Password override Z2000 VFD?

:rofl::rofl::rofl::rofl::rofl:

1 Like

I have not tried contacting China this week.
Rumor has it they are closed.
COVID + CNY is the tell.
I had comms drop about a week back.

I’m also being sent pictures of multiple VFD from a corner of the warehouse that I apparently need to explore…

Given I have a replacement, I’m now free to try shorting random terminals…

Will document if I win.

4 Likes


Try their WhatsApp, I think CNY is next week?

3 Likes

Please do. Something else for me to worry about

1 Like

My thinking is that if I can make one computer talk to the VFD while running this you can modify the dictionary file to just work within your parameters numerically - getting the VFD to accept/understand the data is the hard part to know how and where.

Yes it says wireless, but there’s a suite of tools within that which are built just for bruteforcin'

4 Likes

Nerd @SubstituteCreature

4 Likes

Damn fuckin' straight

6 Likes

There are a couple of protocols it may be using for com, which are documented in the fine manual.

I’d rather run ABB’s anyway…but getting by this password might still be a useful trick

1 Like

I figured it’d be a useful thing to have in a toolkit down the road because god knows this type of shit takes a while to get down

I don’t have this model, I think I have much dumber VFDs - I’ll have to get something that’s a bit smarter so I can play with it

That VFD I have for sale is an ABB

1 Like

@thesk8nmidget just sent me pictures of multiple “surplus” ABB that we have on site…

Issue then becomes “no brakes!!”

Which is solvable….(and might even qualify as fun)

2 Likes

Right on. Glad you’ve got spares. We keep 3 or 4 just in case. All in all they just work and keep working.

1 Like

It looks like the password address on Modbus is 1F00, and the VFD returns 8888 if you supply it the correct one.

It’s likely at address 01

Modbus write single register command is 06

So a brute force command sequence that looks something like this might work:

Header - VFD address/command/data address
01
06
1F
00
---- 0000 through FFFF ----
CRC01
CRC02

Would probably get you there. Send new passwords until you get an 8888 data response.

If 01 isn’t correct, cycle through addresses until you get it.

Shouldn’t take more than 5 minutes of communication time.

7 Likes
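The frame layout from the post above, seen from the monitoring side, as an added example that is not part of the original thread: it decodes 8-byte Modbus RTU request frames, checks the CRC, and counts distinct values written to the 1F00 password register per slave address. The capture is constructed sample data; the helper names and the threshold of 3 are assumptions.

```python
import struct
from collections import defaultdict

PASSWORD_REG = 0x1F00   # password register address quoted in the thread
WRITE_SINGLE = 0x06     # Modbus "write single register" function code

def crc16(data: bytes) -> int:
    """Modbus RTU CRC-16 (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame(slave: int, func: int, reg: int, value: int) -> bytes:
    """Assemble an 8-byte RTU frame; the CRC goes on the wire low byte first."""
    body = struct.pack(">BBHH", slave, func, reg, value)
    return body + struct.pack("<H", crc16(body))

def parse(raw: bytes):
    """Return (slave, func, reg, value), or None if length or CRC is wrong."""
    if len(raw) != 8 or crc16(raw[:6]) != struct.unpack("<H", raw[6:])[0]:
        return None
    return struct.unpack(">BBHH", raw[:6])

def flag_password_guessing(frames, threshold=3):
    """Slaves that saw >= threshold distinct values written to PASSWORD_REG."""
    tried = defaultdict(set)
    for raw in frames:
        decoded = parse(raw)
        if decoded and decoded[1] == WRITE_SINGLE and decoded[2] == PASSWORD_REG:
            tried[decoded[0]].add(decoded[3])
    return {s: len(vals) for s, vals in tried.items() if len(vals) >= threshold}

# Constructed capture: one ordinary read, then writes to the password register.
CAPTURE = [frame(1, 0x03, 0x2000, 1)]
CAPTURE += [frame(1, WRITE_SINGLE, PASSWORD_REG, v) for v in range(4)]
CAPTURE += [frame(2, WRITE_SINGLE, PASSWORD_REG, 0x1234)]
_good = frame(1, WRITE_SINGLE, PASSWORD_REG, 9)
CAPTURE.append(_good[:7] + bytes([_good[7] ^ 0xFF]))  # corrupted CRC, ignored

if __name__ == "__main__":
    print(flag_password_guessing(CAPTURE))
```
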

Thank you. “WhatsApp” is a good reminder for all in this sort of situation. I had not dug that deep this time round.

Figured I’d start here while waiting for the search for the drives rumored to be onsite to complete.

2 Likes

THANK YOU!!

I had seen that…but would have had to unlearn something to get to the point of leveraging it.

…assuming it is playing Modbus at the moment.

Which it might be.

Although my local guy reports they play Modbus weird.

That checks out. We’ve run into more than one oddball Modbus implementation coming from China.

I’m guessing at the 06 command, which is “write to a single register” which is definitely not what is actually being done but is the only command that makes sense based on what they’ve specified.

RTU/ASCII Master Test Software | Simply Modbus Software would probably be an acceptable tool to use to figure out “does it talk” and “just how weird does it talk” if you’ve got a USB to RS485 dongle floating around and a Windows laptop.

3 Likes

I think Jan 22 starts CNY this year. I’m sweating right now with a container in port. Doubt it gets out.

1 Like

Correct, CNY is Jan 22nd

1 Like

Thank you!

I was actually just about to ask: “ok, so now I know what to say to it, how do I go about saying it?!?” :shushing_face:

1 Like

Well we determined that was a lie! 5 minute timer went off a while ago… lol

Faster @cyclopath FASTER!

5 Likes