple TV)

| rtsp-methods:

|_ ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET

5009/tcp open airport-admin Apple AirPort or Time Capsule admin

10000/tcp open snet-sensor-mgmt?

| ndmp-version:

|_ ERROR: Failed to get host information from server

Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/o:apple:mac_os_x



Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 149.81 seconds

Aug 19, 2015 5:25 AM in response to skarody

1. Is the protocol used by natutil and airport utility to talk to the airport express encrypted? I think it is encrypted but would like you to confirm it.

Could be.. I have not used wireshark on it.. but I would not be surprised.


2. Is it possible to talk to airport express from a non apple computer?

Yes, the airport utility is available for windows.. the natutil is exclusive to Mac though.


3. The only way to gain access is to open the airport express and connect to the header and get console access. Is this correct?

Yes.. but once in.. well some more options are open to you.. !!


4. When I did a port scan I saw that port 5001 is not open.

Sorry I am getting lost perhaps on that one. It is hard to figure which port can be used.. 445 and 5009 are both to do with the MS file system, or directory services.


I reset a TC to factory..


Port Scan has started…


Port Scanning host: 10.0.1.1


Open TCP Port: 53 domain

Open TCP Port: 139 netbios-ssn

Open TCP Port: 445 microsoft-ds

Open TCP Port: 548 afpovertcp

Open TCP Port: 5009 winfs

Port Scan has completed…


Not sure ..


You can contact me via email in my website.


https://sites.google.com/site/lapastenague/a-deconstruction-of-routers-and-modems
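
Added example (not part of any post in this thread): a short Python script that parses the three port-scan listings quoted above, in both Network Utility and nmap formats, and reports which ports are open on every device. The scan text is copied from the posts; the names `parse_scan` and `compare` are made up for this example.

```python
import re

# Scan outputs copied from the posts above (Network Utility and nmap formats).
SCANS = {
    "192.168.2.201 (Network Utility)": """\
Open TCP Port: 5001 commplex-link
Open TCP Port: 5009 winfs
""",
    "10.0.1.1 (nmap 6.40)": """\
53/tcp open domain?
5000/tcp open rtsp Apple AirTunes rtspd 105.1 (Apple TV)
5009/tcp open airport-admin Apple AirPort or Time Capsule admin
10000/tcp open snet-sensor-mgmt?
""",
    "10.0.1.1 (factory-reset TC, Network Utility)": """\
Open TCP Port: 53 domain
Open TCP Port: 139 netbios-ssn
Open TCP Port: 445 microsoft-ds
Open TCP Port: 548 afpovertcp
Open TCP Port: 5009 winfs
""",
}

NETUTIL = re.compile(r"^Open TCP Port:\s+(\d+)\s+(\S+)")
NMAP = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def parse_scan(text):
    """Return {port: service_label} for either output format."""
    ports = {}
    for line in text.splitlines():
        m = NETUTIL.match(line.strip()) or NMAP.match(line.strip())
        if m:
            # nmap appends "?" when it is guessing the service name
            ports[int(m.group(1))] = m.group(2).rstrip("?")
    return ports

def compare(scans):
    """Return (ports open in every scan, {port: {scan_name: label}})."""
    parsed = {name: parse_scan(text) for name, text in scans.items()}
    common = set.intersection(*(set(p) for p in parsed.values()))
    labels = {}
    for name, ports in parsed.items():
        for port, label in ports.items():
            labels.setdefault(port, {})[name] = label
    return common, labels

if __name__ == "__main__":
    common, labels = compare(SCANS)
    for port in sorted(labels):
        print("ALL" if port in common else "   ", f"{port:>5}", labels[port])
```

On these listings only port 5009 appears in all three scans; Network Utility names it winfs, while nmap's service detection reports it as airport-admin.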
