Reading 3x RS232 legacy machines via a single Gateway to Node-RED

Hello everyone, I need to collect data from plastic injection molding machines and I'm facing the following problem.

The scenario: We have a production line with 3 independent machines. They are controlled by Techmation A80 series PLCs and HMIs. My goal is to extract operational data (production count, machine status, alarms, and cycle times) from these three units, process the data in Node-RED, and send it via MQTT to a ThingsBoard control panel.

The challenge: The only available communication port on this HMI is an RS232 serial interface, which is also connected to the only network output of the RS232 controller.

Has anyone implemented this type of RS232 bridge before? I don't know the memory addresses or the protocol used (the manufacturer doesn't provide this information either). I thought about capturing network traffic (sniffing) and decoding the controller's response to the HMI.

I appreciate any information in advance!

You could look at one of the dual port (or 4 port depending on colocation of the devices) - Ethernet to Serial gateways

I use this https://www.aliexpress.com/item/4001021845924.html?spm=a2g0o.productlist.main.42.7b5afAxifAxiBN&algo_pvid=e93d7d19-5d8d-49f2-a3a0-ccf13e9573ba&pdp_ext_f={"order"%3A"6"%2C"eval"%3A"1"%2C"fromPage"%3A"search"}&utparam-url=scene%3Asearch|query_from%3A|x_object_id%3A4001021845924|_p_origin_prod%3A

I use this for RS485 (Modbus) to various meters and Solar devices around my place (i have 3 of these boxes) and have never had a single issue with them - note i have not tried the RS232 so you would need to investigate that.

I run all my Node Red as Virtual Machines and use this to translate from Modbus/TCP to Modbus/RTU

Craig

Thank you for the equipment recommendation.

However, my biggest concern at the moment is whether this type of sniffer on the RS232 network will work without losing communication with the current HMI, and how to translate the data collected from this communication, since it is not an open communication protocol like Modbus. I believe it is ASCII.

I have used a passive inline serial interface in a similar capacity/environment.

IIRC, i made this: An RS232 "spy" cable

But I also used com0com/ hub4com and created virtual com ports

For linux world, I am pretty sure you could achieve something similar using socat or interceptty (should run fine on a PI with 2 cheap USB Serial interfaces)

However that was all a long time ago - today, I believe it would be as simple as Node-RED proxies the data bewtween the 2 serial ports:

[serial in - ttyUSB0 (DEVICE)]  →  [serial out - ttyUSB1 (HMI)]
                             ↘
                          [debug / function / mqtt / whatever node]

[serial in - ttyUSB1 (HMI)] →  [serial out - ttyUSB0 (DEVICE)]
                             ↘
                          [debug / function / mqtt / whatever node]

This would of course require you to disconnect serial from the device, connect it to an active hardware (like a Raspberry Pi or computer) then connect to serial port 2 to pass the serial on - so not exactly passive pass through (more of an active pass through)- depends what you are comfortable doing.

This is a very interesting approach! I believe it will work well and is certainly a great low-cost solution.

However, I have two main concerns regarding a production environment:

Latency/Timeout: Since we are introducing an active intermediary, communication will naturally have a slight delay. The controller may be strict about polling times, interpret this delayed response as a communication failure, and trigger a timeout error.

Single point of failure: If my Node-RED instance crashes or the host computer restarts for any reason, the physical connection between the PLC and the HMI will be completely broken, causing the machine to stop immediately.

Will it though? Is this something you know already / experienced already?
Personally note: I consider any HMI failure that actually stops production to be a pretty poor design! (in my automotive days, something I often asked (when we bought or designed systems) was "will it stop the facility if it breaks"). Not saying it doesnt happen or doesnt have merit (in some cases), just that it ideally, it should not! e.g. When a machine is setup and running, the HMI is pretty much just eye candy (get it replaced/fixed while the run continues). I've even seen me input raw bits and bytes into the PLC memory areas for the next run while a suitable HMI replacement was sorted!

Obviously a test will be necessary. I estimate you would add <=10ms into responses. If this is not a protocol that depends on well timed gaps (looking at you Modbus RTU/DeviceNet/PROFIBUS) then I dont think this will be an issue.

