Phase 3 PR 55 -- Mitsubishi MELSEC Modbus TCP quirks research document. 451-line doc at docs/v2/mitsubishi.md mirroring the docs/v2/dl205.md template for the MELSEC family (Q-series + QJ71MT91, L-series + LJ71MT91, iQ-R + RJ71EN71, iQ-R built-in Ethernet, iQ-F FX5U built-in, FX3U + FX3U-ENET / FX3U-ENET-P502, FX3GE built-in). Like Siemens S7, MELSEC Modbus is a patchwork of per-site-configured add-on modules rather than a fixed firmware stack, but the MELSEC-specific traps are different enough to warrant their own document. Key findings worth flagging for the PR 58+ implementation track: (1) MODULE NAMING TRAP -- QJ71MB91 is SERIAL RTU, not TCP. The Q-series TCP module is QJ71MT91. Driver docs + config UI should surface this clearly because the confusion costs operators hours when they try to connect to an RS-232 module via Ethernet. (2) NO CANONICAL MAPPING -- every MELSEC Modbus site has a unique 'Modbus Device Assignment Parameter' block of up to 16 assignments (each binding a MELSEC device range like D0..D1023 to a Modbus-address range); the driver must treat the mapping as runtime config, not device-family profile. (3) X/Y BASE DEPENDS ON FAMILY -- Q/L/iQ-R use HEX notation for X/Y (X20 = decimal 32), FX/iQ-F use OCTAL (X20 = decimal 16, same as DL260); iQ-F has a GX Works3 project toggle that can flip this. Single biggest off-by-N source in MELSEC driver code -- driver address helper must take a family selector. (4) Word order CDAB across Q/L/iQ-R/iQ-F by default (CPU-level, not module-level) -- no user-configurable swap on the server side. FX5U's SWAP instruction is for CLIENT mode only. Driver Mitsubishi profile default must be ByteOrder.WordSwap, matching DL260 but OPPOSITE of Siemens S7. (5) D-registers are BINARY by default (opposite of DL205's BCD-by-default). FNC 18 BCD / FNC 19 BIN instructions confirm binary-by-default in the ladder. Caller must explicitly opt-in to Bcd16/Bcd32 tags when the ladder stores BCD, same pattern as DL205 but the default is inverted. (6) FX5U FIRMWARE GATE -- needs firmware >= 1.060 for native Modbus TCP server; older firmware is client-only. Surface a clear capability error on connect. (7) FX3U PORT 502 SPLIT -- the standard FX3U-ENET cannot bind port 502 (lower port range restricted on the firmware); only FX3U-ENET-P502 can. FX3U-ENET-ADP has no Modbus at all and is a common operator mis-purchase -- driver should surface 'module does not support Modbus' as a distinct error, not 'connection refused'. (8) QJ71MT91 does NOT support FC22 (Mask Write) or FC23 (Read-Write Multiple). iQ-R and iQ-F do. Driver bulk-read optimization must gate on module capability. (9) MAX CONNECTIONS -- 16 simultaneous on Q/L/iQ-R, 8 on FX5U and FX3U-ENET. (10) STOP-mode writes -- configurable on Q/L/iQ-R/iQ-F (default = accept writes even in STOP), always rejected with exception 04 on FX3U-ENET. Per-model test differentiation section names the tests Mitsubishi_QJ71MT91_*, Mitsubishi_FX5U_*, Mitsubishi_FX3U_ENET_*, with a shared Mitsubishi_Common_* fixture for CDAB-word-order + binary-not-BCD + standard-exception-codes tests. 17 cited references including primary Mitsubishi manuals (SH-080446 for QJ71MT91, JY997D56101 for FX5, SH-081259 for iQ-R Ethernet, JY997D18101 for FX3U-ENET) plus Ignition / Kepware / Fernhill / HMS third-party driver release notes. Three unconfirmed rumours flagged explicitly: iQ-R RJ71EN71 early firmware rumoured ABCD word order (no primary source), QJ71MT91 firmware < 2010-05 FC15 odd-byte-count truncation (forum report only), FX3U-ENET firmware < 1.14 out-of-order TxId echoes under load (unreproducible on bench). Pure documentation PR -- no code, no tests. Per-quirk implementation lands in PRs 58+. Research conducted 2026-04-18.

Merge pull request 'Phase 3 PR 53 -- Transport reconnect-on-drop + SO_KEEPALIVE (DL260 no-keepalive quirk)' (#52 ) from phase-3-pr53-dl205-reconnect into v2
Merge pull request 'Phase 3 PR 52 -- Modbus exception-code -> OPC UA StatusCode translation' (#51 ) from phase-3-pr52-dl205-exception-codes into v2
2026-04-18 22:51:28 -04:00 · 2026-04-18 22:35:40 -04:00 · 2026-04-18 22:35:33 -04:00 · 2026-04-18 22:35:25 -04:00 · 2026-04-18 22:35:18 -04:00 · 2026-04-18 22:32:13 -04:00
32 changed files with 3207 additions and 163 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ packages/
 # Claude Code (per-developer settings, runtime lock files, agent transcripts)
 .claude/
 .local/
--- a/docs/v2/dl205.md
+++ b/docs/v2/dl205.md
@@ -0,0 +1,295 @@
 # AutomationDirect DirectLOGIC DL205 / DL260 — Modbus quirks
 AutomationDirect's DirectLOGIC DL205 family (D2-250-1, D2-260, D2-262, D2-262M) and
 its larger DL260 sibling speak Modbus TCP (via the H2-ECOM100 / H2-EBC100 Ethernet
 coprocessors, and the DL260's built-in Ethernet port) and Modbus RTU (via the CPU
 serial ports in "Modbus" mode). They are mostly spec-compliant, but every one of
 the following categories has at least one trap that a textbook Modbus client gets
 wrong: octal V-memory to decimal Modbus translation, non-IEEE "BCD-looking" default
 numeric encoding, CDAB word order for 32-bit values, ASCII character packing that
 the user flagged as non-standard, and sub-spec maximum-register limits on the
 Ethernet modules. This document catalogues each quirk, cites primary sources, and
 names the ModbusPal integration test we'd write for it (convention from
 `docs/v2/modbus-test-plan.md`: `DL205_<behavior>`).
 ## Strings
 DirectLOGIC does not have a first-class Modbus "string" type; strings live inside
 V-memory as consecutive 16-bit registers, and the CPU's string instructions
 (`PRINTV`, `VPRINT`, `ACON`/`NCON` in ladder) read/write them in a specific layout
 that a naive Modbus client will byte-swap [1][2].
 - **Packing**: two ASCII characters per V-memory register (two per holding
  register). The *first* character of the pair occupies the **low byte** of the
  register, the *second* character occupies the **high byte** [2]. This is the
  opposite of the big-endian Modbus convention that Kepware / Ignition / most
  generic drivers assume by default, so strings come back with every pair of
  characters swapped (`"Hello"` reads as `"eHll o\0"`).
 - **Termination**: null-terminated (`0x00` in the character byte). There is no
  length prefix. Writes must pad the final register's unused byte with `0x00`.
 - **Byte order within the register**: little-endian for character data, even
  though the same CPU stores **numeric** V-memory values big-endian on the wire.
  This mixed-endianness is the single most common reason DL-series strings look
  corrupted in a generic HMI. Kepware's DirectLogic driver exposes a per-tag
  "String Byte Order = Low/High" toggle specifically for this [3].
 - **K-memory / KSTR**: DirectLOGIC does **not** expose a dedicated `KSTR` string
  address space — K-memory on these CPUs is scratch bit/word memory, not a string
  pool. Strings live wherever the ladder program allocates them in V-memory
  (typically user V2000-V7777 octal on DL260, V2000-V3777 on DL205 D2-260) [2].
 - **Maximum length**: bounded only by the V-memory region assigned. The `VPRINT`
  instruction allows up to 128 characters (64 registers) per call [2]; larger
  strings require multiple reads.
 - **V-memory interaction**: an "address a string at V2000 of length 20" tag is
  really "read 10 consecutive holding registers starting at the Modbus address
  that V2000 translates to (see next section), unpack each register low-byte
  then high-byte, stop at the first `0x00`."
 Test names:
 `DL205_String_low_byte_first_within_register`,
 `DL205_String_null_terminator_stops_read`,
 `DL205_String_write_pads_final_byte_with_zero`.
 ## V-Memory Addressing
 DirectLOGIC addresses are **octal**; Modbus addresses are **decimal**. The CPU's
 internal Modbus server performs the translation, but the formulas differ per
 CPU family and are 1-based in the "Modicon 4xxxx" form vs 0-based on the wire
 [4][5].
 Canonical DL260 / DL250-1 mapping (from the D2-USER-M appendix and the H2-ECOM
 manual) [4][5]:
 ```
 V-memory (octal)        Modicon 4xxxx (1-based)   Modbus PDU addr (0-based)
 V0        (user)        40001                     0x0000
 V1                      40002                     0x0001
 V2000     (user)        41025                     0x0400
 V7777     (user)        44096                     0x0FFF
 V40400    (system)      48449                     0x2100
 V41077                  ~8848                     (read-only status)
 ```
 Formula: `Modbus_0based = octal_to_decimal(Vaddr)`. So `V2000` octal = `1024`
 decimal = Modbus PDU address `0x0400`. The "4xxxx" Modicon view just adds 1 and
 prefixes the register bank digit.
 - **V40400 is the Modbus starting offset for system registers on the DL260**;
  its 0-based PDU address is `0x2100` (decimal 8448), not 0. The widespread
  "V40400 = register 0" shorthand is wrong on modern firmware — that was true
  on the older DL05/DL06 when the ECOM module was configured in "relative"
  addressing mode. On the H2-ECOM100 factory default ("absolute" mode), V40400
  maps to 0x2100 [5].
 - **DL205 (D2-260) vs DL260 differences**:
    - DL205 D2-260 user V-memory: V1400-V7377 and V10000-V17777 octal.
    - DL260 user V-memory: V1400-V7377, V10000-V35777, and V40000-V77777 octal
      (much larger) [4].
    - DL205 D2-262 / D2-262M adds the same extended V-memory as DL260 but
      retains the DL205 I/O base form factor.
    - Neither DL205 sub-model changes the *formula* — only the valid range.
 - **Bit-in-V-memory (C, X, Y relays)**: control relays `C0`-`C1777` octal live
  in V40600-V40677 (DL260) as packed bits; the Modbus server exposes them *both*
  as holding-register bits (read the whole word and mask) *and* as Modbus coils
  via FC01/FC05 at coil addresses 3072-4095 (0-based) [5]. `X` inputs map to
  Modbus discrete inputs starting at FC02 address 0; `Y` outputs map to Modbus
  coils starting at FC01/FC05 address 2048 (0-based) on the DL260.
 - **Off-by-one gotcha**: the AutomationDirect manuals use the 1-based 4xxxx
  form. Kepware, libmodbus, pymodbus, and the .NET stack all take the 0-based
  PDU form. When the manual says "V2000 = 41025" you send `0x0400`, not
  `0x0401`.
 Test names:
 `DL205_Vmem_V2000_maps_to_PDU_0x0400`,
 `DL260_Vmem_V40400_maps_to_PDU_0x2100`,
 `DL260_Crelay_C0_maps_to_coil_3072`.
 ## Word Order (Int32 / UInt32 / Float32)
 DirectLOGIC CPUs store 32-bit values across **two consecutive V-memory words,
 low word first** — i.e., `CDAB` when viewed as a Modbus register pair [1][3].
 Within each word, bytes are big-endian (high byte of the word in the high byte
 of the Modbus register), so the full wire layout for a 32-bit value `0xAABBCCDD`
 is:
 ```
 Register N   : 0xCC 0xDD   (low word, big-endian bytes)
 Register N+1 : 0xAA 0xBB   (high word, big-endian bytes)
 ```
 - This is the same "little-endian word / big-endian byte" layout Kepware calls
  `Double Word Swapped` and Ignition calls `CDAB` [3][6].
 - **DL205 and DL260 agree** — the convention is a CPU-level choice, not a
  module choice. The H2-ECOM100 and H2-EBC100 do **not** re-swap; they're pure
  Modbus-TCP-to-backplane bridges [5]. The DL260 built-in Ethernet port
  behaves identically.
 - **Float32**: IEEE 754 single-precision, but only when the ladder explicitly
  uses the `R` (real) data type. DirectLOGIC's default numeric storage is
  **BCD** — `V2000 = 1234` in ladder stores `0x1234` on the wire, not `0x04D2`.
  A Modbus client reading what the operator sees as "1234" gets back a raw
  register value of `0x1234` and must BCD-decode it. Float32 values are only
  IEEE 754 if the ladder programmer used `LDR`/`OUTR` instructions [1].
 - **Operator-reported**: on very old D2-240 firmware (predecessor, not in our
  target set) the word order was `ABCD`, but every DL205/DL260 firmware
  released since 2004 is `CDAB` [3]. _Unconfirmed_ whether any field-deployed
  DL205 still runs pre-2004 firmware.
 Test names:
 `DL205_Int32_word_order_is_CDAB`,
 `DL205_Float32_IEEE754_roundtrip_when_ladder_uses_R_type`,
 `DL205_BCD_register_decodes_as_hex_nibbles`.
 ## Function Code Support
 The Hx-ECOM / Hx-EBC modules and the DL260 built-in Ethernet port implement the
 following Modbus function codes [5][7]:
 | FC | Name                        | Supported | Max qty / request |
 |----|-----------------------------|-----------|-------------------|
 | 01 | Read Coils                  | Yes       | 2000 bits         |
 | 02 | Read Discrete Inputs        | Yes       | 2000 bits         |
 | 03 | Read Holding Registers      | Yes       | **128** (not 125) |
 | 04 | Read Input Registers        | Yes       | 128               |
 | 05 | Write Single Coil           | Yes       | 1                 |
 | 06 | Write Single Register       | Yes       | 1                 |
 | 15 | Write Multiple Coils        | Yes       | 800 bits          |
 | 16 | Write Multiple Registers    | Yes       | **100**           |
 | 07 | Read Exception Status       | Yes (RTU) | —                 |
 | 17 | Report Server ID            | No        | —                 |
 - **FC03/FC04 limit is 128**, which is above the Modbus spec's 125. Requesting
  129+ returns exception code `03` (Illegal Data Value) [5].
 - **FC16 limit is 100**, below the spec's 123. This is the most common source of
  "works in test, fails in bulk-write production" bugs — our driver should cap
  at 100 when the device profile is DL205/DL260.
 - **No custom function codes** are exposed on the Modbus port. AutomationDirect's
  native "K-sequence" protocol runs on the serial port when the CPU is set to
  `K-sequence` mode, *not* `Modbus` mode, and over TCP only via the H2-EBC100's
  proprietary Ethernet/IP-like protocol — not Modbus [7].
 Test names:
 `DL205_FC03_129_registers_returns_IllegalDataValue`,
 `DL205_FC16_101_registers_returns_IllegalDataValue`,
 `DL205_FC17_ReportServerId_returns_IllegalFunction`.
 ## Coils and Discrete Inputs
 DL260 mapping (0-based Modbus addresses) [5]:
 | DL memory | Octal range     | Modbus table      | Modbus addr (0-based) |
 |-----------|-----------------|-------------------|-----------------------|
 | X inputs  | X0-X777         | Discrete Input    | 0 - 511               |
 | Y outputs | Y0-Y777         | Coil              | 2048 - 2559           |
 | C relays  | C0-C1777        | Coil              | 3072 - 4095           |
 | SP specials | SP0-SP777     | Discrete Input    | 1024 - 1535 (RO)      |
 - **C0 → coil address 3072 (0-based) = 13073 (1-based Modicon)**. Y0 → coil
  2048 = 12049. These offsets are wired into the CPU and cannot be remapped.
 - **Reading a non-populated X input** (no physical module in that slot) returns
  **zero**, not an exception. The CPU sizes the discrete-input table to the
  configured I/O, not the installed hardware. Confirmed in the DL260 user
  manual's I/O configuration chapter [4].
 - **Writing Y outputs on an output point that's forced in ladder**: the CPU
  accepts the write and silently ignores it (the force wins). No exception is
  returned. _Operator-reported_, matches Kepware driver release notes [3].
 Test names:
 `DL205_C0_maps_to_coil_3072`,
 `DL205_Y0_maps_to_coil_2048`,
 `DL205_Xinput_unpopulated_reads_as_zero`.
 ## Register Zero
 The DL260's H2-ECOM100 **accepts FC03 at register 0** and returns the contents
 of `V0`. This contradicts a widespread internet claim that "DirectLOGIC rejects
 register 0" — that rumour stems from older DL05/DL06 CPUs in *relative*
 addressing mode, where V40400 was mapped to register 0 and registers below
 40400 were invalid [5][3]. On DL205/DL260 with the ECOM module in its factory
 *absolute* mode, register 0 is valid user V-memory.
 - Our driver's `ModbusProbeOptions.ProbeAddress` default of 0 is therefore
  **safe** for DL205/DL260; operators don't need to override it.
 - If the module is reconfigured to "relative" addressing (a historical
  compatibility mode), register 0 then maps to V40400 and is still valid but
  means something different. The probe will still succeed.
 Test name: `DL205_FC03_register_0_returns_V0_contents`.
 ## Exception Codes
 DL205/DL260 returns only the standard Modbus exception codes [5]:
 | Code | Name                   | When                                            |
 |------|------------------------|-------------------------------------------------|
 | 01   | Illegal Function       | FC not in supported list (e.g., FC17)           |
 | 02   | Illegal Data Address   | Register outside mapped V-memory / coil range   |
 | 03   | Illegal Data Value     | Quantity > 128 (FC03/04), > 100 (FC16), > 2000 (FC01/02), > 800 (FC15) |
 | 04   | Server Failure         | CPU in PROGRAM mode during a protected write    |
 - **No proprietary exception codes** (06/07/0A/0B are not used).
 - **Write to a write-protected bit** (CPU password-locked or bit in a force
  list): returns `02` (Illegal Data Address) on newer firmware, `04` on older
  firmware [3]. _Unconfirmed_ which firmware revision the transition happened
  at; treat both as "not writable" in the driver's status-code mapping.
 - **Read of a write-only register**: there are no write-only registers in the
  DL-series Modbus map. Every writable register is also readable.
 Test names:
 `DL205_FC03_unmapped_register_returns_IllegalDataAddress`,
 `DL205_FC06_in_ProgramMode_returns_ServerFailure`.
 ## Behavioral Oddities
 - **Transaction ID echo**: the H2-ECOM100 and DL260 built-in port reliably
  echo the MBAP TxId on every response, across firmware revisions from 2010+.
  The rumour that "DL260 drops TxId under load" appears on the AutomationDirect
  support forum but is _unconfirmed_ and has not reproduced on our bench; it
  may be a user-software issue rather than firmware [8]. Our driver's
  single-flight + TxId-match guard handles it either way.
 - **Concurrency**: the ECOM serializes requests internally. Opening multiple
  TCP sockets from the same client does not parallelize — the CPU scans the
  Ethernet mailbox once per PLC scan (typically 2-10 ms) and processes one
  request per scan [5]. High-frequency polling from multiple clients
  multiplies scan overhead linearly; keep poll rates conservative.
 - **Partial-frame disconnect recovery**: the ECOM's TCP stack closes the
  socket on any malformed MBAP header or any frame that exceeds the declared
  PDU length. It does not resynchronize mid-stream. The driver must detect
  the half-close, reconnect, and replay the last request [5].
 - **Keepalive**: the ECOM does **not** send TCP keepalives. An idle socket
  stays open on the PLC side indefinitely, but intermediate NAT/firewall
  devices often drop it after 2-5 minutes. Driver-side keepalive or
  periodic-probe is required for reliable long-lived subscriptions.
 - **Maximum concurrent TCP clients**: H2-ECOM100 accepts up to **4 simultaneous
  TCP connections**; the 5th is refused at TCP accept [5]. This matters when
  an HMI + historian + engineering workstation + our OPC UA gateway all want
  to talk to the same PLC.
 Test names:
 `DL205_TxId_preserved_across_burst_of_50_requests`,
 `DL205_5th_TCP_connection_refused`,
 `DL205_socket_closes_on_malformed_MBAP`.
 ## References
 1. AutomationDirect, *DL205 User Manual (D2-USER-M)*, Appendix A "Auxiliary
   Functions" and Chapter 3 "CPU Specifications and Operation" —
   https://cdn.automationdirect.com/static/manuals/d2userm/d2userm.html
 2. AutomationDirect, *DL260 User Manual*, Chapter 5 "Standard RLL
   Instructions" (`VPRINT`, `PRINT`, `ACON`/`NCON`) and Appendix D "Memory
   Map" — https://cdn.automationdirect.com/static/manuals/d2userm/d2userm.html
 3. Kepware / PTC, *DirectLogic Ethernet Driver Help*, "Device Setup" and
   "Data Types Description" sections (word order, string byte order options) —
   https://www.kepware.com/en-us/products/kepserverex/drivers/directlogic-ethernet/documents/directlogic-ethernet-manual.pdf
 4. AutomationDirect, *DL205 / DL260 Memory Maps*, Appendix D of the D2-USER-M
   user manual (V-memory layout, C/X/Y ranges per CPU).
 5. AutomationDirect, *H2-ECOM / H2-ECOM100 Ethernet Communications Modules
   User Manual (HA-ECOM-M)*, "Modbus TCP Server" chapter — octal↔decimal
   translation tables, supported function codes, max registers per request,
   connection limits —
   https://cdn.automationdirect.com/static/manuals/hxecomm/hxecomm.html
 6. Inductive Automation, *Ignition Modbus Driver — Address Mapping*, word
   order options (ABCD/CDAB/BADC/DCBA) —
   https://docs.inductiveautomation.com/docs/8.1/ignition-modules/opc-ua/drivers/modbus-v2
 7. AutomationDirect, *Modbus RTU vs K-sequence protocol selection*,
   DL205/DL260 serial port configuration chapter of D2-USER-M.
 8. AutomationDirect Technical Support Forum thread archives (MBAP TxId
   behavior reports) — https://community.automationdirect.com/ (search:
   "ECOM100 transaction id"). _Unconfirmed_ operator reports only.
--- a/docs/v2/lmx-followups.md
+++ b/docs/v2/lmx-followups.md
@@ -125,14 +125,29 @@ Shared secret + pipe name resolve from `OTOPCUA_GALAXY_SECRET` /
 `OTOPCUA_GALAXY_PIPE` env vars, falling back to reading the service's
 registry-stored Environment values (requires elevated test host).
