Modbus decryption / protocol analysis

Hello everyone,

I am new to this forum since I am currently running out of ideas...

Background information:
I am currently trying to automate a very old wind turbine from the middle of the 90's, and one of my ways to gain further information about the current status, power production etc. is to read out the internal system, which I guess is Modbus.
This old power plant was using an MS-DOS system to communicate via the RS232 port with the windmill's Main Processor Unit.
It was possible to see information like wind speed, overall status, wind direction, current power production, configuration etc.
Unfortunately there is no way to bring the old system up on any newer platform by virtualizing the software etc. (several failed tries, even with support from other forums as well).
This software is SCADA software.

Current investigation status:
I managed to log the communication by using a Saleae logic analyzer and found out that the protocol they are using might be a "proprietary" Modbus for communication.
Unfortunately I am stuck at this point because it seems like no free Modbus application wants to communicate in the correct way with the Main Processor Unit (MPU). When the sent message is incorrect the MPU simply ignores the message and does not respond.

Like I said, I was able to log the data lines RX/TX and I am able to present you this data.
Serial settings as far as I know for sending: 9600 / 8 / M / 1
Receiving: unclear since the response cannot be translated correctly.

Analyzer settings TXD (from SCADA PC):
[screenshot attachment]

Analyzer settings RXD (MPU):
[screenshot attachment]

First sent message from SCADA PC:
0x01, 0x51, 0x6A, 0xBC, 0x00
[screenshot attachment]
Response to this first message from the windmill's MPU:
[screenshot attachment]

______________________________________________________________________________________________

Second sent message from SCADA PC:
[screenshot attachment]

Response to this second message from the windmill's MPU:
[screenshot attachment]


_____________________________________________________________________________________________________

Third message:
[screenshot attachment]

Third response:
[screenshot attachment]

_____________________________________________________________________________________________________

Fourth message:
[screenshot attachment]

Response:
[screenshot attachment]

Next messages in another post due to upload limit.
 
Fifth message:
[screenshot attachment]

Response:

No Response

and so on. There are multiple of the communication messages sent in a few seconds of communication.

My Interpretation of the first message:

Example from the first message: 0x01, 0x51, 0x6A, 0xBC, 0x00

0x01 = Slave ID
0x51 = Custom function code
0x6A = (maybe some kind of data)
0xBC = weird CRC checksum??? (not Modbus-conformant maybe?)
0x00 = end of message indicator

But this is just my interpretation, which could be very wrong, since I am new to Modbus and have tried to make progress by reading the official Modbus documentation.

My main questions are:

Is what I see here Modbus, or another type of communication?

If it is Modbus, what do I need to do to send exactly these kinds of messages, with the same data structure etc., to get at least any kind of response back when I send something in?

Any help is appreciated.
 
I think you need a decoder ring

[image attachment]

Joking, you need a proprietary protocol reference manual.

If the protocol in question uses proprietary function codes then it's not Modbus, it's a proprietary protocol.

There are lots of proprietary protocols. In the early internet days (late 1990's), a Dutch guy published a list of 'industrial protocols' that numbered about 4,000. I could add 7 Honeywell protocols that were not on his list, so multiply his listed number by some factor you're comfortable with and that's just 'industrial protocols'.

Maybe there's a windmill controls forum somewhere with an old guy who still participates who might have some knowledge of what's going on. Your sniffing software shows that the PC is clearly getting responses from the windmill, even if it's unintelligible without a decoder ring.

The sniffer looks to be doing its job. I decoded one word just to make sure the app decoding made sense. It's been a long time since I decoded a scope image. I initially forgot the first bit is a start bit and the last bit is a stop bit. Duh.

The second transmitted data word (0x51) reads 1 0111 0101 1, from left to right. Leading 1 and trailing 1 are start and stop bits.
The 8 bit data value is 0111 0101
When inverted, the 8 bit data value 0111 0101 becomes 1000 1010
When the 8 bit data inverted value 1000 1010 is read 'backwards' (least significant bit sent first) with the transmitted high order bit becoming the LSB, the data word becomes 0101 0001 or 0x51.

Whew, I'm glad the UART does the heavy lifting. I'm getting lazy in my old age and don't want to look up whether least significant bit sent first is the accepted Modbus serial standard but I'll go with it.
 
This doesn't look like Modbus at all, every message in either direction would have a CRC on it. I see nothing that resembles one. What's the brand of the MPU?
 
Maybe you should try
OmniServer Universal Device Server
From Software Toolbox - https://softwaretoolbox.com/omniserver/opc-da-ua-server-for-connecting-non-standard-devices
 