by

Modscan64



While exchanging with our customers on the best ways to interface industrial controllers, we noticed that nowadays the small secrets enabling you to use an RS485 interface were sometimes unknown from engineers implementing computer or internet based automation. So here is a quick remedial course...

What is RS485?

Welcome to WeMadeKit. WeMadeKit is a young and dynamic organization. We focus on creating the most innovative and reliable industrial utility to make your intouch easier to use and control. In the PC end, i am running ModScan64 software to read the data. I have only used the TA and TB port of Cb 1241 for communication. Problem: In ModScan64 software it is showing Received invalid Response to MODBUS Query. I can't understand where is the problem. I am reading Holding registers from 40001 to 40100 but I am not getting any value.

Modscan64


RS485 is a serial transmission standard, a little bit like RS232, but using other electric signals. An important advantage of RS485 is that you can put several RS485 devices on the same bus. Therefore, you don't have to multiply RS485 interfaces on the host to question several devices. However, there is a small trick to do so: at each end of the bus, you must put a bus terminator. Sometimes this means that you must screw a small resistance on a terminal, or simply move a switch in the adequate position.

Mesta, We are using ModScan64.exe (Wintech). It’s working fine in our environment (i.e. Using our IP and Port number). It is 3 rd party software and we are facing some data issue while using that software. This software reading Holding register data accurately except one value. So as my analyze hardware already configured with Modbus. Note: Does anyone have keygen Modscan64 - It able to assign the UID of Modbus TCP. This is a good software for read data & simulator. At least one serial port. Tutorial on how to use MODSCAN used.

Modscan64


An RS485 bus is often made of just two wires and a resistor at the extremities...


RS485 and RS232 are not directly compatible: you must use the correct type of interface, or the signals won't go through. There are indeed RS232 to RS485 gateways, but they are not interesting nowadays: it's as easy to use an RS485 to USB, to Ethernet, or to GSM directly. It's cheaper and it's one less component in the system.
The main particularity when using RS485 is in the format of the exchanged data. While with RS232 many devices simply use text (ASCII) protocols, with RS485 most devices use the MODBUS protocol. You must therefore know a minimum of MODBUS to interface an RS485 device.

What is MODBUS?


MODBUS is a protocol between a host (master) and devices (slaves) to access the configuration of the devices and to read the measures. MODBUS messages correspond to relatively simple operations to read and write 16 bit words and binary registers (often called 'coils'). The host systematically initiates the exchange and the 'slave' device answers. The slave doesn't sent any message before the host requests it.
As there can be several devices connected in parallel on the RS485 bus, each slave device must use a unique MODBUS Slave ID on the bus. Each MODBUS request starts with the Slave ID of the intended device, each answer starts with Slave ID of the slave sending it. So, in order for the MODBUS communication to work, you must check in the device configuration its Slave ID and change it if necessary. On the way, check also communication speed and parity (same principle as RS232).
You cannot easily craft MODBUS messages 'by hand', as you would have done with ASCII protocols used on RS232: each MODBUS message ends with a checksum code, computed from the full content of the message. To exchange MODBUS messages, you must therefore use:

  • either a specific program provided by the device vendor, with a compatible interface;
  • or a simple RS485 interface with a programming library which encodes and decodes MODBUS messages;
  • or a smart RS485 interface able to encode and decode by itself the MODBUS messages, such as the Yocto-RS485.


Note as well that there are two variants of the MODBUS protocol: the MODBUS ASCII mode, where messages are exchanged as lines of hexadecimal codes, and the MODBUS RTU mode, where messages are exchanged directly as binary frames. To talk with a MODBUS device, you must imperatively use the same mode as configured in the device. All the devices which truly follow the standard support the MODBUS RTU mode. In real life, its always this latter mode which is used: MODBUS ASCII has no advantage as all the messages are in any case difficult to code by hand.

Modscan64 software, free download


A small temperature controller with built-in PID, fuzzy logic, ... and a MODBUS interface on RS485


Accessing MODBUS registers


When you have theoretically understood how to exchange information, you still must know which register to request to obtain measures, and which registers to change to configure the device. At this level, register addresses change from one device to another, but there are MODBUS conventions useful to know to understand technical user guides, which are often not as clear as one could hope.
There are 4 types of MODBUS registers:

  • The coils, corresponding to on/off binary outputs, such as relays.
  • The input bits, corresponding to binary inputs (read only).
  • The input registers, corresponding to analog inputs (read only).
  • The holding registers, corresponding to analog parameters which can be changed.


