B&K DAS240-BAT RoadTest-in-Depth: Ch4 – Remote Control Interfaces & Software

This section goes into depth regarding the various remote control and network access features of the DAS240-BAT, including the bundled software.

Ethernet (LAN) or 802.11b/g/n Wireless (Wi-Fi) Option

For remote control access, the DAS240-BAT offers an inbuilt 10/100Mbit/s Ethernet interface via an RJ-45 socket on the rear panel. While there are USB-A host connectors for connection to devices, the device does not offer a USB-B device-side connection for remote control.

Instead, it is possible to purchase a Wi-Fi adapter option from B&K Precision / Sefram under order code 902402000 which plugs into the USB-A connector and connects the recorder to a network via 2.4GHz 802.11 b/g/n Wi-Fi. While the manual does allude to its Wi-Fi connectivity, it’s interesting to note that this option is not listed on the datasheet itself, as if the option may have been depreciated. Unfortunately, this item does not seem widely available, being on backorder at most distributors at an expensive price with none shipping into Australia to my knowledge.

I was able, after some work, to obtain a compatible Wi-Fi adapter from a third-party to test the Wi-Fi connectivity feature. For more information regarding compatible Wi-Fi adapters, refer to Ch7 – Teardown post.

HTTP Server

The recorder can be accessed via a standard web browser (in this case, Mozilla Firefox) using the un-encrypted HTTP protocol on Port 80, where a file listing is presented.

Folders can be expanded to view their contents and files can be downloaded by clicking on them. No password is required, although there is no provision to delete or upload files, thus minimising the danger to potential unauthorised access to saved data and screenshots.

Download speeds from the recorder reached 4.8MB/s over Ethernet and 2.6MB/s over Wi-Fi.

FTP Server

The device offers an unencrypted FTP server on Port 21 for more flexible file management, permitting the downloading, uploading and deletion of files via an FTP client or through the operating system. Testing of FTP functionality was done with FileZilla.

Anonymous login is permitted, with no checks on the password. No FTPS is offered.

Data transfer rate was much faster than via HTTP, reaching 8.5MB/s on Ethernet and 2.9MB/s on Wi-Fi.

It was even possible to upload files into the storage of the device. This is perhaps not optimal, as it means that anyone on the network can download the files on the storage, delete them or fill up the storage without any credentials.

VNC Server

Virtual Network Computing (VNC) is a cross-platform remote framebuffer (RFB) protocol, ordinarily operating over TCP port 5900 which allows for sharing a remote screen while offering keyboard and mouse control capabilities. The DAS240-BAT offers a VNC server as a way to remotely interact with its touch-screen oriented interface. Access is secured by a password of up to eight characters. The server was tested with UltraVNC Viewer as the client.

Connecting via UltraVNC was successful, with the remote target reporting the name of “Colibri”. The device does not appear to plot its cursor, thus without a local cursor, it can be difficult to know where the mouse is. Screen updates come through fairly swiftly, with only a short delay and the occasional screen tearing. Long remote-control sessions were achieved with no problems.

The device itself displays the set VNC password when accessing the menu option to set the password. I don’t suggest setting a sensitive password, as it can be retried from the recorder. Initially, I received the recorder with a corrupted password that displayed as mostly squares – resetting the password to something sensible was necessary to allow VNC connections to be established.

If too many incorrect password attempts are registered, the VNC server will lock out any further connection attempts with a “Too many security failures” error until expiring its back-off timer or until the unit is restarted.

Modbus Server

For the remote reading of values, the DAS240-BAT offers a Modbus TCP Server which can be toggled on or off via the Setup menu. This server operates on port 502 using the de-facto standard Modbus protocol and requires a client to connect and read values from it.

B&K Precision’s Github page has a repository titled DAS220-BAT-and-DAS240-BAT. In the Modbus folder, there is a file named modbusTest.py, however, this looks like a minimally changed example from the uModbus documentation front page and does absolutely nothing specific for the DAS-series recorders. In fact, it calls tcp.read_multiple_coils function, even though the DAS has no coil data type and only implements register and discrete data types. As a result, it can be concluded that B&K Precision does not provide a Modbus client example at this time and users must develop their own.

