Writing Modbus Passwords from Babel Buster SPX, BB2-6010, or Modbus Gateways In General


How to write a Modbus password using Babel Buster SPX (or BB2-6010)

There is sometimes a requirement to write a ‘password’ or some sort of unlock code to a Modbus device. This unlocking usually requires writing a series of registers in one single request, generally with function code 16. The Babel Buster SPX includes the options necessary to accomplish this. While the SPX is illustrated here, the examples are applicable the Babel Buster BB2-6010 and most Control Solutions products with Modbus gateway capability.

First, determine the number of registers you will need to write. If the Modbus device talks about a "16-character” password, that means 8 registers with 2 characters per register. In the example that follows, we are assuming a 16-character password. This means we need to define 8 consecutive write maps. We will illustrate RTU, but the same principle applies to TCP.

SPX write map list

You can enter almost everything you will need from the map list page illustrated above. Once you have created your series of registers, proceed to modify as illustrated in the following screen shot.

Note: It is important that consecutive registers be defined in consecutive write maps, and that the next write map following the password is NOT in consecutive order, otherwise more than the password will be sent in that single request.

The SPX (and all Control Solutions gateways) will attempt to send multiple registers in a single write request when they are found to be consecutive in the list of write maps.For purposes of multiple registers per write request, ‘consecutive’ means contiguous in the list of write maps, but also means the same device or slave address, and consecutively incrementing register numbers.

SPX write map details

The goal is to get a series of 8 registers written in a single request, but only once, and only upon update of a single Modbus register. Getting the SPX to write only once, and only on demand, requires setting each of the 8 write maps as illustrated above. Pay attention to the check boxes – only the box illustrated as checked (ticked) should be checked, and all others should be left off. Also be sure to select the correct radio button after "Repeat this process”. It should say "no more than every 0.0 seconds”.

The combination of "changed by 0.0” and "no more than every 0.0 seconds” is a special case that tells the SPX (or BB2-6010) to only write to Modbus when an update is received via Modbus or SNMP, and write to Modbus regardless of whether Modbus or SNMP actually changed any values.

You will need to write the correct password value to at least the first register in the series of registers that create the password. But the remaining registers can be predefined using the ‘Constant’ Action Rules as illustrated below:

SPX constants

 

The screen shot above shows a 16-character password set up as default values for a series of registers (registers 1-8 in this case). These values form the string ‘ABCDEFGHIJKLMNOP’.

The result of writing the value 16706 to register 1 (either via Modbus TCP or SNMP), with the write maps defined as first illustrated above, will be writing a series of 8 registers to Modbus using function code 16, illustrated in the following traffic capture on the RTU network:

Modbus traffic

The bytes 41, 42, 43, etc, are the hexadecimal values for A, B, C, etc. Since two characters will be sent per single Modbus register, you must calculate a value the corresponds to two ASCII characters (assuming the password has been defined as an ASCII string – otherwise use whatever code you are instructed to use by the Modbus device manufacturer).

The letters AB are hexadecimal values 41 and 42. The first character will be in the high order byte. This means the concatenated value will be hex 4142 (or represented often as 0x4142 or 4142H). Now convert this to decimal using a hex to decimal calculator (or use your PC’s calculator, enter in hex, and switch to decimal). The decimal number is 16706.

You can also calculate character codes in decimal. The letter A is decimal 65, and B is 66. To calculate the 16-bit value to write via the Modbus register, you would multiply the first character times 256, then add the second character as follows:

(65 * 256) + 66 = 16706

You can find ASCII code charts by simply doing a web search for "ASCII”, or go to http://en.wikipedia.org/wiki/ASCII where you will find information including the following chart:

ASCII chart from Wikipedia



Article ID: 1
Created On: Thu, Dec 6, 2012 at 10:58 PM
Last Updated On: Wed, May 20, 2015 at 2:06 PM

Online URL: https://info.csimn.com/article.php?id=1