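Industrial-control Modbus TCP: whether acting as server or client, it can communicate with PHP
1. Set up a socket server at address 192.168.18.83, port 4444;
2. Or use a TCP network assistant tool, at address 192.168.18.83, port 4444;
3. On the PHP server, use cURL to simulate sending a POST with the request parameters {"a":"b"};
4. Request the PHP script once, and the HEX packet arrives in the network assistant: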



Complete received data:
50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31 39 32 2E 31 36 38 2E 31 38 2E 38 33 3A 34 34 34 34 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 0D 0A 7B 22 61 22 3A 22 62 22 7D
5. Decode the HEX data above, converting hexadecimal to ASCII:
https://tool.hiofd.com/hex-convert-ascii-online/
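6. Result:
POST / HTTP/1.1
Host: 192.168.18.83:4444
Accept: */*
Content-Length: 9
Content-Type: application/x-www-form-urlencoded

{"a":"b"}
Summary: industrial-control Modbus TCP, whether server or client, can communicate with PHP.
Question:
I have received a Modbus TCP packet; how do I restore it to a plaintext string? The answer: AES-decrypt it to XML.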


AES encryption algorithm, CBC mode, NoPadding; key and IV in HEX format,
AES: KEY: 0102030405060708090a0b0c0d0e0f10; IV: 0102030405060708090a0b0c0d0e0f10
Result:
<?xml version="1.0" encoding="UTF-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>request</type>
</common>
<id_validate operation="request">
</id_validate>
</root>
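Modbus command:
'68681616' + 'data length (4 bytes)' + 'command (4 bytes)' + 'XML ciphertext (AES-CBC-NoPadding, plus 4 extra bytes)' + 'CRC checksum (2 bytes)' + '55AA55AA';
// where CRC checksum = CRC('command (4 bytes)' + 'XML ciphertext (AES-CBC-NoPadding, plus 4 extra bytes)')
An encryption and decryption example (note: the XML is converted to GB2312 before encryption, and must be converted back to UTF-8 after decryption):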
<?xml version="1.0" encoding="UTF-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>request</type>
</common>
<id_validate operation="request">
</id_validate>
</root>
Data length: 244 bytes
Command sequence number: 00010000
Ciphertext
Original data
Data length: 244
Command: 00010000
CRC: AB62
Footer: 55AA55AA
Decrypted content (XML): <?xml version="1.0" encoding="UTF-8" ?> <root> <common> <building_id>330102A008</building_id> <gateway_id>02</gateway_id> <type>request</type> </common> <id_validate operation="request"> </id_validate> </root>
Decrypted content (JSON):
{ "common": { "building_id": "330102A008", "gateway_id": "02", "type": "request" }, "id_validate": { "@attributes": { "operation": "request" } } }
Command set
The collection device requests identity verification (sent by the data collection device; OK)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>request</type>
</common>
<id_validate operation="request"></id_validate>
</root>
The PHP server sends a random sequence (sent by the PHP server; OK)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>sequence</type>
</common>
<id_validate operation="sequence"><sequence>23456789</sequence></id_validate>
</root>
The collection device sends the computed MD5 (sent by the data collection device; OK)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>md5</type>
</common>
<id_validate operation="md5"><md5>123456789</md5></id_validate>
</root>
The PHP server sends the verification result, then sends time-synchronization information (sent by the PHP server; OK)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>result</type>
</common>
<id_validate operation="result"><result>pass</result></id_validate>
</root>
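Heartbeat packet: the collection device periodically sends a keep-alive notification to the PHP server (sent by the data collection device; OK)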
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>notify</type>
</common>
<heart_beat operation="notify"></heart_beat>
</root>
After receiving the keep-alive notification, the PHP server sends a response (sent by the PHP server; OK)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>time</type>
</common>
<id_validate operation="time"><time>20251105090638</time></id_validate>
</root>
Device verification and data reporting packet: the PHP server queries the data collection device; OK
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>query</type>
</common>
<data operation="query"></data>
</root>
Scheduled monitoring data acknowledgement packet: sent by the PHP server to the collection device; OK
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>report_ack</type>
</common>
<report_config operation="report_ack"><report_ack>pass</report_ack></report_config>
</root>
After each resumed-transfer packet has been received, the PHP server acknowledges the resumable (breakpoint) transfer; OK
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>continuous_ack</type>
</common>
<data operation="continuous_ack"><continuous_ack>current packet variable</continuous_ack></data>
</root>
The PHP server configures the collection device's collection period; OK
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>period</type>
</common>
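<config operation="period"><period>collection-period variable set by the PHP server for the collection device</period></config>
</root>
The collection device acknowledges the PHP server's collection-period configuration; OK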
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>period_ack</type>
</common>
<config operation="period_ack"></config>
</root>
The server confirms successful receipt of the device information (sent by the PHP server)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>device_ack</type>
</common>
<device operation="device_ack"><device_ack>pass</device_ack></device>
</root>
Device information report (sent by the data collection device)
<?xml version="1.0" encoding="utf-8" ?>
<root>
<common>
<building_id>330102A008</building_id>
<gateway_id>02</gateway_id>
<type>device</type>
</common>
<device operation="device">
<build_name>测试建筑</build_name>
<build_no>001</build_no>
<dev_no>01</dev_no>
<factory>测试厂家</factory>
<hardware>V1.0</hardware>
<software>V2.0</software>
<mac>00:11:22:33:44:55</mac>
<ip>192.168.1.100</ip>
<mask>255.255.255.0</mask>
<gate>192.168.1.1</gate>
<server>192.168.18.83</server>
<port>9999</port>
<host>localhost</host>
<com>1</com>
<dev_num>10</dev_num>
<period>30</period>
<begin_time>20250101000000</begin_time>
<address>测试地址</address>
</device>
</root>
// Format 1
// Format 2: 0x68 0x68 0x16 0x16 0xF4 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x8D 0x80 0xDB 0x2E 0x20 0x85 0xCA 0xDB 0x5F 0xA6 0x8F 0xDD 0x66 0x4D 0xE4 0x33 0x89 0x08 0xC7 0x07 0xD9 0xB8 0x08 0xD2 0x30 0x40 0xDF 0x70 0xAC 0x3D 0x0C 0xDE 0x1E 0xCA 0x56 0xA6 0xBF 0x34 0x15 0x4F 0x2B 0xF4 0xED 0x6A 0xE9 0x8E 0xCB 0x58 0x02 0x49 0x3C 0x05 0x77 0x87 0x60 0xFC 0x5B 0x53 0xD3 0x3C 0x15 0x15 0xC8 0xB6 0x5D 0xED 0x01 0xB4 0x47 0x4E 0xEE 0x58 0x01 0xF2 0x81 0xE9 0x95 0x93 0xAF 0xFF 0x86 0xCD 0x93 0xAB 0xB7 0x69 0xAE 0xC2 0xB0 0x65 0xF2 0xD2 0x83 0x23 0x92 0xA9 0x7A 0x95 0x24 0x68 0x0F 0x8E 0x8A 0xC3 0xB6 0x2B 0xA3 0x3B 0x4C 0xFC 0xCD 0x65 0xA8 0x5B 0xA8 0x8D 0xB0 0xC5 0x91 0x70 0x79 0x3E 0x7F 0xC4 0xE3 0x65 0x25 0xA0 0xBF 0x99 0x27 0xB2 0x6C 0x9E 0x25 0xF5 0x2B 0x86 0x11 0x64 0xC7 0x23 0xA6 0x83 0xCA 0x0F 0xFC 0x67 0x7D 0x28 0x96 0x95 0xF8 0x90 0xF1 0xB0 0x16 0x0A 0x4B 0xA4 0xD2 0xDA 0x85 0x11 0xA9 0xA9 0x2A 0xBF 0xF6 0x0E 0x01 0x3B 0x90 0x8B 0xCF 0xA7 0x81 0xE8 0x1E 0xBB 0x94 0x4D 0x0C 0xB1 0x7A 0xFF 0xBF 0xAD 0xF2 0x16 0xBF 0xCC 0x89 0xB5 0xDD 0x5B 0x82 0xBD 0xE7 0xF5 0x57 0x80 0x88 0xB7 0xAC 0xD2 0x98 0x70 0xCC 0xAA 0x46 0xD7 0x1A 0x79 0xA4 0xB0 0xE2 0x28 0x7F 0xE6 0x4B 0x21 0x20 0x96 0x4A 0x1E 0xE0 0x71 0xD7 0x67 0x61 0xD0 0x68 0x8E 0xB3 0x28 0x20 0x9B 0x6A 0x40 0xAB 0x62 0x55 0xAA 0x55 0xAA
// Format 3
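A parser for the frame layout described above that validates the structure before anything is decrypted, as an added example (not code from the original post). It assumes the length field is little-endian and counts the command plus the ciphertext, as in the sample frame above (F4 00 00 00 = 244 = 4 + 240); `MAX_BODY` and the function names are assumptions, and because the post does not name the CRC variant, the stored CRC and the bytes it covers are returned for the caller to check.

```python
import struct

HEADER = bytes.fromhex("68681616")
FOOTER = bytes.fromhex("55AA55AA")
AES_BLOCK = 16
MAX_BODY = 64 * 1024  # assumed upper bound; the post does not state one


class FrameError(ValueError):
    """Raised when a received buffer does not match the frame layout."""


def parse_frame(buf: bytes) -> dict:
    """Split one complete frame into its fields, rejecting malformed input."""
    if len(buf) < 4 + 4 + 4 + AES_BLOCK + 2 + 4:
        raise FrameError("frame shorter than the minimum layout")
    if buf[:4] != HEADER:
        raise FrameError("bad header")
    (length,) = struct.unpack_from("<I", buf, 4)  # little-endian uint32
    if not 4 + AES_BLOCK <= length <= MAX_BODY:
        raise FrameError("length field out of range")
    if len(buf) != 8 + length + 2 + 4:
        raise FrameError("length field does not match bytes received")
    command = buf[8:12]
    ciphertext = buf[12:8 + length]
    if len(ciphertext) % AES_BLOCK:
        # CBC with NoPadding only decrypts whole 16-byte blocks.
        raise FrameError("ciphertext is not a whole number of AES blocks")
    crc = buf[8 + length:8 + length + 2]
    if buf[-4:] != FOOTER:
        raise FrameError("bad footer")
    return {"length": length, "command": command.hex(),
            "ciphertext": ciphertext, "crc": crc.hex().upper(),
            "crc_input": command + ciphertext}  # bytes the CRC covers


def build_frame(command: bytes, ciphertext: bytes, crc: bytes) -> bytes:
    """Assemble a frame in the same layout (CRC supplied by the caller)."""
    body = command + ciphertext
    return HEADER + struct.pack("<I", len(body)) + body + crc + FOOTER


# Constructed sample: one block of dummy ciphertext and a dummy CRC value.
SAMPLE = build_frame(bytes.fromhex("00010000"), bytes(range(16)), b"\x12\x34")
```

Only a buffer that passes `parse_frame` should go on to CRC verification and AES-CBC decryption.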
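Question:
The decrypted data has been obtained, but it differs somewhat from the data shown on the web page or on the electricity meter;
If any expert knows the reason, please advise. (Note on historical data: the server runs long-term and will receive all of it; it can also be queried by time.)
Summary: there are three ways to get the data from this device:
1. Use a Modbus client to connect to port 502 and send a command that returns a single record;
2. Set up a socket server, configure it on the device, and wait for the device to upload in batches;
3. Crawler mode: the device has a web control panel; with Authorization: Basic base64(admin:password) carried in the headers, you can crawl the data in table->tr->td format, and with new DOMDocument() you can get it as JSON data;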