The technical user guide of a MODBUS device usually contains a list of all the available registers, listed by type. For each type of register corresponds a range of register numbers, following this convention:

  • The coils are numbered from 00001 onward
  • The input bits are numbered from 10001 onward
  • The input registers are numbered from 30001 onward
  • The holding registers are numbered from 40001 onward


Note that when one uses this convention, the first register of each category always ends by digit 1 (zero is not used).
Sometimes, rather than indicating the unique register number, the vendor indicates the type of register with the identifier of the MODBUS function which allows you to read them:

  • 01h for the coils
  • 02h for the input bits
  • 04h for the input registers
  • 03h for the holding registers


In this case, it's often the relative position of the register in its group which is indicated, with the 0 position for the first element. Thus, register 0 of the 04h function corresponds to the first input register, which you can also call register 30001. Take care not to be confused by the incoherence between register ranges which do not correspond to the MODBUS function identifiers, and the incoherence of relative positions starting at 0 while absolute positions start at 1...
When you know which register to access, you must still know how to interpret it. As analog registers are coded using 16 bits, there are usually two conventions. The first one consists in using a value range defined in the device configuration, and to make an linear mapping of the 0-65535 register value to this value range. The second consists in storing directly the value in decimal fixed point, in engineering unit: for example, 2345 represents 23.45 degrees Celsius. Some vendors provide simultaneously the values in the two formats: for example, register 30001 for the version proportional to the defined range and register 31001 for the decimal version.

A concrete example


Let's see concretely how you can access the temperature measurement and the setpoint value of a Schneider Electric Zelio REG48 temperature controller. Here is an extract of the technical user guide:

Modscan64 License


Extract of the register table of the Zelio REG48 controller


If you have paid attention, you have understood that this table describes input registers. The base register use the proportional format, and the one at offset +1000 is in decimal form (engineering unit). If you use a Yocto-RS485 you can thus access it with the modbusReadRegisters() function. Beware, as indicated in the documentation, this function uses the relative position of the register (indexed from zero):

// Retrieve our RS485 interface
var serial =YSerialPort.FindSerialPort('RS485-REG48');
// Read first two registers, in 'engineering unit'
var slaveID =1;
var firstRegs = serial.modbusReadInputRegisters(slaveID,1000,2);
// Decode fixed point decimal number
var processVal = firstRegs[0]/10;
var setpointVal = firstRegs[1]/10;


Another possibility of use with the Yocto-RS485: you can configure it with the web interface so that it automatically reads those registers, without needing you to interact with a computer to trigger the measures.


A job to periodically read a register


Thanks to this, the Yocto-RS485 can serve as a data logger to store the measures received by RS485 on its flash memory (up to 500'000 measures).
You can go even farther: if you connect the Yocto-RS485 on a YoctoHub-Ethernet and if you load on it a small web page with some JavaScript, you can transform this simple RS485 temperature controller based on technology from the 70's into a connected product in the fashion of the Internet of Things. Any browser running on a tablet can then connect to the interface and interact with the temperature controller:

Modscan


Neat, isn't it?

If you're interested in playing around with the Modbus protocol, you probably want to start with free, or preferably, open source tools. Here are the ones I've found useful:

Linux

Modscan64

  • Metasploit - Everyone's favourite penetration testing tool has by default a bunch of modules which are helpful for analyzing Modbus services. I often use the modbusdetect and modbusclient modules for checking to see if a service is actually a valid Modbus service and triggering IDS' like Snort which are using Modbus rules.
  • Modscan - This basic tool allows you to check if a service is an actual Modbus service, like the Metasploit modules, but is a simple, self-contained Python script so you don't need to install the entire Metasploit framework to see if a service is an actual Modbus service or not. I can also reliably crash my test PLC hardware with a couple of scans from this script, so be careful! :-)
  • PLCscan - This script allows you to also probe a Modbus service to see if it's genuine, but I found it personally to not be as useful as the previous two tools. It does have some specific, non-Modbus, functionality for Siemens PLCs which may be of use to you, however.
  • Wireshark - The best network sniffer around, bar none. Contains modbus decoding modules.
  • Nmap - The best port scanner around, bar none. Useful if you need to quickly check for open ports.

Windows

Modscan For Windows 10

  • Modscan64 (not to be confused with the Modscan tool above) - This tool is free, but could be more accurately classified as nagware. It's great for dumping all the registers of a Modbus service and seeing what is laid out in the memory of PLC, but it's a bit awkward to use.
  • CAS Modbus Scanner - This tool is completely free but I personally found to not be as useful at revealing the internals of a Modbus service as Modscan64.

Honeypots

  • Digital Bond SCADA HoneyNet - The good folks at Digital Bond have created a SCADA Honeypot which emulates Modbus, HTTP, FTP and SNMP for a Modicon PLC. The instructions that come with it are for the old version of VMWare Server, so if you want to run it with the new VMWare Server, be prepared for a struggle. However, you can just extract the protocol simulators (like Modbus) which are just standard Java programs and run them yourself. The system that you can download provides you with an emulated PLC and the networking infrastructure around it for you to monitor any potential attacks. It is not being actively developed, AFAICT.
  • ConPot - A new SCADA/ICS honeypot which currently emulates Modbus and SNMP. It is much simpler to setup than the Digital Bond SCADA HoneyNet but has pretty much the same functionality. It is currently under active development.
Obviously: only use these tools against a network that you are authorized to assess!

Modscan 64