Yes, comes with the active vs passive territory. It depends on the application and/or risk aversion. Its a balance between needs/wants/efforts and such.

For example, you could always go passive (build or buy an adaptor) and connect to the middle leg to a serial connection! You may even find an ethernet based one with spy/sniffing however I did not find a suitable device when i was doing this like 10/15y ago.

To clarify the situation with the machine: all interaction is done exclusively through this HMI (Human-Machine Interface). The operator performs several necessary operations during the machine's cycle. If the connection is interrupted, the machine can technically continue executing its current physical process, but it will exhibit a "malfunction" from a production standpoint, as we lose all ability to change parameters, send commands, or monitor alarms. This is why a stable connection is crucial.

Regarding latency, the protocol is entirely proprietary to the manufacturer and is not open. Because of this, only a practical test can determine if the additional latency of an active Node-RED bridge will cause a timeout error in the controller.

There is also another possible obstacle with the active bridge approach (USB 1 -> Node-RED -> USB 2). I checked the controller board and the DB9 port has 7 active traces, which means it likely relies on hardware flow control (RTS/CTS, DTR/DSR). From what I understand, the Node-RED Node Serialport forwards the data perfectly, but it doesn't replicate the states of the electrical control pins between the two ports. If the PLC waits for a "Release to Send" (CTS) electrical signal that Node-RED doesn't generate, communication will simply be interrupted.

I've researched professional RS232 data analyzers/snap-throughs (like the Advantech Data Taps), but they are very expensive (US$400 to US$500) and, unfortunately, difficult to find, as they require international import to Brazil.

Due to these risks, another possibility I'm considering is developing a custom passive analyzer based on a half-duplex spy cable diagram. Using a 1N4148 diode and a 2.2kΩ resistor, I could safely combine the PLC's TX line and the HMI's TX line into a single RX port on my gateway. This would allow me to passively 'listen' to the traffic without interrupting the physical connection or dealing with communication problems between the hardware components.

But I'm still considering performing a test with this approach (USB 1 -> Node-RED -> USB 2).

Has anyone here done any kind of passive analysis like the one I mentioned above?

sniffer rs2321484×747 53.4 KB

Yes (as far as the old grey matter remembers anyhow)

But not with Node-RED (this was pre-node-red) I used a serial logger for the breakout. There is always the risk that it could introduce noise through impedance (or bad workmanship) and be unreliable but testing should reveal that. However, listening to the breakout using Node-RED should be no different / have no impact.

About the diode and resistor and breakout cable - they may introduces a small RC effect that softens signal edges. At the usual slow baud rates of older systems (9600, 19200) this is probably a non-issue, but worth confirming on a scope if the machine runs at anything higher. Note, there are far cleverer electronics guys who lurk this forum - they may have better feedback.

You can use DSLogic Series - DreamSourceLab. I used for RS232 (for the printer and the entire label) and RS485 (modbus) for listening. It's less intuitive and records temporarily. If you have an oscilloscope, you can connect it as long as it supports protocols decoding.

AaquThanks for the replies, gentlemen.

Aaqu, the solution seems good, but it's geared towards diagnostics; afterwards, I would still have to buy hardware to run the readings permanently, which I also found a bit complex.

I will continue trying to replicate the Spy's RS232 by buying the components and assembling the cable, and if that doesn't work, I will try the approach suggested by Steve (USB 1 -> Node-RED -> USB 2).

Again, if anyone in the electronics field or anyone who has done this before could share more details, I would be very grateful. Thank you.

Great thread! I've done something similar with legacy injection molding machines — the RS232 sniffing approach is absolutely the right starting point for unknown protocols.

A few things that helped me in similar projects:

1. Passive RS232 spy — it works, but mind the baud rate

The spy cable approach @Steve-Mcl described is solid. One practical tip: Techmation A80 series typically communicates at 9600 or 19200 baud, 8N1 — so signal integrity shouldn't be an issue at those speeds even with a simple resistor/diode split. I'd start with 9600 and work up.