-**Remaining**:
+**PR 40** added the write + subscribe facts targeting
- Install + run the `OtOpcUaGalaxyHost` + `OtOpcUa` services on the dev box
+`DelmiaReceiver_001.TestAttribute` (the writable Boolean UDA the dev Galaxy
-  (`scripts/install/Install-Services.ps1`) so the skip-on-unready tests
+ships under TestMachine_001) — write-then-read with a 5s scan-window poll +
-  actually execute and the smoke PR lands green.
+restore-on-finally, and subscribe-then-write asserting both an initial-value
- Subscribe-and-receive-data-change fact (needs a known tag that actually
+OnDataChange and a post-write OnDataChange. PR 39 added the elevated-shell
-  ticks; deferred until operators confirm a scratch tag exists).
+short-circuit so a developer running from an admin window gets an actionable
- Write-and-roundtrip fact (needs a test-only UDA or agreed scratch tag
+skip instead of `UnauthorizedAccessException`.
-  so we can't accidentally mutate a process-critical value).
+
 **Run the live tests** (from a NORMAL non-admin PowerShell):
 ```powershell
 $env:OTOPCUA_GALAXY_SECRET = Get-Content C:\Users\dohertj2\Desktop\lmxopcua\.local\galaxy-host-secret.txt
 cd C:\Users\dohertj2\Desktop\lmxopcua
 dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests --filter "FullyQualifiedName~LiveStackSmokeTests"
 ```
 Expected: 7/7 pass against the running `OtOpcUaGalaxyHost` service.
 **Remaining for #5 in production-grade form**:
 - Confirm the suite passes from a non-elevated shell (operator action).
 - Add similar facts for an alarm-source attribute once `TestMachine_001` (or
  a sibling) carries a deployed alarm condition — the current dev Galaxy's
  TestAttribute isn't alarm-flagged.
 ## 6. Second driver instance on the same server — **DONE (PR 32)**
--- a/docs/v2/mitsubishi.md
+++ b/docs/v2/mitsubishi.md
@@ -0,0 +1,451 @@
 # Mitsubishi Electric MELSEC — Modbus TCP quirks
 Mitsubishi's MELSEC family speaks Modbus TCP through a patchwork of add-on modules
 and built-in Ethernet ports, not a single unified stack. The module names are
 confusingly similar (`QJ71MB91` is *serial* RTU, `QJ71MT91` is the TCP/IP module
 [9]; `LJ71MT91` is the L-series equivalent; `RJ71EN71` is the iQ-R Ethernet module
 with a MODBUS/TCP *slave* mode bolted on [8]; `FX3U-ENET`, `FX3U-ENET-P502`,
 `FX3U-ENET-ADP`, `FX3GE` built-in, and `FX5U` built-in are all different code
 paths) — and every one of the categories below has at least one trap a textbook
 Modbus client gets wrong: hex-numbered X/Y devices colliding with decimal Modbus
 addresses, a user-defined "device assignment" parameter block that means *no two
 sites are identical*, CDAB-vs-ABCD word order driven by how the ladder built the
 32-bit value, sub-spec FC16 caps on the older QJ71MT91, and an FX3U port-502
 licensing split that makes `FX3U-ENET` and `FX3U-ENET-P502` different SKUs.
 This document catalogues each quirk, cites primary sources, and names the
 ModbusPal integration test we'd write for it (convention from
 `docs/v2/modbus-test-plan.md`: `Mitsubishi_<model>_<behavior>`).
 ## Models and server/client capability
 | Model                  | Family   | Modbus TCP server | Modbus TCP client | Source |
 |------------------------|----------|-------------------|-------------------|--------|
 | `QJ71MT91`             | MELSEC-Q | Yes (slave)       | Yes (master)      | [9]    |
 | `QJ71MB91`             | MELSEC-Q | **Serial only** — RS-232/422/485 RTU, *not TCP* | — | [1][3] |
 | `LJ71MT91`             | MELSEC-L | Yes (slave)       | Yes (master)      | [10]   |
 | `RJ71EN71` / `RnENCPU` | MELSEC iQ-R | Yes (slave)    | Yes (master)      | [8]    |
 | `RJ71C24` / `RJ71C24-R2` | MELSEC iQ-R | RTU (serial)  | RTU (serial)      | [13]   |
 | iQ-R built-in Ethernet | CPU      | Yes (slave)       | Yes (master)      | [7]    |
 | iQ-F `FX5U` built-in Ethernet | CPU | Yes, firmware ≥ 1.060 [11] | Yes | [7][11][12] |
 | `FX3U-ENET`            | FX3U bolt-on | Yes (slave), but **not on port 502** [5] | Yes | [4][5] |
 | `FX3U-ENET-P502`       | FX3U bolt-on | Yes (slave), port 502 enabled | Yes | [5] |
 | `FX3U-ENET-ADP`        | FX3U adapter | **No MODBUS** [5] | No MODBUS     | [5]    |
 | `FX3GE` built-in       | FX3GE CPU | No MODBUS (needs ENET module) [6] | No | [6] |
 | `FX3G` + `FX3U-ENET`   | FX3G | Yes via ENET module | Yes | [6] |
 - A common integration mistake is to buy `FX3U-ENET-ADP` expecting MODBUS —
  that adapter speaks only MC protocol / SLMP. Our driver should surface a clear
  capability error, not "connection refused", when the operator's device tag
  says `FX3U-ENET-ADP` [5].
 - Older forum threads assert the FX5U is "client only" [12] — that was true on
  firmware ≤ 1.040. Firmware 1.060 and later ship the parameter-driven MODBUS
  TCP server built-in and need no function blocks [11].
 ## Modbus device assignment (the parameter block)
 Unlike a DL260 where the CPU exposes a *fixed* V-memory-to-Modbus mapping, every
 MELSEC MODBUS-TCP module exposes a **Modbus Device Assignment Parameter** block
 that the engineer configures in GX Works2 / GX Configurator-MB / GX Works3.
 Each of the four Modbus tables (Coil, Input, Input Register, Holding Register)
 can be split into up to 16 independent "assignment" entries, each binding a
 contiguous Modbus address range to a MELSEC device head (`M0`, `D0`, `X0`,
 `Y0`, `B0`, `W0`, `SM0`, `SD0`, `R0`, etc.) and a point count [3][7][8][9].
 - **There is no canonical "MELSEC Modbus mapping"**. Two sites running the same
  QJ71MT91 module can expose completely different Modbus layouts. Our driver
  must treat the mapping as site-data (config-file-driven), not as a device
  profile constant.
 - **Default values do exist** — both GX Configurator-MB (for Q/L series) and
  GX Works3 (for iQ-R / iQ-F / FX5) ship a "dedicated pattern" default that is
  applied when the engineer does not override the assignment. Per the FX5
  MODBUS Communication manual (JY997D56101) and the QJ71MT91 manual, the FX5
  dedicated default is [3][7][11]:
  | Modbus table       | Modbus range (0-based) | MELSEC device | Head |
  |--------------------|------------------------|---------------|------|
  | Coil (FC01/05/15)  | 0 – 7679               | M             | M0   |
  | Coil               | 8192 – 8959            | Y             | Y0   |
  | Input (FC02)       | 0 – 7679               | M             | M0   |
  | Input              | 8192 – 8959            | X             | X0   |
  | Input Register (FC04) | 0 – 6143            | D             | D0   |
  | Holding Register (FC03/06/16) | 0 – 6143    | D             | D0   |
  This matches the widely circulated "FC03 @ 0 = D0" convention that shows up
  in Ubidots / Ignition / AdvancedHMI integration guides [6][12].
 - **X/Y in the default mapping occupy a second, non-zero Modbus range** (8192+
  on FX5; similar on Q/L/iQ-R). Driver users who expect "X0 = coil 0" will be
  reading M0 instead. Document this clearly.
 - **Assignment-range collisions silently disable the slave.** The QJ71MT91
  manual states explicitly that if any two of assignments 1-16 duplicate the
  head Modbus device number, the slave function is inactive with no clear
  error — the module just won't respond [9]. The driver probe will look like a
  simple timeout; the site engineer has to open GX Configurator-MB to diagnose.
 Test names:
 `Mitsubishi_FX5U_default_mapping_coil_0_is_M0`,
 `Mitsubishi_FX5U_default_mapping_holding_0_is_D0`,
 `Mitsubishi_QJ71MT91_duplicate_assignment_head_disables_slave`.
 ## X/Y addressing — hex on MELSEC, decimal on Modbus
 **MELSEC X (input) and Y (output) device numbers are hexadecimal on Q / L /
 iQ-R** and **octal** on FX / iQ-F (with a GX Works3 toggle) [14][15].
 - On a Q CPU, `X20` means decimal **32**, not 20. On an FX5U in default (octal)
  mode, `X20` means decimal **16**. GX Works3 exposes a project-level option to
  display FX5U X/Y in hex to match Q/L/iQ-R convention — the same physical
  input is then called `X10` [14].
 - The Modbus Device Assignment Parameter block takes the *head device* as a
  MELSEC-native number, which is interpreted in the CPU's native base
  (hex for Q/L/iQ-R, octal for FX/iQ-F). After that, **Modbus offsets from
  the head are plain decimal** — the module does not apply a second hex
  conversion [3][9].
 - Example (QJ71MT91 on a Q CPU): assignment "Coil 0 = X0, 512 points" exposes
  physical `X0` through `X1FF` (hex) as coils 0-511. A client reading coil 32
  gets the bit `X20` (hex) — i.e. the 33rd input, not the value at "input 20"
  that the operator wrote on the wiring diagram in decimal.
 - **Driver bug source**: if the operator's tag configuration says "read X20" and
  the driver helpfully converts "20" to decimal 20 → coil offset 20, the
  returned bit is actually `X14` (hex) — off by twelve. Our config layer must
  preserve the MELSEC-native base that the site engineer sees in GX Works.
 - Timers/counters (`T`, `C`, `ST`) are always decimal in MELSEC notation.
  Internal relays (`M`, `B`, `L`), data registers (`D`, `W`, `R`, `ZR`),
  and special relays/registers (`SM`, `SD`) also decimal. **Only `X` and `Y`
  (and on Q/L/iQ-R, `B` link relays and `W` link registers) use hex**, and
  the X/Y decision is itself family-dependent [14][15].
 Test names:
 `Mitsubishi_Q_X_address_is_hex_X20_equals_coil_offset_32`,
 `Mitsubishi_FX5U_X_address_is_octal_X20_equals_coil_offset_16`,
 `Mitsubishi_W_link_register_is_hex_W10_equals_holding_offset_16`.
 ## Word order for 32-bit values
 MELSEC stores 32-bit ladder values (`DINT`, `DWORD`, `REAL` / single-precision
 float) across **two consecutive D-registers, low word first** — i.e., `CDAB`
 when viewed as a Modbus register pair [2][6].
 ```
 D100 (low word)  : 0xCC 0xDD   (big-endian bytes within the word)
 D101 (high word) : 0xAA 0xBB
 ```
 A Modbus master reading D100/D101 as a `float` with default (ABCD) word order
 gets garbage. Ignition's built-in Modbus driver notes Mitsubishi as a "CDAB
 device" specifically for this reason [2].
 - **Q / L / iQ-R / iQ-F all agree** — this is a CPU-level convention, not a
  module choice. Both the QJ71MT91 manual and the FX5 MODBUS Communication
  manual describe 32-bit access by "reading the lower 16 bits from the start
  address and the upper 16 bits from start+1" [6][11].
 - **Byte order within each register is big-endian** (Modbus standard). The
  module does not byte-swap.
 - **Configurable?** The MODBUS modules themselves do **not** expose a word-
  order toggle; the behavior is fixed to how the CPU laid out the value in the
  two D-registers. If the ladder programmer used an `SWAP` instruction or a
  union-style assignment, the word order can be whatever they made it — but
  for values produced by the standard `D→DBL` and `FLT`/`FLT2` instructions
  it is always CDAB [2].
 - **FX5U quirk**: the FX5 MODBUS Communication manual tells the programmer to
  use the `SWAP` instruction *if* the remote Modbus peer requires
  little-endian *byte* ordering (BADC) [11]. This is only relevant when the
  FX5U is the Modbus *client*, but it confirms the FX5U's native wire layout
  is big-endian-byte / little-endian-word (CDAB) on the server side too.
 - **Rumoured exception**: a handful of MrPLC forum threads report iQ-R
  RJ71EN71 firmware < 1.05 returning DWORDs in `ABCD` order when accessed via
  the built-in Ethernet port's MODBUS slave [8]. _Unconfirmed_; treat as a
  per-site test.
 Test names:
 `Mitsubishi_Float32_word_order_is_CDAB`,
 `Mitsubishi_Int32_word_order_is_CDAB`,
 `Mitsubishi_FX5U_SWAP_instruction_changes_byte_order_not_word_order`.
 ## BCD vs binary encoding
 **MELSEC stores integer values in D-registers as plain binary two's-complement**,
 not BCD [16]. This is the opposite of AutomationDirect DirectLOGIC, where
 V-memory defaults to BCD and the ladder must explicitly request binary.
 - A ladder `MOV K1234 D100` stores `0x04D2` (1234 decimal) in D100, not
  `0x1234`. The Modbus master reads `0x04D2` and decodes it as an integer
  directly — no BCD conversion needed [16].
 - **Timer / counter current values** (`T0` current value, `C0` count) are
  stored in binary as word devices on Q/L/iQ-R/iQ-F. The ladder preset
  (`K...`) is also binary [16][17].
 - **Timer / counter preset `K` operand in FX3U / earlier FX**: also binary when
  loaded from a D-register or a `K` constant. The older A-series CPUs had BCD
  presets on some timer types, but MELSEC-Q, L, iQ-R, iQ-F, and FX3U all use
  binary presets by default [17].
 - The FX3U programming manual dedicates `FNC 18 BCD` and `FNC 19 BIN` to
  explicit conversion — their existence confirms that anything in D-registers
  that came from a `BCD` instruction output is BCD, but nothing is BCD by
  default [17].
 - **7-segment display registers** are a common site-specific exception — many
  ladders pack `BCD D100` into a D-register so the operator panel can drive
  a display directly. Our driver should not assume; expose a per-tag
  "encoding = binary | BCD" knob.
 Test names:
 `Mitsubishi_D_register_stores_binary_not_BCD`,
 `Mitsubishi_FX3U_timer_current_value_is_binary`.
 ## Max registers per request
 From the FX5 MODBUS Communication manual Chapter 11 [11]:
 | FC | Name                       | FX5U (built-in) | QJ71MT91     | iQ-R (RJ71EN71 / built-in) | FX3U-ENET |
 |----|----------------------------|-----------------|--------------|-----------------------------|-----------|
 | 01 | Read Coils                 | 1-2000          | 1-2000 [9]   | 1-2000 [8]                  | 1-2000    |
 | 02 | Read Discrete Inputs       | 1-2000          | 1-2000       | 1-2000                      | 1-2000    |
 | 03 | Read Holding Registers     | **1-125**       | 1-125 [9]    | 1-125 [8]                   | 1-125     |
 | 04 | Read Input Registers       | 1-125           | 1-125        | 1-125                       | 1-125     |
 | 05 | Write Single Coil          | 1               | 1            | 1                           | 1         |
 | 06 | Write Single Register      | 1               | 1            | 1                           | 1         |
 | 0F | Write Multiple Coils       | 1-1968          | 1-1968       | 1-1968                      | 1-1968    |
 | 10 | Write Multiple Registers   | **1-123**       | 1-123        | 1-123                       | 1-123     |
 | 16 | Mask Write Register        | 1               | not supported | 1                          | not supported |
 | 17 | Read/Write Multiple Regs   | R:1-125, W:1-121 | not supported | R:1-125, W:1-121          | not supported |
 - **The FX5U / iQ-R native-port limits match the Modbus spec**: 125 for FC03/04,
  123 for FC16 [11]. No sub-spec caps like DL260's 100-register ceiling.
 - **QJ71MT91 does not support FC16 (0x16, Mask Write Register) or FC17
  (0x17, Read/Write Multiple)** — requesting them returns exception `01`
  Illegal Function [9]. FX5U and iQ-R *do* support both.
 - **QJ71MT91 device size**: 64k points (65,536) for each of Coil / Input /
  Input Register / Holding Register, plus up to 4086k points for Extended
  File Register via a secondary assignment range [9].
 - **FX3U-ENET / -P502 function code list is a strict subset** of the common
  eight (FC01/02/03/04/05/06/0F/10). FC16 and FC17 not supported [4].
 Test names:
 `Mitsubishi_FX5U_FC03_126_registers_returns_IllegalDataValue`,
 `Mitsubishi_FX5U_FC16_124_registers_returns_IllegalDataValue`,
 `Mitsubishi_QJ71MT91_FC16_MaskWrite_returns_IllegalFunction`,
 `Mitsubishi_QJ71MT91_FC23_ReadWrite_returns_IllegalFunction`.
 ## Exception codes
 MELSEC MODBUS modules return **only the standard Modbus exception codes 01-04**;
 no proprietary exception codes are exposed on the wire [8][9][11]. Module-
 internal diagnostics (buffer-memory error codes like `7380H`) are logged but
 not returned as Modbus exceptions.
 | Code | Name                 | MELSEC trigger                                          |
 |------|----------------------|---------------------------------------------------------|
 | 01   | Illegal Function     | FC17 or FC16 on QJ71MT91/FX3U; FC08 (Diagnostics); FC43 |
 | 02   | Illegal Data Address | Modbus address outside any assignment range             |
 | 03   | Illegal Data Value   | Quantity out of per-FC range (see table above); odd coil-byte count |
 | 04   | Server Device Failure | See below                                              |
 - **04 (Server Failure) triggers on MELSEC**:
    - CPU in STOP or PAUSE during a write to an assignment whose "Access from
      External Device" permission is set to "Disabled in STOP" [9][11].
      *With the default "always enabled" setting the write succeeds in STOP
      mode* — another common trap.
    - CPU errors (parameter error, watchdog) during any access.
    - Assignment points to a device range that is not configured (e.g. write
      to `D16384` when CPU D-device size is 12288).
 - **Write to a "System Area" device** (e.g., `SD` special registers that are
  CPU-reserved read-only) returns `04`, not `02`, on QJ71MT91 and iQ-R — the
  assignment is valid, the device exists, but the CPU rejects the write [8][9].
 - **FX3U-ENET / -P502** returns `04` on any write attempt while the CPU is in
  STOP, regardless of permission settings — the older firmware does not
  implement the "Access from External Device" granularity that Q/L/iQ-R/iQ-F
  expose [4].
 - **No rumour of proprietary codes 05-0B** from MELSEC; operators sometimes
  report "exception 0A" but those traces all came from a third-party gateway
  sitting between the master and the MELSEC module.
 Test names:
 `Mitsubishi_QJ71MT91_STOP_mode_write_with_Disabled_permission_returns_ServerFailure`,
 `Mitsubishi_QJ71MT91_STOP_mode_write_with_default_permission_succeeds`,
 `Mitsubishi_SD_system_register_write_returns_ServerFailure`,
 `Mitsubishi_FX3U_STOP_mode_write_always_returns_ServerFailure`.
 ## Connection behavior
 Max simultaneous Modbus TCP clients, per module [7][8][9][11]:
 | Model                | Max TCP connections | Port 502 | Keepalive | Source |
 |----------------------|---------------------|----------|-----------|--------|
 | `QJ71MT91`           | 16 (shared with master role) | Yes | No | [9]    |
 | `LJ71MT91`           | 16                  | Yes      | No        | [10]   |
 | iQ-R built-in / `RJ71EN71` | 16            | Yes      | Configurable (KeepAlive = ON in parameter) | [8] |
 | iQ-F `FX5U` built-in | 8                   | Yes      | Configurable | [7][11] |
 | `FX3U-ENET`          | 8 TCP, but **not port 502** | No (port < 1024 blocked) | No | [4][5] |
 | `FX3U-ENET-P502`     | 8, port 502 enabled | Yes      | No        | [5]    |
 - **QJ71MT91's 16 is total connections shared between slave-listen and
  master-initiated sockets** [9]. A site that uses the same module as both
  master to downstream VFDs and slave to upstream SCADA splits the 16 pool.
 - **FX3U-ENET port-502 gotcha**: if the engineer loads a configuration with
  port 502 into a non-P502 ENET module, GX Works shows the download as
  successful; on next power cycle the module enters error state and the
  MODBUS listener never starts. This is documented on third-party FX3G
  integration guides [6].
 - **CPU STOP → RUN transition**: does **not** drop Modbus connections on any
  MELSEC family. Existing sockets stay open; outstanding requests during the
  transition may see exception 04 for a few scans but then resume [8][9].
 - **CPU reset (power cycle or `SM1255` forced reset)** drops all Modbus
  connections and the module re-listens after typically 5-10 seconds.
 - **Idle timeout**: QJ71MT91 and iQ-R have a per-connection "Alive-Check"
  (idle timer) parameter, default 0 (disabled). If enabled, default 10 s
  probe interval, 3 retries before close [8][9]. FX5U similar defaults.
 - **Keep-alive (TCP-level)**: only iQ-R / iQ-F expose a TCP keep-alive option
  (parameter "KeepAlive" in the Ethernet settings); QJ71MT91 and FX3U-ENET
  do not — so NAT/firewall idle drops require driver-side pinging.
 Test names:
 `Mitsubishi_QJ71MT91_17th_connection_refused`,
 `Mitsubishi_FX5U_9th_connection_refused`,
 `Mitsubishi_STOP_to_RUN_transition_preserves_socket`,
 `Mitsubishi_CPU_reset_closes_all_sockets`.
 ## Behavioral oddities
 - **Transaction ID echo**: QJ71MT91 and iQ-R reliably echo the MBAP TxId on
  every response across firmware revisions; no reports of TxId drops under
  load [8][9]. FX3U-ENET has an older, less-tested TCP stack; at least one
  MrPLC thread reports out-of-order TxId echoes under heavy polling on
  firmware < 1.14 [4]. _Unconfirmed_ on current firmware.
 - **Per-connection request serialization**: all MELSEC slaves serialize
  requests within a single TCP connection — a new request is not processed
  until the prior response has been sent. Pipelining multiple requests on one
  socket causes the module to queue them in buffer memory and respond in
  order, but **the queue depth is 1** on QJ71MT91 (a second in-flight request
  is held on the TCP receive buffer, not queued) [9]. Driver should treat
  Mitsubishi slaves as strictly single-flight per socket.
