Request a bit of help getting a Modbus TCP write working correctly
-
Hi all.
I'm a newbie to Mango, and am putting together a small implementation to get it talking to multiple remote machines for a power company here in New Zealand.
All these bits of equipment talk Modbus (TCP) and I've been having quite good success with several of them.
One thing that's giving me a bit of grief however is that one control unit I would like to talk to, and of course it's one of the more popular ones, requires a certain password is written to it before it allows modbus reads, and if there is no activity within 15 seconds then it terminates the connection.
So I have two issues.
- How to perform this particular write within Mango
- How to then monitor the communications and at startup or loss of coms send the password to re-initiate.
I guess the answer to 2) is to simply preface every message with the password? but then how do I get that working?
From the manual (Unit is a Comap IG-NTC-BB generator controller, information is at www.comap.cz if anyone is interested) the instructions are:
/Manual
Modbus/TCP access code
Every Modbus/TCP session has to be started with writing the access code from the modbus/tcp client
to the controller. If the session is closed and reopened again the access code must be written again.
The session can be closed by the client or the controller closes the session automatically if there is no
activity from the client side for 15s.
- There are new dedicated registers for entering the AccessCode via Modbus/TCP.
- The register numbers are 46339-46346 (register address 6338-6345).
- The previous method using register address 24535 remains working as well. [*NB: I am still looking for documentation on this application as it may be easier to implement]
- Example of the Modbus message is following (in HEX):
01 10 18 C2 00 08 10 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE F3
01 Controller address
10 Modbus function (16dec – Write multiple registers)
18C2 Register address (18C2hex = 6338dec = register 46339)
0008 Number of registers
10 Length of the data (Number of registers x 2B) [* not sure about this either, what is 2B and how does it relate to the registers?]
30000000... Access code string (16 chars, null-terminated, ASCII, here “0”) [*another mystery, what is the '3' for? if the password is '0' wouldn't all the characters be 0?]
FEF3 CRC
Some devices do not support the modbus function 16. In this case can be the access code
written in controller as one register No. 46339 using the function 6. The access code has to
be the number in the range 0 to 65535. [* This seems like a great idea but it seems Mango has only implemented functions 3 and 16]
/Manual
Any assistance, advice or pointers in the right direction would be greatly appreciated.
My apologies if these are a little simplistic.
Cheers
Kawarau
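The manual's example message decoded field by field, and the same write re-framed for Modbus/TCP, as an added example that is not part of the original post or of Mango or ComAp code. It shows why the length is 0x10 (8 registers of 2 bytes each) and why the data starts with 0x30 (ASCII "0"); the function names, the default transaction id and the rule that one null byte must remain are assumptions.

```python
import struct

# Example message copied from the manual excerpt in the post above
# (serial/RTU framing: controller address first, CRC last).
MANUAL_HEX = ("01 10 18 C2 00 08 10 30 00 00 00 00 00 00 00 00 "
              "00 00 00 00 00 00 00 FE F3")


def decode_write_multiple(frame: bytes) -> dict:
    """Split an RTU-framed function-16 request into named fields."""
    unit, func, addr, count, nbytes = struct.unpack(">BBHHB", frame[:7])
    if func != 0x10:
        raise ValueError("not a Write Multiple Registers request")
    data = frame[7:7 + nbytes]
    # Each Modbus register is 16 bits, so the byte count is registers x 2 bytes.
    if count < 1 or nbytes != count * 2 or len(data) != nbytes:
        raise ValueError("byte count does not match register count")
    return {
        "unit": unit, "address": addr, "registers": count,
        "byte_count": nbytes,
        # 0x30 is the ASCII code for the character '0'; 0x00 bytes are padding.
        "text": data.split(b"\x00", 1)[0].decode("ascii"),
        # The first register read as an unsigned 16-bit value.
        "first_register": struct.unpack(">H", data[:2])[0],
    }


def encode_access_code(code: str, unit: int = 1, address: int = 6338,
                       registers: int = 8, transaction_id: int = 1) -> bytes:
    """Build the same write as a Modbus/TCP ADU: MBAP header + PDU, no CRC."""
    raw = code.encode("ascii")
    size = registers * 2
    # Assumption: keep at least one 0x00 so the string stays null-terminated.
    if len(raw) >= size:
        raise ValueError("access code too long for the register block")
    pdu = struct.pack(">BHHB", 0x10, address, registers, size)
    pdu += raw.ljust(size, b"\x00")
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    print(decode_write_multiple(bytes.fromhex(MANUAL_HEX)))
    print(encode_access_code("0").hex(" "))
```

On the wire over TCP the controller address byte and CRC of the serial example are replaced by the 7-byte MBAP header; the bytes from the function code through the data are unchanged.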
-
This may be entirely useless, but I'm wondering what happens if...
- Create a modbus point that is your access point. I'm guessing it's a HOLDING_REGISTER at 6339 from the document, alphanumeric
- Create a script that runs every 15s and sets the access code to that point. (or a virtual point tied to a point link)
- Mission success?
-
Hi phildunlap.
Thanks for your answer :)
That sounds like what I was aiming for too. Unfortunately I can't even get the write to work at this point so that's the first hurdle.
I can write a two byte unsigned (edit: or signed) to 6338, but only with the data as "0" anything else is being rejected as 'illegal data address'
(Quick edit, writing to 6339/6337 and others has the same issue but Mango is 0 adjusted for modbus regs so I think 6338 is the right place. Writing anything but two bytes also causes 'illegal data address')
I may make up a script and work out how to do this anyway, it will be good practice, and test it on a Modbus RTU unit that I have working.
I will try and track down more info on how Modbus is implemented in Mango, see if that gives any pointers.
Again thanks for your assistance! It's good to know there is help out there when I'm stuck.
Cheers
Ian
-
It strikes me as odd the device cannot be set to remove the arbitrary restriction. Unless the transmission of this access code is encrypted (and then we're missing part of the puzzle) it seems a little bizarre. Edit: I'm somewhat of a novice to the wider world of modbus devices, for full disclosure. But I do try to help :)
-
Hi phildunlap
It is a little odd, unfortunately these devices are proprietary and I'm stuck with what they give me.
Just had success reading and writing from a stand alone Modbus simulator, and the device accepted a single write in both modes 6 and 16 to kick off the coms, so I'm not sure why this same technique is not working in Mango.
The controller also rejected any data but '0' from the stand alone module so that's encouraging.
Mango writes ok, but then won't read. That strikes me as odd so maybe I'm doing something else wrong.
I tried writing the password with the modbus program then reading with Mango, it didn't work but I suspect it requires both requests from the same IP.
Anyhow, thanks again for looking at this. A bit more brute ignorance applied to this may get it working and I may end up learning something in the process.
Cheers
Ian
-
You may want to experiment with lowering the max read and write registers, possibly to 1 for the points to write.
-
Here are a couple other things you could try.
If you are using the latest version of Mango and Modbus there is a Write Test tool on the data source settings. See if you can write to the password register there. If not then you have other issues.
When adding the data point make it a Write Only register. I'm assuming that you can't read this register and by setting as write only it should prevent Mango from trying to read it at every poll.
Set your Max Write Register count to 1. This will ensure your write commands come across as individual commands.
First try the test tool and let us know if that works.
Thanks,
Joel.
-
Hi phildunlap and JoelHaggar
Thanks for your help on this, I missed your replies the other week and have spent a bit of time trying to sort this out.
After using Wireshark to look at the packets being sent from a modbus sim and then from Mango it got especially confusing as the packets being sent to write the password were functionally identical and were accepted and verified, but when the packets were sent to read a value they too were identical but one was accepted and the Mango one was rejected. Just nuts.
Anyhow after a bit more work and using the official modbus testing tool from the company whose controller I'm trying to talk to it looks like the official method of writing a password to this control is not currently supported by Mango.
This is to write a 16 byte unsigned reversed to address 6338 or address 24534 with a value of 12288.
As Mango tops out at an 8 byte then this method won't work.
It's a shame as this has a lot of potential as a nice application.
Once again thanks for your help and if I can get it working with 2byte verification (it really should) I'll let you know.
Next step: the next brand controller in the group of them. Hope this one is easier.
Cheers
-
Yikes, how confounding... I don't suppose their program has an api?
-
Hi phildunlap
Thanks for still taking an interest.
I don't think an API has been written for this, or at least not released. They tend to limit coms from outside their proprietary software to Modbus with various commercial modbus to CanBus/ProfiBus/SNMP converters being the favored means of connection.
You may know, is there any information about modbus specific commands available for scripting?
Cheers
-
I'm not sure. After reading modbus i/o logs, my first instinct would be to turn to extending the modbus4j library for the 16 byte data type, if I thought that would solve it, but then, I'm not too versed in modbus.
Well, happy hacking :D
-
Sounds like this device has deviated quite a bit from standard modbus protocol so it would probably be better to write a datasource specific for it.
-
Hi JoelHaggar
Thanks for that, when you talk of writing a datasource I take it that's not at my level of ability.
How would I go about getting this done? Would I need a developer?
Cheers
-
It's something we could probably develop for you without too much trouble. Feel free to contact me directly to discuss. http://infiniteautomation.com/index.php/contact-us
Thanks,
Joel.
-
Hi Joel
Thanks for that, I've emailed you.
Cheers
-
If you are using Modbus TCP then I would assume you are using the IB-Lite interface card?
If so then I have found that you can disable the password feature which I think will solve your problem.
You can do this via a non-obvious list of settings found at: {IP of IB-Lite}/SP_CONFIG.html. The default password is 'comap'.
Also, it's worth pointing out (this took me longer than it should have to work out..) that Comap use a different address offset to Mango, so you need to point Mango to the register 'before' the one you wish to read.
For example, if the Comap document says that a parameter is at register 40227, then Mango should be pointed at register 226.
Hope this helps.
-
Hi there,
Thanks for your reply!
I know the units you are talking about and have installed them for a few clients, unfortunately this project is only about generators that synchronise so I'm talking to Woodward Easygen 3xxx, Comap IG/IS-NT (BB) and some of the newer Deep Sea (~8xxx).
However, it's a great tip about the IB-lite and I'm certain to come across the need for it one of these days as these are getting more popular for BMS integration.
It seems the major issue is that the password for Comap is a 32 byte write and Mango at the moment can only do a 16 bit write due to the libraries it is currently using.
I'm looking to see if I can work around it with a modbus IP/RTU converter at the moment, not ideal but at this point I'll take what works.
Thanks for your help, it's appreciated.
-
Thanks for contributing that Jeremy!
Kawarau, the possibility does exist to extend the Modbus4j library to have that custom data type.
Between the two of you, are operations on 32 bytes something that would be otherwise useful to put into Modbus4j?
-
Ah, yes - Seems the IS-NT BB has its own onboard ethernet module. I realised after posting (when I skimmed through the IG/IS-NT BB reference guide) that this was so but wondered whether the 'hidden' service page still existed.
Coincidentally, I was just on the phone to Comap Australia and asked whether it is possible to disable the password on the IS-NT BB - the answer is yes, it is possible, and it is done in the same way as on the IB-Lite.. :D
Hope this helps!
@phildunlap said:
Between the two of you, are operations on 32 bytes something that would be otherwise useful to put into Modbus4j?
I appreciate the thought in asking, but I can't really offer any input - I'm really only just dipping my toes into Modbus myself. I haven't had any need to write any registers beyond basic binary bits.
Jeremy
-
Hi jeremyh
Awesome, thanks for that, very keen to try that now.
I'm away from home on another project at the moment but will be back mid next week, will try it and get back to you and let you know how it goes.
Thanks so much again, if there is anything I can do to help out in the future let me know.
I may still try and leave password protection in place where I can as having an open connection that someone can use to open a site mains breaker makes me more than a little uncomfortable.
Security by obscurity is fine till someone figures it out and I'm sure there is someone out there at the moment researching these types of vulnerabilities, and it probably can't be too hard to write a script to ping port 502 around the place and fiddle with the addresses you get replies from.
Still, it's a great workaround if I need one, superb :D
phildunlap
That's a great question, but I can't answer it at the moment, I'd like to look through all the controllers I'd like to talk to and see if any other use this data type (my feeling is they don't).
I can't recall seeing it anywhere else to date.
I'll start poking at the manuals when I get home next week.
Thanks all for the support, it really is appreciated.
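A monitoring-side view of the concern in the last post about an open Modbus/TCP connection, as an added example that is not part of the thread: it inspects raw Modbus/TCP requests and raises an alert when a write function code arrives from a host that is not expected to write. The allowlist, the sample addresses and the sample frames are constructed for illustration.

```python
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Assumption: the only host expected to write to the controller.
ALLOWED_WRITERS = {"192.0.2.10"}


def inspect_request(src_ip: str, adu: bytes):
    """Return an alert string for a suspicious Modbus/TCP request, else None."""
    if len(adu) < 8:
        return f"{src_ip}: truncated Modbus/TCP frame"
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", adu[:8])
    # The MBAP length field counts the unit id byte plus the PDU.
    if proto != 0 or length != len(adu) - 6:
        return f"{src_ip}: malformed MBAP header"
    if func in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        target = struct.unpack(">H", adu[8:10])[0] if len(adu) >= 10 else None
        return (f"{src_ip}: {WRITE_FUNCTIONS[func]} to address {target} "
                "from a host not on the write allowlist")
    return None


# Constructed sample requests (source IP, raw ADU); not captured traffic.
SAMPLES = [
    ("192.0.2.10", bytes.fromhex("000100000006010300e20001")),     # read at 226
    ("192.0.2.10", bytes.fromhex("000200000006010618c23000")),     # allowed write
    ("198.51.100.23", bytes.fromhex("000300000006010618c23000")),  # unlisted write
    ("198.51.100.23", bytes.fromhex("000400010006010300e20001")),  # protocol id 1
]


def scan(samples):
    """Collect alerts for every request that inspect_request flags."""
    alerts = (inspect_request(ip, adu) for ip, adu in samples)
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```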