mushorg / conpot

ICS/SCADA honeypot
GNU General Public License v2.0

No registers? #181

Closed serain closed 9 years ago

serain commented 9 years ago

Sorry for what is probably a dumb question and I'm not sure it's the right place to ask but I didn't think there'd be an active conpot community anywhere else.

I'm coding a simple SCADA enumerator for one of my undergrad projects. I have access to a Tofino demo setup at uni but I can rarely use it as the lab is generally taken and then shut after 5pm. So I've set up conpot hoping to be able to use it for some enumeration tests.

I can gather Slave IDs and Device Info no problem but my input and holding register "brute forcer" is always getting Exception 2 (ILLEGAL DATA ADDRESS) for every single possible register value.

Are there no registers setup on the device on the default configuration? Is this not emulated?

glaslos commented 9 years ago

Perfect place to ask. Can you give more details on your Modbus request? Is your code public?

serain commented 9 years ago

Hey glaslos, thanks for the rapid response!

My code is still early and messy but here's a Wireshark capture for a request: http://imgur.com/t1SG863

And for a response: http://imgur.com/Fefyb4d

I've made sure everything is visible on the screenshots. I get the same response for every register value 1-65535 for both Read Holding Registers (0x03) and Read Input Registers (0x04).

(PS: I didn't modify the default configuration)

glaslos commented 9 years ago

What slave id are you using?

serain commented 9 years ago

From what I can tell it responds to both Slave ID 1 and 2 (if I understood the protocol correctly, this is what Wireshark calls "Unit ID" in the screens above).

I've tried both Slave ID 1 and 2.

If you want to take a look, I've uploaded my current code at: http://alexkaskasoli.com/mbetool.tar.gz It's python and the file to launch is mbetool.py (you will need to change TCP_IP var near the top of the file). It will first scan for valid Slave IDs then attempt to read input registers.

On the Tofino demo station at my uni this successfully reads registers 0 - 12

Out of curiosity, which registers should be valid on the default conpot configuration?

glaslos commented 9 years ago

Check this section: https://github.com/glastopf/conpot/blob/master/conpot/templates/default.xml#L99

serain commented 9 years ago

Hey glaslos,

According to the default config you pointed out, Slave 1 uses input registers 10001 - 10032.

I've made a very short and simple python script that sends a packet with function 0x03 (also tried 0x04) to read those registers and displays the result. You can see the script here: http://pastebin.com/auxsNShT

Capturing the packets with Wireshark I can confirm that both the request and the response are valid Modbus packets and, according to Wireshark at least, I'm asking for start register 10001 and 32 registers. My response from conpot is still always an Illegal Data Address exception.

I've also copied conpot's output here: http://pastebin.com/uT8xNWiD The last five lines show my request from conpot's point of view.

I've tested this on the Wago PLC at my Uni and it's returning values without exceptions when I request starting address 12288 and 100 registers.

glaslos commented 9 years ago

I just tried with plcscan: https://code.google.com/p/plcscan/ using python plcscan.py --ports=502 localhost --modbus-uid=1 which returns:

Scan start...                          
localhost:502 Modbus/TCP               
  Unit ID: 1
    Device: Siemens SIMATIC S7-200 
Scan complete

glaslos commented 9 years ago

I'm looking into your feedback now...

glaslos commented 9 years ago

Exception code 2 stands for ILLEGAL_DATA_ADDRESS

glaslos commented 9 years ago

You are trying to query an input register with function code 3, which stands for 'Read holding registers'; what you want for 10001 - 100032 is 4: 'Read input registers'.

glaslos commented 9 years ago

Seems like the memory of the virtual PLC is not populated with the block types 3 and 4:

{
1: [<conpot.protocols.modbus.modbus_block_databus_mediator.ModbusBlockDatabusMediator instance at 0x4683908>], 
2: [<conpot.protocols.modbus.modbus_block_databus_mediator.ModbusBlockDatabusMediator instance at 0x4683950>], 
3: [], 
4: []
}

glaslos commented 9 years ago

This is definitely an issue on the Conpot side. I will investigate tomorrow.

serain commented 9 years ago

Yes I tried both func. 3 and 4 just to be sure. Illegal Data Address on both.

I've also tried func. 43/14 (Get Device ID) and I get the same output as you get with plcscan: Siemens SIMATIC S7-200 so function 43/14 is definitely working OK.

Thanks for confirming the issue on func. 4!

glaslos commented 9 years ago

I'm currently trying to find and fix the issue.

glaslos commented 9 years ago

Can you run the following tests:

python plcscan.py --ports=5002 --modbus-uid=2 --modbus-function=4 --modbus-data='\x75\x31\x00\x08' localhost
python plcscan.py --ports=5002 --modbus-uid=2 --modbus-function=3 --modbus-data='\x9C\x41\x00\x08' localhost
python plcscan.py --ports=5002 --modbus-uid=1 --modbus-function=1 --modbus-data='\x00\x01\x00\x80' localhost

glaslos commented 9 years ago

Or try this slightly modified version of your script:

import socket, struct, binascii

TCP_IP = "127.0.0.1"
TCP_PORT = 502

# MBAP header fields
trans_id = 999
protocol_id = 0
length = 6          # bytes following the length field: unit id + 5-byte PDU
unit_id = 2
# PDU: function code 3 (Read Holding Registers), start address, register count
function_code = 3
starting_address = 40001
qty_registers = 1

payload = struct.pack('!HHHBBHH', trans_id, protocol_id, length, unit_id,
                      function_code, starting_address, qty_registers)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
s.sendall(payload)
data = s.recv(1024)
s.close()

# Raw response frame as hex; an exception reply has function code 0x83 followed by the exception code
print(binascii.hexlify(data))

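The script above only hexdumps the reply, so telling an exception response (function code with the high bit set, then an exception code such as 2 for ILLEGAL_DATA_ADDRESS) apart from a successful register read is left to the reader. The following is an added example, not code from this thread or from the Conpot project: it builds the same kind of Modbus/TCP read request for function codes 1, 3 and 4 and parses the reply into either decoded register values or a named exception. The sample frames at the bottom are constructed by hand to exercise both paths and were not captured from Conpot; the `query` helper and its host/port arguments are assumptions for local testing against a honeypot you run yourself.

```python
import socket
import struct

# Standard Modbus function codes and exception codes referenced in the thread.
READ_COILS = 1
READ_HOLDING_REGISTERS = 3
READ_INPUT_REGISTERS = 4
EXCEPTION_NAMES = {
    1: "ILLEGAL_FUNCTION",
    2: "ILLEGAL_DATA_ADDRESS",
    3: "ILLEGAL_DATA_VALUE",
    4: "SLAVE_DEVICE_FAILURE",
}


def build_read_request(trans_id, unit_id, function_code, starting_address, quantity):
    """Return an MBAP header plus a read PDU (function, start address, quantity)."""
    if function_code not in (READ_COILS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS):
        raise ValueError("only read functions 1, 3 and 4 are supported here")
    if not 0 <= starting_address <= 0xFFFF:
        raise ValueError("starting address must fit in 16 bits")
    if quantity < 1:
        raise ValueError("quantity must be at least 1")
    pdu = struct.pack("!BHH", function_code, starting_address, quantity)
    # length counts the unit id byte plus the PDU
    mbap = struct.pack("!HHHB", trans_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Decode a Modbus/TCP reply into a dict; exception replies set 'exception'."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header + function + one byte")
    trans_id, proto_id, length, unit_id, fc = struct.unpack("!HHHBB", frame[:8])
    if proto_id != 0 or len(frame) != 6 + length:
        raise ValueError("bad protocol id or length field")
    result = {"transaction_id": trans_id, "unit_id": unit_id,
              "function_code": fc & 0x7F, "exception_code": None,
              "exception": None, "registers": None}
    if fc & 0x80:
        # Exception response: function code with high bit set, then one exception code byte
        code = frame[8]
        result["exception_code"] = code
        result["exception"] = EXCEPTION_NAMES.get(code, "UNKNOWN")
        return result
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("byte count does not match payload")
    if fc in (READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS):
        # registers are 16-bit big-endian words
        result["registers"] = list(struct.unpack("!%dH" % (byte_count // 2), data))
    else:
        # coils come back as packed bit bytes; return them raw
        result["registers"] = list(data)
    return result


def query(host, port, unit_id, function_code, starting_address, quantity, timeout=3.0):
    """Send one read request to a Modbus/TCP endpoint and return the parsed reply (assumed helper)."""
    request = build_read_request(999, unit_id, function_code, starting_address, quantity)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        return parse_response(s.recv(1024))


# Constructed sample frames (not captured from Conpot):
# exception reply to function 3 from unit 1: exception code 2
SAMPLE_EXCEPTION = bytes.fromhex("03e7000000030183" "02")
# successful Read Input Registers reply from unit 1 carrying two registers 0x0102 and 0x0304
SAMPLE_OK = bytes.fromhex("03e700000007010404" "01020304")

if __name__ == "__main__":
    print(build_read_request(999, 2, READ_HOLDING_REGISTERS, 40001, 1).hex())
    print(parse_response(SAMPLE_EXCEPTION))
    print(parse_response(SAMPLE_OK))
```

Against the request from the modified script above (unit 2, function 3, address 40001, one register) the builder emits the same bytes, and the PDU data `9c 41 00 01` matches the `--modbus-data` argument in the plcscan invocation earlier in the thread.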

glaslos commented 9 years ago

We merged the fixes into the master branch, please let me know if this solves your problems.

serain commented 9 years ago

Thanks I will take a look this evening and get back to you!

johnnykv commented 9 years ago

@alexksak any updates on this?

glaslos commented 9 years ago

@alexksak I'm going to close this issue. Please add a comment here anyway if you have the time to investigate.

serain commented 9 years ago

@glaslos, @johnnykv my apologies for the long delay, exams + holiday away from cpu

I've just tested this now and can indeed confirm the issue is resolved.

I look forward to working with conpot this semester :)