 - **Partial-frame handling**: QJ71MT91 and iQ-R close the socket on malformed
  MBAP length fields. FX5U resynchronises at the next valid MBAP header
  within 100 ms but will emit an error to `SD` diagnostics [11]. Driver must
  reconnect on half-close and replay.
 - **FX3U UDP vs TCP**: `FX3U-ENET` supports both UDP and TCP MODBUS transports;
  UDP is lossy and reorders under load. Default is TCP. Some legacy SCADA
  configurations pinned the module to UDP for multicast discovery — do not
  select UDP unless the site requires it [4].
 - **Known firmware-revision variants**:
    - QJ71MT91 ≤ firmware 10052000000 (year-month format): FC15 with coil
      count that forces byte-count to an odd value silently truncates the
      last coil. Fixed in later revisions [9]. _Operator-reported_.
    - FX5U firmware < 1.060: no native MODBUS TCP server — only accessible via
      a predefined-protocol function block hack. Firmware ≥ 1.060 ships
      parameter-based server. Our capability probe should read `SD203`
      (firmware version) and flag < 1.060 as unsupported for server mode [11][12].
    - iQ-R RJ71EN71 early firmware: possible ABCD word order (rumoured,
      unconfirmed) [8].
 - **SD (special-register) reads during assignment-parameter load**: while
  the CPU is loading a new MODBUS device assignment parameter (~1-2 s), the
  slave returns exception 04 Server Failure on every request. Happens after
  a parameter write from GX Configurator-MB [9].
 - **iQ-R "Station-based block transfer" collision**: if the RJ71EN71 is also
  running CC-Link IE Control on the same module, a MODBUS/TCP request that
  arrives during a CCIE cyclic period is delayed to the next scan — visible
  as jittery response time, not a failure [8].
 Test names:
 `Mitsubishi_QJ71MT91_single_flight_per_socket`,
 `Mitsubishi_FX5U_malformed_MBAP_resync_within_100ms`,
 `Mitsubishi_FX3U_TxId_preserved_across_burst`,
 `Mitsubishi_FX5U_firmware_below_1_060_reports_no_server_mode`.
 ## Model-specific differences for test coverage
 Summary of which quirks differ per model, so test-class naming can reflect them:
 | Quirk                                    | QJ71MT91 | LJ71MT91 | iQ-R (RJ71EN71 / built-in) | iQ-F (FX5U) | FX3U-ENET(-P502) |
 |------------------------------------------|----------|----------|----------------------------|-------------|------------------|
 | FC16 Mask-Write supported                | No       | No       | Yes                        | Yes         | No               |
 | FC17 Read/Write Multiple supported       | No       | No       | Yes                        | Yes         | No               |
 | Max connections                          | 16       | 16       | 16                         | 8           | 8                |
 | X/Y numbering base                       | hex      | hex      | hex                        | octal (default) | octal        |
 | 32-bit word order                        | CDAB     | CDAB     | CDAB (firmware-dependent rumour of ABCD) | CDAB | CDAB    |
 | Port 502 supported                       | Yes      | Yes      | Yes                        | Yes         | P502 only        |
 | STOP-mode write permission configurable  | Yes      | Yes      | Yes                        | Yes         | No (always blocks) |
 | TCP keep-alive parameter                 | No       | No       | Yes                        | Yes         | No               |
 | Modbus device assignment — max entries   | 16       | 16       | 16                         | 16          | 8                |
 | Server via parameter (no FB)             | Yes      | Yes      | Yes                        | Yes (fw ≥ 1.060) | Yes         |
 - **Test file layout**: `Mitsubishi_QJ71MT91_*`, `Mitsubishi_LJ71MT91_*`,
  `Mitsubishi_iQR_*`, `Mitsubishi_FX5U_*`, `Mitsubishi_FX3U_ENET_*`,
  `Mitsubishi_FX3U_ENET_P502_*`. iQ-R built-in Ethernet and the RJ71EN71
  behave identically for MODBUS/TCP slave purposes and can share a file
  `Mitsubishi_iQR_*`.
 - **Cross-model shared tests** (word order CDAB, binary not BCD, standard
  exception codes, 125-register FC03 cap) can live in a single
  `Mitsubishi_Common_*` fixture.
 ## References
 1. Mitsubishi Electric, *MODBUS Interface Module User's Manual — QJ71MB91*
   (SH-080578ENG), RS-232/422/485 MODBUS RTU serial module for MELSEC-Q —
   https://dl.mitsubishielectric.com/dl/fa/document/manual/plc/sh080578eng/sh080578engk.pdf
 2. Inductive Automation, *Ignition Modbus Driver — Mitsubishi Q / iQ-R word
   order*, documents CDAB convention —
   https://docs.inductiveautomation.com/docs/8.1/ignition-modules/opc-ua/drivers/modbus-v2
   and forum discussion https://forum.inductiveautomation.com/t/modbus-tcp-device-word-byte-order/65984
 3. Mitsubishi Electric, *Programmable Controller User's Manual QJ71MB91 MODBUS
   Interface Module*, Chapter 7 "Parameter Setting" describing the Modbus
   Device Assignment Parameter block (assignments 1-16, head-device
   configuration) —
   https://www.lcautomation.com/dbdocument/29156/QJ71MB91%20Users%20manual.pdf
 4. Mitsubishi Electric, *FX3U-ENET User's Manual* (JY997D18101), Chapter on
   MODBUS/TCP communication; function code support and connection limits —
   https://dl.mitsubishielectric.com/dl/fa/document/manual/plc_fx/jy997d18101/jy997d18101h.pdf
 5. Venus Automation, *Mitsubishi FX3U-ENET-P502 Module — Open Port 502 for
   Modbus TCP/IP* —
   https://venusautomation.com.au/mitsubishi-fx3u-enet-p502-module-open-port-502-for-modbus-tcp-ip/
   and FX3U-ENET-ADP user manual (JY997D45801), which confirms the -ADP
   variant does not support MODBUS —
   https://dl.mitsubishielectric.com/dl/fa/document/manual/plc_fx/jy997d45801/jy997d45801h.pdf
 6. XML Control / Ubidots integration notes, *FX3G Modbus* — port-502 trap,
   D-register mapping default, word order reference —
   https://sites.google.com/site/xmlcontrol/archive/fx3g-modbus
   and https://ubidots.com/blog/mitsubishi-plc-as-modbus-tcp-server/
 7. FA Support Me, *Modbus TCP on Built-in Ethernet port in iQ-F and iQ-R* —
   confirms 16-connection limit on iQ-R, 8 on iQ-F, parameter-driven
   configuration via GX Works3 —
   https://www.fasupportme.com/portal/en/kb/articles/modbus-tcp-on-build-in-ethernet-port-in-iq-f-and-iq-r-en
 8. Mitsubishi Electric, *MELSEC iQ-R Ethernet User's Manual (Application)*
   (SH-081259ENG) and *MELSEC iQ-RJ71EN71 User's Manual* Chapter on
   "Communications Using Modbus/TCP" —
   https://www.allied-automation.com/wp-content/uploads/2015/02/MITSUBISHI_manual_plc_iq-r_ethernet_users.pdf
   and https://www.manualslib.com/manual/1533351/Mitsubishi-Electric-Melsec-Iq-Rj71en71.html?page=109
 9. Mitsubishi Electric, *MODBUS/TCP Interface Module User's Manual — QJ71MT91*
   (SH-080446ENG), exception codes page 248, device assignment parameter
   pages 116-124, duplicate-assignment-disables-slave note —
   https://dl.mitsubishielectric.com/dl/fa/document/manual/plc/sh080446eng/sh080446engj.pdf
 10. Mitsubishi Electric, *MELSEC-L Network Features* — LJ71MT91 documented as
    L-series equivalent of QJ71MT91 with identical MODBUS/TCP behavior —
    https://us.mitsubishielectric.com/fa/en/products/cnt/programmable-controllers/melsec-l-series/network/features/
 11. Mitsubishi Electric, *MELSEC iQ-F FX5 User's Manual (MODBUS Communication)*
    (JY997D56101), Chapter 11 "Modbus/TCP Communication Specifications" —
    function code max-quantity table, frame specification, device assignment
    defaults —
    https://dl.mitsubishielectric.com/dl/fa/document/manual/plcf/jy997d56101/jy997d56101h.pdf
 12. MrPLC forum, *FX5U Modbus-TCP Server (Slave)*, firmware ≥ 1.60 enables
    native server via parameter; earlier firmware required function block —
    https://mrplc.com/forums/topic/31883-fx5u-modbus-tcp-server-slave/
    and Industrial Monitor Direct's "FX5U MODBUS TCP Server Workaround"
    article (reflects older firmware behavior) —
    https://industrialmonitordirect.com/blogs/knowledgebase/mitsubishi-fx5u-modbus-tcp-server-configuration-workaround
 13. Mitsubishi Electric, *MELSEC iQ-R MODBUS and MODBUS/TCP Reference Manual —
    RJ71C24 / RJ71C24-R2* (BCN-P5999-1060) — RJ71C24 is serial RTU only,
    not TCP —
    https://dl.mitsubishielectric.com/dl/fa/document/manual/plc/bcn-p5999-1060/bcnp59991060b.pdf
 14. HMS Industrial Networks, *eWON and Mitsubishi FX5U PLC* (KB-0264-00) —
    documents that FX5U X/Y are octal in GX Works3 but hex when viewed as a
    Q-series PLC through eWON; the project-level hex/octal toggle —
    https://hmsnetworks.blob.core.windows.net/www/docs/librariesprovider10/downloads-monitored/manuals/knowledge-base/kb-0264-00-en-ewon-and-mitsubishi-fx5u-plc.pdf
 15. Fernhill Software, *Mitsubishi Melsec PLC Data Address* — documents
    hex-vs-octal device numbering split across MELSEC families —
    https://www.fernhillsoftware.com/help/drivers/mitsubishi-melsec/data-address-format.html
 16. Inductive Automation support, *Understanding Mitsubishi PLCs* — D registers
    store signed 16-bit binary, not BCD; DINT combines two consecutive D
    registers —
    https://support.inductiveautomation.com/hc/en-us/articles/16517576753165-Understanding-Mitsubishi-PLCs
 17. Mitsubishi Electric, *FXCPU Structured Programming Manual [Device &
    Common]* (JY997D26001) — FNC 18 BCD and FNC 19 BIN explicit-conversion
    instructions confirm binary-by-default storage —
    https://dl.mitsubishielectric.com/dl/fa/document/manual/plc_fx/jy997d26001/jy997d26001l.pdf
--- a/docs/v2/modbus-test-plan.md
+++ b/docs/v2/modbus-test-plan.md
@@ -13,55 +13,61 @@ confirmed DL205 quirk lands in a follow-up PR as a named test in that project.
 ## Harness
-**Chosen simulator: ModbusPal** (Java, scriptable). Rationale:
+**Chosen simulator: pymodbus 3.13.0** (`pip install 'pymodbus[simulator]==3.13.0'`).
- Scriptable enough to mimic device-specific behaviors (non-standard register
+Replaced ModbusPal in PR 43 — see `tests/.../Pymodbus/README.md` for the
-  layouts, custom exception codes, intentional response delays).
+trade-off rationale. Headline reasons:
 - Runs locally, no CI dependency. Tests skip when `localhost:502` (or the configured
  simulator endpoint) isn't reachable.
 - Free + long-maintained — physical PLC bench is unavailable in most dev
  environments, and renting cloud PLCs isn't worth the per-test cost.
-**Setup pattern** (not yet codified in a script — will land alongside the integration
+- **Headless** pure-Python CLI; no Java GUI, runs cleanly on a CI runner.
-test project):
+- **Maintained** — current stable 3.13.0; ModbusPal 1.6b is abandoned.
-1. Install ModbusPal, load the per-device `.xmpp` profile from
+- **All four standard tables** (HR, IR, coils, DI) configurable; ModbusPal
-   `tests/Driver.Modbus.IntegrationTests/ModbusPal/` (TBD directory).
+  1.6b only exposed HR + coils.
-2. Start the simulator listening on `localhost:502` (or override via
+- **Built-in actions** (`increment`, `random`, `timestamp`, `uptime`) +
-   `MODBUS_SIM_ENDPOINT` env var).
+  optional custom-Python actions for declarative dynamic behaviors.
-3. `dotnet test` the integration project — tests auto-skip when the endpoint is
+- **Per-register raw uint16 seeding** — encoding the DL205 string-byte-order
-   unreachable, so forgetting to start the simulator doesn't wedge CI.
+  / BCD / CDAB-float quirks stays explicit (the quirk math lives in the
  `_quirk` JSON-comment fields next to each register).
 - Pip-installable on Windows; sidesteps the privileged-port admin
  requirement by defaulting to TCP **5020** instead of 502.
 **Setup pattern**:
 1. `pip install "pymodbus[simulator]==3.13.0"`.
 2. Start the simulator with one of the in-repo profiles:
   `tests\.../Pymodbus\serve.ps1 -Profile standard` (or `-Profile dl205`).
 3. `dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` —
   tests auto-skip when the endpoint is unreachable. Default endpoint is
   `localhost:5020`; override via `MODBUS_SIM_ENDPOINT` for a real PLC on its
   native port 502.
 ## Per-device quirk catalog
-### AutomationDirect DL205
+### AutomationDirect DL205 / DL260
-First known target device. Quirks to document and cover with named tests (to be
+First known target device family. **Full quirk catalog with primary-source citations
-filled in when user validates each behavior in ModbusPal with a DL205 profile):
+and per-quirk integration-test names lives at [`dl205.md`](dl205.md)** — that doc is
 the reference; this section is the testing roadmap.
- **Word order for 32-bit values**: _pending_ — confirm whether DL205 uses ABCD
+Confirmed quirks (priority order — top items are highest-impact for our driver
-  (Modbus TCP standard) or CDAB (Siemens-style word-swap) for Int32/UInt32/Float32.
+and ship first as PR 41+):
  Test name: `DL205_Float32_word_order_is_CDAB` (or `ABCD`, whichever proves out).
 - **Register-zero access**: _pending_ — some DL205 configurations reject FC03 at
  register 0 with exception code 02 (illegal data address). If confirmed, the
  integration test suite verifies `ModbusProbeOptions.ProbeAddress` default of 0
  triggers the rejection and operators must override; test name:
  `DL205_FC03_at_register_0_returns_IllegalDataAddress`.
 - **Coil addressing base**: _pending_ — DL205 documentation sometimes uses 1-based
  coil addresses; verify the driver's zero-based addressing matches the physical
  PLC without an off-by-one adjustment.
 - **Maximum registers per FC03**: _pending_ — Modbus spec caps at 125; some DL205
  models enforce a lower limit (e.g., 64). Test name:
  `DL205_FC03_beyond_max_registers_returns_IllegalDataValue`.
 - **Response framing under sustained load**: _pending_ — the driver's
  single-flight semaphore assumes the server pairs requests/responses by
  transaction id; at least one DL205 firmware revision is reported to drop the
  TxId under load. If reproduced in ModbusPal we add a retry + log-and-continue
  path to `ModbusTcpTransport`.
 - **Exception code on coil write to a protected bit**: _pending_ — some DL205
  setups protect internal coils; the driver should surface the PLC's exception
  PDU as `BadNotWritable` rather than `BadInternalError`.
-_User action item_: as each quirk is validated in ModbusPal, replace the _pending_
+| Quirk | Driver impact | Integration-test name |
-marker with the confirmed behavior and file a named test in the integration suite.
+|---|---|---|
 | **String packing**: 2 chars/register, **first char in low byte** (opposite of generic Modbus) | `ModbusDataType.String` decoder must be configurable per-device family — current code assumes high-byte-first | `DL205_String_low_byte_first_within_register` |
 | **Word order CDAB** for Int32/UInt32/Float32 | Already configurable via `ModbusByteOrder.WordSwap`; default per device profile | `DL205_Int32_word_order_is_CDAB` |
 | **BCD-as-default** numeric storage (only IEEE 754 when ladder uses `R` type) | New decoder mode — register reads as `0x1234` for ladder value `1234`, not as decimal `4660` | `DL205_BCD_register_decodes_as_hex_nibbles` |
 | **FC16 capped at 100 registers** (below the spec's 123) | Bulk-write batching must cap per-device-family | `DL205_FC16_101_registers_returns_IllegalDataValue` |
 | **FC03/04 capped at 128** (above the spec's 125) | Less impactful — clients that respect the spec's 125 stay safe | `DL205_FC03_129_registers_returns_IllegalDataValue` |
 | **V-memory octal-to-decimal addressing** (V2000 octal → 0x0400 decimal) | New address-format helper in profile config so operators can write `V2000` instead of computing `1024` themselves | `DL205_Vmem_V2000_maps_to_PDU_0x0400` |
 | **C-relay → coil 3072 / Y-output → coil 2048** offsets | Hard-coded constants in DL205 device profile | `DL205_C0_maps_to_coil_3072`, `DL205_Y0_maps_to_coil_2048` |
 | **Register 0 is valid** (rejects-register-0 rumour was DL05/DL06 relative-mode artefact) | None — current default is safe | `DL205_FC03_register_0_returns_V0_contents` |
 | **Max 4 simultaneous TCP clients** on H2-ECOM100 | Connect-time: handle TCP-accept failure with a clearer error message | `DL205_5th_TCP_connection_refused` |
 | **No TCP keepalive** | Driver-side periodic-probe (already wired via `IHostConnectivityProbe`) | _Covered by existing `ModbusProbeTests`_ |
 | **No mid-stream resync on malformed MBAP** | Already covered — single-flight + reconnect-on-error | _Covered by existing `ModbusDriverTests`_ |
 | **Write-protect exception code: `02` newer / `04` older** | Translate either to `BadNotWritable` | `DL205_FC06_in_ProgramMode_returns_ServerFailure` |
 _Operator-reported / unconfirmed_ — covered defensively in the driver but no
 integration tests until reproduced on hardware:
 - TxId drop under load (forum rumour; not reproduced).
 - Pre-2004 firmware ABCD word order (every shipped DL205/DL260 since 2004 is CDAB).
 ### Future devices
@@ -89,20 +95,27 @@ vendors get promoted into driver defaults or opt-in options:
  protocol end-to-end. The in-memory `FakeTransport` from the unit test suite is
  deliberately not used here — its value is speed + determinism, which doesn't
  help reproduce device-specific issues.
- **Don't depend on ModbusPal state between tests.** Each test resets the
+- **Don't depend on simulator state between tests.** Each test resets the
  simulator's register bank or uses a unique address range. Avoid relying on
  "previous test left value at register 10" setups that flake when tests run in
-  parallel or re-order.
+  parallel or re-order. Either the test mutates the scratch ranges and restores
  on finally, or it uses pymodbus's REST API to reset state between facts.
 ## Next concrete PRs
 - **PR 30 — Integration test project + DL205 profile scaffold** — **DONE**.
  Shipped `tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` with
  `ModbusSimulatorFixture` (TCP-probe, skips with a clear `SkipReason` when the
-  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub — one
+  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub), and
-  writable holding register at address 100), and `DL205/DL205SmokeTests.cs`
+  `DL205/DL205SmokeTests.cs` (write-then-read round-trip).
-  (write-then-read round-trip). `ModbusPal/` directory holds the README
+- **PR 41 — DL205 quirk catalog doc** — **DONE**. `docs/v2/dl205.md`
-  pointing at the to-be-committed `DL205.xmpp` profile.
+  documents every DL205/DL260 Modbus divergence with primary-source citations.
- **PR 31+**: one PR per confirmed DL205 quirk, landing the named test + any
+- **PR 42 — ModbusPal `.xmpp` profiles** — **SUPERSEDED by PR 43**. Replaced
-  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it. Drop
+  with pymodbus JSON because ModbusPal 1.6b is abandoned, GUI-only, and only
-  the `DL205.xmpp` profile into `ModbusPal/` alongside the first quirk PR.
+  exposes 2 of the 4 standard tables.
 - **PR 43 — pymodbus JSON profiles** — **DONE**. `Pymodbus/standard.json` +
  `Pymodbus/dl205.json` + `Pymodbus/serve.ps1` runner. Both bind TCP 5020.
 - **PR 44+**: one PR per confirmed DL205 quirk, landing the named test + any
  driver-side adjustment (string byte order, BCD decoder, V-memory address
  helper, FC16 cap-per-device-family) needed to pass it. Each quirk's value
  is already pre-encoded in `Pymodbus/dl205.json`.
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/DirectLogicAddress.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/DirectLogicAddress.cs
@@ -0,0 +1,165 @@
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
 /// <summary>
 ///     AutomationDirect DirectLOGIC address-translation helpers. DL205 / DL260 / DL350 CPUs
 ///     address V-memory in OCTAL while the Modbus wire uses DECIMAL PDU addresses — operators
 ///     see "V2000" in the PLC ladder-logic editor but the Modbus client must write PDU 0x0400.
 ///     The formulas differ between user V-memory (simple octal-to-decimal) and system V-memory
 ///     (fixed bank mappings), so the two cases are separate methods rather than one overloaded
 ///     "ToPdu" call.
 /// </summary>
 /// <remarks>
 ///     See <c>docs/v2/dl205.md</c> §V-memory for the full CPU-family matrix + rationale.
 ///     References: D2-USER-M appendix (DL205/D2-260), H2-ECOM-M §6.5 (absolute vs relative
 ///     addressing), AutomationDirect forum guidance on V40400 system-base.
 /// </remarks>
 public static class DirectLogicAddress
 {
    /// <summary>
    ///     Convert a DirectLOGIC user V-memory address (octal) to a 0-based Modbus PDU address.
    ///     Accepts bare octal (<c>"2000"</c>) or <c>V</c>-prefixed (<c>"V2000"</c>). Range
    ///     depends on CPU model — DL205 D2-260 user memory is V1400-V7377 + V10000-V17777
    ///     octal, DL260 extends to V77777 octal.
