<div>There's a ton of information on the Internet for Schneider/Modicon's modbus protocol, including modbus+., modbusrtu, and modbustcp... Specs are freely available <a href="http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf">
http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf</a>. If you spend 2 minutes with google you'll find more then you'll need. For example: <a href="http://www.modbus.pl/download/zxy66/v19/modbus_perl_client.zip">
http://www.modbus.pl/download/zxy66/v19/modbus_perl_client.zip</a>. Anyways, enjoy your research...</div>
<div><br> </div>
<div class="gmail_quote">On Jan 5, 2008 1:01 PM, gmaggro <<a href="mailto:gmaggro@rogers.com">gmaggro@rogers.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">OK, having done some digging a decent little chunk of industrial<br>automation gear has started coming my way; 1 of 6 pieces. All totaled,
<br>roughly under $1000. Small standalone stuff for now; the shipping on<br>populated PLC chassis like SLC-500 stuff is problematic.<br><br>If people have specific technical questions, want a script run against a<br>piece of gear or a custom protocol capture done I will entertain such
<br>requests. I am also willing to open the cases and pick up the soldering<br>iron, attempt rom/firmware dumps, etc.<br><br>Are there any particular tests or tools someone would like me to work<br>into my routine right from the start?
<br><br>Hardware piece #1 is a Kohler Power Systems modbus/ethernet converter,<br>pn# GM40165.<br><br>So far, nmap (4.52) has been detecting the modbus running on port<br>502/tcp as asa-appl-proto. There is not a great deal of information out
<br>there about this protocol. The email contact associated with the port in<br>some /etc/services files (<a href="mailto:ddube@modicon.com">ddube@modicon.com</a>) is disabled, and the domain<br>redirects to an industrial automation company (
<a href="http://telemecanique.com/" target="_blank">telemecanique.com</a>).<br>Running/OS details indicate Enerdis or Lantronix embedded. MAC prefix is<br>00:20:4A (Pronet Gmbh). I suppose I could have just posted the nmap
<br>output, but figured that might annoy people unduly.<br><br>Perhaps it would be worth renaming 'asa-appl-proto' on 502 to 'modbus'<br>or something related? Just a suggestion to make it clearer for some<br>
people. In any case, this is mitigated by scanning with the -C option<br>which grabs info from 80 and 161 clearly identifying it as being a<br>modbus related device, the sysDescr stating "Modbus/TCP to RTU Bridge".
<br>And oh yeah, it has a wide open text configuration interface on 9999.<br><br>Handy/Interesting modbus tcp/udp links:<br><br><a href="http://jamod.sourceforge.net/development/tcp_master_howto.html" target="_blank">http://jamod.sourceforge.net/development/tcp_master_howto.html
</a><br><a href="http://jamod.sourceforge.net/kbase/protocol.html" target="_blank">http://jamod.sourceforge.net/kbase/protocol.html</a><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.
<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">
http://secunia.com/</a><br></blockquote></div><br>