IntegraXor 3.6 SCADA Security Issue 20101222-0323 Vulnerability Note

Further to our earlier security note about the buffer overflow, it seems the publication has drawn more interest from security researchers: the Industrial Control System Cyber Emergency Team (ICS-CERT) has again contacted us, this time about a directory traversal attack. This vulnerability can be exploited by an attacker to download files from the SCADA server. Deleting files through it is not possible, but we still took immediate action to patch this security issue in our latest official release 3.6.4000.1. It can be obtained from our download link at http://www.integraxor.com/download/igsetup.msi. We urge our users, especially those who open their SCADA for Internet access, to upgrade to this latest version. In the meantime, please move any sensitive or confidential files away from the said SCADA server.

We take this opportunity to wish everyone Merry Christmas and Happy New Year!

Summary of Event
  • 22-Dec-2010: ICS-CERT contacted the IntegraXor support team.
  • 22-Dec-2010: Technical report for the vulnerability is received.
  • 22-Dec-2010: Security fix is issued as an official release for general download.
  • 24-Dec-2010: Public announcement is made by IntegraXor support team.
  • 24-Dec-2010: Security researcher Luigi Auriemma confirmed the vulnerability issue has been fixed.
  1. + Added the much-awaited innovative report module, allowing one-time layout configuration for both display and printout in one go.
  2. + Added setSql() and getSql() for more convenient database interactions.
  3. + Added table import/export function for faster data entry work.
  4. + Added OPC server into standard release.
  5. ^ PE save tables based on proper dependency order.
  6. ^ PE file view auto refresh.
  7. ^ PE text editor supports code folding for html and script files.
  8. ^ PE: fixed problem opening projects from MRU when one or more tables are already opened.
  9. ^ Server GUI port monitor splitter pane is now resizable.
  10. ^ Support system tags as alarm and script trigger.
  11. ^ Server script won’t cause stack overflow when the script calls itself.
  12. ^ Improved comm. establishment for OPC driver connection.
  13. ^ Improved system stability.
  14. * Driver treats the connection as disconnected only on timeout.
  15. * Fixed various PE project saving bugs.
  16. * Fixed alarm task bugs.

3 steps report creation

A Simple Report Layout with Automated Archiving Interface Buttons

Earlier this October, the Industrial Control System Cyber Emergency Team (ICS-CERT), managed and operated by the United States Department of Homeland Security Control Systems Security Program, received a report from an independent security researcher of a vulnerability in IntegraXor. ICS-CERT works in coordination with US-CERT, with a focus on control systems cyber security. Below are the contact details for additional information.
US CERT Contact Info

The independent security researcher, Jeremy Brown, has indicated that previous versions (before 3.5.3900.10) of IntegraXor have a security vulnerability whereby an attacker may exploit the system on the SCADA server machine by using malware, badware or any type of virus that specifically targets IntegraXor. The IntegraXor development team immediately acknowledged and fixed the loophole, and the patched version has been released as “igsetup-3.5.3900.10.msi” and thereafter. Note that this security vulnerability has no impact on the client machine or Internet access.

As part of the procedure, we are making this public announcement of the vulnerability; before doing so, however, we requested a grace period from ICS-CERT and the security researcher to announce it by the end of 2010 so that our existing registered users could upgrade their previous version accordingly. We urge our existing registered users who are still using any version earlier than 3.5.3900.10 to download the latest version from our download page and migrate their existing project to the latest version ASAP so their SCADA system will not be exposed to this vulnerability. Meanwhile, please ensure that the SCADA machine is protected by an anti-virus system updated with the latest virus pattern. We are truly sorry for the inconvenience caused and will support our users in migrating old projects to the current version of IntegraXor. Please contact [email protected] for any support issue.

Summary of Event
  • 06-Oct-2010: ICS-CERT contacted the IntegraXor support team.
  • 07-Oct-2010: Technical report for the vulnerability is received.
  • 08-Oct-2010: Security fix is issued as a Release Candidate for inspection.
  • 14-Oct-2010: Security fix is issued as an official release for general download.
  • 15-Oct-2010: Security researcher confirmed the vulnerability issue has been fixed. Grace period of two months before public announcement is started.
  • 15-Dec-2010: Public announcement is made by the IntegraXor support team.

For quite a while we have held IntegraXor users to working on Inkscape 0.46. Finally our SAGE developer Teow has managed to spend some time migrating SAGE to the latest version of Inkscape, 0.48.

Spray is not the only feature added in the Inkscape 0.48 release; there is a lot more to discover, but if you think you already have enough tools to draw a SCADA mimic, you will still be able to enjoy more stability. Anyhow, as it turns out, many users do not just use Inkscape SAGE for SCADA, so just download this latest version of Inkscape and start spraying some snowflakes now!

Season's Greetings

Credits:

Snowflakes drawn by: molumen.
Snowman drawn by: TheresaKnott.

S.I. engineers need to be conservative; below are some best practices.

  1. Backup and Write Changelog

    Needless to say, creating backups is a very basic survival skill in project life. You should not only create a backup before leaving site; you should also create a backup upon arrival, before making any changes, and whenever the work reaches a stage, even if there is still more to go. Create a “version.txt” or “changelog.txt” in your project directory. Name your backup file with the date: YYYYMMDD-HHMM.zip.

  2. Proper Naming and Documentation

    This sounds so easy, yet so few people do it right. Proper naming is needed in all aspects, from tag name, file name, directory name and project name to everything else. To understand proper naming, look at some keywords in bad naming examples: “new”, “old”, “latest”, “test”. These types of description are only relevant for a few days; they become confusing after that.

    Additional project documentation is not “allowed” in most conditions, so you need to create tag names in a descriptive manner. Add a description wherever possible, as if you are trying to explain the system flow to your colleague; whoever takes over will appreciate it. And you will love it when you need to revisit the site 3~4 years later.

  3. Restrict Operator Access

    A plant operator’s working life can be boring at times, especially on the night shift. A SCADA system sitting idle can be very tempting to use as a game console or movie player, or to print some documents, since a SCADA system is normally equipped with a report printer. We don’t really mind if they leave the SCADA system running in the background, but what we dislike is when they insert a USB drive infected with malware or any type of virus into the system and mess up the SCADA before the end of the warranty period.

    Running the SCADA with a fullscreen mimic will not work; you will sometimes need to acquire the skill to restrict operator access. Learn How To Use the Group Policy Editor to Manage Local Computer Policy in Windows XP.

  4. Install Antivirus Software

    No project budget? “Proven antivirus protection for free? That’s what I need.” Microsoft has released a free antivirus software, Security Essentials. S.I. engineers should install it and at least update it with the latest virus pattern before shipping the system to site. The project development and commissioning stages are when the system will be exposed to the most threats; this is the time you need the protection most.

    Most of the time the end user may not want to connect the server to the Internet, to avoid any misuse. As such, the antivirus software may no longer be up to date after a while. However, this is still better than nothing, and very likely it’s recent enough to block most threats for one year. You don’t want to receive a call because a virus or malware slowed down the system or hogged the network during the warranty period.

  5. Backup Disk Image

    Backing up data and restricting user access do not guarantee that the system will not become corrupted. Reinstalling the OS, patching security fixes, and setting up programs, tools and databases are tedious, time consuming and no fun at all, and you can’t be sure you or your colleague can restore the system to its original working state after leaving the site for a year or even more.

    To ensure the original working condition can be restored, you will need to save the drive partition image; this is the best way to put things back exactly how they were left. This Taiwanese-made tool is our favourite: Clonezilla. However, be aware that it is a Linux-based program and you may need some time to learn it. Otherwise, go for a commercial package.

  6. Split System and Data Partition

    The operating system and program files are always best stored separately from data files. Data files can be stored in a separate partition or simply on another disk, so that when the operating system becomes corrupted or behaves strangely, S.I. engineers can simply restore the system partition without worrying about data, and it’s normally more convenient to do it before rather than after the problem has occurred. For instance, you can easily restore a previously backed-up drive partition image onto the system partition without overwriting the accumulated data.

    A newly purchased PC is not normally split into two partitions in advance, so you will need a good tool to “Make your life easy!” Check out EASEUS Partition Master.

  7. Avoid Changes at Site

    The rule of thumb is “If it doesn’t break, don’t fix it.” This sounds as if the S.I. engineer is incapable of handling the work; however, the fact is that humans make mistakes, especially in a rush, under pressure, in an unfamiliar working environment, at a noisy site, etc.

    Any change, minor or major, must be tested for its functionality. For instance, if you change a report layout, even just a title, print it before you leave. Who knows whether you accidentally disturbed the structure of the report and broke the entire report generation?

    If the customer does not mind paying for you to stand by for monitoring one more day at site, do it. Otherwise, try to convince your boss to allow you to check into a hotel and stay until check-out time. Staying one more night is normally cheaper than traveling back to site. Prepare yourself with a book, video or anything to fill up your time, like preparing the claim form. This will give the operator more buffer to test run the system after your site service. Give a call to the control room before you check out of the hotel; they will appreciate it. And because you know you will be eating your own dog food, this will force you to do an extremely careful job while you are at site.

  8. Use Remote Access Program

    If the site has an Internet connection, train the site operator to start up TeamViewer. Otherwise, spend a little budget to install a modem at site so you can call the operator to plug in the phone line and dial in to check what’s going on at site. This is far cheaper than traveling to site.

  9. Don’t trust site personnel completely

    When you have to talk to the operator, either at site or over the phone, use your own judgment. Use the system event log to track what has happened. You can’t expect the operator who has messed up the system to tell you the truth: firstly, s(he) doesn’t want to be scolded by the boss; secondly, they don’t want to void the warranty.

    And when you have to ask questions, especially over the phone, ensure you ask open questions. Don’t ask “Can you see the button on the top right corner?”; a better question is “What can you see on the top right corner?” If the operator answers “a blue tank”, then you know he could be on the wrong screen.

  10. Stick Name Card on Site PC

    Do not try to avoid calls from the customer; this is like avoiding facing the problem, if any. What a good engineer should do is stick his/her business card onto the site PC to make him/herself very accessible to the customer. This is a simple, good marketing channel and you will gain a good reputation by doing this. And the best way to avoid the customer calling you about problems is to do a good job.

Disclaimer: All listed methods or tools are not associated with nor warranted by ECAVA or IntegraXor. You take full responsibility for using any of them.

256 colors are not necessarily required in most cases. Enter a 6-digit (256bit) color code and check out the outcome in 3 digits (16bit). If the difference is acceptable, you can save 3 characters every time the color is used.

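An added example (not from the original post) of the shortening described above, in JavaScript: it maps each 8-bit channel of a 6-digit color to the nearest 3-digit form and reports how far the color moves, so the "is the difference acceptable?" decision can be made with a numeric tolerance instead of by eye.

```javascript
// Added example: shorten #RRGGBB to #RGB and measure the per-channel error.
// Each short digit d expands back to the 8-bit value d * 17 (0x11 * d), so the
// nearest short digit for an 8-bit channel value v is round(v / 17), and the
// round-trip error is never more than 8 out of 255.
function shortenHexColor(hex6) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex6.trim());
  if (!m) throw new Error("expected a 6-digit hex color, got " + hex6);
  let short = "#";
  let maxError = 0;
  for (let i = 0; i < 6; i += 2) {
    const value = parseInt(m[1].slice(i, i + 2), 16);   // 0..255
    const digit = Math.round(value / 17);                // 0..15
    const roundTrip = digit * 17;                        // what #RGB expands to
    maxError = Math.max(maxError, Math.abs(value - roundTrip));
    short += digit.toString(16);
  }
  return { short, maxError };
}

// Use the 3-digit form only when every channel stays within `tolerance`
// (0..255) of the original; otherwise keep the 6-digit color unchanged.
function preferShortColor(hex6, tolerance) {
  const { short, maxError } = shortenHexColor(hex6);
  return maxError <= tolerance ? short : hex6;
}

// Constructed sample colors for a quick self-check.
console.log(shortenHexColor("#336699"));        // { short: '#369', maxError: 0 }
console.log(preferShortColor("#1a2b3c", 0));    // '#1a2b3c' (error too large)
console.log(preferShortColor("#1a2b3c", 8));    // '#234'
```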

Below are the steps to create an IntegraXor database in Microsoft SQL Server Express 2008; replace “project_id” with the desired name in the steps:

  1. Create a folder for database storage, for instance “c:\ecava\database\project_id”.
  2. Execute the following script in SQL Server Management Studio to create the database:

    USE [master]
    GO
    CREATE DATABASE [project_id] ON PRIMARY
    ( NAME = N'project_id', FILENAME = N'C:\Ecava\Database\project_id\project_id.mdf' , SIZE = 266240KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
    LOG ON
    ( NAME = N'project_id_log', FILENAME = N'C:\Ecava\Database\project_id\project_id.ldf' , SIZE = 219264KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
    COLLATE SQL_Latin1_General_CP1_CI_AS
    GO

  3. Lastly, execute the following script to create the needed tables:

    -----------------------------------------------------------------------
    -- table
    -----------------------------------------------------------------------

    --drop table alarm;
    CREATE TABLE alarm (
    time_stamp datetime NOT NULL,
    event_id int NOT NULL,
    tag_id int NOT NULL,
    tag_name varchar(64),
    group_name varchar(64),
    description varchar(255),
    state int,
    data_type int,
    nvalue float,
    old_nvalue float,
    svalue varchar(255),
    old_svalue varchar(255),
    [message] varchar(255),
    inactive_timestamp datetime,
    ack_timestamp datetime,
    ack_user varchar(64),
    constraint alarm_pk PRIMARY KEY (time_stamp, event_id, tag_id)
    );

    CREATE INDEX all_alarm ON alarm (state, ack_timestamp);
    CREATE INDEX updated_alarm ON alarm (state, ack_timestamp, time_stamp, inactive_timestamp);
    create index purge_alarm on alarm (time_stamp);

    --drop table audit;
    CREATE TABLE audit (
    time_stamp datetime NOT NULL,
    event_id int NOT NULL,
    tag_id int NOT NULL,
    tag_name varchar(64),
    group_name varchar(64),
    description varchar(255),
    state int,
    data_type int,
    nvalue float,
    old_nvalue float,
    svalue varchar(255),
    old_svalue varchar(255),
    [message] varchar(255),
    inactive_timestamp datetime,
    ack_timestamp datetime,
    ack_user varchar(64),
    constraint audit_pk PRIMARY KEY (time_stamp, event_id, tag_id)
    );

    CREATE INDEX all_audit ON audit (state, ack_timestamp);
    CREATE INDEX updated_audit ON audit (state, ack_timestamp, time_stamp, inactive_timestamp);
    create index purge_audit on audit (time_stamp);

    --drop table [log];
    CREATE TABLE [log] (
    time_stamp datetime NOT NULL,
    tag_name varchar(64) NOT NULL,
    tag_id int,
    state int,
    data_type int,
    nvalue float,
    svalue varchar(255),
    unit varchar(16),
    constraint log_pk PRIMARY KEY (time_stamp, tag_name)
    );

    CREATE INDEX trend ON [log] (nvalue, state, time_stamp, tag_name);
    create index purge_log on [log] (time_stamp);

    --drop table persistence;
    CREATE TABLE persistence (
    time_stamp datetime NOT NULL,
    tag_name varchar(64) NOT NULL,
    tag_id int,
    state int,
    data_type int,
    nvalue float,
    svalue varchar(255),
    unit varchar(16),
    constraint persistence_pk PRIMARY KEY (time_stamp, tag_name)
    );

    CREATE INDEX tag_name ON persistence (tag_name);

    --drop table userdata;
    CREATE TABLE userdata (
    [name] varchar(128) NOT NULL,
    data_type int,
    nvalue float,
    svalue text,
    constraint userdata_pk PRIMARY KEY ([name])
    );
    CREATE INDEX UDIndex ON [userdata] ([name]);

  • Updated front-end Alarm Viewer for faster loading over slow Internet connection.
  • Updated minor section of documentation.
  • Fixed stability issue for specific add-in module.

Recently we found that Firefox has changed the type of object of a function. Below is the test code:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>FX function status test</title>
</head>
<body>
    <script type="text/javascript">
        function hello() {
            // Called as a plain function (no "new"), so "this" is the global object
            this.hello = "hello";
            this.world = "world";
            this.status = "status";

            // Show the constructor of "this", followed by the three properties
            var txt = this.constructor;
            txt += this.hello + " " + this.world + " " + this.status;
            document.getElementsByTagName('body')[0].innerHTML = txt;
        }
        hello();
    </script>
</body>
</html>

This test attempted to show what type of constructor the function ‘hello’ has in the browser, together with the properties ‘hello’, ‘world’ and ‘status’. As the screenshot shows, different browsers treat the function object differently, especially Firefox. The latest Firefox (in this case, version 4 beta 6) treated it as an Object, but previous versions of Firefox (3.6.3 or older) treated it as an object Window, and note that ‘status’ is missing from Firefox’s output compared to other browsers. This means Firefox prohibited the use of the property name “status”. A property named “status” can only be used when it is in a JavaScript class.

result in various browsers

On the other hand, one foolproof practice is to convert a function object into a new JavaScript class, like below:

function myFunc() {
    // Guard intended to create an instance when called without "new"
    if (!(this instanceof Object)) {
        return new myFunc();
    }

    this.hello = "hello";
    this.world = "world";
    this.status = "status";
    return this;
}


This code will fail since Firefox 3.6.8+ updated its instance to Object (as shown in the screenshot). As a result, developers need to remove this interlocking code as it’s no longer useful; the workaround is to create it as a new function class (new myFunc()) when using it.
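The guard above, and the hardened form a practitioner would use instead, as an added example that is not code from the original post. The post's check tests `this instanceof Object`, which is true for the global object itself (window in a browser, globalThis in Node) and for any object the function is invoked on, so a plain call writes hello/world/status straight onto that object. Checking against the constructor itself lets only a genuine `new` instance through; the example runs both against a caller-supplied object so the difference is observable outside a browser.

```javascript
// Added example: the post's guard beside a constructor-based guard.
// In a browser, "window.status" is a built-in window property (the status bar
// text), which is why writing a "status" property onto window behaves
// differently from writing it onto a fresh object.

// The post's pattern, kept as-is for comparison.
function leakyFunc() {
  if (!(this instanceof Object)) {   // true for window/globalThis and any object
    return new leakyFunc();
  }
  this.hello = "hello";
  this.world = "world";
  this.status = "status";
  return this;
}

// Hardened form: only a real leakyFunc-style instance passes the guard.
function safeFunc() {
  if (!(this instanceof safeFunc)) { // false for window, {} or undefined
    return new safeFunc();
  }
  this.hello = "hello";
  this.world = "world";
  this.status = "status";
  return this;
}

// Invoke both functions with an explicit receiver object, which is exactly
// what a sloppy-mode plain call does with window, and report what happened.
function compare() {
  const hostA = {};
  const hostB = {};
  const fromLeaky = leakyFunc.call(hostA);
  const fromSafe = safeFunc.call(hostB);
  return {
    leakyReturnedHost: fromLeaky === hostA,        // true: hostA was mutated
    leakyPollutedHost: "status" in hostA,          // true
    safeReturnedHost: fromSafe === hostB,          // false: fresh instance
    safePollutedHost: "status" in hostB,           // false
    safeIsInstance: fromSafe instanceof safeFunc,  // true
    safeStatus: fromSafe.status,                   // "status"
  };
}

console.log(compare());
```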

  • Added find and replace.
  • Added always on top option.
  • Added email output support, which allows alarm to be sent via email.
  • Added Modbus driver string data type support and fixed ASCII mode bug.
  • Added interval timer support, configured via Timer table.
  • Added tooltip help for each column header in all table grid.
  • Added configuration for all drivers within PE.
  • Added right click on grid row header while no row selected will select the entire row.
  • Added reloading persist tag upon database reconnect when tag not in memory.
  • Added web server retry during startup.
  • Removed millisecond support for schedule timer (replaced by new Interval Timer).
  • Removed or hid lengthy alarm statuses.
  • Fixed OPC driver async configuration mix-up.
  • Fixed OPC driver async mode reading.
  • Fixed timer issue with millisecond only contain a single number.
  • Fixed PE crash when trying to retrieve OPC servers list.
  • Fixed printer output issue.
  • Fixed front-end user login issue.
  • Fixed unnecessary alarm logging during project startup.
  • Improved: OPC server DCOM setting is not removed after the OPC server is closed.
  • Improved: OPC server does not overwrite an existing DCOM setting if the setting already exists.
  • Improved output task so it closes faster if the printer output is invalid.

Nowadays many gurus and web developers are obsessed with fast-performing web sites. One of the common techniques used is to compress almost everything delivered over the Internet connection. Other than multimedia data, Internet data is still very much ASCII or text oriented, so compression is very much about shortening strings. We are also concerned about separating static content onto a cookieless domain. After looking into all these techniques, the names of the items involved seem to start with the letter ‘s’. To avoid wasting a single byte on naming, it makes sense to name everything ‘s’ and leave the extension to differentiate them.

Item | Name | Description
script | s.js | JavaScript files need to be compressed and combined into one; the name is shortened to s.js, where ‘s’ stands for script.
style | s.css | CSS files need to be compressed and combined into one, so the name is also shortened to s, where ‘s’ stands for style.
shortcut icon | s.ico | To make the favicon cacheable, we can’t just name it favicon.ico and leave it in the root directory; we also need to shorten the name to s.ico and store it in the static domain, where ‘s’ stands for ‘shortcut icon’.
static | s.domain.com | To create a cookieless domain, a static directory needs to be created for storing the above contents and also screens or images. So we might as well create a subdomain, s.domain.com, and put almost everything except HTML files into this directory. ‘s’ is for static, ‘s’ is for screens, ‘s’ is a sum for all.
Note: This article is meant for IGX systems that do not use the Internet Gateway module. Internet Gateway completely removes all the cumbersome steps described. Write to technical support to learn how!

The IntegraXor web server was designed to be accessible via the Internet, even though in most cases it is used on an intranet basis or simply as a desktop application. This article will walk you through a step-by-step guide on how to set up the broadband network for operators to access the SCADA remotely without the need for a fixed IP, just like how our LIVE DEMO page is done.

There are two essential pieces of work that need to be done before being able to access the IntegraXor web server: port forwarding configuration, and host name registration.

Port Forwarding

IntegraXor uses a distinctive port number, 7131, to avoid clashing with any other application. Normally, routers block most network ports by default for security reasons. Therefore the user will need to configure the router to redirect all connections from a specific port to the PC with the IntegraXor Server. This step is called port forwarding. Below are the steps of port forwarding for a router.

  1. First of all, to change the router configuration, open a web browser and enter the router’s standard IP address in the address bar. This is usually 192.168.1.1 or 192.168.0.1. If you are not sure about this, you can open a command prompt, enter ipconfig and look for Default Gateway.

  2. The router program shall prompt a security window; enter the username and password to log in. Refer to the router’s user guide for the default UID and PWD if the default setting is being used, especially when the router is new.
  3. Look for the menu or link to port forwarding (some routers call it virtual server). This may vary depending on the type of router you use. If you can’t find port forwarding or virtual server in your router, check out http://portforward.com/. This website compiles screenshots of common routers on the market.
  4. Then enter the LAN IP address of the IntegraXor server and port 7131 into the respective columns. Below is a sample screenshot of a Buffalo brand router.

  5. Depending on your router, ensure you press the ‘save’ or ‘add’ button to save the port forwarding configuration.
  6. As an additional step, below are some hints on confirming whether the port forwarding has been done correctly. Use http://www.canyouseeme.org/ to check whether the port has been forwarded. This tool will help you check whether the port is forwarded to the local server PC.

    • Enter port 7131 in the port box and then click the ‘check’ button. A message will be shown below to tell you the test result.

    • If this message shows, obviously your port 7131 is not forwarded. You need to go back to your router and check the port configuration.
    • Otherwise, voila! The port is forwarded!

Note: You may not be able to access the server locally using the WAN IP. In other words, you may not be able to use any of the PCs connected to the same router. You might need some help from external colleagues or friends who are using a separate ISP link to test it for you. So it’s best to have two ISP links while setting up port forwarding.

Host name registration

This registration is optional but most of the time required, as its purpose is to replace the IP address with an easy-to-remember and constant URL for operators or end users. In this section, we will be using No-IP as our example. Below are the steps for creating a free host name using www.no-ip.com.

    1. Download the No-IP client and install it on the same PC where IntegraXor is installed.
    2. Register an account with No-IP.com. Once registered, an activation mail will be sent to the registered email address asking for activation.
    3. Once the account is activated, key in the email and password to log into the No-IP account.

    1. Click the Hosts/Redirects link to go to the host name configuration.
    2. Enter your desired host name in the host name box. Then click the “Create Host” button at the bottom to complete the host name creation.
    3. Run the No-IP client on the server PC to link with the host name created in the previous step. This client will automatically update your IP address on the No-IP server, thus redirecting Internet users to your IntegraXor server. You may want to keep this client running in case of disconnection, and put it into auto start-up upon Windows restart.

You may try to access the server using this host name at this stage. Just replace the IP address with the host name. For example, the IP-based address should by now be replaced with http://integraxor.servehttp.com:7131/demo/. As mentioned above, you may need to use another Internet connection to access it.

Note: This article is meant for IGX systems that did not opt for the Internet Gateway module. Internet Gateway completely removes all the cumbersome steps described. Grab a free download of the latest version to learn how!

It’s too common that a C++ program crashes, or hangs and gets terminated by the user. Both cases will normally pop up a standard message prompting the user to send the dump file as a crash report. When something like this happens, should a user “Send” or “Don’t send”? “Please tell Microsoft about this problem”, even when this program is not from Microsoft?

Screen shot prompt to send crash dump

If you use the program regularly, you should make the effort to help the programmer find the memory leak. So most of the time it should simply be sent off, since it’s quite an easy job, so that the program publisher/creator can be notified and rectify it. However, we need to ensure we don’t keep sending something useless, or deliver it to no one. Below is the flow chart showing how to determine whether to send or not.

flow chart in deciding send or don't send

Has the program crashed?

How to tell if a program has crashed or hung? You should know it when a program crashes, which means the program terminated abnormally and could cause loss of data. A program hang means it’s no longer responsive or it takes longer than usual to complete a task. You can see more after clicking “To see what data this error report contains”; another popup shall show. You can see that szModName is “hungapp” and the offset is zeroes, “00000000”. You don’t have to send this report, as the programmer can’t tell much other than that the currently used version may hang. It’s better to try to figure out what causes the hang and write to the publisher.

a hang-up scenario

What if you find it actually crashes but the address offset is still zeroes? The result and action shall be the same as for a hang. Sending an address offset of zeroes will not give much hint to the programmer. Only when you find that the address offset has some hexadecimal value can what you encounter be easily resolved by the programmer, if you submit this complete report. In fact, the key decision to send is to check whether the address offset has some value and is not a series of zeroes.

Is the program digitally signed?

Why is this step needed? As it’s prompted “Please tell Microsoft about this problem”, the report will be sent to Microsoft, so now we need to check whether the publisher has access to the Microsoft crash dump database. Only a VeriSign registrant gets to access what you are sending.

A digitally signed file's properties

Now how do we determine whether a publisher has digitally signed the program? Just right-click on the installer to check its file properties; a signed file shall have an additional “Digital Signatures” tab whose content shows the details of the signer. You can now confirm that your crash report can safely reach the publisher when you choose to send; otherwise you need to manually collect the report and email it to the publisher.

Manually collect crash report

Collecting the crash report manually involves copying two contents. Firstly, simply capture a print screen when you “Click here” “To see what data this error report contains”, i.e. the second pop-up that contains the address offset figures. Then further “Click here” on this page “To view technical information about the error report” to get the next screen:

appcompat.txt

Highlight the second line, which shows the path of ‘appcompat.txt’. Copy the path by pressing Ctrl+C, then open Windows Explorer and paste it into the address bar. The file shall open in Notepad and you can then save it to a different path, say “My Documents”. Attach the screenshot and this crash file and email them to the publisher; the recipient will appreciate it a lot. You may even receive a free professional license if you describe the steps to reproduce the problem. 😉

Open dump file in Windows Explorer

You shall see the following message once you successfully send out the report.

Sending error report completed

If you are lucky, you may get notified by the publisher that a new update is already available. Below is the web site shown when you click on ‘More information’ upon completion of error reporting on Adobe Reader 9.1.2’s crash.

New update is available


Credit: the above flow chart is produced by using Open Office Calc.

On top of basic communication port settings, it’s necessary to understand the basic Modbus protocol before trying to establish a Modbus link. Unlike other documentation for Modbus, this document focuses on the knowledge needed for establishing the communication rather than implementing it. This perspective will be more relevant for System Integrator engineers.

Modbus is a very old protocol that has too many interpretations and implementations by various vendors, making it one of the most widely used but complicated protocols to establish at the beginning. Too many aspects need attention, hence plug and play is almost impossible the first time for two applications from different vendors. If the system allows, the user should start by trying 1 or 2 tags/data with a basic data type like Holding Register (int16) or Output Coil (bool), and slowly add more tags before advancing to more complicated data types like real32 or long32.

Several terminologies have been used in the industry to refer to the same thing, which creates more confusion. This document uses the most precise and unambiguous term, but other vendor terms will also be mentioned. Below are 10 areas that you need to check to narrow down the scope of troubleshooting:

1. RTU/ASCII Mode
Modbus can be used in RTU or ASCII communication mode. RTU is used far more often than ASCII since it is transmitted in binary and is therefore faster. ASCII mode is rarely used and is only chosen when the communication speed (baud rate) cannot go very high because of distance or communication device (e.g. modem) limitations. The two modes cannot be mixed and used concurrently in one network. It is also important to note that the data byte size in the COM port setting is 8 for RTU and 7 for ASCII.
2. Master/Slave(s)
The relationship between Master and Slave in the Modbus context is like that between Client and Server in a computer network. A Modbus network on serial communication can only have one Master, with one or many Slaves; with several Slaves it is called a “Multidrop” network. Normally the Master is a PC or PLC and the Slave(s) are measuring devices or sensors. The Master initiates every data polling or writing sequence, and the Slave being addressed then responds accordingly. This is the opposite of a computer network, where normally one server serves many clients, although it is similar in that the client initiates all transactions.

Note that the single-master restriction applies only to serial communication such as RS232/422/485. Modbus over a TCP/IP network can support multiple Masters and, of course, multiple Slaves. Multidrop network topology is only available for RS485 and RS422 network configurations; the standard RS232 physical layer does not support a multidrop network.

3. Node ID
Modbus devices can be connected in a multi-drop (series) network, and every Modbus device must be assigned an ID for identification, even if only one device is connected. Normally it defaults to 1.

Note that the ‘Node ID’ is also called Device ID, Slave ID, Device Address, Slave Address or even Modbus Address. Some devices may even contain several Node Addresses within one physical unit; these are called virtual devices or virtual node addresses.

4. Data Address
Every data item must have its own address. The Data Address is also called a Register or simply an Address. Data Address indexing may differ from one vendor to another; in other words, address 1000 for one vendor might be 1001 or 999 for another. An offset of +1 or -1 then needs to be entered.
5. Address Arrangement
The address arrangement in Modbus devices is flexible. The starting address for any data type is not fixed; for instance it can be 1, 1000, 4000 or any other value. There is no fixed pattern for how the addresses are arranged, and they do not need to sit in one range; they can be scattered, like 1000~2000 and 4000~10000. The arrangement depends completely on the device manufacturer, and its documentation must be consulted.
6. Data Type
There are only four fundamental data types in Modbus, i.e. Output Coil (0x), Input Coil (1x), Holding Register (4x) and Input Register (3x). Output Coil (aka status) and Input Coil (aka status) are both boolean, split into input and output types. Similarly, Input Register and Holding Register (aka Output Register) are both 16-bit integers, split into input and output categories. Input Coils and Input Registers are strictly tied to the device's physical wire connections, whereas Output Coils and Holding (Output) Registers may or may not be tied to physical wiring. When an address is not tied to a physical link, it is treated as a memory variable, so most of the time the addresses being used are of the output type.

To get more than the four fundamental data types, such as floating point (float32) and long analogue (int32), two Output Registers need to be used together. When a list of floating point or long analogue data is laid out in sequence, some devices such as the Modicon PLC skip the even- or odd-numbered addresses, while others simply place them in sequence without skipping any address. The user must figure this out from the device's manual, or even by trial and error.

Some devices further support double floating point (float64) or double long integer (int64); whether addresses are skipped again depends on the device manufacturer. Moreover, some manufacturers even have proprietary data types such as a Time Element that holds up to 8 integers at one single address.

Note that some device manufacturers such as Schneider use the leading digit to differentiate the data type, that is, 4xxxx for holding registers, 3xxxx for input registers, 1xxxx for input coils and 0xxxx for output coils. This may not be the case for many software implementations. For instance, 40100 may need to be entered as 100 with integer type, and 30123 as 123 with read-only integer type.

7. RW or RO
One data location can be implemented as Read/Write or as Read Only. This depends entirely on the individual vendor, and its documentation must be consulted. Normally Input Registers (3x) and Input Coils (1x) are implemented as Read Only.
8. Word Swapping
Users of floating point or long data types need to understand the swapping of words (int16), or even bytes (int8) on some devices, in Modbus communication, since both float and long data types are made up of two or more registers (int16). Different vendors handle the ordering of binary data differently, as either Little Endian or Big Endian. This means a float or long value can be ordered as A+B or B+A, where A and B are int16. For double float or double long, the combinations extend to A+B+C+D, B+A+D+C, C+D+A+B or D+C+B+A.

Since the terms vendors use to describe this condition all differ, the user does not need a deep understanding of the scenario; simply try the swapped or direct setting and observe the outcome.

It is important to be aware that a mismatch in data swapping will not trigger any Modbus communication error, but the data polled or sent may show unreadable values.
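The word orderings listed above, decoded in working code so that a mismatched setting can be recognised by its unreadable value rather than by an error. This is an added example, not code from the page or from Ecava; the register values are constructed sample data, and the A/B/C/D names follow the text.

```python
import struct

# Added example: decode float32/int32/float64 from 16-bit Modbus registers under
# the word orderings listed in the text. A, B, C, D are the registers in the
# order they arrive; each index tuple says which register is packed first.
WORD_ORDERS_32 = {"A+B": (0, 1), "B+A": (1, 0)}
WORD_ORDERS_64 = {
    "A+B+C+D": (0, 1, 2, 3),
    "B+A+D+C": (1, 0, 3, 2),
    "C+D+A+B": (2, 3, 0, 1),
    "D+C+B+A": (3, 2, 1, 0),
}


def regs_to_bytes(regs, order, byte_swap=False):
    """Reorder the registers per `order` and pack each as two bytes, high byte
    first; byte_swap=True also swaps the two bytes inside every register."""
    out = bytearray()
    for i in order:
        hi, lo = (regs[i] >> 8) & 0xFF, regs[i] & 0xFF
        out += bytes([lo, hi]) if byte_swap else bytes([hi, lo])
    return bytes(out)


def decode_float32(regs, order="A+B", byte_swap=False):
    return struct.unpack(">f", regs_to_bytes(regs, WORD_ORDERS_32[order], byte_swap))[0]


def decode_int32(regs, order="A+B", byte_swap=False):
    return struct.unpack(">i", regs_to_bytes(regs, WORD_ORDERS_32[order], byte_swap))[0]


def decode_float64(regs, order="A+B+C+D", byte_swap=False):
    return struct.unpack(">d", regs_to_bytes(regs, WORD_ORDERS_64[order], byte_swap))[0]


def try_all_float32(regs):
    """A wrong swap setting raises no Modbus error, only an unreadable value;
    decode under every combination so the readable one stands out."""
    return {(o, bs): decode_float32(regs, o, bs)
            for o in WORD_ORDERS_32 for bs in (False, True)}


if __name__ == "__main__":
    # Constructed sample: a device sending 12.5 as A+B delivers 0x4148, 0x0000.
    for setting, value in try_all_float32([0x4148, 0x0000]).items():
        print(setting, value)
```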

9. Batch Data Transmission
Batch Optimization, also called Block/Contiguous optimization, is needed when a project has a large number of tags. In fact, almost all Modbus entries need ‘Batch Optimization’ regardless of the project's tag count. Modbus data can be transmitted in a batch (one big chunk, sorted contiguously) to speed up the communication. The data addresses in such a batch must be of the same type and the same length. For instance, addresses 4000, 4001, 4002 and 4003 can all be read or written in one transmission.
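The contiguous grouping described above, as an added example that is not code from the page or from Ecava. It assumes "same type" means the same fundamental area (0x/1x/3x/4x), that a 32-bit tag occupies two consecutive addresses, and a hypothetical per-request ceiling; the tag list is constructed sample data.

```python
from dataclasses import dataclass

# Added example: group a tag list into contiguous read batches, as the text's
# Batch/Block optimization describes. Tag names, addresses and the per-request
# ceiling are constructed/hypothetical, not values from a real device.

# Registers per data type: 32-bit types span two consecutive addresses (the
# convention the text describes for devices that skip addresses), 64-bit four.
REG_WIDTH = {"bool": 1, "int16": 1, "int32": 2, "float32": 2, "float64": 4}

MAX_REGS_PER_BATCH = 125  # hypothetical ceiling; check the device's manual


@dataclass
class Tag:
    name: str
    area: str      # "0x", "1x", "3x" or "4x", the four fundamental types
    address: int
    dtype: str


def build_batches(tags, max_regs=MAX_REGS_PER_BATCH):
    """Return a list of (area, start_address, register_count, tag_names).
    A tag joins the current batch only if it is in the same area, starts
    exactly where the previous tag ended, and fits under max_regs; a gap in
    the addresses (or a change of area) starts a new batch."""
    batches = []
    for tag in sorted(tags, key=lambda t: (t.area, t.address)):
        width = REG_WIDTH[tag.dtype]
        if batches:
            area, start, count, names = batches[-1]
            if (area == tag.area and start + count == tag.address
                    and count + width <= max_regs):
                batches[-1] = (area, start, count + width, names + [tag.name])
                continue
        batches.append((tag.area, tag.address, width, [tag.name]))
    return batches


# Constructed sample tag list (not from a real project).
SAMPLE_TAGS = [
    Tag("Temp", "4x", 4000, "int16"),
    Tag("Pressure", "4x", 4001, "int16"),
    Tag("Flow", "4x", 4002, "float32"),   # occupies 4002 and 4003
    Tag("Level", "4x", 4010, "int16"),    # gap after 4003: separate batch
    Tag("Pump", "0x", 1, "bool"),
    Tag("Valve", "0x", 2, "bool"),
]

if __name__ == "__main__":
    for area, start, count, names in build_batches(SAMPLE_TAGS):
        print(f"{area} start={start} count={count} tags={names}")
```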
10. Third party tool
When you suspect that one of the vendors did not do the job correctly, you may download a free copy of Ecava IGX SCADA and use it as a troubleshooting tool. It can act as both Modbus Master and Slave, and it supports all possible data types with any word swapping combination. Furthermore, its tag watch window is the perfect channel for seeing your polled values instantly. And if you need to look into the technical details in bits and bytes, the built-in communication port monitor will be your best friend. Check out this short YouTube video to see how easily things can be done.

Everyone needs to produce a screen shot from time to time. This article describes the best way to produce a screen shot image file for any purpose, ‘best’ meaning simple, convenient, fast, efficient and producing a small but loss-less result without using an additional tool. The working environment is Windows XP, but it should be more or less the same for Vista and Seven.

Many times the user is only interested in a screen shot of an event in a particular application. So the user should hold down the Alternate (Alt) key to avoid copying the whole screen, including the desktop/background, which avoids unnecessary image cropping work. Remember to hold down the function (Fn) key as well when working on a laptop.

Most people are aware of the jpg or gif formats, since we have all received screen shots in such formats as email attachments, but they are only suitable for photos and the image quality is compromised. The better known loss-less format is Windows bitmap *.bmp, but its file size is unnecessarily huge. In fact the only widely supported loss-less format left is PNG (pronounced ‘ping’), of which many computer users are still unaware. Information on PNG is widely available and will not be discussed here.

Producing a screen shot in PNG format is easy: simply call up Accessories » Paint, paste the clipboard content as usual, but save in PNG format. Click the file type and choose PNG at the very bottom. Feel free to save as bmp too, to see the huge difference.

Up to this point, that is all it takes to produce a tiny, loss-less file. However, having to choose the png file format each time is not convenient enough. Furthermore, Windows XP's Paint keeps the last used image size, which forces the user to resize (Ctrl+E) or even crop it. What we can do is create a template 1×1 png file and store it in ‘My Pictures’ or your usual working folder. Then, instead of right-clicking on empty space to create ‘New’ » ‘Bitmap Image’, right-click on the 1×1 png file, choose ‘Edit’ to open it, paste the screen shot onto it, and finally save it under the desired filename.

Last but not least, the BMP format should be avoided unless an application specifically requires it. As a reminder, PNG is not suitable for photo content, as JPG compresses photos better. And obviously the screen shots shown on this page are in PNG format. 🙂