    /// </summary>
    /// <exception cref="ArgumentException">Input is null / empty / contains non-octal digits (8,9).</exception>
    /// <exception cref="OverflowException">Parsed value exceeds ushort.MaxValue (0xFFFF).</exception>
    public static ushort UserVMemoryToPdu(string vAddress)
    {
        if (string.IsNullOrWhiteSpace(vAddress))
            throw new ArgumentException("V-memory address must not be empty", nameof(vAddress));
        var s = vAddress.Trim();
        if (s[0] == 'V' || s[0] == 'v') s = s.Substring(1);
        if (s.Length == 0)
            throw new ArgumentException($"V-memory address '{vAddress}' has no digits", nameof(vAddress));
        // Octal conversion. Reject 8/9 digits up-front — int.Parse in the obvious base would
        // accept them silently because .NET has no built-in base-8 parser.
        uint result = 0;
        foreach (var ch in s)
        {
            if (ch < '0' || ch > '7')
                throw new ArgumentException(
                    $"V-memory address '{vAddress}' contains non-octal digit '{ch}' — DirectLOGIC V-addresses are octal (0-7)",
                    nameof(vAddress));
            result = result * 8 + (uint)(ch - '0');
            if (result > ushort.MaxValue)
                throw new OverflowException(
                    $"V-memory address '{vAddress}' exceeds the 16-bit Modbus PDU address range");
        }
        return (ushort)result;
    }
    /// <summary>
    ///     DirectLOGIC system V-memory starts at octal V40400 on DL260 / H2-ECOM100 in factory
    ///     "absolute" addressing mode. Unlike user V-memory, the mapping is NOT a simple
    ///     octal-to-decimal conversion — the CPU relocates the system bank to Modbus PDU 0x2100
    ///     (decimal 8448). This helper returns the CPU-family base plus a user-supplied offset
    ///     within the system bank.
    /// </summary>
    public const ushort SystemVMemoryBasePdu = 0x2100;
    /// <param name="offsetWithinSystemBank">
    ///     0-based register offset within the system bank. Pass 0 for V40400 itself; pass 1 for
    ///     V40401 (octal), and so on. NOT an octal-decoded value — the system bank lives at
    ///     consecutive PDU addresses, so the offset is plain decimal.
    /// </param>
    public static ushort SystemVMemoryToPdu(ushort offsetWithinSystemBank)
    {
        var pdu = SystemVMemoryBasePdu + offsetWithinSystemBank;
        if (pdu > ushort.MaxValue)
            throw new OverflowException(
                $"System V-memory offset {offsetWithinSystemBank} maps past 0xFFFF");
        return (ushort)pdu;
    }
    // Bit-memory bases per DL260 user manual §I/O-configuration.
    // Numbers after X / Y / C / SP are OCTAL in DirectLOGIC notation. The Modbus base is
    // added to the octal-decoded offset; e.g. Y017 = Modbus coil 2048 + octal(17) = 2048 + 15 = 2063.
    /// <summary>
    ///     DL260 Y-output coil base. Y0 octal → Modbus coil address 2048 (0-based).
    /// </summary>
    public const ushort YOutputBaseCoil = 2048;
    /// <summary>
    ///     DL260 C-relay coil base. C0 octal → Modbus coil address 3072 (0-based).
    /// </summary>
    public const ushort CRelayBaseCoil = 3072;
    /// <summary>
    ///     DL260 X-input discrete-input base. X0 octal → Modbus discrete input 0.
    /// </summary>
    public const ushort XInputBaseDiscrete = 0;
    /// <summary>
    ///     DL260 SP special-relay discrete-input base. SP0 octal → Modbus discrete input 1024.
    ///     Read-only; writing SP relays is rejected with Illegal Data Address.
    /// </summary>
    public const ushort SpecialBaseDiscrete = 1024;
    /// <summary>
    ///     Translate a DirectLOGIC Y-output address (e.g. <c>"Y0"</c>, <c>"Y17"</c>) to its
    ///     0-based Modbus coil address on DL260. The trailing number is OCTAL, matching the
    ///     ladder-logic editor's notation.
    /// </summary>
    public static ushort YOutputToCoil(string yAddress) =>
        AddOctalOffset(YOutputBaseCoil, StripPrefix(yAddress, 'Y'));
    /// <summary>
    ///     Translate a DirectLOGIC C-relay address (e.g. <c>"C0"</c>, <c>"C1777"</c>) to its
    ///     0-based Modbus coil address.
    /// </summary>
    public static ushort CRelayToCoil(string cAddress) =>
        AddOctalOffset(CRelayBaseCoil, StripPrefix(cAddress, 'C'));
    /// <summary>
    ///     Translate a DirectLOGIC X-input address (e.g. <c>"X0"</c>, <c>"X17"</c>) to its
    ///     0-based Modbus discrete-input address. Reading an unpopulated X returns 0, not an
    ///     exception — the CPU sizes the table to configured I/O, not installed modules.
    /// </summary>
    public static ushort XInputToDiscrete(string xAddress) =>
        AddOctalOffset(XInputBaseDiscrete, StripPrefix(xAddress, 'X'));
    /// <summary>
    ///     Translate a DirectLOGIC SP-special-relay address (e.g. <c>"SP0"</c>) to its 0-based
    ///     Modbus discrete-input address. Accepts <c>"SP"</c> prefix case-insensitively.
    /// </summary>
    public static ushort SpecialToDiscrete(string spAddress)
    {
        if (string.IsNullOrWhiteSpace(spAddress))
            throw new ArgumentException("SP address must not be empty", nameof(spAddress));
        var s = spAddress.Trim();
        if (s.Length >= 2 && (s[0] == 'S' || s[0] == 's') && (s[1] == 'P' || s[1] == 'p'))
            s = s.Substring(2);
        return AddOctalOffset(SpecialBaseDiscrete, s);
    }
    private static string StripPrefix(string address, char expectedPrefix)
    {
        if (string.IsNullOrWhiteSpace(address))
            throw new ArgumentException("Address must not be empty", nameof(address));
        var s = address.Trim();
        if (s.Length > 0 && char.ToUpperInvariant(s[0]) == char.ToUpperInvariant(expectedPrefix))
            s = s.Substring(1);
        return s;
    }
    private static ushort AddOctalOffset(ushort baseAddr, string octalDigits)
    {
        if (octalDigits.Length == 0)
            throw new ArgumentException("Address has no digits", nameof(octalDigits));
        uint offset = 0;
        foreach (var ch in octalDigits)
        {
            if (ch < '0' || ch > '7')
                throw new ArgumentException(
                    $"Address contains non-octal digit '{ch}' — DirectLOGIC I/O addresses are octal (0-7)",
                    nameof(octalDigits));
            offset = offset * 8 + (uint)(ch - '0');
        }
        var result = baseAddr + offset;
        if (result > ushort.MaxValue)
            throw new OverflowException($"Address {baseAddr}+{offset} exceeds 0xFFFF");
        return (ushort)result;
    }
 }
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs
@@ -37,7 +37,7 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
    private CancellationTokenSource? _probeCts;
    private readonly ModbusDriverOptions _options = options;
    private readonly Func<ModbusDriverOptions, IModbusTransport> _transportFactory =
-        transportFactory ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout));
+        transportFactory ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout, o.AutoReconnect));
    private IModbusTransport? _transport;
    private DriverHealth _health = new(DriverState.Unknown, null, null);
@@ -141,9 +141,16 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
                results[i] = new DataValueSnapshot(value, 0u, now, now);
                _health = new DriverHealth(DriverState.Healthy, now, null);
            }
            catch (ModbusException mex)
            {
                results[i] = new DataValueSnapshot(null, MapModbusExceptionToStatus(mex.ExceptionCode), null, now);
                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, mex.Message);
            }
            catch (Exception ex)
            {
-                results[i] = new DataValueSnapshot(null, StatusBadInternalError, null, now);
+                // Non-Modbus-layer failure: socket dropped, timeout, malformed response. Surface
                // as communication error so callers can distinguish it from tag-level faults.
                results[i] = new DataValueSnapshot(null, StatusBadCommunicationError, null, now);
                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, ex.Message);
            }
        }
@@ -171,11 +178,14 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
            {
                var quantity = RegisterCount(tag);
                var fc = tag.Region == ModbusRegion.HoldingRegisters ? (byte)0x03 : (byte)0x04;
-                var pdu = new byte[] { fc, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
+                // Auto-chunk when the tag's register span exceeds the caller-configured cap.
-                                       (byte)(quantity >> 8), (byte)(quantity & 0xFF) };
+                // Affects long strings (FC03/04 > 125 regs is spec-forbidden; DL205 caps at 128,
-                var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                // Mitsubishi Q caps at 64). Non-string tags max out at 4 regs so the cap never
-                // resp = [fc][byte-count][data...]
+                // triggers for numerics.
-                var data = new ReadOnlySpan<byte>(resp, 2, resp[1]);
+                var cap = _options.MaxRegistersPerRead == 0 ? (ushort)125 : _options.MaxRegistersPerRead;
                var data = quantity <= cap
                    ? await ReadRegisterBlockAsync(transport, fc, tag.Address, quantity, ct).ConfigureAwait(false)
                    : await ReadRegisterBlockChunkedAsync(transport, fc, tag.Address, quantity, cap, ct).ConfigureAwait(false);
                return DecodeRegister(data, tag);
            }
            default:
@@ -183,6 +193,33 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
        }
    }
    private async Task<byte[]> ReadRegisterBlockAsync(
        IModbusTransport transport, byte fc, ushort address, ushort quantity, CancellationToken ct)
    {
        var pdu = new byte[] { fc, (byte)(address >> 8), (byte)(address & 0xFF),
                               (byte)(quantity >> 8), (byte)(quantity & 0xFF) };
        var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
        // resp = [fc][byte-count][data...]
        var data = new byte[resp[1]];
        Buffer.BlockCopy(resp, 2, data, 0, resp[1]);
        return data;
    }
    private async Task<byte[]> ReadRegisterBlockChunkedAsync(
        IModbusTransport transport, byte fc, ushort address, ushort totalRegs, ushort cap, CancellationToken ct)
    {
        var assembled = new byte[totalRegs * 2];
        ushort done = 0;
        while (done < totalRegs)
        {
            var chunk = (ushort)Math.Min(cap, totalRegs - done);
            var chunkBytes = await ReadRegisterBlockAsync(transport, fc, (ushort)(address + done), chunk, ct).ConfigureAwait(false);
            Buffer.BlockCopy(chunkBytes, 0, assembled, done * 2, chunkBytes.Length);
            done += chunk;
        }
        return assembled;
    }
    // ---- IWritable ----
    public async Task<IReadOnlyList<WriteResult>> WriteAsync(
@@ -208,6 +245,10 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
                await WriteOneAsync(transport, tag, w.Value, cancellationToken).ConfigureAwait(false);
                results[i] = new WriteResult(0u);
            }
            catch (ModbusException mex)
            {
                results[i] = new WriteResult(MapModbusExceptionToStatus(mex.ExceptionCode));
            }
            catch (Exception)
            {
                results[i] = new WriteResult(StatusBadInternalError);
@@ -239,8 +280,13 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
                }
                else
                {
-                    // FC 16 (Write Multiple Registers) for 32-bit types
+                    // FC 16 (Write Multiple Registers) for 32-bit types.
                    var qty = (ushort)(bytes.Length / 2);
                    var writeCap = _options.MaxRegistersPerWrite == 0 ? (ushort)123 : _options.MaxRegistersPerWrite;
                    if (qty > writeCap)
                        throw new InvalidOperationException(
                            $"Write of {qty} registers to {tag.Name} exceeds MaxRegistersPerWrite={writeCap}. " +
                            $"Split the tag (e.g. shorter StringLength) — partial FC16 chunks would lose atomicity.");
                    var pdu = new byte[6 + 1 + bytes.Length];
                    pdu[0] = 0x10;
                    pdu[1] = (byte)(tag.Address >> 8); pdu[2] = (byte)(tag.Address & 0xFF);
@@ -404,8 +450,8 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
    /// </summary>
    internal static ushort RegisterCount(ModbusTagDefinition tag) => tag.DataType switch
    {
-        ModbusDataType.Int16 or ModbusDataType.UInt16 or ModbusDataType.BitInRegister => 1,
+        ModbusDataType.Int16 or ModbusDataType.UInt16 or ModbusDataType.BitInRegister or ModbusDataType.Bcd16 => 1,
-        ModbusDataType.Int32 or ModbusDataType.UInt32 or ModbusDataType.Float32 => 2,
+        ModbusDataType.Int32 or ModbusDataType.UInt32 or ModbusDataType.Float32 or ModbusDataType.Bcd32 => 2,
        ModbusDataType.Int64 or ModbusDataType.UInt64 or ModbusDataType.Float64 => 4,
        ModbusDataType.String => (ushort)((tag.StringLength + 1) / 2), // 2 chars per register
        _ => throw new InvalidOperationException($"Non-register data type {tag.DataType}"),
@@ -435,6 +481,17 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
        {
            case ModbusDataType.Int16: return BinaryPrimitives.ReadInt16BigEndian(data);
            case ModbusDataType.UInt16: return BinaryPrimitives.ReadUInt16BigEndian(data);
            case ModbusDataType.Bcd16:
            {
                var raw = BinaryPrimitives.ReadUInt16BigEndian(data);
                return (int)DecodeBcd(raw, nibbles: 4);
            }
            case ModbusDataType.Bcd32:
            {
                var b = NormalizeWordOrder(data, tag.ByteOrder);
                var raw = BinaryPrimitives.ReadUInt32BigEndian(b);
                return (int)DecodeBcd(raw, nibbles: 8);
            }
            case ModbusDataType.BitInRegister:
            {
                var raw = BinaryPrimitives.ReadUInt16BigEndian(data);
@@ -472,13 +529,21 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
            }
            case ModbusDataType.String:
            {
-                // ASCII, 2 chars per register, packed high byte = first char.
+                // ASCII, 2 chars per register. HighByteFirst (standard) packs the first char in
-                // Respect the caller's StringLength (truncate nul-padded regions).
+                // the high byte of each register; LowByteFirst (DL205/DL260) packs the first char
                // in the low byte. Respect StringLength (truncate nul-padded regions).
                var chars = new char[tag.StringLength];
                for (var i = 0; i < tag.StringLength; i++)
                {
-                    var b = data[i];
+                    var regIdx = i / 2;
-                    if (b == 0) { return new string(chars, 0, i); }
+                    var highByte = data[regIdx * 2];
                    var lowByte  = data[regIdx * 2 + 1];
                    byte b;
                    if (tag.StringByteOrder == ModbusStringByteOrder.HighByteFirst)
                        b = (i % 2 == 0) ? highByte : lowByte;
                    else
                        b = (i % 2 == 0) ? lowByte : highByte;
                    if (b == 0) return new string(chars, 0, i);
                    chars[i] = (char)b;
                }
                return new string(chars);
@@ -502,6 +567,21 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
                var v = Convert.ToUInt16(value);
                var b = new byte[2]; BinaryPrimitives.WriteUInt16BigEndian(b, v); return b;
            }
            case ModbusDataType.Bcd16:
            {
                var v = Convert.ToUInt32(value);
                if (v > 9999) throw new OverflowException($"BCD16 value {v} exceeds 4 decimal digits");
                var raw = (ushort)EncodeBcd(v, nibbles: 4);
                var b = new byte[2]; BinaryPrimitives.WriteUInt16BigEndian(b, raw); return b;
            }
            case ModbusDataType.Bcd32:
            {
                var v = Convert.ToUInt32(value);
                if (v > 99_999_999u) throw new OverflowException($"BCD32 value {v} exceeds 8 decimal digits");
                var raw = EncodeBcd(v, nibbles: 8);
                var b = new byte[4]; BinaryPrimitives.WriteUInt32BigEndian(b, raw);
                return NormalizeWordOrder(b, tag.ByteOrder);
            }
            case ModbusDataType.Int32:
            {
                var v = Convert.ToInt32(value);
@@ -543,7 +623,14 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
                var s = Convert.ToString(value) ?? string.Empty;
                var regs = (tag.StringLength + 1) / 2;
                var b = new byte[regs * 2];
-                for (var i = 0; i < tag.StringLength && i < s.Length; i++) b[i] = (byte)s[i];
+                for (var i = 0; i < tag.StringLength && i < s.Length; i++)
                {
                    var regIdx = i / 2;
                    var destIdx = tag.StringByteOrder == ModbusStringByteOrder.HighByteFirst
                        ? (i % 2 == 0 ? regIdx * 2 : regIdx * 2 + 1)
                        : (i % 2 == 0 ? regIdx * 2 + 1 : regIdx * 2);
                    b[destIdx] = (byte)s[i];
                }
                // remaining bytes stay 0 — nul-padded per PLC convention
                return b;
            }
@@ -564,15 +651,77 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
        ModbusDataType.Float32 => DriverDataType.Float32,
        ModbusDataType.Float64 => DriverDataType.Float64,
        ModbusDataType.String => DriverDataType.String,
        ModbusDataType.Bcd16 or ModbusDataType.Bcd32 => DriverDataType.Int32,
        _ => DriverDataType.Int32,
    };
    /// <summary>
    ///     Decode an N-nibble binary-coded-decimal value. Each nibble of <paramref name="raw"/>
    ///     encodes one decimal digit (most-significant nibble first). Rejects nibbles &gt; 9 —
    ///     the hardware sometimes produces garbage during transitions and silent non-BCD reads
    ///     would quietly corrupt the caller's data.
    /// </summary>
    internal static uint DecodeBcd(uint raw, int nibbles)
    {
        uint result = 0;
        for (var i = nibbles - 1; i >= 0; i--)
        {
            var digit = (raw >> (i * 4)) & 0xF;
            if (digit > 9)
                throw new InvalidDataException(
                    $"Non-BCD nibble 0x{digit:X} at position {i} of raw=0x{raw:X}");
            result = result * 10 + digit;
        }
        return result;
    }
    /// <summary>
    ///     Encode a decimal value as N-nibble BCD. Caller is responsible for range-checking
    ///     against the nibble capacity (10^nibbles - 1).
    /// </summary>
    internal static uint EncodeBcd(uint value, int nibbles)
    {
        uint result = 0;
        for (var i = 0; i < nibbles; i++)
        {
            var digit = value % 10;
            result |= digit << (i * 4);
            value /= 10;
        }
        return result;
    }
    private IModbusTransport RequireTransport() =>
        _transport ?? throw new InvalidOperationException("ModbusDriver not initialized");
    private const uint StatusBadInternalError = 0x80020000u;
    private const uint StatusBadNodeIdUnknown = 0x80340000u;
    private const uint StatusBadNotWritable = 0x803B0000u;
    private const uint StatusBadOutOfRange = 0x803C0000u;
    private const uint StatusBadNotSupported = 0x803D0000u;
    private const uint StatusBadDeviceFailure = 0x80550000u;
    private const uint StatusBadCommunicationError = 0x80050000u;
    /// <summary>
    ///     Map a server-returned Modbus exception code to the most informative OPC UA
    ///     StatusCode. Keeps the driver's outward-facing status surface aligned with what a
    ///     Modbus engineer would expect when reading the spec: exception 02 (Illegal Data
    ///     Address) surfaces as BadOutOfRange so clients can distinguish "tag wrong" from
    ///     generic BadInternalError, exception 04 (Server Failure) as BadDeviceFailure so
    ///     operators see a CPU-mode problem rather than a driver bug, etc. Per
    ///     <c>docs/v2/dl205.md</c>, DL205/DL260 returns only codes 01-04 — no proprietary
    ///     extensions.
    /// </summary>
    internal static uint MapModbusExceptionToStatus(byte exceptionCode) => exceptionCode switch
    {
        0x01 => StatusBadNotSupported,     // Illegal Function — FC not in supported list
        0x02 => StatusBadOutOfRange,       // Illegal Data Address — register outside mapped range
        0x03 => StatusBadOutOfRange,       // Illegal Data Value — quantity over per-FC cap
        0x04 => StatusBadDeviceFailure,    // Server Failure — CPU in PROGRAM mode during protected write
        0x05 or 0x06 => StatusBadDeviceFailure, // Acknowledge / Server Busy — long-running op / busy
        0x0A or 0x0B => StatusBadCommunicationError, // Gateway path unavailable / target failed to respond
        _ => StatusBadInternalError,
    };
    public void Dispose() => DisposeAsync().AsTask().GetAwaiter().GetResult();
    public async ValueTask DisposeAsync()
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriverOptions.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriverOptions.cs
@@ -25,6 +25,37 @@ public sealed class ModbusDriverOptions
    ///     <see cref="IHostConnectivityProbe"/>.
    /// </summary>
    public ModbusProbeOptions Probe { get; init; } = new();
    /// <summary>
    ///     Maximum registers per FC03 (Read Holding Registers) / FC04 (Read Input Registers)
    ///     transaction. Modbus-TCP spec allows 125; many device families impose lower caps:
    ///     AutomationDirect DL205/DL260 cap at <c>128</c>, Mitsubishi Q/FX3U cap at <c>64</c>,
    ///     Omron CJ/CS cap at <c>125</c>. Set to the lowest cap across the devices this driver
    ///     instance talks to; the driver auto-chunks larger reads into consecutive requests.
    ///     Default <c>125</c> — the spec maximum, safe against any conforming server. Setting
    ///     to <c>0</c> disables the cap (discouraged — the spec upper bound still applies).
    /// </summary>
    public ushort MaxRegistersPerRead { get; init; } = 125;
    /// <summary>
    ///     Maximum registers per FC16 (Write Multiple Registers) transaction. Spec maximum is
    ///     <c>123</c>; DL205/DL260 cap at <c>100</c>. Matching caller-vs-device semantics:
    ///     exceeding the cap currently throws (writes aren't auto-chunked because a partial
    ///     write across two FC16 calls is no longer atomic — caller must explicitly opt in
    ///     by shortening the tag's <c>StringLength</c> or splitting it into multiple tags).
    /// </summary>
    public ushort MaxRegistersPerWrite { get; init; } = 123;
    /// <summary>
    ///     When <c>true</c> (default) the built-in <see cref="ModbusTcpTransport"/> detects
    ///     mid-transaction socket failures (<see cref="System.IO.EndOfStreamException"/>,
    ///     <see cref="System.Net.Sockets.SocketException"/>) and transparently reconnects +
    ///     retries the PDU exactly once. Required for DL205/DL260 because the H2-ECOM100
    ///     does not send TCP keepalives — intermediate NAT / firewall devices silently close
    ///     idle sockets and the first send after the drop would otherwise surface as a
    ///     connection error to the caller even though the PLC is up.
    /// </summary>
    public bool AutoReconnect { get; init; } = true;
 }
 public sealed class ModbusProbeOptions
@@ -55,6 +86,12 @@ public sealed class ModbusProbeOptions
 /// <param name="ByteOrder">Word ordering for multi-register types. Ignored for Bool / Int16 / UInt16 / BitInRegister / String.</param>
 /// <param name="BitIndex">For <c>DataType = BitInRegister</c>: which bit of the holding register (0-15, LSB-first).</param>
 /// <param name="StringLength">For <c>DataType = String</c>: number of ASCII characters (2 per register, rounded up).</param>
 /// <param name="StringByteOrder">
 ///     Per-register byte order for <c>DataType = String</c>. Standard Modbus packs the first
 ///     character in the high byte (<see cref="ModbusStringByteOrder.HighByteFirst"/>).
