Modbus Write Protect

[Punt Systems]

Although it seems a common belief that you cannot block Modbus write due to the way it’s engineered in the Unitronics PLC's, there certainly is a way to achieve this.  
 

You have to look at SL11. where every Modbus command is processed. It looks like that the value in SL11 makes no sense at all, until you attach a “Vector fill” to it.
Then each Modbus function becomes a specific value in MI 1240 (example). 
After that, it’s very easy to specifically allow or block a command (both 'read' and 'write') or an entire function.

In this specific case you can read everything, but as soon as you give a write command, it must be 1 of the 8 values, otherwise the Modbus connection is stopped immediately, to prevent anyone from being able to continue.
After that you can decide to display or send out a warning (or whatever) 

The only small downside to this solution is . . . .  although it will be detected (for sure) . . . . . you could still make 1 'write command' mistake (If you hit the jackpot).

This is tested with Modbus TCP/IP only, if you have Modbus RTU, you probably will need to edit a couple of things (I did not test that yet)

There is a timer TD 153 (example) present, because of a timing issue, when switching from one Modbus function to another, to prevent unwanted blocking of the Modbus scan.
But if you don’t allow any Modbus write command, a timer is not needed and MB 1703 (example) can do the job for you.

 

Another tip:

For anyone who wants to use a Samba with an ethernet card and still wants to have the option of Modbus RTU or any other situation with only Modus TCP/IP supported, you can use a simple module TCP2RTU from papouch.com.

Example ladder with TCP2RTU:

 

[kratmel]

1 hour ago, Punt Systems said:

Although it seems a common belief that you cannot block Modbus write due to the way it’s engineered in the Unitronics PLC's

 

[Punt Systems]

Hi Kratmel,

Of course I have read that topic. 
The problem with the 'ModBus address access limitation' solution is, that it does not protect you against writing.
If you make an operand readable, you can also write to it, and that is a risk.

Best regards

George

 

[sgull]

Hi George

I think the idea of the "modbus address access limitation" is to copy addresses you want access to to the unprotected area.

therefore the external user can read and write to this area only.

since the data is only a copy of data used in the ladder it does not matter if someone writes in error to the address.

Regards

Denis

 

[Punt Systems]

Hi Denis,

You are right about that . . . .

But in the Samba for instance, there is very little space, you probably will need all the operands available (we sure do).
Now you don't have to copy/program any duplicate operands, you will save space and time,  and also get a warning when somebody executes a Modbus write command. 
And yes, in the V700 (space enough) we have used these duplicate values, So there is no risk (indeed),  but still we like the fact that we get a warning when somebody tries to execute an illegal Modbus write command to the PLC.

Best regards

George

 

[sgull]

Hi George

Very good point.

I also had forgotten about the limited space of the Samba,

Regards

Denis