Sniff & Inject: RS485 Modbus Add-On

Have you ever wanted to peer into the inner workings of industrial control systems? The Electronic Cats RS485 Modbus Add-On for Flipper Zero empowers you to do just that! The board grants the ability to sniff and inject packets on a Modbus network, potentially granting access to critical industrial data. But before we delve into its functionalities, let's establish a foundational understanding of Modbus and its significance.

What is Modbus?

Modbus is a serial communication protocol widely employed in industrial automation systems. It serves as a common language between various devices like programmable logic controllers (PLCs), sensors, and actuators.

Where is Modbus Used?

Modbus pervades a vast array of industrial settings, including:

• Factory automation: Assembly lines, robotics, and process control systems heavily rely on Modbus for communication.
• Building automation: Heating, ventilation, and air conditioning (HVAC) systems can utilize Modbus for monitoring and control.
• Power generation and distribution. Supervisory control and data acquisition (SCADA) systems often leverage Modbus for managing power grids.
• Infrastructure control.

Why is Modbus's low-security level important?

Here is the critical aspect: Modbus was designed for simplicity and ease of implementation, prioritizing functionality over robust security. This inherent weakness makes Modbus networks susceptible to eavesdropping and manipulation. This board can be a valuable asset for ethical security researchers to identify and address vulnerabilities in industrial networks since it can perform:

• Sniff data: Extract sensitive information like sensor readings, control commands, and system configurations.
• Inject packets: Tamper with data flowing through the network, potentially disrupting industrial processes or causing malfunctions.

Modbus and Flipper Zero

Let's move to the real purpose of this tutorial!

First, we must install the app in our Flipper to sniff and inject Modbus packages. For that, it is important toFlash unleashed firmware (version 071 or newer is recommended), to then install the Modbus app in your Flipper:

1. Go to the release section of the GitHub repository and download the latest .fap file.

2. Connect your Flipper to either qFlipper, Flipper Lab, or the Flipper mobile app (if Experimental Options are enabled).

3. Using the File Manager navigate to the Apps Folder.

4. Upload the .fap file to the path you prefer. It is recommended to create a new folder or use an existing folder as the “Misc” folder.

You are done! Now the app should appear in your Flipper Apps menu.

Setting up

Successful communication between the Flipper and Modbus will depend on the parameters, you must know how are they configured in the target Modbus network, wrong configurations will result in data loss or error messages. This includes baud rate selection, parity configuration, and output mode options, ensuring you can tailor the Add-On's behavior to seamlessly interact with your target network.

After everything is configured, we will find out what our flipper and the RS485 Modbus Add-On are capable of.

Sniffing Example

Note: The circuit built on the breadboard is merely to simulate devices on a Modbus network.

We will first look at the ability to sniff data.

In the above videos, the Flipper's screen displayed data being transmitted by a device to control LEDs based on specific dip switch settings.

Whenever the device sends data, the Flipper screen shows the individual data bits. These bits are essentially the building blocks of digital information, and they can be either high (represented as “ON”) or low (represented as “OFF”).

Essentially, you are acting as a network spy, peeking into the digital messages that control the LEDs.

Injection-based assault

The Flipper lets you specify the unique identifier (ID) of a peripheral device you want to communicate with.

RS485 allows communication with multiple devices on the same network, but you need to configure the Add-On to target the specific peripheral using its ID.

After selecting the ID we need to choose the task to perform.

Supported values are:

• Read Coils (0x01)
• Read Discrete Inputs (0x02)
• Read Holding Registers (0x03)
• Read Input Registers (0x04)
• Write Single Coil (0x05)
• Write Single Register(0x06)
• Write Multiple Coils (0x0F)
• Write Multiple Registers (0x10)

Variable fields in the packet include byte count, amount, value, byte, and register; these fields may appear based on the function that is specified. Hexadecimal input or buttons can be used to modify the other fields; the byte count is the only one that cannot be changed.

When the packet is ready to be sent, click the “Send packet” option. This will cause the scene to immediately switch to the output console, where the peripheral response is shown.

To summarize, it is easy to peer inner the industrial control systems with a simple board and a Flipper even if you are not familiar with Modbus.

And that it is! As you can see in the examples how easy it is to sniff in a Modbus network with the correct tools. As well as knowing a bit more about the instructions to communicate with the Modbus coils you can act as a Master device with only your Flipper and the Modbus Add-On (or you can simply check the data obtained while sniffing and reutilize them).

We invite you to explore our other tutorials for more!