 ///     AutomationDirect DirectLOGIC (DL205/DL260) and a few legacy families pack the first
 ///     character in the low byte instead — see <c>docs/v2/dl205.md</c> §strings.
 /// </param>
 public sealed record ModbusTagDefinition(
    string Name,
    ModbusRegion Region,
@@ -63,7 +100,8 @@ public sealed record ModbusTagDefinition(
    bool Writable = true,
    ModbusByteOrder ByteOrder = ModbusByteOrder.BigEndian,
    byte BitIndex = 0,
-    ushort StringLength = 0);
+    ushort StringLength = 0,
    ModbusStringByteOrder StringByteOrder = ModbusStringByteOrder.HighByteFirst);
 public enum ModbusRegion { Coils, DiscreteInputs, InputRegisters, HoldingRegisters }
@@ -82,6 +120,18 @@ public enum ModbusDataType
    BitInRegister,
    /// <summary>ASCII string packed 2 chars per register, <see cref="ModbusTagDefinition.StringLength"/> characters long.</summary>
    String,
    /// <summary>
    ///     16-bit binary-coded decimal. Each nibble encodes one decimal digit (0-9). Register
    ///     value <c>0x1234</c> decodes as decimal <c>1234</c> — NOT binary <c>0x04D2 = 4660</c>.
    ///     DL205/DL260 and several Mitsubishi / Omron families store timers, counters, and
    ///     operator-facing numerics as BCD by default.
    /// </summary>
    Bcd16,
    /// <summary>
    ///     32-bit (two-register) BCD. Decodes 8 decimal digits. Word ordering follows
    ///     <see cref="ModbusTagDefinition.ByteOrder"/> the same way <see cref="Int32"/> does.
    /// </summary>
    Bcd32,
 }
 /// <summary>
@@ -95,3 +145,17 @@ public enum ModbusByteOrder
    BigEndian,
    WordSwap,
 }
 /// <summary>
 ///     Per-register byte order for ASCII strings packed 2 chars per register. Standard Modbus
 ///     convention is <see cref="HighByteFirst"/> — the first character of each pair occupies
 ///     the high byte of the register. AutomationDirect DirectLOGIC (DL205, DL260, DL350) and a
 ///     handful of legacy controllers pack <see cref="LowByteFirst"/>, which inverts that within
 ///     each register. Word ordering across multiple registers is always ascending address for
 ///     strings — only the byte order inside each register flips.
 /// </summary>
 public enum ModbusStringByteOrder
 {
    HighByteFirst,
    LowByteFirst,
 }
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusTcpTransport.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusTcpTransport.cs
@@ -8,33 +8,83 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
 ///     support concurrent transactions, but the single-flight model keeps the wire trace
 ///     easy to diagnose and avoids interleaved-response correlation bugs.
 /// </summary>
 /// <remarks>
 ///     <para>
 ///         Survives mid-transaction socket drops: when a send/read fails with a socket-level
 ///         error (<see cref="IOException"/>, <see cref="SocketException"/>, <see cref="EndOfStreamException"/>)
 ///         the transport disposes the dead socket, reconnects, and retries the PDU exactly
 ///         once. Deliberately limited to a single retry — further failures bubble up so the
 ///         driver's health surface reflects the real state instead of masking a dead PLC.
 ///     </para>
 ///     <para>
 ///         Why this matters for DL205/DL260: the AutomationDirect H2-ECOM100 does NOT send
 ///         TCP keepalives per <c>docs/v2/dl205.md</c> §behavioral-oddities, so any NAT/firewall
 ///         between the gateway and PLC can silently close an idle socket after 2-5 minutes.
 ///         Also enables OS-level <c>SO_KEEPALIVE</c> so the driver's own side detects a stuck
 ///         socket in reasonable time even when the application is mostly idle.
 ///     </para>
 /// </remarks>
 public sealed class ModbusTcpTransport : IModbusTransport
 {
    private readonly string _host;
    private readonly int _port;
    private readonly TimeSpan _timeout;
    private readonly bool _autoReconnect;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private TcpClient? _client;
    private NetworkStream? _stream;
    private ushort _nextTx;
    private bool _disposed;
-    public ModbusTcpTransport(string host, int port, TimeSpan timeout)
+    public ModbusTcpTransport(string host, int port, TimeSpan timeout, bool autoReconnect = true)
    {
        _host = host;
        _port = port;
        _timeout = timeout;
        _autoReconnect = autoReconnect;
    }
    public async Task ConnectAsync(CancellationToken ct)
    {
-        _client = new TcpClient();
+        // Resolve the host explicitly + prefer IPv4. .NET's TcpClient default-constructor is
        // dual-stack (IPv6 first, fallback to IPv4) — but most Modbus TCP devices (PLCs and
        // simulators like pymodbus) bind 0.0.0.0 only, so the IPv6 attempt times out and we
        // burn the entire ConnectAsync budget before even trying IPv4. Resolving first +
        // dialing the IPv4 address directly sidesteps that.
        var addresses = await System.Net.Dns.GetHostAddressesAsync(_host, ct).ConfigureAwait(false);
        var ipv4 = System.Linq.Enumerable.FirstOrDefault(addresses,
            a => a.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork);
        var target = ipv4 ?? (addresses.Length > 0 ? addresses[0] : System.Net.IPAddress.Loopback);
        _client = new TcpClient(target.AddressFamily);
        EnableKeepAlive(_client);
        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
        cts.CancelAfter(_timeout);
-        await _client.ConnectAsync(_host, _port, cts.Token).ConfigureAwait(false);
+        await _client.ConnectAsync(target, _port, cts.Token).ConfigureAwait(false);
        _stream = _client.GetStream();
    }
    /// <summary>
    ///     Enable SO_KEEPALIVE with aggressive probe timing. DL205/DL260 doesn't send keepalives
    ///     itself; having the OS probe the socket every ~30s lets the driver notice a dead PLC
    ///     or broken NAT path long before the default 2-hour Windows idle timeout fires.
    ///     Non-fatal if the underlying OS rejects the option (some older Linux / container
    ///     sandboxes don't expose the fine-grained timing levers — the driver still works,
    ///     application-level probe still detects problems).
    /// </summary>
    private static void EnableKeepAlive(TcpClient client)
    {
        try
        {
            client.Client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.KeepAlive, true);
            client.Client.SetSocketOption(SocketOptionLevel.Tcp, SocketOptionName.TcpKeepAliveTime, 30);
            client.Client.SetSocketOption(SocketOptionLevel.Tcp, SocketOptionName.TcpKeepAliveInterval, 10);
            client.Client.SetSocketOption(SocketOptionLevel.Tcp, SocketOptionName.TcpKeepAliveRetryCount, 3);
        }
        catch { /* best-effort; older OSes may not expose the granular knobs */ }
    }
    public async Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
    {
        if (_disposed) throw new ObjectDisposedException(nameof(ModbusTcpTransport));
@@ -43,43 +93,18 @@ public sealed class ModbusTcpTransport : IModbusTransport
        await _gate.WaitAsync(ct).ConfigureAwait(false);
        try
        {
-            var txId = ++_nextTx;
+            try
            // MBAP: [TxId(2)][Proto=0(2)][Length(2)][UnitId(1)] + PDU
            var adu = new byte[7 + pdu.Length];
            adu[0] = (byte)(txId >> 8);
            adu[1] = (byte)(txId & 0xFF);
            // protocol id already zero
            var len = (ushort)(1 + pdu.Length); // unit id + pdu
            adu[4] = (byte)(len >> 8);
            adu[5] = (byte)(len & 0xFF);
            adu[6] = unitId;
            Buffer.BlockCopy(pdu, 0, adu, 7, pdu.Length);
            using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
            cts.CancelAfter(_timeout);
            await _stream.WriteAsync(adu.AsMemory(), cts.Token).ConfigureAwait(false);
            await _stream.FlushAsync(cts.Token).ConfigureAwait(false);
            var header = new byte[7];
            await ReadExactlyAsync(_stream, header, cts.Token).ConfigureAwait(false);
            var respTxId = (ushort)((header[0] << 8) | header[1]);
            if (respTxId != txId)
                throw new InvalidDataException($"Modbus TxId mismatch: expected {txId} got {respTxId}");
            var respLen = (ushort)((header[4] << 8) | header[5]);
            if (respLen < 1) throw new InvalidDataException($"Modbus response length too small: {respLen}");
            var respPdu = new byte[respLen - 1];
            await ReadExactlyAsync(_stream, respPdu, cts.Token).ConfigureAwait(false);
            // Exception PDU: function code has high bit set.
            if ((respPdu[0] & 0x80) != 0)
            {
-                var fc = (byte)(respPdu[0] & 0x7F);
+                return await SendOnceAsync(unitId, pdu, ct).ConfigureAwait(false);
-                var ex = respPdu[1];
+            }
-                throw new ModbusException(fc, ex, $"Modbus exception fc={fc} code={ex}");
+            catch (Exception ex) when (_autoReconnect && IsSocketLevelFailure(ex))
            {
                // Mid-transaction drop: tear down the dead socket, reconnect, resend. Single
                // retry — if it fails again, let it propagate so health/status reflect reality.
                await TearDownAsync().ConfigureAwait(false);
                await ConnectAsync(ct).ConfigureAwait(false);
                return await SendOnceAsync(unitId, pdu, ct).ConfigureAwait(false);
            }
            return respPdu;
        }
        finally
        {
@@ -87,6 +112,68 @@ public sealed class ModbusTcpTransport : IModbusTransport
        }
    }
    private async Task<byte[]> SendOnceAsync(byte unitId, byte[] pdu, CancellationToken ct)
    {
        if (_stream is null) throw new InvalidOperationException("Transport not connected");
        var txId = ++_nextTx;
        // MBAP: [TxId(2)][Proto=0(2)][Length(2)][UnitId(1)] + PDU
        var adu = new byte[7 + pdu.Length];
        adu[0] = (byte)(txId >> 8);
        adu[1] = (byte)(txId & 0xFF);
        // protocol id already zero
        var len = (ushort)(1 + pdu.Length); // unit id + pdu
        adu[4] = (byte)(len >> 8);
        adu[5] = (byte)(len & 0xFF);
        adu[6] = unitId;
        Buffer.BlockCopy(pdu, 0, adu, 7, pdu.Length);
        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
        cts.CancelAfter(_timeout);
        await _stream.WriteAsync(adu.AsMemory(), cts.Token).ConfigureAwait(false);
        await _stream.FlushAsync(cts.Token).ConfigureAwait(false);
        var header = new byte[7];
        await ReadExactlyAsync(_stream, header, cts.Token).ConfigureAwait(false);
        var respTxId = (ushort)((header[0] << 8) | header[1]);
        if (respTxId != txId)
            throw new InvalidDataException($"Modbus TxId mismatch: expected {txId} got {respTxId}");
        var respLen = (ushort)((header[4] << 8) | header[5]);
        if (respLen < 1) throw new InvalidDataException($"Modbus response length too small: {respLen}");
        var respPdu = new byte[respLen - 1];
        await ReadExactlyAsync(_stream, respPdu, cts.Token).ConfigureAwait(false);
        // Exception PDU: function code has high bit set.
        if ((respPdu[0] & 0x80) != 0)
        {
            var fc = (byte)(respPdu[0] & 0x7F);
            var ex = respPdu[1];
            throw new ModbusException(fc, ex, $"Modbus exception fc={fc} code={ex}");
        }
        return respPdu;
    }
    /// <summary>
    ///     Distinguish socket-layer failures (eligible for reconnect-and-retry) from
    ///     protocol-layer failures (must propagate — retrying the same PDU won't help if the
    ///     PLC just returned exception 02 Illegal Data Address).
    /// </summary>
    private static bool IsSocketLevelFailure(Exception ex) =>
        ex is EndOfStreamException
        || ex is IOException
        || ex is SocketException
        || ex is ObjectDisposedException;
    private async Task TearDownAsync()
    {
        try { if (_stream is not null) await _stream.DisposeAsync().ConfigureAwait(false); }
        catch { /* best-effort */ }
        _stream = null;
        try { _client?.Dispose(); } catch { }
        _client = null;
    }
    private static async Task ReadExactlyAsync(Stream s, byte[] buf, CancellationToken ct)
    {
        var read = 0;
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackFixture.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackFixture.cs
@@ -1,3 +1,6 @@
 using System.Runtime.InteropServices;
 using System.Runtime.Versioning;
 using System.Security.Principal;
 using System.Threading;
 using System.Threading.Tasks;
 using Xunit;
@@ -40,6 +43,25 @@ public sealed class LiveStackFixture : IAsyncLifetime
    public async ValueTask InitializeAsync()
    {
        // 0. Elevated-shell short-circuit. The OtOpcUaGalaxyHost pipe ACL allows the configured
        //    SID but explicitly DENIES Administrators (decision #76 — production hardening).
        //    A test process running with a high-integrity token (any elevated shell) carries the
        //    Admins group in its security context, so the deny rule trumps the user's allow and
        //    the pipe connect returns UnauthorizedAccessException — technically correct but
        //    the operationally confusing failure mode that ate most of the PR 37 install
        //    debugging session. Surfacing it explicitly here saves the next operator the same
        //    five-step diagnosis. ParityFixture has the same skip with the same rationale.
        if (IsElevatedAdministratorOnWindows())
        {
            SkipReason =
                "Test host is running with elevated (Administrators) privileges, but the " +
                "OtOpcUaGalaxyHost named-pipe ACL explicitly denies Administrators per the IPC " +
                "security design (decision #76 / PipeAcl.cs). Re-run from a NORMAL (non-admin) " +
                "PowerShell window — even when your user is already in the pipe's allow list, " +
                "the elevated token's Admins group membership trumps the allow rule.";
            return;
        }
        // 1. AVEVA + OtOpcUa service state — actionable diagnostic if anything is missing.
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
        PrerequisiteReport = await AvevaPrerequisites.CheckAllAsync(
@@ -111,6 +133,28 @@ public sealed class LiveStackFixture : IAsyncLifetime
    {
        if (SkipReason is not null) Assert.Skip(SkipReason);
    }
    private static bool IsElevatedAdministratorOnWindows()
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) return false;
        return CheckWindowsAdminToken();
    }
    [SupportedOSPlatform("windows")]
    private static bool CheckWindowsAdminToken()
    {
        try
        {
            using var identity = WindowsIdentity.GetCurrent();
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
        }
        catch
        {
            // Probe shouldn't crash the test; if we can't determine elevation, optimistically
            // continue and let the actual pipe connect surface its own error.
            return false;
        }
    }
 }
 [CollectionDefinition(Name)]
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackSmokeTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackSmokeTests.cs
@@ -117,6 +117,141 @@ public sealed class LiveStackSmokeTests(LiveStackFixture fixture)
            $"Investigate: the Host service's logs at {System.Environment.GetFolderPath(System.Environment.SpecialFolder.CommonApplicationData)}\\OtOpcUa\\Galaxy\\logs.");
    }
    [Fact]
    public async Task Write_then_read_roundtrips_a_writable_Boolean_attribute_on_TestMachine_001()
    {
        // PR 40 — finishes LMX #5. Targets DelmiaReceiver_001.TestAttribute, the writable
        // Boolean attribute on the TestMachine_001 hierarchy that the dev Galaxy was deployed
        // with for exactly this kind of integration testing. We invert the current value and
        // assert the new value comes back, then restore the original so the test is effectively
        // idempotent (Galaxy holds the value across runs since it's a deployed UDA).
        fixture.SkipIfUnavailable();
        const string fullRef = "DelmiaReceiver_001.TestAttribute";
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
        // Read current value first — gives the cleanup path the right baseline. Galaxy may
        // return Uncertain quality until the Engine has scanned the attribute at least once;
        // we don't read into a strongly-typed bool until Status is Good.
        var before = (await fixture.Driver!.ReadAsync([fullRef], cts.Token))[0];
        before.StatusCode.ShouldNotBe(0x80020000u, $"baseline read failed for {fullRef}: {before.Value}");
        var originalBool = Convert.ToBoolean(before.Value ?? false);
        var inverted = !originalBool;
        try
        {
            // Write the inverted value via IWritable.
            var writeResults = await fixture.Driver!.WriteAsync(
                [new(fullRef, inverted)], cts.Token);
            writeResults.Count.ShouldBe(1);
            writeResults[0].StatusCode.ShouldBe(0u,
                $"WriteAsync returned status 0x{writeResults[0].StatusCode:X8} for {fullRef} — " +
                $"check the Host service log at %ProgramData%\\OtOpcUa\\Galaxy\\.");
            // The Engine's scan + acknowledgement is async — read in a short loop with a 5s
            // budget. Galaxy's attribute roundtrip on a dev box is typically sub-second but
            // we give headroom for first-scan after a service restart.
            DataValueSnapshot after = default!;
            var deadline = DateTime.UtcNow.AddSeconds(5);
            while (DateTime.UtcNow < deadline)
            {
                after = (await fixture.Driver!.ReadAsync([fullRef], cts.Token))[0];
                if (after.StatusCode == 0u && Convert.ToBoolean(after.Value ?? false) == inverted) break;
                await Task.Delay(200, cts.Token);
            }
            after.StatusCode.ShouldBe(0u, "post-write read failed");
            Convert.ToBoolean(after.Value ?? false).ShouldBe(inverted,
                $"Wrote {inverted} but Galaxy returned {after.Value} after the scan window.");
        }
        finally
        {
            // Restore — best-effort. If this throws the test still reports its primary result;
            // we just leave a flipped TestAttribute on the dev box (benign, name says it all).
            try { await fixture.Driver!.WriteAsync([new(fullRef, originalBool)], cts.Token); }
            catch { /* swallow */ }
        }
    }
    [Fact]
    public async Task Subscribe_fires_OnDataChange_with_initial_value_then_again_after_a_write()
    {
        // Subscribe + write is the canonical "is the data path actually live" test for
        // an OPC UA driver. We subscribe to the same Boolean attribute, expect an initial-
        // value callback within a couple of seconds (per ISubscribable's contract — the
        // driver MAY fire OnDataChange immediately with the current value), then write a
        // distinct value and expect a second callback carrying the new value.
        fixture.SkipIfUnavailable();
        const string fullRef = "DelmiaReceiver_001.TestAttribute";
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
        // Capture every OnDataChange notification for this fullRef onto a thread-safe queue
        // we can poll from the test thread. Galaxy's MXAccess advisory fires on its own
        // thread; we don't want to block it.
        var notifications = new System.Collections.Concurrent.ConcurrentQueue<DataValueSnapshot>();
        void Handler(object? sender, DataChangeEventArgs e)
        {
            if (string.Equals(e.FullReference, fullRef, StringComparison.OrdinalIgnoreCase))
                notifications.Enqueue(e.Snapshot);
        }
        fixture.Driver!.OnDataChange += Handler;
        // Read current value so we know which value to write to force a transition.
        var before = (await fixture.Driver!.ReadAsync([fullRef], cts.Token))[0];
        var originalBool = Convert.ToBoolean(before.Value ?? false);
        var toWrite = !originalBool;
        ISubscriptionHandle? handle = null;
        try
        {
            handle = await fixture.Driver!.SubscribeAsync(
                [fullRef], TimeSpan.FromMilliseconds(250), cts.Token);
            // Wait for initial-value notification — typical < 1s on a hot Galaxy, give 5s.
            await WaitForAsync(() => notifications.Count >= 1, TimeSpan.FromSeconds(5), cts.Token);
            notifications.Count.ShouldBeGreaterThanOrEqualTo(1,
                $"No initial-value OnDataChange for {fullRef} within 5s. " +
                $"Either MXAccess subscription failed silently or the Engine hasn't scanned yet.");
            // Drain the initial-value queue before writing so we count post-write deltas only.
            var initialCount = notifications.Count;
            // Write the toggled value. Engine scan + advisory fires the second callback.
            var w = await fixture.Driver!.WriteAsync([new(fullRef, toWrite)], cts.Token);
            w[0].StatusCode.ShouldBe(0u);
            await WaitForAsync(() => notifications.Count > initialCount, TimeSpan.FromSeconds(8), cts.Token);
            notifications.Count.ShouldBeGreaterThan(initialCount,
                $"OnDataChange did not fire after writing {toWrite} to {fullRef} within 8s.");
            // Find the post-write notification carrying the toggled value (initial value may
            // appear multiple times before the write commits — search the tail).
            var postWrite = notifications.ToArray().Reverse()
                .FirstOrDefault(n => n.StatusCode == 0u && Convert.ToBoolean(n.Value ?? false) == toWrite);
            postWrite.ShouldNotBe(default,
                $"No OnDataChange carrying the toggled value {toWrite} appeared in the queue: " +
                string.Join(",", notifications.Select(n => $"{n.Value}@{n.StatusCode:X8}")));
        }
        finally
        {
            fixture.Driver!.OnDataChange -= Handler;
            if (handle is not null)
            {
                try { await fixture.Driver!.UnsubscribeAsync(handle, cts.Token); } catch { /* swallow */ }
            }
            // Restore baseline.
            try { await fixture.Driver!.WriteAsync([new(fullRef, originalBool)], cts.Token); } catch { /* swallow */ }
        }
    }
    private static async Task WaitForAsync(Func<bool> predicate, TimeSpan budget, CancellationToken ct)
    {
        var deadline = DateTime.UtcNow + budget;
        while (DateTime.UtcNow < deadline)
        {
            if (predicate()) return;
            await Task.Delay(100, ct);
        }
    }
    /// <summary>
    ///     Minimal <see cref="IAddressSpaceBuilder"/> implementation that captures every
    ///     Variable() call into a flat list so tests can inspect what discovery produced
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205BcdQuirkTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205BcdQuirkTests.cs
@@ -0,0 +1,56 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies DL205/DL260 binary-coded-decimal register handling against the
 ///     <c>dl205.json</c> pymodbus profile. HR[1072] = 0x1234 on the profile represents
 ///     decimal 1234 (BCD nibbles). Reading it as <see cref="ModbusDataType.Int16"/> would
 ///     return 0x1234 = 4660; the <see cref="ModbusDataType.Bcd16"/> path decodes 1234.