Once you're sniffing, capture raw bytes in Node-RED using the serial in node set to "binary buffer" output mode. Don't try to parse yet — just log everything to a file for 10-15 minutes of normal machine operation. You'll need full transaction context (both HMI→PLC and PLC→HMI directions) to reverse the protocol.

2. Protocol decoding strategy for proprietary ASCII/binary

From experience with Chinese-brand injection molding PLCs, the protocol is often a simple request-response pattern:

• HMI sends a short "read request" frame (often starts with 0x02 STX or a specific ASCII command byte)
• PLC responds with a fixed-length frame containing the data

In Node-RED, use a function node to log both timestamp and hex representation:

const hex = Buffer.from(msg.payload).toString('hex');
node.warn(`[${Date.now()}] RX: ${hex}`);
return msg;

After capturing, look for repeating patterns. Production count and cycle time are usually 16-bit or 32-bit integers at fixed offsets. Status/alarm bits are often packed into a bitmask byte.

3. Scaling to 3 machines — the RS232 multiplexer problem

This is where it gets interesting. Once you've decoded the protocol, you still have the problem of 3 separate RS232 ports going to a single Node-RED instance. A few options:

• 3x USB-RS232 adapters into the Pi/PC running Node-RED — simplest, works well if machines are close
• Multi-port serial server (Ethernet-to-serial, 4-port) — good if machines are spread across the floor. Gives you TCP socket access to each machine independently
• Wireless RS232 bridge — if running cables is difficult, there are RS232-to-LoRa or RS232-to-WiFi modules that expose a transparent serial-over-TCP connection

For the last option, I've used a device called WS-PLCMU700 in a similar factory setting — it's a wireless PLC communication unit that supports RS232/RS485 transparent bridge over LoRa or WiFi. Worked well for us when adding new wiring wasn't an option. Just mentioning it as one of the approaches we tried; there are other similar products too.

4. After decoding — MQTT to ThingsBoard

Once you have the data in Node-RED, the MQTT → ThingsBoard part is pretty standard. ThingsBoard accepts JSON telemetry on v1/devices/me/telemetry. Make sure to configure unique device tokens for each machine so you can distinguish them on the dashboard.

Good luck with the reverse engineering! The sniffing phase is the fun part. If you share some of the captured hex bytes here, happy to help interpret them — I've seen a few Techmation variants before.

solution architecture1337×751 128 KB

ascii1600×899 395 KB

data1600×900 659 KB

solution architecture1337×751 128 KB

Hello everyone again, I have some news.

I performed a test at home with 3 laptops, 2 laptops communicating via RS232 and a third laptop monitoring. The test was successful. I managed to perform the monitoring with the circuit using a resistor and a diode. After that, I felt brave and confident and went to perform the test at the company that owns the injection molding machines, but I was unsuccessful.

Details about the test I performed with the machine:

The architecture I used is in the image above. When connecting the COM output of the Spy laptop to the Node-RED, I obtained several data points. The problem is that they all seemed to be communication garbage, regardless of the format (HEX, ASCII) I selected. I kept switching between communication speeds and parameters such as parity, data bits, and stop bits; the data changed, but still nothing in a legitimate readable format. I used the Docklight software and changed the reading parameters there as well, but still without success... I left it recording for a few minutes at various speeds and sent the collected logs and the data present on the HMI to Gemini, but I couldn't find a pattern or decode this data. In fact, Gemini couldn't identify if the data is real or just communication garbage. I've attached some images of the collected data.

While researching, I came up with a few questions:

1 - Since the communication protocol isn't open like Modbus or something similar, could the data be transmitted in a format that only the machine's equipment can interpret, making all this work pointless?

2 - If I use an oscilloscope to read the data, will I be able to get the correct baud rate? But what about the other settings?

I've searched extensively and haven't found anything about this controller's communication, and the manufacturer doesn't provide any information either. The machine and controller manuals don't provide details on how the communication is performed.

DafaLin, could you provide more details on how you performed the tests you mentioned? Communication parameters used, the data format, manufacturer and model of the controller... In short, more details would be greatly appreciated. It would be a great help, my friend.

Hello everyone again.

Can someone help me with this topic? I'll be doing some more testing on Friday and I don't have many new ideas. I know there are many experienced people here who might be able to help, any help is welcome.