
4. Flipper Add‐On: RS485 Modbus

Carlos Alatorre edited this page Jun 28, 2024 · 8 revisions

This plugin adds features for working with Modbus RTU networks. It lets you interact with industrial networks from the pocket-size Flipper Zero: basic tasks such as sniffing and injection are available, which makes activities like traffic analysis, error detection, and configuration of new peripherals on the network easier.


Modbus Flipper Add-On

What is RS485?

With the help of the multipoint RS485 communication protocol, numerous devices can talk with one another on the same bus and exchange data. Long-distance data transfer is possible with the RS485 communication protocol since it employs differential signal transmission, which has the qualities of high speed, long range, and strong reliability.

What is the Modbus Protocol & how does it work?

Modbus is an industrial protocol to make communication possible between automation devices.

A master-slave relationship is used to construct the request-response protocol known as Modbus. Communication in a master-slave relationship always takes place in pairs; one device must make the request and then watch for a response; each interaction must be started by the initiating device, or master. A sensor, programmable logic controller (PLC), or programmable automation controller (PAC) is typically the slave to a human machine interface (HMI) or Supervisory Control and Data Acquisition (SCADA) system. The various protocol levels determine the content of these requests and answers as well as the network layers these communications are transmitted across.

Requirements

  • Electronic Cats Flipper Add-on "Modbus"
  • Unleashed Firmware Installed on Flipper (Tested on unlshd-071e)


Flipper Firmware installation

Menus description

Main Menu


Flipper main menu options

Select what you want to do by clicking one of the options on the screen:

  • Settings (Change general configurations)
  • Sniffer (Watch data traveling through the bus)
  • Sender (Send a request packet to any peripheral on the network)
  • Read LOG (Open and read a previous sniffing session stored on the SD card)
  • About (See general information about the plugin)

Settings Menu

UART settings and additional settings screens
  • Baudrate (bits transmitted per second)
  • Data size (character size in bits)
  • Stop bits (number of bits indicating the end of the character)
  • Parity (parity bit indicating whether the number of set bits is odd or even; None is also a valid value)
  • TimeOut (maximum amount of time to wait for a response packet)
  • Output Format ("Hex" displays hexadecimal values, "Default" displays them in the conventional way)
  • SaveLOG? (stores all sniffed data in a LOG file when enabled)

Successful communication between the Flipper and the Modbus network depends on these parameters: you must know how they are configured on the target Modbus network, because a wrong configuration will result in data loss.

Sender Menu

Sender menu screen
  • Manual Sender (Build a packet manually and send it)
  • Buffer Sender (A list of the most recently sniffed master requests; open any of them, modify it and send it)

Read LOG

Opening a LOG file

Browse in your files, look for a LOG file and read it.

How to build a packet manually and send it

1. Click on Sender


2. Open the Manual Sender


3. Build the packet

  • Peripheral ID: Change the target peripheral by clicking the right or left button; you can also click the center button and enter the value in hexadecimal. The maximum value is 32 (0x20).


  • Function: Hexadecimal input is disabled in this field. Supported values are:

    • Read Coils (0x01)
    • Read Discrete Inputs (0x02)
    • Read Holding Registers (0x03)
    • Read Input Registers (0x04)
    • Write Single Coil (0x05)
    • Write Single Register(0x06)
    • Write Multiple Coils (0x0F)
    • Write Multiple Registers (0x10)
  • Start address: Choose the start address of coils or registers that you want to read or write. Hexadecimal input available in this field.

  • Additional fields: The remaining fields of the packet vary depending on the selected function; fields such as byte count, quantity, value, byte and register may appear. Byte count is the only field that cannot be modified; the other fields can be modified using the buttons or the hexadecimal input.


See the official Modbus documentation at https://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf to learn more about the fields of a request packet, paying special attention to the function code descriptions.

4. Send the packet

Once the packet is complete, send it by clicking the "Send packet" button. This automatically switches the scene to the output console, where you can see the peripheral's response.


In the right-hand picture you can see the response; it includes the function code, the peripheral ID, the byte count and the 4 values requested by the hub (the Flipper acting as master). See https://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf to learn more about response structures.
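As an added worked example (not the plugin's own code), the following Python assembles the same kind of request the Manual Sender builds in steps 1 to 4 (peripheral ID, function, start address, quantity, CRC) and parses the response described above, including the CRC check and the exception-response case. The CRC routine, the helper names and the sample frames are constructed here; the 0x20 ID limit follows the maximum the plugin states.

```python
import struct

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected poly 0xA001; sent on the wire low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def append_crc(body: bytes) -> bytes:
    """Append the CRC in RTU byte order (low byte, then high byte)."""
    return body + struct.pack("<H", modbus_crc16(body))

def build_read_request(unit_id: int, function: int, start_addr: int, quantity: int) -> bytes:
    """RTU frame for the read functions 0x01-0x04: ID, function, start address, quantity, CRC."""
    if not 1 <= unit_id <= 0x20:  # the plugin's Manual Sender caps the peripheral ID at 0x20
        raise ValueError("peripheral ID out of range")
    if function not in (0x01, 0x02, 0x03, 0x04):
        raise ValueError("not a read function code")
    return append_crc(struct.pack(">BBHH", unit_id, function, start_addr, quantity))

def parse_read_registers_response(frame: bytes) -> dict:
    """Parse a 0x03/0x04 response: ID, function, byte count, 16-bit values, CRC."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, crc_rx = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if modbus_crc16(body) != crc_rx:
        # On a real bus a bad CRC usually means wrong baudrate/parity/data size in Settings
        raise ValueError("CRC mismatch")
    unit_id, function = body[0], body[1]
    if function & 0x80:  # exception response: requested function code with bit 7 set
        return {"unit_id": unit_id, "function": function & 0x7F, "exception_code": body[2]}
    byte_count = body[2]
    if byte_count != len(body) - 3 or byte_count % 2:
        raise ValueError("byte count does not match payload length")
    values = list(struct.unpack(">%dH" % (byte_count // 2), body[3:]))
    return {"unit_id": unit_id, "function": function, "byte_count": byte_count, "values": values}

# Constructed sample frames (not captured from a real device): read 4 holding registers
# from peripheral 1, and a response carrying 4 values as the output console would show them.
REQUEST = build_read_request(1, 0x03, 0x0000, 4)
SAMPLE_RESPONSE = append_crc(bytes([1, 0x03, 8]) + struct.pack(">4H", 0x0011, 0x0022, 0x1234, 0xFFFF))

if __name__ == "__main__":
    print("request :", REQUEST.hex(" "))
    print("response:", parse_read_registers_response(SAMPLE_RESPONSE))
```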