 /// </summary>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205BcdQuirkTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL205_BCD16_decodes_HR1072_as_decimal_1234()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping (standard profile does not seed HR[1072]).");
        }
        var options = new ModbusDriverOptions
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags =
            [
                new ModbusTagDefinition("DL205_Count_Bcd",
                    ModbusRegion.HoldingRegisters, Address: 1072,
                    DataType: ModbusDataType.Bcd16, Writable: false),
                new ModbusTagDefinition("DL205_Count_Int16",
                    ModbusRegion.HoldingRegisters, Address: 1072,
                    DataType: ModbusDataType.Int16, Writable: false),
            ],
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-bcd");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL205_Count_Bcd", "DL205_Count_Int16"],
            TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe(1234, "DL205 BCD register 0x1234 represents decimal 1234 per the DirectLOGIC convention");
        results[1].StatusCode.ShouldBe(0u);
        results[1].Value.ShouldBe((short)0x1234, "same register read as Int16 returns the raw 0x1234 = 4660 value — proves BCD path is distinct");
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205CoilMappingTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205CoilMappingTests.cs
@@ -0,0 +1,109 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies DL260 I/O-memory coil mappings against the <c>dl205.json</c> pymodbus profile.
 ///     DirectLOGIC Y-outputs and C-relays are exposed to Modbus as FC01/FC05 coils, but at
 ///     non-zero base addresses that confuse operators used to "Y0 is the first coil". The sim
 ///     seeds Y0 → coil 2048 = ON and C0 → coil 3072 = ON as fixed markers.
 /// </summary>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205CoilMappingTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL260_Y0_maps_to_coil_2048()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping.");
        }
        var coil = DirectLogicAddress.YOutputToCoil("Y0");
        coil.ShouldBe((ushort)2048);
        var options = BuildOptions(sim, [
            new ModbusTagDefinition("DL260_Y0",
                ModbusRegion.Coils, Address: coil,
                DataType: ModbusDataType.Bool, Writable: false),
        ]);
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-y0");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL260_Y0"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe(true, "dl205.json seeds coil 2048 (Y0) = ON");
    }
    [Fact]
    public async Task DL260_C0_maps_to_coil_3072()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping.");
        }
        var coil = DirectLogicAddress.CRelayToCoil("C0");
        coil.ShouldBe((ushort)3072);
        var options = BuildOptions(sim, [
            new ModbusTagDefinition("DL260_C0",
                ModbusRegion.Coils, Address: coil,
                DataType: ModbusDataType.Bool, Writable: false),
        ]);
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-c0");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL260_C0"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe(true, "dl205.json seeds coil 3072 (C0) = ON");
    }
    [Fact]
    public async Task DL260_scratch_Crelay_supports_write_then_read()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping.");
        }
        // Scratch C-relay at coil 4000 (per dl205.json _quirk note) is writable. Write=true then
        // read back to confirm FC05 round-trip works against the DL-mapped coil bank.
        var options = BuildOptions(sim, [
            new ModbusTagDefinition("DL260_C_Scratch",
                ModbusRegion.Coils, Address: 4000,
                DataType: ModbusDataType.Bool, Writable: true),
        ]);
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-cscratch");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var writeResults = await driver.WriteAsync(
            [new(FullReference: "DL260_C_Scratch", Value: true)],
            TestContext.Current.CancellationToken);
        writeResults[0].StatusCode.ShouldBe(0u);
        var readResults = await driver.ReadAsync(["DL260_C_Scratch"], TestContext.Current.CancellationToken);
        readResults[0].StatusCode.ShouldBe(0u);
        readResults[0].Value.ShouldBe(true);
    }
    private static ModbusDriverOptions BuildOptions(ModbusSimulatorFixture sim, IReadOnlyList<ModbusTagDefinition> tags)
        => new()
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags = tags,
            Probe = new ModbusProbeOptions { Enabled = false },
        };
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205ExceptionCodeTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205ExceptionCodeTests.cs
@@ -0,0 +1,53 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies the driver's Modbus-exception → OPC UA StatusCode translation end-to-end
 ///     against the dl205.json pymodbus profile. pymodbus returns exception 02 (Illegal Data
 ///     Address) for reads outside the configured register ranges, matching real DL205/DL260
 ///     firmware behavior per <c>docs/v2/dl205.md</c> §exception-codes. The driver must surface
 ///     that as <c>BadOutOfRange</c> (0x803C0000) — not <c>BadInternalError</c> — so the
 ///     operator sees a tag-config diagnosis instead of a generic driver-fault message.
 /// </summary>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205ExceptionCodeTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL205_FC03_at_unmapped_register_returns_BadOutOfRange()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping.");
        }
        // Address 16383 is the last cell of hr-size=16384 in dl205.json; address 16384 is
        // beyond the configured HR range. pymodbus validates and returns exception 02
        // (Illegal Data Address).
        var options = new ModbusDriverOptions
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags =
            [
                new ModbusTagDefinition("Unmapped",
                    ModbusRegion.HoldingRegisters, Address: 16383,
                    DataType: ModbusDataType.UInt16, Writable: false),
            ],
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-exc");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["Unmapped"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0x803C0000u,
            "DL205 returns exception 02 for an FC03 at an unmapped register; driver must translate to BadOutOfRange (not BadInternalError)");
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205FloatCdabQuirkTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205FloatCdabQuirkTests.cs
@@ -0,0 +1,64 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies DL205/DL260 CDAB word ordering for 32-bit floats against the
 ///     <c>dl205.json</c> pymodbus profile. DirectLOGIC stores IEEE-754 singles with the low
 ///     word at the lower register address (CDAB) rather than the high word (ABCD). Reading
 ///     <c>HR[1056..1057]</c> with <see cref="ModbusByteOrder.BigEndian"/> produces a tiny
 ///     denormal (~5.74e-41) instead of the intended 1.5f — a silent "value is 0" bug in the
 ///     field unless the caller opts into <see cref="ModbusByteOrder.WordSwap"/>.
 /// </summary>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205FloatCdabQuirkTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL205_Float32_CDAB_decodes_1_5f_from_HR1056()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping (standard profile does not seed HR[1056..1057]).");
        }
        var options = new ModbusDriverOptions
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags =
            [
                new ModbusTagDefinition("DL205_Float_CDAB",
                    ModbusRegion.HoldingRegisters, Address: 1056,
                    DataType: ModbusDataType.Float32, Writable: false,
                    ByteOrder: ModbusByteOrder.WordSwap),
                // Control: same address, BigEndian — proves the default decode produces garbage.
                new ModbusTagDefinition("DL205_Float_ABCD",
                    ModbusRegion.HoldingRegisters, Address: 1056,
                    DataType: ModbusDataType.Float32, Writable: false,
                    ByteOrder: ModbusByteOrder.BigEndian),
            ],
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-cdab");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL205_Float_CDAB", "DL205_Float_ABCD"],
            TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe(1.5f, "DL205 Float32 with WordSwap (CDAB) must decode HR[1056..1057] as 1.5f");
        // The BigEndian read of the same wire bytes should differ — not asserting the exact
        // denormal value (that couples the test to IEEE-754 bit math) but the two decodes MUST
        // disagree, otherwise the word-order flag is a no-op.
        results[1].StatusCode.ShouldBe(0u);
        results[1].Value.ShouldNotBe(1.5f);
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205Profile.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205Profile.cs
@@ -1,26 +1,30 @@
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
-///     Tag map for the AutomationDirect DL205 device class. Mirrors what the ModbusPal
+///     Tag map for the AutomationDirect DL205 device class. Mirrors what the pymodbus
-///     <c>.xmpp</c> profile in <c>ModbusPal/DL205.xmpp</c> exposes (or the real PLC, when
+///     <c>dl205.json</c> profile in <c>Pymodbus/dl205.json</c> exposes (or the real PLC, when
 ///     <see cref="ModbusSimulatorFixture"/> is pointed at one).
 /// </summary>
 /// <remarks>
 ///     This is the scaffold — each tag is deliberately generic so the smoke test has stable
 ///     addresses to read. Device-specific quirk tests (word order, max-register, register-zero
 ///     access, etc.) will land in their own test classes alongside this profile as the user
-///     validates each behavior in ModbusPal; see <c>docs/v2/modbus-test-plan.md</c> §per-device
+///     validates each behavior in pymodbus; see <c>docs/v2/modbus-test-plan.md</c> §per-device
 ///     quirk catalog for the checklist.
 /// </remarks>
 public static class DL205Profile
 {
-    /// <summary>Holding register the smoke test reads. Address 100 sidesteps the DL205
+    /// <summary>
-    /// register-zero quirk (pending confirmation) — see modbus-test-plan.md.</summary>
+    ///     Holding register the smoke test writes + reads. Address 200 is the first cell of the
-    public const ushort SmokeHoldingRegister = 100;
+    ///     scratch HR range in both <c>Pymodbus/standard.json</c> (HR[200..209] = 0) and
    ///     <c>Pymodbus/dl205.json</c> (HR[4096..4103] added in PR 43 for the same purpose), so
    ///     the smoke test runs identically against either simulator profile. Originally
    ///     targeted HR[100] — moved to HR[200] when the standard profile claimed HR[100] as
    ///     the auto-incrementing register that drives subscribe-and-receive tests.
    /// </summary>
    public const ushort SmokeHoldingRegister = 200;
-    /// <summary>Expected value the ModbusPal profile seeds into register 100. When running
+    /// <summary>Value the smoke test writes then reads back to assert round-trip integrity.</summary>
    /// against a real DL205 (or a ModbusPal profile where this register is writable), the smoke
    /// test seeds this value first, then reads it back.</summary>
    public const short SmokeHoldingValue = 1234;
    public static ModbusDriverOptions BuildOptions(string host, int port) => new()
@@ -32,7 +36,7 @@ public static class DL205Profile
        Tags =
        [
            new ModbusTagDefinition(
-                Name: "DL205_Smoke_HReg100",
+                Name: "Smoke_HReg200",
                Region: ModbusRegion.HoldingRegisters,
                Address: SmokeHoldingRegister,
                DataType: ModbusDataType.Int16,
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205SmokeTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205SmokeTests.cs
@@ -38,13 +38,13 @@ public sealed class DL205SmokeTests(ModbusSimulatorFixture sim)
        // zeroed at simulator start, and tests must not depend on prior-test state per the
        // test-plan conventions.
        var writeResults = await driver.WriteAsync(
-            [new(FullReference: "DL205_Smoke_HReg100", Value: (short)DL205Profile.SmokeHoldingValue)],
+            [new(FullReference: "Smoke_HReg200", Value: (short)DL205Profile.SmokeHoldingValue)],
            TestContext.Current.CancellationToken);
        writeResults.Count.ShouldBe(1);
        writeResults[0].StatusCode.ShouldBe(0u, "write must succeed against the ModbusPal DL205 profile");
        var readResults = await driver.ReadAsync(
-            ["DL205_Smoke_HReg100"],
+            ["Smoke_HReg200"],
            TestContext.Current.CancellationToken);
        readResults.Count.ShouldBe(1);
        readResults[0].StatusCode.ShouldBe(0u);
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205StringQuirkTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205StringQuirkTests.cs
@@ -0,0 +1,81 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies the DL205/DL260 low-byte-first ASCII string packing quirk against the
 ///     <c>dl205.json</c> pymodbus profile. Standard Modbus packs the first char of each pair
 ///     in the high byte of the register; DirectLOGIC packs it in the low byte instead. Without
 ///     <see cref="ModbusStringByteOrder.LowByteFirst"/> the driver decodes "eHllo" garbage
 ///     even though the bytes on the wire are identical.
 /// </summary>
 /// <remarks>
 ///     <para>
 ///         Requires the dl205 profile (<c>Pymodbus\serve.ps1 -Profile dl205</c>). The standard
 ///         profile does not seed HR[1040..1042] with string bytes, so running this against the
 ///         standard profile returns <c>"\0\0\0\0\0"</c> and the test fails. Skip when the env
 ///         var <c>MODBUS_SIM_PROFILE</c> is not set to <c>dl205</c>.
 ///     </para>
 /// </remarks>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205StringQuirkTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL205_string_low_byte_first_decodes_Hello_from_HR1040()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping (standard profile does not seed HR[1040..1042]).");
        }
        var options = new ModbusDriverOptions
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags =
            [
                new ModbusTagDefinition(
                    Name: "DL205_Hello_Low",
                    Region: ModbusRegion.HoldingRegisters,
                    Address: 1040,
                    DataType: ModbusDataType.String,
                    Writable: false,
                    StringLength: 5,
                    StringByteOrder: ModbusStringByteOrder.LowByteFirst),
                // Control: same address, HighByteFirst, to prove the driver would have decoded
                // garbage without the quirk flag.
                new ModbusTagDefinition(
                    Name: "DL205_Hello_High",
                    Region: ModbusRegion.HoldingRegisters,
                    Address: 1040,
                    DataType: ModbusDataType.String,
                    Writable: false,
                    StringLength: 5,
                    StringByteOrder: ModbusStringByteOrder.HighByteFirst),
            ],
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-string");
        await driver.InitializeAsync(driverConfigJson: "{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL205_Hello_Low", "DL205_Hello_High"],
            TestContext.Current.CancellationToken);
        results.Count.ShouldBe(2);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe("Hello", "DL205 low-byte-first ordering must produce 'Hello' from HR[1040..1042]");
        // The high-byte-first read of the same wire bytes should differ — not asserting the
        // exact garbage string (that would couple the test to the ASCII byte math) but the two
        // decodes MUST disagree, otherwise the quirk flag is a no-op.
        results[1].StatusCode.ShouldBe(0u);
        results[1].Value.ShouldNotBe("Hello");
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205VMemoryQuirkTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205VMemoryQuirkTests.cs
@@ -0,0 +1,91 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies the DL205/DL260 V-memory octal addressing quirk end-to-end: use
 ///     <see cref="DirectLogicAddress.UserVMemoryToPdu"/> to translate <c>V2000</c> octal into
 ///     the Modbus PDU address actually dispatched, then read the marker the dl205.json profile
 ///     placed at that address. HR[0x0400] = 0x2000 proves the translation was performed
 ///     correctly — a naïve caller treating "V2000" as decimal 2000 would read HR[2000] (which
 ///     the profile leaves at 0) and miss the marker entirely.
 /// </summary>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205VMemoryQuirkTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL205_V2000_user_memory_resolves_to_PDU_0x0400_marker()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping (standard profile does not seed V-memory markers).");
        }
        var pdu = DirectLogicAddress.UserVMemoryToPdu("V2000");
        pdu.ShouldBe((ushort)0x0400);
        var options = new ModbusDriverOptions
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags =
            [
                new ModbusTagDefinition("DL205_V2000",
                    ModbusRegion.HoldingRegisters, Address: pdu,
                    DataType: ModbusDataType.UInt16, Writable: false),
            ],
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-vmem");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL205_V2000"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe((ushort)0x2000, "dl205.json seeds HR[0x0400] with marker 0x2000 (= V2000 value)");
    }
    [Fact]
    public async Task DL205_V40400_system_memory_resolves_to_PDU_0x2100_marker()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping.");
        }
        // V40400 is system memory on DL260 / H2-ECOM100 absolute mode; it does NOT follow the
        // simple octal-to-decimal formula (40400 octal = 16640 decimal, which would read HR[0x4100]).
        // The CPU places the system bank at PDU 0x2100 instead. Proving the helper routes there.
        var pdu = DirectLogicAddress.SystemVMemoryToPdu(0);
        pdu.ShouldBe((ushort)0x2100);
        var options = new ModbusDriverOptions
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags =
            [
                new ModbusTagDefinition("DL205_V40400",
                    ModbusRegion.HoldingRegisters, Address: pdu,
                    DataType: ModbusDataType.UInt16, Writable: false),
            ],
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-sysv");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL205_V40400"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe((ushort)0x4040, "dl205.json seeds HR[0x2100] with marker 0x4040 (= V40400 value)");
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205XInputTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205XInputTests.cs
@@ -0,0 +1,71 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 /// <summary>
 ///     Verifies the DL260 X-input discrete-input mapping against the <c>dl205.json</c>
 ///     pymodbus profile. X-inputs are FC02 discrete-input-only (Modbus doesn't allow writes
 ///     to discrete inputs), and the DirectLOGIC convention is X0 → DI 0 with octal offsets
 ///     for subsequent addresses. The sim seeds X20 octal (= DI 16) = ON so the test can
 ///     prove the helper routes through to the right cell.
 /// </summary>
 /// <remarks>
 ///     X0 / X1 / …X17 octal all share cell 0 (DI 0-15 → cell 0 bits 0-15) which conflicts
 ///     with the V0 uint16 marker; we can't seed both types at cell 0 under shared-blocks
 ///     semantics. So the test uses X20 octal (first address beyond the cell-0 boundary) which
 ///     lands cleanly at cell 1 bit 0 and leaves the V0 register-zero quirk intact.
 /// </remarks>
 [Collection(ModbusSimulatorCollection.Name)]
 [Trait("Category", "Integration")]
 [Trait("Device", "DL205")]
 public sealed class DL205XInputTests(ModbusSimulatorFixture sim)
 {
    [Fact]
    public async Task DL260_X20_octal_maps_to_DiscreteInput_16_and_reads_ON()
    {
        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
        if (!string.Equals(Environment.GetEnvironmentVariable("MODBUS_SIM_PROFILE"), "dl205",
                StringComparison.OrdinalIgnoreCase))
        {
            Assert.Skip("MODBUS_SIM_PROFILE != dl205 — skipping.");
        }
        // X20 octal = decimal 16 = DI 16 per the DL260 convention (X-inputs start at DI 0).
        var di = DirectLogicAddress.XInputToDiscrete("X20");
        di.ShouldBe((ushort)16);
        var options = BuildOptions(sim, [
            new ModbusTagDefinition("DL260_X20",
                ModbusRegion.DiscreteInputs, Address: di,
                DataType: ModbusDataType.Bool, Writable: false),
            // Unpopulated-X control: pymodbus returns 0 (not exception) for any bit in the
            // configured DI range that wasn't explicitly seeded — per docs/v2/dl205.md
            // "Reading a non-populated X input ... returns zero, not an exception".
            new ModbusTagDefinition("DL260_X21_off",
                ModbusRegion.DiscreteInputs, Address: DirectLogicAddress.XInputToDiscrete("X21"),
                DataType: ModbusDataType.Bool, Writable: false),
        ]);
        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-xinput");
        await driver.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await driver.ReadAsync(["DL260_X20", "DL260_X21_off"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        results[0].Value.ShouldBe(true, "dl205.json seeds cell 1 bit 0 (X20 octal = DI 16) = ON");
        results[1].StatusCode.ShouldBe(0u, "unpopulated X inputs must read cleanly — DL260 does NOT raise an exception");
        results[1].Value.ShouldBe(false);
    }
    private static ModbusDriverOptions BuildOptions(ModbusSimulatorFixture sim, IReadOnlyList<ModbusTagDefinition> tags)
        => new()
        {
            Host = sim.Host,
            Port = sim.Port,
            UnitId = 1,
            Timeout = TimeSpan.FromSeconds(2),
            Tags = tags,
            Probe = new ModbusProbeOptions { Enabled = false },
        };
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusPal/README.md
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusPal/README.md
@@ -1,30 +0,0 @@
 # ModbusPal simulator profiles
 Drop device-specific `.xmpp` profiles here. The integration tests connect to the
 endpoint in `MODBUS_SIM_ENDPOINT` (default `localhost:502`) and expect the
 simulator to already be running — tests do not launch ModbusPal themselves,
 because its Java GUI + JRE requirement is heavier than the harness is worth.
 ## Getting started
 1. Download ModbusPal from SourceForge (`modbuspal.jar`).
 2. `java -jar modbuspal.jar` to launch the GUI.
 3. Load a profile from this directory (or configure one manually) and start the
   simulator on TCP port 502.
 4. `dotnet test tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` — tests
   auto-skip with a clear `SkipReason` if the TCP probe at the configured
   endpoint fails within 2 seconds.
 ## Profile files
 - `DL205.xmpp` — _to be added_ — register map reflecting the AutomationDirect
  DL205 quirks tracked in `docs/v2/modbus-test-plan.md`. The scaffolded smoke
  test in `DL205/DL205SmokeTests.cs` needs holding register 100 writable and
  present; a minimal ModbusPal profile with a single holding-register bank at
  address 100 is sufficient.
 ## Environment variables
 - `MODBUS_SIM_ENDPOINT` — override the simulator endpoint. Accepts `host:port`;
  defaults to `localhost:502`. Useful when pointing the suite at a real PLC on
  the bench.
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusSimulatorFixture.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusSimulatorFixture.cs
@@ -3,8 +3,9 @@ using System.Net.Sockets;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
 /// <summary>
-///     Reachability probe for a Modbus TCP simulator (ModbusPal or a real PLC). Parses
+///     Reachability probe for a Modbus TCP simulator (pymodbus-driven, see
-///     <c>MODBUS_SIM_ENDPOINT</c> (default <c>localhost:502</c>) and TCP-connects once at
+///     <c>Pymodbus/serve.ps1</c>) or a real PLC. Parses
 ///     <c>MODBUS_SIM_ENDPOINT</c> (default <c>localhost:5020</c> per PR 43) and TCP-connects once at
 ///     fixture construction. Each test checks <see cref="SkipReason"/> and calls
 ///     <c>Assert.Skip</c> when the endpoint was unreachable, so a dev box without a running
 ///     simulator still passes `dotnet test` cleanly — matches the Galaxy live-smoke pattern in
@@ -25,7 +26,11 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
 /// </remarks>
 public sealed class ModbusSimulatorFixture : IAsyncDisposable
 {
-    private const string DefaultEndpoint = "localhost:502";
+    // PR 43: default port is 5020 (pymodbus convention) instead of 502 (Modbus standard).
