Control Solutions Knowledgebase

How to write a Modbus password from BACnet using a Babel Buster BB2-7010

There is sometimes a requirement to write a ‘password’ or some sort of unlock code to a Modbus device. This unlocking usually requires writing a series of registers in one single request, generally with function code 16. The BB2-7010 includes the options necessary to accomplish this.

First, determine the number of registers you will need to write. If the Modbus device talks about a "16-character" password, that means 8 registers with 2 characters per register. In the example that follows, we are assuming a 16-character password. This means we need to define 8 consecutive write maps. We will illustrate RTU, but the same principle applies to TCP.

BACnet AO object list

You can enter almost everything you will need from the map list page illustrated above. Once you have created your series of registers, proceed to modify as illustrated in the following screen shot.

Note: It is important that consecutive registers be defined in consecutive write maps, and that the next write map following the password is NOT in consecutive order, otherwise more than the password will be sent in that single request.

The BB2-7010 (and all Control Solutions gateways) will attempt to send multiple registers in a single write request when they are found to be consecutive in the list of write maps. For purposes of multiple registers per write request, ‘consecutive’ means contiguous in the list of write maps, but also means the same device or slave address, and consecutively incrementing register numbers.

BB2-7010 write map

The goal is to get a series of 8 registers written in a single request, but only once, and only upon update of a BACnet object. Getting the BB2-7010 to write only once, and only on demand, requires setting each of the 8 write maps as illustrated above. Pay attention to the check boxes – only the box illustrated as checked (ticked) should be checked, and all others should be left off. Also be sure to select the correct radio button after "Repeat this process". It should say "no more than every 0.0 seconds".

The combination of "changed by 0.0" and "no more than every 0.0 seconds" is a special case that tells the BB2-7010 to only write to Modbus when an update is received via BACnet, and to write to Modbus regardless of whether BACnet actually changed any values.

The object types used for passwords can be either Analog Values or Analog Output objects. However, there is a particular advantage to using the Analog Output. If you set the configured relinquish default value to contain the password to be written, then you only need to write to the first object in the series to cause the entire series to be sent out via Modbus. Furthermore, because the Modbus password is contained within the relinquish default values, you can get away with only writing Null (or relinquish) to the first output object in the series. The BACnet device doing the update does not even need to know the Modbus password. (If you cannot get your BACnet client to write Null or relinquish on demand, then simply write the actual password value to the first output object. The rest of the password will be filled in by the relinquish default values in the rest of the output objects, assuming they have not been written by anybody and are still in the relinquish state.)

AO data list

The screen shot above shows a 16-character password set to be written to Modbus. The relinquish default values in the 8 consecutive output objects form ‘ABCDEFGHIJKLMNOP’. Click on the object number in the first column to gain access to setting the relinquish default value as illustrated below. When all of the initial relinquish defaults have been entered, go to the Config File page and click ‘Save’ to retain those values. (You will also need to go to the Config File page and click ‘Save’ to retain all of your write map definitions.)

AO object information

The following screen shots illustrate writing a null, or relinquish, to Analog Output 1.

BACbeat screen 1

BACbeat screen 2

The result of writing the Null to Analog Output 1, with the write maps defined as first illustrated above, will be writing a series of 8 registers to Modbus using function code 16, illustrated in the following traffic capture on the RTU network:

Modbus traffic

The bytes 41, 42, 43, etc., are the hexadecimal values for A, B, C, etc. Since two characters will be sent per single Modbus register, you must calculate a value that corresponds to two ASCII characters (assuming the password has been defined as an ASCII string – otherwise use whatever code you are instructed to use by the Modbus device manufacturer).

The letters AB are hexadecimal values 41 and 42. The first character will be in the high order byte. This means the concatenated value will be hex 4142 (or represented often as 0x4142 or 4142H). Now convert this to decimal using a hex to decimal calculator (or use your PC’s calculator, enter in hex, and switch to decimal). The decimal number is 16706.

You can also calculate character codes in decimal. The letter A is decimal 65, and B is 66. To calculate the 16-bit value to write via the Modbus register, you would multiply the first character times 256, then add the second character as follows:

(65 * 256) + 66 = 16706
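The following is an added example, not code from Control Solutions or the BB2-7010: it packs the 16-character password from the screen shots into 8 register values (first character in the high-order byte, as described above) and builds the function code 16 RTU request that the traffic capture shows. The slave address 1 and starting register offset 0 are assumptions chosen for illustration.

```python
# Added example: encode an ASCII password as Modbus holding registers and
# build the Write Multiple Registers (function code 16) RTU frame.
import struct


def password_to_registers(password):
    """Return one 16-bit value per pair of characters, first char in high byte."""
    if len(password) % 2:
        raise ValueError("password must have an even number of characters")
    data = password.encode("ascii")
    # (first character * 256) + second character, e.g. "AB" -> 0x4142 = 16706
    return [(hi << 8) | lo for hi, lo in zip(data[0::2], data[1::2])]


def modbus_crc16(frame):
    """Standard Modbus RTU CRC-16 (reflected polynomial 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in frame:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_fc16_rtu(slave, start_addr, regs):
    """Build an FC16 RTU request; CRC is appended low byte first per the spec."""
    # slave, function 16, start address, register count, byte count
    frame = struct.pack(">BBHHB", slave, 16, start_addr, len(regs), 2 * len(regs))
    frame += b"".join(struct.pack(">H", r) for r in regs)  # big-endian data
    return frame + struct.pack("<H", modbus_crc16(frame))


if __name__ == "__main__":
    regs = password_to_registers("ABCDEFGHIJKLMNOP")
    print(regs)  # first value is 16706, matching the worked calculation above
    # Assumed slave address 1, starting at register offset 0 (register 40001)
    print(build_fc16_rtu(1, 0, regs).hex(" "))
```

The printed frame shows the 41 42 43 ... byte sequence from the capture following the 7-byte header, with the CRC as the last two bytes.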

You can find ASCII code charts by simply doing a web search for "ASCII", or go to the Wikipedia page on ASCII, where you will find information including the following chart:

ASCII chart from Wikipedia