During development of my own Modbus client, I discovered a discrepancy in the final address listing in the manual and reported this to B&K Precision for rectification.

My code uses PyModbus instead of uModbus and is as follows:

# Simple Modbus Client for B&K DAS240-BAT using PyModbus
# by Gough Lui - December 2019

# DAS240-BAT Modbus default port = 502
# Modbus Register Addresses
# Channel n is at address 6+2(n) MSB & 7+2(n) LSB for channels 1-204
# Logical channel is at address 7+n for channels 1-12

from pymodbus.client.sync import ModbusTcpClient as ModbusClient
import struct

# Connect to Client Address - Change to match your settings!
client = ModbusClient('192.168.0.100', port=502)
client.connect()


# Read and print all Analog Channels
for chan in range (1,21) :
  rb = client.read_input_registers(6+2*chan,2)
  assert(not rb.isError())
  value = struct.unpack('!f',struct.pack('!I',(rb.registers[0]<<16)|rb.registers[1]))[0]
  print("The value of channel "+str(chan)+" is "+str(value))

# Read and print all Functions Channels
for chan in range (201,205) :
  rb = client.read_input_registers(6+2*chan,2)
  assert(not rb.isError())
  value = struct.unpack('!f',struct.pack('!I',(rb.registers[0]<<16)|rb.registers[1]))[0]
  print("The value of channel "+str(chan)+" is "+str(value))

# Read and print Logical Data
for chan in range (1,13) :
  rb = client.read_discrete_inputs(7+chan,1)
  assert(not rb.isError())
  value = rb.bits[0]
  print("The value of logical channel "+str(chan)+" is "+str(value))

# Close Modbus Client when Done
client.close()

Reading values was successful and a modified version of this was used to automate instrument performance testing with SCPI-controlled instruments. One downside appears to be that the DAS240-BAT appears to return a full-scale value for out-of-range, making it impossible to determine if the return value is a true value or not. I have suggested that they implement out-of-range values as a NaN return value instead as some other instruments do this and the choice of an arbitrary value is often a poor choice.

An example for National Instruments LabVIEW is provided, although as I am not a LabVIEW user, I did not test it.

NTP Client

As an alternative to setting the time on the DAS240-BAT manually, it is possible to connect it to a network and synchronise time with an NTP server. To do this, an NTP server needs to be entered into the Settings of the recorder.

I found that this option seems to work fine, although only for NTP server IP addresses and not hostnames when used with a static IP configuration as no DNS configuration is accommodated within the recorder’s interface. I have noted this limitation to B&K Precision for potential improvement.

DASLab

The SeframViewer / DASLab package is a combined package that installs both programs in the one installation. At the time of writing, the combined package is V1.2 from Sefram’s website and V1.1 from B&K Precision’s website. Looking at the Software Updates page on Sefram’s site, there is a newer version of SeframViewer (V3.0) available that can be installed afterward. I have asked them to ensure versions are consistent into the future.

Installation went smoothly on a machine running Microsoft Windows 10.

Opening DASLaB greets you with a screen that has two choices – Pilot and Viewer. Selecting Pilot keeps you in DASLab, allowing you to remotely configure, view measurements and manage files, while selecting Viewer will instead launch SeframViewer. On my first launch, it was in the French language, which can be changed to English by selecting Language in the side hamburger menu.

The first step is to establish a connection with the DAS240-BAT which requires setting the IP address of the device. Initially, I was entering the IP address using all three digits in each section resulting in a connection error (as the software interprets octets entered as 008-099 as octal and makes a connection to the incorrect address). I was then informed by another reviewer that they managed to get it to work by pressing the right arrow key to skip unused places and that made it work just fine. This has been reported to B&K Precision for improvement.

Once a successful connection has been established, we are greeted with a description of the unit with a link to the manual and an opportunity to configure the attached number of channel modules.