    // Picking 5020 sidesteps the privileged-port admin requirement on Windows + matches the
    // port baked into the pymodbus simulator JSON profiles in Pymodbus/. Override with
    // MODBUS_SIM_ENDPOINT to point at a real PLC on its native port 502.
    private const string DefaultEndpoint = "localhost:5020";
    private const string EndpointEnvVar = "MODBUS_SIM_ENDPOINT";
    public string Host { get; }
@@ -41,18 +46,30 @@ public sealed class ModbusSimulatorFixture : IAsyncDisposable
        try
        {
-            using var client = new TcpClient();
+            // Force IPv4 family on the probe — pymodbus's TCP server binds 0.0.0.0 (IPv4 only)
-            var task = client.ConnectAsync(Host, Port);
+            // while .NET's TcpClient default-resolves "localhost" → IPv6 ::1 first, fails to
            // connect, and only then tries IPv4. Under .NET 10 the IPv6 fail surfaces as a
            // 2s timeout (no graceful fallback by default), so the C# probe times out even
            // though a PowerShell probe of the same endpoint succeeds. Resolving + dialing
            // explicit IPv4 sidesteps the dual-stack ordering.
            using var client = new TcpClient(System.Net.Sockets.AddressFamily.InterNetwork);
            var task = client.ConnectAsync(
                System.Net.Dns.GetHostAddresses(Host)
                    .FirstOrDefault(a => a.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
                    ?? System.Net.IPAddress.Loopback,
                Port);
            if (!task.Wait(TimeSpan.FromSeconds(2)) || !client.Connected)
            {
                SkipReason = $"Modbus simulator at {Host}:{Port} did not accept a TCP connection within 2s. " +
-                             $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+                             $"Start the pymodbus simulator (Pymodbus\\serve.ps1 -Profile standard) " +
                             $"or override {EndpointEnvVar}, then re-run.";
            }
        }
        catch (Exception ex)
        {
            SkipReason = $"Modbus simulator at {Host}:{Port} unreachable: {ex.GetType().Name}: {ex.Message}. " +
-                         $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+                         $"Start the pymodbus simulator (Pymodbus\\serve.ps1 -Profile standard) " +
                             $"or override {EndpointEnvVar}, then re-run.";
        }
    }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/README.md
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/README.md
@@ -0,0 +1,163 @@
 # pymodbus simulator profiles
 Two JSON-config profiles for pymodbus's `ModbusSimulatorServer`. Replaces the
 ModbusPal `.xmpp` profiles that lived here in PR 42 — pymodbus is headless,
 maintained, semantic about register layout, and pip-installable on Windows.
 | File | What it simulates | Test category |
 |---|---|---|
 | [`standard.json`](standard.json) | Generic Modbus TCP server — HR[0..31] = address-as-value, HR[100] declarative auto-increment via `"action": "increment"`, alternating coils, scratch ranges for write tests. | `Trait=Standard` |
 | [`dl205.json`](dl205.json) | AutomationDirect DirectLOGIC DL205 / DL260 quirks per [`docs/v2/dl205.md`](../../../docs/v2/dl205.md): low-byte-first string packing, CDAB Float32, BCD numerics, V-memory address markers, Y/C coil mappings. Inline `_quirk` comments per register name the behavior. | `Trait=DL205` |
 Both bind TCP **5020** (pymodbus convention; sidesteps the Windows admin
 requirement for privileged port 502). The integration-test fixture
 (`ModbusSimulatorFixture`) defaults to `localhost:5020` to match — override
 via `MODBUS_SIM_ENDPOINT` to point at a real PLC on its native port 502.
 Run only **one profile at a time** (they share TCP 5020).
 ## Install
 ```powershell
 pip install "pymodbus[simulator]==3.13.0"
 ```
 The `[simulator]` extra pulls in `aiohttp` for the optional web UI / REST API.
 Pinned to 3.13.0 for reproducibility — avoid 4.x dev releases until stabilized.
 Requires Python ≥ 3.10. Windows Firewall will prompt on first bind; allow
 Private network.
 ## Run
 Foreground (Ctrl+C to stop). Use the `serve.ps1` wrapper:
 ```powershell
 .\serve.ps1 -Profile standard
 .\serve.ps1 -Profile dl205
 ```
 Or invoke pymodbus directly:
 ```powershell
 pymodbus.simulator `
    --modbus_server srv `
    --modbus_device dev `
    --json_file .\standard.json `
    --http_port 8080
 ```
 Web UI at `http://localhost:8080` lets you inspect + poke registers manually.
 Pass `--no_http` (or `-HttpPort 0` to `serve.ps1`) to disable.
 ## Run the integration tests
 In a separate shell, with the simulator running:
 ```powershell
 cd C:\Users\dohertj2\Desktop\lmxopcua
 dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests
 ```
 Tests auto-skip with a clear `SkipReason` if `localhost:5020` isn't reachable
 within 2 seconds. Filter by trait when both profiles' tests coexist:
 ```powershell
 dotnet test ... --filter "Trait=Standard"
 dotnet test ... --filter "Trait=DL205"
 ```
 ## What's encoded in each profile
 ### standard.json
 - HR[0..31]: each register's value equals its address. Easy mental map.
 - HR[100]: `"action": "increment"` ticks 0..65535 on every register access — drives subscribe-and-receive tests so they have a register that changes without a write.
 - HR[200..209]: scratch range for write-roundtrip tests.
 - Coils[0..31]: alternating on/off (even=on).
 - Coils[100..109]: scratch.
 - All addresses 0..1023 are writable (`"write": [[0, 1023]]`).
 ### dl205.json (per `docs/v2/dl205.md`)
 | HR address | Quirk demonstrated | Raw value | Decoded |
 |---|---|---|---|
 | `0` (V0) | Register 0 is valid (rejects-register-0 rumour disproved) | `51966` (0xCAFE) | marker |
 | `1024` (V2000 octal) | V-memory octal-to-decimal mapping | `8192` (0x2000) | marker |
 | `8448` (V40400 octal) | V40400 → PDU 0x2100 (NOT register 0) | `16448` (0x4040) | marker |
 | `1040..1042` | String "Hello" packed first-char-low-byte | `25928, 27756, 111` | `"Hello"` |
 | `1056..1057` | Float32 1.5f in CDAB word order | `0, 16320` | `1.5f` |
 | `1072` | Decimal 1234 in BCD encoding | `4660` (0x1234) | `1234` |
 | `1280..1407` | 128-register block (FC03 cap = 128 above spec's 125) | first/last/mid markers; rest defaults to 0 | for FC03 cap test |
 | Coil address | Quirk demonstrated |
 |---|---|
 | `2048` | Y0 maps to coil 2048 (DL260 layout) |
 | `3072` | C0 maps to coil 3072 (DL260 layout) |
 | `4000..4007` | Scratch C-relay range for write-roundtrip tests |
 The DL260 X-input markers (FC02 discrete inputs) **are not encoded separately**
 because the profile uses `shared blocks: true` (matches DL series memory
 model) — coils/DI/HR/IR overlay the same word address space. Tests that
 target FC02 against this profile end up reading the same bit positions as
 the coils they share with.
 ## What's IN pymodbus that wasn't in ModbusPal
 - **All four standard tables** (HR, IR, coils, DI) configurable via `co size` / `di size` / `hr size` / `ir size` setup keys.
 - **Per-register raw uint16 seeding** — `{"addr": 1040, "value": 25928}` puts exactly that 16-bit value on the wire. No interpretation.
 - **Built-in actions**: `increment`, `random`, `timestamp`, `reset`, `uptime` for declarative dynamic registers. No Python script alongside the config required.
 - **Custom actions** — point `--custom_actions_module` at a `.py` file exposing callables to express anything more complex (per-second wall-clock ticks, BCD synthesis, etc.).
 - **Headless** — pure CLI process, no Java, no Swing. Pip-installable. Plays well with CI runners.
 - **Web UI / REST API** — `--http_port 8080` adds an aiohttp server for live inspection. Optional.
 - **Maintained** — current stable 3.13.0 (April 2026), active development on 4.0 dev branch.
 ## Trade-offs vs the hand-authored ModbusPal profiles
 - pymodbus's built-in `float32` type stores in pymodbus's word order; for explicit DL205 CDAB control we seed two raw `uint16` entries instead. Documented inline in `dl205.json`.
 - `increment` action ticks per-access, not wall-clock. A 250ms-poll integration test sees variation either way; for strict 1Hz cadence add `--custom_actions_module my_actions.py` with a `time.time()`-based callable.
 - `dl205.json` uses `shared blocks: true` because it matches DL series memory model; `standard.json` uses `shared blocks: false` so coils and HR address spaces are independent (more like a textbook PLC).
 ## File format reference
 ```json
 {
  "server_list": {
    "<server-name>": {
      "comm": "tcp",
      "host": "0.0.0.0",
      "port": 5020,
      "framer": "socket",
      "device_id": 1
    }
  },
  "device_list": {
    "<device-name>": {
      "setup": {
        "co size": N, "di size": N, "hr size": N, "ir size": N,
        "shared blocks": false,
        "type exception": false,
        "defaults": { "value": {...}, "action": {...} }
      },
      "invalid": [],
      "write": [[<from>, <to>]],
      "bits":    [{"addr": N, "value": 0|1}],
      "uint16":  [{"addr": N, "value": <0..65535>, "action"?: "increment", "parameters"?: {...}}],
      "uint32":  [{"addr": N, "value": <int>}],
      "float32": [{"addr": N, "value": <float>}],
      "string":  [{"addr": N, "value": "<text>"}],
      "repeat":  []
    }
  }
 }
 ```
 The CLI args `--modbus_server <server-name> --modbus_device <device-name>`
 pick which entries the simulator binds.
 ## References
 - [pymodbus on PyPI](https://pypi.org/project/pymodbus/) — install, version pin
 - [Simulator config docs](https://pymodbus.readthedocs.io/en/dev/source/library/simulator/config.html) — full schema reference
 - [Simulator REST API](https://pymodbus.readthedocs.io/en/latest/source/library/simulator/restapi.html) — for the optional web UI
 - [`docs/v2/dl205.md`](../../../docs/v2/dl205.md) — what each DL205 profile entry simulates
 - [`docs/v2/modbus-test-plan.md`](../../../docs/v2/modbus-test-plan.md) — the `DL205_<behavior>` test naming convention
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/dl205.json
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/dl205.json
@@ -0,0 +1,111 @@
 {
  "_comment": "DL205.json — DirectLOGIC DL205/DL260 quirk simulator. Models docs/v2/dl205.md as concrete register values. NOTE: pymodbus rejects unknown keys at device-list / setup level; explanatory comments live at top-level _comment + in README + git. Inline _quirk keys WITHIN individual register entries are accepted by pymodbus 3.13.0 (it only validates addr / value / action / parameters per entry). Each quirky uint16 is a pre-computed raw 16-bit value; pymodbus serves it verbatim. shared blocks=true matches DL series memory model. write list mirrors each seeded block — pymodbus rejects sweeping write ranges that include undefined cells.",
  "server_list": {
    "srv": {
      "comm": "tcp",
      "host": "0.0.0.0",
      "port": 5020,
      "framer": "socket",
      "device_id": 1
    }
  },
  "device_list": {
    "dev": {
      "setup": {
        "co size":    16384,
        "di size":     8192,
        "hr size":    16384,
        "ir size":     1024,
        "shared blocks": true,
        "type exception": false,
        "defaults": {
          "value":  {"bits": 0, "uint16": 0, "uint32": 0, "float32": 0.0, "string": " "},
          "action": {"bits": null, "uint16": null, "uint32": null, "float32": null, "string": null}
        }
      },
      "invalid": [],
      "write": [
        [0, 0],
        [200, 209],
        [1024, 1024],
        [1040, 1042],
        [1056, 1057],
        [1072, 1072],
        [1280, 1282],
        [1343, 1343],
        [1407, 1407],
        [1, 1],
        [128, 128],
        [192, 192],
        [250, 250],
        [8448, 8448]
      ],
      "uint16": [
        {"_quirk": "V0 marker. HR[0]=0xCAFE proves register 0 is valid on DL205/DL260 (rejects-register-0 was a DL05/DL06 relative-mode artefact). 0xCAFE = 51966.",
         "addr": 0,    "value": 51966},
        {"_quirk": "Scratch HR range 200..209 — mirrors the standard.json scratch range so the smoke test (DL205Profile.SmokeHoldingRegister=200) round-trips identically against either profile.",
         "addr": 200, "value": 0},
        {"addr": 201, "value": 0},
        {"addr": 202, "value": 0},
        {"addr": 203, "value": 0},
        {"addr": 204, "value": 0},
        {"addr": 205, "value": 0},
        {"addr": 206, "value": 0},
        {"addr": 207, "value": 0},
        {"addr": 208, "value": 0},
        {"addr": 209, "value": 0},
        {"_quirk": "V2000 marker. V2000 octal = decimal 1024 = PDU 0x0400. Marker 0x2000 = 8192.",
         "addr": 1024, "value": 8192},
        {"_quirk": "V40400 marker. V40400 octal = decimal 8448 = PDU 0x2100 (NOT register 0). Marker 0x4040 = 16448.",
         "addr": 8448, "value": 16448},
        {"_quirk": "String 'Hello' first char in LOW byte. HR[0x410] = 'H'(0x48) lo + 'e'(0x65) hi = 0x6548 = 25928.",
         "addr": 1040, "value": 25928},
        {"_quirk": "String 'Hello' second char-pair: 'l'(0x6C) lo + 'l'(0x6C) hi = 0x6C6C = 27756.",
         "addr": 1041, "value": 27756},
        {"_quirk": "String 'Hello' third char-pair: 'o'(0x6F) lo + null(0x00) hi = 0x006F = 111.",
         "addr": 1042, "value": 111},
        {"_quirk": "Float32 1.5f in CDAB word order. IEEE 754 1.5 = 0x3FC00000. CDAB = low word first: HR[0x420]=0x0000, HR[0x421]=0x3FC0=16320.",
         "addr": 1056, "value": 0},
        {"_quirk": "Float32 1.5f CDAB high word.",
         "addr": 1057, "value": 16320},
        {"_quirk": "BCD register. Decimal 1234 stored as BCD nibbles 0x1234 = 4660. NOT binary 1234 (= 0x04D2).",
         "addr": 1072, "value": 4660},
        {"_quirk": "FC03 cap test marker — first cell of a 128-register span the FC03 cap test reads. Other cells in the span aren't seeded explicitly, so reads of HR[1283..1342] / 1344..1406 return the default 0; the seeded markers at 1280, 1281, 1282, 1343, 1407 prove the span boundaries.",
         "addr": 1280, "value": 0},
        {"addr": 1281, "value": 1},
        {"addr": 1282, "value": 2},
        {"addr": 1343, "value": 63},
        {"addr": 1407, "value": 127}
      ],
      "bits": [
        {"_quirk": "X-input bank marker cell. X0 -> DI 0 conflicts with uint16 V0 at cell 0, so this marker covers X20 octal (= decimal 16 = DI 16 = cell 1 bit 0). X20=ON, X23 octal (DI 19 = cell 1 bit 3)=ON -> cell 1 value = 0b00001001 = 9.",
         "addr": 1, "value": 9},
        {"_quirk": "Y-output bank marker cell. pymodbus's simulator maps Modbus FC01/02/05 bit-addresses to cell index = bit_addr / 16; so Modbus coil 2048 lives at cell 128 bit 0. Y0=ON (bit 0), Y1=OFF (bit 1), Y2=ON (bit 2) -> value=0b00000101=5 proves DL260 mapping Y0 -> coil 2048.",
         "addr": 128, "value": 5},
        {"_quirk": "C-relay bank marker cell. Modbus coil 3072 -> cell 192 bit 0. C0=ON (bit 0), C1=OFF (bit 1), C2=ON (bit 2) -> value=5 proves DL260 mapping C0 -> coil 3072.",
         "addr": 192, "value": 5},
        {"_quirk": "Scratch cell for coil 4000..4015 write round-trip tests. Cell 250 holds Modbus coils 4000-4015; all bits start at 0 and tests set specific bits via FC05.",
         "addr": 250, "value": 0}
      ],
      "uint32":  [],
      "float32": [],
      "string":  [],
      "repeat":  []
    }
  }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/serve.ps1
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/serve.ps1
@@ -0,0 +1,60 @@
 <#
 .SYNOPSIS
    Launches the pymodbus simulator with one of the integration-test profiles
    (Standard or DL205). Foreground process — Ctrl+C to stop.
 .PARAMETER Profile
    Which simulator profile to run: 'standard' or 'dl205'. Both bind TCP 5020 by
    default so they can't run simultaneously on the same box.
 .PARAMETER HttpPort
    Port for pymodbus's optional web UI / REST API. Default 8080. Pass 0 to
    disable (passes --no_http).
 .EXAMPLE
    .\serve.ps1 -Profile standard
    Starts the standard server on TCP 5020 with web UI on 8080.
 .EXAMPLE
    .\serve.ps1 -Profile dl205 -HttpPort 0
    Starts the DL205 server on TCP 5020, no web UI.
 #>
 [CmdletBinding()]
 param(
    [Parameter(Mandatory)] [ValidateSet('standard', 'dl205')] [string]$Profile,
    [int]$HttpPort = 8080
 )
 $ErrorActionPreference = 'Stop'
 $here = $PSScriptRoot
 # Confirm pymodbus.simulator is on PATH — clearer message than the
 # 'CommandNotFoundException' dotnet style.
 $cmd = Get-Command pymodbus.simulator -ErrorAction SilentlyContinue
 if (-not $cmd) {
    Write-Error "pymodbus.simulator not found. Install with: pip install 'pymodbus[simulator]==3.13.0'"
    exit 1
 }
 $jsonFile = Join-Path $here "$Profile.json"
 if (-not (Test-Path $jsonFile)) {
    Write-Error "Profile config not found: $jsonFile"
    exit 1
 }
 $args = @(
    '--modbus_server', 'srv',
    '--modbus_device', 'dev',
    '--json_file',     $jsonFile
 )
 if ($HttpPort -gt 0) {
    $args += @('--http_port', $HttpPort)
    Write-Host "Web UI will be at http://localhost:$HttpPort"
 } else {
    $args += '--no_http'
 }
 Write-Host "Starting pymodbus simulator: profile=$Profile  TCP=localhost:5020"
 Write-Host "Ctrl+C to stop."
 & pymodbus.simulator @args
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/standard.json
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/standard.json
@@ -0,0 +1,97 @@
 {
  "_comment": "Standard.json — generic Modbus TCP server for the integration suite. See ../README.md. NOTE: pymodbus rejects unknown keys at device-list / setup level; explanatory comments live in the README + git history. Layout: HR[0..31]=address-as-value, HR[100]=auto-increment, HR[200..209]=scratch, coils 1024..1055=alternating, coils 1100..1109=scratch. Coils live at 1024+ because pymodbus stores all 4 standard tables in ONE underlying cell array — bits and uint16 at the same address conflict (each cell can only be typed once).",
  "server_list": {
    "srv": {
      "comm": "tcp",
      "host": "0.0.0.0",
      "port": 5020,
      "framer": "socket",
      "device_id": 1
    }
  },
  "device_list": {
    "dev": {
      "setup": {
        "co size": 2048,
        "di size": 2048,
        "hr size": 2048,
        "ir size": 2048,
        "shared blocks": true,
        "type exception": false,
        "defaults": {
          "value":  {"bits": 0, "uint16": 0, "uint32": 0, "float32": 0.0, "string": " "},
          "action": {"bits": null, "uint16": null, "uint32": null, "float32": null, "string": null}
        }
      },
      "invalid": [],
      "write": [
        [0, 31],
        [100, 100],
        [200, 209],
        [1024, 1055],
        [1100, 1109]
      ],
      "uint16": [
        {"addr":  0, "value":  0}, {"addr":  1, "value":  1},
        {"addr":  2, "value":  2}, {"addr":  3, "value":  3},
        {"addr":  4, "value":  4}, {"addr":  5, "value":  5},
        {"addr":  6, "value":  6}, {"addr":  7, "value":  7},
        {"addr":  8, "value":  8}, {"addr":  9, "value":  9},
        {"addr": 10, "value": 10}, {"addr": 11, "value": 11},
        {"addr": 12, "value": 12}, {"addr": 13, "value": 13},
        {"addr": 14, "value": 14}, {"addr": 15, "value": 15},
        {"addr": 16, "value": 16}, {"addr": 17, "value": 17},
        {"addr": 18, "value": 18}, {"addr": 19, "value": 19},
        {"addr": 20, "value": 20}, {"addr": 21, "value": 21},
        {"addr": 22, "value": 22}, {"addr": 23, "value": 23},
        {"addr": 24, "value": 24}, {"addr": 25, "value": 25},
        {"addr": 26, "value": 26}, {"addr": 27, "value": 27},
        {"addr": 28, "value": 28}, {"addr": 29, "value": 29},
        {"addr": 30, "value": 30}, {"addr": 31, "value": 31},
        {"addr": 100, "value": 0,
         "action": "increment",
         "parameters": {"minval": 0, "maxval": 65535}},
        {"addr": 200, "value": 0}, {"addr": 201, "value": 0},
        {"addr": 202, "value": 0}, {"addr": 203, "value": 0},
        {"addr": 204, "value": 0}, {"addr": 205, "value": 0},
        {"addr": 206, "value": 0}, {"addr": 207, "value": 0},
        {"addr": 208, "value": 0}, {"addr": 209, "value": 0}
      ],
      "bits": [
        {"addr": 1024, "value": 1}, {"addr": 1025, "value": 0},
        {"addr": 1026, "value": 1}, {"addr": 1027, "value": 0},
        {"addr": 1028, "value": 1}, {"addr": 1029, "value": 0},
        {"addr": 1030, "value": 1}, {"addr": 1031, "value": 0},
        {"addr": 1032, "value": 1}, {"addr": 1033, "value": 0},
        {"addr": 1034, "value": 1}, {"addr": 1035, "value": 0},
        {"addr": 1036, "value": 1}, {"addr": 1037, "value": 0},
        {"addr": 1038, "value": 1}, {"addr": 1039, "value": 0},
        {"addr": 1040, "value": 1}, {"addr": 1041, "value": 0},
        {"addr": 1042, "value": 1}, {"addr": 1043, "value": 0},
        {"addr": 1044, "value": 1}, {"addr": 1045, "value": 0},
        {"addr": 1046, "value": 1}, {"addr": 1047, "value": 0},
        {"addr": 1048, "value": 1}, {"addr": 1049, "value": 0},
        {"addr": 1050, "value": 1}, {"addr": 1051, "value": 0},
        {"addr": 1052, "value": 1}, {"addr": 1053, "value": 0},
        {"addr": 1054, "value": 1}, {"addr": 1055, "value": 0},
        {"addr": 1100, "value": 0}, {"addr": 1101, "value": 0},
        {"addr": 1102, "value": 0}, {"addr": 1103, "value": 0},
        {"addr": 1104, "value": 0}, {"addr": 1105, "value": 0},
        {"addr": 1106, "value": 0}, {"addr": 1107, "value": 0},
        {"addr": 1108, "value": 0}, {"addr": 1109, "value": 0}
      ],
      "uint32":  [],
      "float32": [],
      "string":  [],
      "repeat":  []
    }
  }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj
@@ -24,7 +24,7 @@
    </ItemGroup>
    <ItemGroup>
-        <None Update="ModbusPal\**\*" CopyToOutputDirectory="PreserveNewest"/>
+        <None Update="Pymodbus\**\*" CopyToOutputDirectory="PreserveNewest"/>
        <None Update="DL205\**\*" CopyToOutputDirectory="PreserveNewest"/>
    </ItemGroup>
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/DirectLogicAddressTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/DirectLogicAddressTests.cs
@@ -0,0 +1,139 @@
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
 [Trait("Category", "Unit")]
 public sealed class DirectLogicAddressTests
 {
    [Theory]
    [InlineData("V0", (ushort)0x0000)]
    [InlineData("V1", (ushort)0x0001)]
    [InlineData("V7", (ushort)0x0007)]
    [InlineData("V10", (ushort)0x0008)]
    [InlineData("V2000", (ushort)0x0400)]  // canonical DL205/DL260 user-memory start
    [InlineData("V7777", (ushort)0x0FFF)]
    [InlineData("V10000", (ushort)0x1000)]
    [InlineData("V17777", (ushort)0x1FFF)]
    public void UserVMemoryToPdu_converts_octal_V_prefix(string v, ushort expected)
        => DirectLogicAddress.UserVMemoryToPdu(v).ShouldBe(expected);
    [Theory]
    [InlineData("0", (ushort)0)]
    [InlineData("2000", (ushort)0x0400)]
    [InlineData("v2000", (ushort)0x0400)]   // lowercase v
    [InlineData(" V2000 ", (ushort)0x0400)] // surrounding whitespace
    public void UserVMemoryToPdu_accepts_bare_or_prefixed_or_padded(string v, ushort expected)
        => DirectLogicAddress.UserVMemoryToPdu(v).ShouldBe(expected);
    [Theory]
    [InlineData("V8")]     // 8 is not a valid octal digit
    [InlineData("V19")]
    [InlineData("V2009")]
    public void UserVMemoryToPdu_rejects_non_octal_digits(string v)
    {
        Should.Throw<ArgumentException>(() => DirectLogicAddress.UserVMemoryToPdu(v))
            .Message.ShouldContain("octal");
    }
    [Theory]
    [InlineData(null)]
    [InlineData("")]
    [InlineData("   ")]
    [InlineData("V")]
    public void UserVMemoryToPdu_rejects_empty_input(string? v)
        => Should.Throw<ArgumentException>(() => DirectLogicAddress.UserVMemoryToPdu(v!));
    [Fact]
    public void UserVMemoryToPdu_overflow_rejected()
    {
        // 200000 octal = 0x10000 — one past ushort range.
