
I have a device connected via ethernet cable to the network. Its manual says it accepts the modbusTCP communication protocol, and indeed nmap on the configured port shows that a modbus service is open (nmap output at the end). I am no modbus expert, but I found the pyModbusTCP Python module to try and establish a first connection. Based on tutorials and documentation, the code I am trying to use is saved as modbus_client.py and goes like:

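```python
#!/usr/bin/python3

import sys
from pyModbusTCP.client import ModbusClient

# debug=True prints the raw request frame ("Tx") and any response ("Rx")
client = ModbusClient(host="device_IP", port=502, auto_open=True, debug=True)
client.open()
# argv[1] = starting register address, argv[2] = number of registers to read
client.read_holding_registers(int(sys.argv[1]), int(sys.argv[2]))
```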

I am focusing on the read_holding_registers function mainly because the device manual says that the implemented modbus functions are Read Holding Registers (0x03), Write Multiple Registers (0x10) and Write Single Register (0x06), and I have the registers map of the device.

According to the registers map (image below), I tried executing the script with

```
./modbus_client.py 4096 32
```

and

```
./modbus_client.py 4096 16
```

but all I get as output is:

```
Tx
[59 50 00 00 00 06 01] 03 0F FF 00 20
timeout error
```

I also noticed that every time I execute the code the numbers inside the brackets change, while the last ones outside the brackets stay the same. Changing the port to any other generates connection refused, so I think I am connecting to the right port, but I have no idea what I am doing wrong after that.

Any ideas on how to debug this? Is there an easier approach to check modbusTCP communication with the device? Thanks in advance.

OBS1: image of the register I am trying to access (modbus registers map). The manual says a single word is 16-bit.

OBS2: nmap output in two different ports:

```
$ nmap -p 502 device_IP
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-12 21:21 -03
Nmap scan report for device_IP
Host is up (0.028s latency).

PORT    STATE SERVICE
502/tcp open  mbap

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
```

and

```
$ nmap -p 503 device_IP
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-12 21:22 -03
Nmap scan report for device_IP
Host is up (0.027s latency).

PORT    STATE  SERVICE
503/tcp closed intrinsa

Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds
```

  • Are you able to provide device info (manufacturer/model)? It appears that you are opening a connection to the device and sending a valid request but not getting a response (you might find it easier working with a command line tool like [mbpoll](https://github.com/epsilonrt/mbpoll)/[modpoll](https://www.modbusdriver.com/modpoll.html)). Perhaps try requesting a single register (some, badly behaved, devices only respond to requests for set ranges) and also check the docs for anything re the Unit identifier (probably not an issue but....). – Brits Jul 13 '22 at 03:02
  • @Brits the device is the neg power mini: https://www.saesgetters.com/sites/default/files/NEG%20POWER%20MINI_NEG%20POWER%20MULTICONTROLLER.pdf however I got its registers map and manual from the manufacturer so I don't have links to its manual. This pyModbusTCP doesn't seem to have a read_single_register function. I tried read_holding_registers with the number of registers set to 1, but nothing changed. I am looking for other modules. Using `mbpoll ` printed a series of `-- Polling slave 1... Read output (holding) register failed: Connection timed out`. – Marco Montevechi Filho Jul 13 '22 at 11:53
  • I also just noticed that besides the device I.P. there is a "gateway I.P." which I can set. I have no idea what this is but I will try to connect to it too. – Marco Montevechi Filho Jul 13 '22 at 11:54
  • OK - `Connection timed out` points towards an issue with the networking setup (using `pyModbusTCP` with `auto_open=true` hides this because it connects then sends the packet). If you don't know what the Gateway IP is then I'm going to guess that the issue is that you have not configured the unit with an IP on your local subnet and that is the issue (networking can get complex and is not really something that can be explained in the comments; there are heaps of tutorials online that could help). – Brits Jul 13 '22 at 19:59
  • Thanks, @Brits. I will ask the local network guys for some help. I have configured the static I.P. address to a value that should be in my subnet and is reserved via DHCP to the device, but it is still mysterious to me if the DHCP protocol deals nicely with the device. Will post clarification if I find it. – Marco Montevechi Filho Jul 14 '22 at 00:38

1 Answer


Turns out it was a problem with the netmask. The equipment's netmask was configured to 24 but I was trying to access it from an I.P. out of that range.

In my case, I was trying to access the I.P. 10.20.41.90 from a computer with an I.P. of 10.0.X.Y.

I configured the netmask to 8 and it all worked.
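
An added example, not part of the original posts: it decodes the `Tx` line from the question into its Modbus TCP fields (the bracketed bytes are the MBAP header, whose transaction identifier is the part that differs between runs) and then checks the netmask condition from the answer. The function names are hypothetical, and `10.0.0.0/16` is an assumption standing for the whole 10.0.X.Y client range.

```python
import ipaddress
import struct


def decode_read_request(debug_line):
    """Decode a pyModbusTCP debug 'Tx' line carrying a Read Holding Registers request."""
    raw = bytes.fromhex(debug_line.replace("[", "").replace("]", ""))
    if len(raw) != 12:
        raise ValueError("a 0x03 request is 7 MBAP bytes + 5 PDU bytes")
    # Bracketed part = MBAP header: transaction id, protocol id, length, unit id.
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    # Remainder = PDU: function code, starting address, register count.
    func, addr, count = struct.unpack(">BHH", raw[7:])
    # The length field counts the bytes that follow it (unit id + PDU).
    if proto != 0 or length != len(raw) - 6:
        raise ValueError("malformed MBAP header")
    if func != 0x03 or not 1 <= count <= 125:
        raise ValueError("not a valid Read Holding Registers request")
    return {"transaction_id": tid, "unit_id": unit, "function": func,
            "address": addr, "count": count}


def device_sees_on_link(device_ip, prefix_len, client_net):
    """True if every address in client_net lies inside the device's own subnet,
    so the device can answer directly without a gateway."""
    device_net = ipaddress.ip_interface(f"{device_ip}/{prefix_len}").network
    return ipaddress.ip_network(client_net).subnet_of(device_net)


if __name__ == "__main__":
    # Tx line copied from the question's debug output.
    print(decode_read_request("[59 50 00 00 00 06 01] 03 0F FF 00 20"))
    # Device address and both prefix lengths come from the answer;
    # 10.0.0.0/16 is an assumed stand-in for the 10.0.X.Y client range.
    for prefix in (24, 8):
        print(prefix, device_sees_on_link("10.20.41.90", prefix, "10.0.0.0/16"))
```

The request decodes as a well-formed function 0x03 frame for unit 1, and the subnet check is false with a prefix length of 24 and true with 8.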