Request a bit of help getting a Modbus TCP write working correctly
-
It strikes me as odd the device cannot be set to remove the arbitrary restriction. Unless the transmission of this access code is encrypted (and then we're missing part of the puzzle) it seems a little bizarre. Edit: I'm somewhat of a novice to the wider world of modbus devices, for full disclosure. But I do try to help :)
-
Hi phildunlap
It is a little odd; unfortunately these devices are proprietary and I'm stuck with what they give me.
Just had success reading and writing from a standalone Modbus simulator, and the device accepted a single write in both modes 6 and 16 to kick off the comms, so I'm not sure why this same technique is not working in Mango.
The controller also rejected any data but '0' from the standalone module, so that's encouraging.
Mango writes OK, but then won't read. That strikes me as odd, so maybe I'm doing something else wrong.
I tried writing the password with the Modbus program then reading with Mango; it didn't work, but I suspect it requires both requests from the same IP.
Anyhow, thanks again for looking at this. A bit more brute ignorance applied to this may get it working and I may end up learning something in the process.
Cheers
Ian
-
You may want to experiment with lowering the max read and write registers, possibly to 1 for the points to write.
-
Here are a couple other things you could try.
If you are using the latest version of Mango and Modbus there is a Write Test tool on the data source settings. See if you can write to the password register there. If not then you have other issues.
When adding the data point make it a Write Only register. I'm assuming that you can't read this register, and setting it as write only should prevent Mango from trying to read it at every poll.
Set your Max Write Register count to 1. This will ensure your write commands come across as individual commands.
First try the test tool and let us know if that works.
Thanks,
Joel.
-
Hi phildunlap and JoelHaggar
Thanks for your help on this, I missed your replies the other week and have spent a bit of time trying to sort this out.
After using Wireshark to look at the packets being sent from a Modbus sim and then from Mango it got especially confusing, as the packets being sent to write the password were functionally identical and were accepted and verified, but when the packets were sent to read a value they too were identical but one was accepted and the Mango one was rejected. Just nuts.
Anyhow, after a bit more work and using the official Modbus testing tool from the company whose controller I'm trying to talk to, it looks like the official method of writing a password to this control is not currently supported by Mango.
This is to write a 16 byte unsigned reversed to address 6338 or address 24534 with a value of 12288.
As Mango tops out at an 8 byte then this method won't work.
It's a shame as this has a lot of potential as a nice application.
Once again thanks for your help and if I can get it working with 2 byte verification (it really should) I'll let you know.
Next step: the next brand controller in the group of them. Hope this one is easier.
Cheers
-
Yikes, how confounding... I don't suppose their program has an api?
-
Hi phildunlap
Thanks for still taking an interest.
I don't think an API has been written for this, or at least not released. They tend to limit coms from outside their proprietary software to Modbus with various commercial modbus to CanBus/ProfiBus/SNMP converters being the favored means of connection.
You may know: is there any information about Modbus-specific commands available for scripting?
Cheers
-
I'm not sure. After reading modbus i/o logs, my first instinct would be to turn to extending the modbus4j library for the 16 byte data type, if I thought that would solve it, but then, I'm not too versed in modbus.
Well, happy hacking :D
-
Sounds like this device has deviated quite a bit from standard modbus protocol so it would probably be better to write a datasource specific for it.
-
Hi JoelHaggar
Thanks for that, when you talk of writing a datasource I take it that's not at my level of ability.
How would I go about getting this done? Would I need a developer?
Cheers
-
It's something we could probably develop for you without too much trouble. Feel free to contact me directly to discuss. http://infiniteautomation.com/index.php/contact-us
Thanks,
Joel.
-
Hi Joel
Thanks for that, I've emailed you.
Cheers
-
If you are using Modbus TCP then I would assume you are using the IB-Lite interface card?
If so then I have found that you can disable the password feature which I think will solve your problem.
You can do this via a non-obvious list of settings found at: {IP of IB-Lite}/SP_CONFIG.html. The default password is 'comap'.
Also, it's worth pointing out (this took me longer than it should have to work out..) that Comap use a different address offset to Mango, so you need to point Mango to the register 'before' the one you wish to read.
For example, if the Comap document says that a parameter is at register 40227, then Mango should be pointed at register 226.
Hope this helps.
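Added example, not part of the original post and not code from Mango or Modbus4j: a Python helper that applies the offset rule above (40227 becomes 226) and decodes Modbus TCP write requests for function codes 6 and 16, so two captured frames can be compared field by field. The transaction ids, unit ids and the value 7 are constructed sample values.

```python
import struct

def doc_register_to_address(reference):
    """4xxxx holding-register reference (1-based) -> 0-based protocol address."""
    if not 40001 <= reference <= 49999:
        raise ValueError("not a 4xxxx holding-register reference")
    return reference - 40001

def build_write(tid, unit, address, values, function=16):
    """Modbus TCP write request: function 6 (single) or 16 (multiple)."""
    if function == 6 and len(values) == 1:
        pdu = struct.pack(">BHH", 6, address, values[0])
    elif function == 16 and values:
        pdu = struct.pack(">BHHB", 16, address, len(values), 2 * len(values))
        pdu += struct.pack(f">{len(values)}H", *values)
    else:
        raise ValueError("unsupported function code or register count")
    # MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def decode(frame):
    """Split a write request into named fields, rejecting inconsistent lengths."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length")
    out, body = {"tid": tid, "unit": unit, "function": fc}, frame[8:]
    if fc == 6 and len(body) == 4:
        address, value = struct.unpack(">HH", body)
        out.update(address=address, values=[value])
    elif fc == 16 and len(body) >= 5:
        address, qty, nbytes = struct.unpack(">HHB", body[:5])
        if nbytes != 2 * qty or len(body) != 5 + nbytes:
            raise ValueError("byte count does not match quantity")
        out.update(address=address, values=list(struct.unpack(f">{qty}H", body[5:])))
    else:
        raise ValueError("not a well-formed function 6 or 16 request")
    return out

def diff_frames(a, b):  # {field: (value_in_a, value_in_b)} for differing fields
    da, db = decode(a), decode(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}

if __name__ == "__main__":
    addr = doc_register_to_address(40227)  # the thread's example: 226
    single = build_write(1, 1, addr, [7], function=6)  # constructed frames
    multi = build_write(2, 255, addr, [7], function=16)
    print(addr, diff_frames(single, multi))
```

Bytes copied from a Wireshark capture (starting at the MBAP header) can be passed straight to `decode` or `diff_frames`.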
-
Hi there,
Thanks for your reply!
I know the units you are talking about and have installed them for a few clients, unfortunately this project is only about generators that synchronise so I'm talking to Woodward Easygen 3xxx, Comap IG/IS-NT (BB) and some of the newer Deep Sea (~8xxx).
However, it's a great tip about the IB-Lite and I'm certain to come across the need for it one of these days as these are getting more popular for BMS integration.
It seems the major issue is that the password for Comap is a 32 byte write and Mango at the moment can only do a 16 bit write due to the libraries it is currently using.
I'm looking to see if I can work around it with a modbus IP/RTU converter at the moment, not ideal but at this point I'll take what works.
Thanks for your help, it's appreciated.
-
Thanks for contributing that Jeremy!
Kawaru, the possibility does exist to extend the Modbus4j library to have that custom data type.
Between the two of you, are operations on 32 bytes something that would be otherwise useful to put into Modbus4j?
-
Ah, yes - Seems the IS-NT BB has its own onboard ethernet module. I realised after posting (when I skimmed through the IG/IS-NT BB reference guide) that this was so but wondered whether the 'hidden' service page still existed.
Coincidentally, I was just on the phone to Comap Australia and asked whether it is possible to disable the password on the IS-NT BB - the answer is yes, it is possible, and it is done in the same way as on the IB-Lite.. :D
Hope this helps!
@phildunlap said:
Between the two of you, are operations on 32 bytes something that would be otherwise useful to put into Modbus4j?
I appreciate the thought in asking, but I can't really offer any input - I'm really only just dipping my toes into Modbus myself. I haven't had any need to write any registers beyond basic binary bits.
Jeremy
-
Hi jeremyh
Awesome, thanks for that, very keen to try that now.
I'm away from home on another project at the moment but will be back mid next week, will try it and get back to you and let you know how it goes.
Thanks so much again, if there is anything I can do to help out in the future let me know.
I may still try and leave password protection in place where I can as having an open connection that someone can use to open a site mains breaker makes me more than a little uncomfortable.
Security by obscurity is fine till someone figures it out and I'm sure there is someone out there at the moment researching these types of vulnerabilities, and it probably can't be too hard to write a script to ping port 502 around the place and fiddle with the addresses you get replies from.
Still, it's a great workaround if I need one, superb :D
phildunlap
That's a great question, but I can't answer it at the moment, I'd like to look through all the controllers I'd like to talk to and see if any others use this data type (my feeling is they don't).
I can't recall seeing it anywhere else to date.
I'll start poking at the manuals when I get home next week.
Thanks all for the support, it really is appreciated.
-
@kawarau said:
I may still try and leave password protection in place where I can as having an open connection that someone can use to open a site mains breaker makes me more than a little uncomfortable.
Security by obscurity is fine till someone figures it out and I'm sure there is someone out there at the moment researching these types of vulnerabilities, and it probably can't be too hard to write a script to ping port 502 around the place and fiddle with the addresses you get replies from.
Have you considered changing your Modbus TCP server port from 502 to something non-standard? If you are accessing it behind a router you can usually set up a Dst-NAT rule for port forwarding which means you don't even need to touch the ComAp.
We use a VPN for all our remote sites and all the SIMs get IPs that are behind carrier-grade NAT. So devices are only reachable from inside our network. You can also get M2M SIMs (via M2MOne in Australia) that are provisioned with a private APN that automatically joins the modem to a VPN at the carrier level, no VPN client or router required :D
-
How did you go Ian?