The next feature is “Array of channels” which allows you to configure channel set-up via the PC. Unfortunately, reconfiguration on the computer is a little less straightforward than expected, as not all channel features are exposed in this view (e.g. math features, max/min range) and some entry boxes have values that are hidden outside of the viewable area (e.g. the boxes with m are actually 100m). There is no way to commit a bulk set of changes to all channels or ability to select hardware-appropriate range numbers from a selection. Changes made in this screen and the others that follow are not made immediately and instead need to be sent to the DAS once ready using the selection in the left hamburger menu.

The “Setup channels” feature allows for more specific channel feature configuration on a channel by channel basis. The “Trigger” menu allows for configuring the sampling rate for recording and start/stop trigger features.

The “Setup screen” menu allows for the configuration of the number of display screens and the inclusion of a given channel onto one of two custom screens. The “Files manager” option connects to the unit via FTP, allowing for files to be downloaded to the computer.

The “Channel monitoring” feature polls the recorder for values every update interval (set to 100ms by default) and either shows it on a numeric display (labelled “DMM”) or plots it locally on a chart. This is different to viewing the display remotely via VNC, as this retrieves the actual measurements and plots them rather than retrieving the screen as displayed on the unit.

It was discovered that the process of reading and sending the setup to the unit uses the Telnet Port 22 server on the device, with the command readsetup ? and SENDSET being used without any authentication. This implies that anyone on the network that can identify the IP address of your DAS-device could rewrite the configuration remotely.

Unfortunately, I attempted some reconfiguration of channel parameters using DASLaB, but when making numerous rather complex changes, it seems possible to create a corrupted configuration that would not completely load onto the DAS240-BAT or perform as expected. As a result, the software feels somewhat unrefined and unfinished, especially when combined with the strange localisation and IP address issues.

SeframViewer

SeframViewer is the other half of the software provided by B&K Precision / Sefram and is used for working with the .rec data files generated by the DAS240-BAT.

For testing, I used both Version 2.8 (as packaged with DASLaB V1.2) and Version 3.0. The software has poor English localisation throughout, resulting in “Contactener” instead of concatenate or join for example.

While loading a file, it is possible to configure several options including the range, whether each channel is plotted overlaid over another or on an individual plot and the ability to “undersample” the input file (i.e. decimate) to reduce the data volume. Note the extensive use of “Abort” and “Valid” instead of cancel and OK. The loaded data is displayed in a scope-trace like display.

It is possible to make measurements on the data using cursors and calculation features. It is also possible to add annotations to the graph, which can be saved and exported. Some of the menus are oddly transparent for some reason.

It is possible to perform basic mathematical operations on traces as well. A HTML help is included, although it is very basic and contains copious translation issues as well.

The display can be further customised through the tabbed dialogue of options. The screen can be printed or exported to bitmap through the menu.

Export to a number of formats including Excel, .csv and Text is available, which takes a while on longer data files. The recorded .rec files appear to be encoded or compressed in some way, thus cannot seem to be opened by anything else. Export to Excel is limited to 1048000 rows, although no warning is provided during export to indicate the export is incomplete.

Export to .csv under Version 2.8 were unusable, as the delimiter was a period ‘.’ while the decimal point was also ‘.’ thus making it impossible to distinguish. In Version 3.0, a feature was added to change the .CSV delimiter, although attempting to configure or export a .csv file would result in a crash. This has been reported to B&K Precision for rectification. Export to Text results in a tab-delimited file which contains the full array of data and can be imported to other software.

FlexPro

The Sefram website also lists FlexPro 2019 for download under the DAS240 page. This is a third-party data analysis package from Weisang GmbH.

The software installation does not come with a license, however, a 30-day evaluation license is available. I didn’t feel it was worth cluttering my system with yet another data analysis package that I would have to learn, as I am already quite happy with Microsoft Excel, MATLAB, Python and R-Studio. As this was not software from B&K Precision or Sefram, I did not do any further testing of it.

Security Testing & Concerns

While using and testing the unit, a number of issues and concerns were discovered regarding the instrument’s network connectivity features.

