defcon.klaxon
Lifetime Supporting Member
Hey guys,
I'm working on an existing system for a client where a GE RX3i at a tank/pump station is sending data to their office HMI through a RedLion DSPLE, through the internet. Everything was working just fine but their system got ransomwared, and unfortunately they didn't have backups. Luckily this system is reasonably simple and read only, so I'm trying to reverse engineer it to figure out what data was being sent to the HMI.
I've learned a lot after going out there a few times but I still have a few questions, and after doing some searching through the forum I haven't quite found what I'm looking for.
The way the RX3i communicates to the Red Lion is through the serial port on the CPE305 (thus, not Modbus TCP and there is no code specifically for the purpose for communicating Modbus). I've been able to extract the code from both the RX3i and the Red Lion, and I'm trying to make heads or tails of what has been set up.
It looks like there are three blocks of Registers that are designed to be read from the RX3i, and made available to the RedLion. One is a 32 bit array of discrete values, starting at Modbus register 003000 (source is RX3i). Second is a 16 bit array analog values, starting at Modbus register 403000. Lastly, the third is another 16 bit array of analog values, starting at Modbus register 404000. All three are read only.
The weird thing is, when I check the CPE305 the serial port is indeed set up as a Modbus slave but I don't see anything about how the registers are being mapped to Modbus type addresses. If I check the Modbus Address Space Mapping Type in the CPE305 configuration, it's disabled. So how these registers are being setup as Modbus addressable is totally unknown to me, and thus I'm not even sure if it's set up correctly (all I know is, the system was supposedly running just fine before the malware attack so all I can assume is that it was indeed running).
Most of my searching for GE RX3i Modbus related info focuses on Modbus TCP/IP and COM_REQ commands, which doesn't apply to me with this particular project.
If anyone can suggest some things to look into to unravel the mystery of this Modbus addressing, I would certainly appreciate it. One thing I can do is use some Modbus simulation software to poll the data from the Redlion DSPLE on the network and see if it's getting updated info to verify operation, but that doesn't help me figure out what register is what.
Thanks guys!
I'm working on an existing system for a client where a GE RX3i at a tank/pump station is sending data to their office HMI through a RedLion DSPLE, through the internet. Everything was working just fine but their system got ransomwared, and unfortunately they didn't have backups. Luckily this system is reasonably simple and read only, so I'm trying to reverse engineer it to figure out what data was being sent to the HMI.
I've learned a lot after going out there a few times but I still have a few questions, and after doing some searching through the forum I haven't quite found what I'm looking for.
The way the RX3i communicates to the Red Lion is through the serial port on the CPE305 (thus, not Modbus TCP and there is no code specifically for the purpose for communicating Modbus). I've been able to extract the code from both the RX3i and the Red Lion, and I'm trying to make heads or tails of what has been set up.
It looks like there are three blocks of Registers that are designed to be read from the RX3i, and made available to the RedLion. One is a 32 bit array of discrete values, starting at Modbus register 003000 (source is RX3i). Second is a 16 bit array analog values, starting at Modbus register 403000. Lastly, the third is another 16 bit array of analog values, starting at Modbus register 404000. All three are read only.
The weird thing is, when I check the CPE305 the serial port is indeed set up as a Modbus slave but I don't see anything about how the registers are being mapped to Modbus type addresses. If I check the Modbus Address Space Mapping Type in the CPE305 configuration, it's disabled. So how these registers are being setup as Modbus addressable is totally unknown to me, and thus I'm not even sure if it's set up correctly (all I know is, the system was supposedly running just fine before the malware attack so all I can assume is that it was indeed running).
Most of my searching for GE RX3i Modbus related info focuses on Modbus TCP/IP and COM_REQ commands, which doesn't apply to me with this particular project.
If anyone can suggest some things to look into to unravel the mystery of this Modbus addressing, I would certainly appreciate it. One thing I can do is use some Modbus simulation software to poll the data from the Redlion DSPLE on the network and see if it's getting updated info to verify operation, but that doesn't help me figure out what register is what.
Thanks guys!