For one, it appeared to be exposing an SMB1 share of some sort, although the password and username for access is not known. This is a depreciated protocol and should no longer be used.

It was also possible to crash the operating software remotely, allowing access to the underlying Windows Embedded Compact (CE) 7 operating system via VNC or connected USB keyboard and mouse.

There, it was also determined that the device issued DHCPv6 address requests and configured itself for a SLAAC IPv6 link-local address, announcing this to the network, despite having no user interface choices for IPv6 capability or to disable it. This could lead to the device registering and obtaining an internet-routed address and being subject to attack via the internet.

Despite appearing to allocate itself an IPv6 address, many of the services were not available or operating correctly over IPv6. However, it became possible to crash the IP stack entirely via the network, knocking the recorder offline from both IPv4 and IPv6 networks until it is rebooted.

While the unit has its operating system and software images in Flash, mounted as ROM to minimise the chances for permanent damage or alteration of the system itself, such observed behaviour does suggest that the operating system and application software is perhaps not as safe or as robust as necessary to enable connection to untrusted networks to avoid potential risk to the network’s security or to the measurement task being undertaken. These findings have been reported to B&K Precision, although a response has not yet been received.

A more comprehensive look at the results of a network scan can be found in Ch7 - Teardown.

Conclusion

The recorder features an inbuilt 10/100Mbit/s Ethernet interface with the option for a USB 802.11b/g/n Wi-Fi interface. Configuration of the interface is available via DHCP or static IPv4 addressing. Over this connection, the DAS240-BAT provides access to files via HTTP (web browser) at up to 4.8MB/s over Ethernet and 2.6MB/s over Wi-Fi and via FTP at up to 8.5MB/s over Ethernet and 2.9MB/s over Wi-Fi. Access to the screen and user interface is provided via VNC server, which is protected by a password up to 8-characters (visible in the configuration menu), allowing for remote front-panel operation. A Modbus Server allows for access to channel readings directly via a de-facto standards protocol. An inbuilt NTP client allows for time synchronisation over the network as well. This arrangement generally works well to allow the device to be used and accessed remotely.

The unit is supported by DASLaB and SeframViewer. The DASLaB package allows for remote re-configuration of the device, file management and plotting of values. The SeframViewer application allows for reading the .rec files generated by the recorder, plotting the data, performing basic analysis and annotations and exporting the data for analysis in third party applications. Unfortunately, I ran into problems with both software packages including problems with IP-address configuration issues, recorder set-up corruption and incomplete displays in DASLaB; and some semi-transparent windows and .csv export issues with SeframViewer. Both software packages lack polish and suffer from numerous localisation errors when used in the English language. The downloads on both B&K Precision and Sefram’s sites differ in versions, so it can be hard to ensure you have the latest version of the software. The downloadable FlexPro software listed on their site is a third-party data analysis package without any supplied license and testing of this software was not undertaken. Their GitHub provides sample code for Modbus connection using National Instruments LabVIEW and Python, although it seems the Python example using umodbus was not actually customised for the DAS at all. The LabVIEW code was not tested, however, the specifications were sufficient to design your own Modbus client noting a minor error in address calculations in the documentation.

Unfortunately, it seems that the network connectivity is not as robust or as secure as it should be. Aside from the password-less access via HTTP to the stored data, the FTP anonymous access allows for file modification, deletion and upload as well. The recorder’s Modbus server does not appear to report over/under-range conditions properly, while the NTP client does not appear to work with hostnames when a static IP is configured as no DNS servers can be entered. Even more interesting, the unit serves an unauthenticated Telnet-style interface for configuration pulls and pushes, participates in SMBv1 sharing with an unknown username and password, requests and configures its own IPv6 address (which may expose it to the internet directly in some cases). Add to this the fact that I was able to crash the software running on the DAS240-BAT and crash the networking stack, taking the recorder offline entirely, this does not suggest that the unit would be safe to connect to networks containing untrusted peers.

---

This post is part of the B&K Precision/Sefram DAS240-BAT Multi-Channel Recorder RoadTest Review.