        Should.Throw<OverflowException>(() => DirectLogicAddress.UserVMemoryToPdu("V200000"));
    }
    [Fact]
    public void SystemVMemoryBasePdu_is_0x2100_for_V40400()
    {
        // V40400 on DL260 / H2-ECOM100 absolute mode → PDU 0x2100 (decimal 8448), NOT 0x4100
        // which a naive octal-to-decimal of 40400 octal would give (= 16640).
        DirectLogicAddress.SystemVMemoryBasePdu.ShouldBe((ushort)0x2100);
        DirectLogicAddress.SystemVMemoryToPdu(0).ShouldBe((ushort)0x2100);
    }
    [Fact]
    public void SystemVMemoryToPdu_offsets_within_bank()
    {
        DirectLogicAddress.SystemVMemoryToPdu(1).ShouldBe((ushort)0x2101);
        DirectLogicAddress.SystemVMemoryToPdu(0x100).ShouldBe((ushort)0x2200);
    }
    [Fact]
    public void SystemVMemoryToPdu_rejects_overflow()
    {
        // ushort wrap: 0xFFFF - 0x2100 = 0xDEFF; anything above should throw.
        Should.NotThrow(() => DirectLogicAddress.SystemVMemoryToPdu(0xDEFF));
        Should.Throw<OverflowException>(() => DirectLogicAddress.SystemVMemoryToPdu(0xDF00));
    }
    // --- Bit memory: Y-output, C-relay, X-input, SP-special ---
    [Theory]
    [InlineData("Y0", (ushort)2048)]
    [InlineData("Y1", (ushort)2049)]
    [InlineData("Y7", (ushort)2055)]
    [InlineData("Y10", (ushort)2056)]    // octal 10 = decimal 8
    [InlineData("Y17", (ushort)2063)]    // octal 17 = decimal 15
    [InlineData("Y777", (ushort)2559)]   // top of DL260 Y range per doc table
    public void YOutputToCoil_adds_octal_offset_to_2048(string y, ushort expected)
        => DirectLogicAddress.YOutputToCoil(y).ShouldBe(expected);
    [Theory]
    [InlineData("C0", (ushort)3072)]
    [InlineData("C1", (ushort)3073)]
    [InlineData("C10", (ushort)3080)]
    [InlineData("C1777", (ushort)4095)]  // top of DL260 C range
    public void CRelayToCoil_adds_octal_offset_to_3072(string c, ushort expected)
        => DirectLogicAddress.CRelayToCoil(c).ShouldBe(expected);
    [Theory]
    [InlineData("X0", (ushort)0)]
    [InlineData("X17", (ushort)15)]
    [InlineData("X777", (ushort)511)]    // top of DL260 X range
    public void XInputToDiscrete_adds_octal_offset_to_0(string x, ushort expected)
        => DirectLogicAddress.XInputToDiscrete(x).ShouldBe(expected);
    [Theory]
    [InlineData("SP0", (ushort)1024)]
    [InlineData("SP7", (ushort)1031)]
    [InlineData("sp0", (ushort)1024)]     // lowercase prefix
    [InlineData("SP777", (ushort)1535)]
    public void SpecialToDiscrete_adds_octal_offset_to_1024(string sp, ushort expected)
        => DirectLogicAddress.SpecialToDiscrete(sp).ShouldBe(expected);
    [Theory]
    [InlineData("Y8")]
    [InlineData("C9")]
    [InlineData("X18")]
    public void Bit_address_rejects_non_octal_digits(string bad)
        => Should.Throw<ArgumentException>(() =>
        {
            if (bad[0] == 'Y') DirectLogicAddress.YOutputToCoil(bad);
            else if (bad[0] == 'C') DirectLogicAddress.CRelayToCoil(bad);
            else DirectLogicAddress.XInputToDiscrete(bad);
        });
    [Theory]
    [InlineData("Y")]
    [InlineData("C")]
    [InlineData("")]
    public void Bit_address_rejects_empty(string bad)
        => Should.Throw<ArgumentException>(() => DirectLogicAddress.YOutputToCoil(bad));
    [Fact]
    public void YOutputToCoil_accepts_lowercase_prefix()
        => DirectLogicAddress.YOutputToCoil("y0").ShouldBe((ushort)2048);
    [Fact]
    public void CRelayToCoil_accepts_bare_octal_without_C_prefix()
        => DirectLogicAddress.CRelayToCoil("0").ShouldBe((ushort)3072);
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusCapTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusCapTests.cs
@@ -0,0 +1,165 @@
 using Shouldly;
 using Xunit;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
 [Trait("Category", "Unit")]
 public sealed class ModbusCapTests
 {
    /// <summary>
    ///     Records every PDU sent so tests can assert request-count and per-request quantity —
    ///     the only observable behaviour of the auto-chunking path.
    /// </summary>
    private sealed class RecordingTransport : IModbusTransport
    {
        public readonly ushort[] HoldingRegisters = new ushort[1024];
        public readonly List<(ushort Address, ushort Quantity)> Fc03Requests = new();
        public readonly List<(ushort Address, ushort Quantity)> Fc16Requests = new();
        public Task ConnectAsync(CancellationToken ct) => Task.CompletedTask;
        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
        {
            var fc = pdu[0];
            if (fc == 0x03)
            {
                var addr = (ushort)((pdu[1] << 8) | pdu[2]);
                var qty = (ushort)((pdu[3] << 8) | pdu[4]);
                Fc03Requests.Add((addr, qty));
                var byteCount = (byte)(qty * 2);
                var resp = new byte[2 + byteCount];
                resp[0] = 0x03;
                resp[1] = byteCount;
                for (var i = 0; i < qty; i++)
                {
                    resp[2 + i * 2] = (byte)(HoldingRegisters[addr + i] >> 8);
                    resp[3 + i * 2] = (byte)(HoldingRegisters[addr + i] & 0xFF);
                }
                return Task.FromResult(resp);
            }
            if (fc == 0x10)
            {
                var addr = (ushort)((pdu[1] << 8) | pdu[2]);
                var qty = (ushort)((pdu[3] << 8) | pdu[4]);
                Fc16Requests.Add((addr, qty));
                for (var i = 0; i < qty; i++)
                    HoldingRegisters[addr + i] = (ushort)((pdu[6 + i * 2] << 8) | pdu[7 + i * 2]);
                return Task.FromResult(new byte[] { 0x10, pdu[1], pdu[2], pdu[3], pdu[4] });
            }
            return Task.FromException<byte[]>(new ModbusException(fc, 0x01, $"fc={fc} unsupported"));
        }
        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
    }
    [Fact]
    public async Task Read_within_cap_issues_single_FC03_request()
    {
        var tag = new ModbusTagDefinition("S", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 40); // 20 regs — fits in default cap (125).
        var transport = new RecordingTransport();
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        _ = await drv.ReadAsync(["S"], TestContext.Current.CancellationToken);
        transport.Fc03Requests.Count.ShouldBe(1);
        transport.Fc03Requests[0].Quantity.ShouldBe((ushort)20);
    }
    [Fact]
    public async Task Read_above_cap_splits_into_two_FC03_requests()
    {
        // 240-char string = 120 regs. Cap = 100 (a typical sub-spec device cap). Expect 100 + 20.
        var tag = new ModbusTagDefinition("LongString", ModbusRegion.HoldingRegisters, 100, ModbusDataType.String,
            StringLength: 240);
        var transport = new RecordingTransport();
        // Seed cells so the re-assembled payload is stable — confirms chunks are stitched in order.
        for (ushort i = 100; i < 100 + 120; i++)
            transport.HoldingRegisters[i] = (ushort)((('A' + (i - 100) % 26) << 8) | ('A' + (i - 100) % 26));
        var opts = new ModbusDriverOptions
        {
            Host = "fake",
            Tags = [tag],
            MaxRegistersPerRead = 100,
            Probe = new ModbusProbeOptions { Enabled = false },
        };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await drv.ReadAsync(["LongString"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        transport.Fc03Requests.Count.ShouldBe(2, "120 regs / cap 100 → 2 requests");
        transport.Fc03Requests[0].ShouldBe(((ushort)100, (ushort)100));
        transport.Fc03Requests[1].ShouldBe(((ushort)200, (ushort)20));
        // Payload continuity: re-assembled string starts where register 100 does and keeps going.
        var s = (string)results[0].Value!;
        s.Length.ShouldBeGreaterThan(0);
        s[0].ShouldBe('A'); // register[100] high byte
    }
    [Fact]
    public async Task Read_cap_honors_Mitsubishi_lower_cap_of_64()
    {
        // 200-char string = 100 regs. Mitsubishi Q cap = 64. Expect: 64, 36.
        var tag = new ModbusTagDefinition("MitString", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 200);
        var transport = new RecordingTransport();
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], MaxRegistersPerRead = 64, Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        _ = await drv.ReadAsync(["MitString"], TestContext.Current.CancellationToken);
        transport.Fc03Requests.Count.ShouldBe(2);
        transport.Fc03Requests[0].Quantity.ShouldBe((ushort)64);
        transport.Fc03Requests[1].Quantity.ShouldBe((ushort)36);
    }
    [Fact]
    public async Task Write_exceeding_cap_throws_instead_of_splitting()
    {
        // Partial FC16 across two transactions is not atomic. Forcing an explicit exception so the
        // caller knows their tag definition is incompatible with the device cap rather than silently
        // writing half a string and crashing between chunks.
        var tag = new ModbusTagDefinition("LongStringWrite", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 220); // 110 regs.
        var transport = new RecordingTransport();
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], MaxRegistersPerWrite = 100, Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await drv.WriteAsync(
            [new WriteRequest("LongStringWrite", new string('A', 220))],
            TestContext.Current.CancellationToken);
        // Driver catches the internal exception and surfaces BadInternalError — the Fc16Requests
        // list must still be empty because nothing was sent.
        results[0].StatusCode.ShouldNotBe(0u);
        transport.Fc16Requests.Count.ShouldBe(0);
    }
    [Fact]
    public async Task Write_within_cap_proceeds_normally()
    {
        var tag = new ModbusTagDefinition("ShortStringWrite", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 40); // 20 regs.
        var transport = new RecordingTransport();
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], MaxRegistersPerWrite = 100, Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await drv.WriteAsync(
            [new WriteRequest("ShortStringWrite", "HELLO")],
            TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0u);
        transport.Fc16Requests.Count.ShouldBe(1);
        transport.Fc16Requests[0].Quantity.ShouldBe((ushort)20);
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusDataTypeTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusDataTypeTests.cs
@@ -172,4 +172,144 @@ public sealed class ModbusDataTypeTests
        wire[1].ShouldBe((byte)'i');
        for (var i = 2; i < 8; i++) wire[i].ShouldBe((byte)0);
    }
    // --- DL205 low-byte-first strings (AutomationDirect DirectLOGIC quirk) ---
    [Fact]
    public void String_LowByteFirst_decodes_DL205_packed_Hello()
    {
        // HR[1040] = 0x6548 (wire BE bytes [0x65, 0x48]) decodes first char from low byte = 'H',
        // second from high byte = 'e'. HR[1041] = 0x6C6C → 'l','l'. HR[1042] = 0x006F → 'o', nul.
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 5, StringByteOrder: ModbusStringByteOrder.LowByteFirst);
        var wire = new byte[] { 0x65, 0x48, 0x6C, 0x6C, 0x00, 0x6F };
        ModbusDriver.DecodeRegister(wire, tag).ShouldBe("Hello");
    }
    [Fact]
    public void String_LowByteFirst_decode_truncates_at_first_nul()
    {
        // Low-byte-first with only 2 real chars in register 0 (lo='H', hi='i') and the rest nul.
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 6, StringByteOrder: ModbusStringByteOrder.LowByteFirst);
        var wire = new byte[] { 0x69, 0x48, 0x00, 0x00, 0x00, 0x00 };
        ModbusDriver.DecodeRegister(wire, tag).ShouldBe("Hi");
    }
    [Fact]
    public void String_LowByteFirst_encode_round_trips_with_decode()
    {
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 5, StringByteOrder: ModbusStringByteOrder.LowByteFirst);
        var wire = ModbusDriver.EncodeRegister("Hello", tag);
        // Expect exactly the DL205-documented byte sequence.
        wire.ShouldBe(new byte[] { 0x65, 0x48, 0x6C, 0x6C, 0x00, 0x6F });
        ModbusDriver.DecodeRegister(wire, tag).ShouldBe("Hello");
    }
    [Fact]
    public void String_HighByteFirst_and_LowByteFirst_differ_on_same_wire()
    {
        // Same wire buffer, different byte order → first char switches 'H' vs 'e'.
        var wire = new byte[] { 0x48, 0x65 };
        var hi = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 2, StringByteOrder: ModbusStringByteOrder.HighByteFirst);
        var lo = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
            StringLength: 2, StringByteOrder: ModbusStringByteOrder.LowByteFirst);
        ModbusDriver.DecodeRegister(wire, hi).ShouldBe("He");
        ModbusDriver.DecodeRegister(wire, lo).ShouldBe("eH");
    }
    // --- BCD (binary-coded decimal, DL205/DL260 default numeric encoding) ---
    [Theory]
    [InlineData(0x0000u, 0u)]
    [InlineData(0x0001u, 1u)]
    [InlineData(0x0009u, 9u)]
    [InlineData(0x0010u, 10u)]
    [InlineData(0x1234u, 1234u)]
    [InlineData(0x9999u, 9999u)]
    public void DecodeBcd_16_bit_decodes_expected_decimal(uint raw, uint expected)
        => ModbusDriver.DecodeBcd(raw, nibbles: 4).ShouldBe(expected);
    [Fact]
    public void DecodeBcd_rejects_nibbles_above_nine()
    {
        Should.Throw<InvalidDataException>(() => ModbusDriver.DecodeBcd(0x00A5u, nibbles: 4))
            .Message.ShouldContain("Non-BCD nibble");
    }
    [Theory]
    [InlineData(0u, 0x0000u)]
    [InlineData(5u, 0x0005u)]
    [InlineData(42u, 0x0042u)]
    [InlineData(1234u, 0x1234u)]
    [InlineData(9999u, 0x9999u)]
    public void EncodeBcd_16_bit_encodes_expected_nibbles(uint value, uint expected)
        => ModbusDriver.EncodeBcd(value, nibbles: 4).ShouldBe(expected);
    [Fact]
    public void Bcd16_decodes_DL205_register_1234_as_decimal_1234()
    {
        // HR[1072] = 0x1234 on the DL205 profile represents decimal 1234. A plain Int16 decode
        // would return 0x04D2 = 4660 — proof the BCD path is different.
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd16);
        ModbusDriver.DecodeRegister(new byte[] { 0x12, 0x34 }, tag).ShouldBe(1234);
        var int16Tag = tag with { DataType = ModbusDataType.Int16 };
        ModbusDriver.DecodeRegister(new byte[] { 0x12, 0x34 }, int16Tag).ShouldBe((short)0x1234);
    }
    [Fact]
    public void Bcd16_encode_round_trips_with_decode()
    {
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd16);
        var wire = ModbusDriver.EncodeRegister(4321, tag);
        wire.ShouldBe(new byte[] { 0x43, 0x21 });
        ModbusDriver.DecodeRegister(wire, tag).ShouldBe(4321);
    }
    [Fact]
    public void Bcd16_encode_rejects_out_of_range_values()
    {
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd16);
        Should.Throw<OverflowException>(() => ModbusDriver.EncodeRegister(10000, tag))
            .Message.ShouldContain("4 decimal digits");
    }
    [Fact]
    public void Bcd32_decodes_8_digits_big_endian()
    {
        // 0x12345678 as BCD = decimal 12_345_678.
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd32);
        ModbusDriver.DecodeRegister(new byte[] { 0x12, 0x34, 0x56, 0x78 }, tag).ShouldBe(12_345_678);
    }
    [Fact]
    public void Bcd32_word_swap_handles_CDAB_layout()
    {
        // PLC stored 12_345_678 with word swap: low-word 0x5678 first, high-word 0x1234 second.
        // Wire bytes [0x56, 0x78, 0x12, 0x34] + WordSwap → decode to decimal 12_345_678.
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd32,
            ByteOrder: ModbusByteOrder.WordSwap);
        ModbusDriver.DecodeRegister(new byte[] { 0x56, 0x78, 0x12, 0x34 }, tag).ShouldBe(12_345_678);
    }
    [Fact]
    public void Bcd32_encode_round_trips_with_decode()
    {
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd32);
        var wire = ModbusDriver.EncodeRegister(87_654_321u, tag);
        wire.ShouldBe(new byte[] { 0x87, 0x65, 0x43, 0x21 });
        ModbusDriver.DecodeRegister(wire, tag).ShouldBe(87_654_321);
    }
    [Fact]
    public void Bcd_RegisterCount_matches_underlying_width()
    {
        var b16 = new ModbusTagDefinition("A", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd16);
        var b32 = new ModbusTagDefinition("B", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Bcd32);
        ModbusDriver.RegisterCount(b16).ShouldBe((ushort)1);
        ModbusDriver.RegisterCount(b32).ShouldBe((ushort)2);
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusExceptionMapperTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusExceptionMapperTests.cs
@@ -0,0 +1,88 @@
 using Shouldly;
 using Xunit;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
 /// <summary>
 ///     Unit tests for the Modbus-exception-code → OPC UA StatusCode mapping added in PR 52.
 ///     Before PR 52 every server exception + every transport failure collapsed to
 ///     BadInternalError (0x80020000), which made field diagnosis "is this a bad tag or a bad
 ///     driver?" impossible. These tests lock in the translation table documented on
 ///     <see cref="ModbusDriver.MapModbusExceptionToStatus"/>.
 /// </summary>
 [Trait("Category", "Unit")]
 public sealed class ModbusExceptionMapperTests
 {
    [Theory]
    [InlineData((byte)0x01, 0x803D0000u)] // Illegal Function → BadNotSupported
    [InlineData((byte)0x02, 0x803C0000u)] // Illegal Data Address → BadOutOfRange
    [InlineData((byte)0x03, 0x803C0000u)] // Illegal Data Value → BadOutOfRange
    [InlineData((byte)0x04, 0x80550000u)] // Server Failure → BadDeviceFailure
    [InlineData((byte)0x05, 0x80550000u)] // Acknowledge (long op) → BadDeviceFailure
    [InlineData((byte)0x06, 0x80550000u)] // Server Busy → BadDeviceFailure
    [InlineData((byte)0x0A, 0x80050000u)] // Gateway path unavailable → BadCommunicationError
    [InlineData((byte)0x0B, 0x80050000u)] // Gateway target failed to respond → BadCommunicationError
    [InlineData((byte)0xFF, 0x80020000u)] // Unknown code → BadInternalError fallback
    public void MapModbusExceptionToStatus_returns_informative_status(byte code, uint expected)
        => ModbusDriver.MapModbusExceptionToStatus(code).ShouldBe(expected);
    private sealed class ExceptionRaisingTransport(byte exceptionCode) : IModbusTransport
    {
        public Task ConnectAsync(CancellationToken ct) => Task.CompletedTask;
        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
            => Task.FromException<byte[]>(new ModbusException(pdu[0], exceptionCode, $"fc={pdu[0]} code={exceptionCode}"));
        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
    }
    [Fact]
    public async Task Read_surface_exception_02_as_BadOutOfRange_not_BadInternalError()
    {
        var transport = new ExceptionRaisingTransport(exceptionCode: 0x02);
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16);
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await drv.ReadAsync(["T"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0x803C0000u, "FC03 at an unmapped register must bubble out as BadOutOfRange so operators can spot a bad tag config");
    }
    [Fact]
    public async Task Write_surface_exception_04_as_BadDeviceFailure()
    {
        var transport = new ExceptionRaisingTransport(exceptionCode: 0x04);
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16);
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => transport);
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var writes = await drv.WriteAsync(
            [new WriteRequest("T", (short)42)],
            TestContext.Current.CancellationToken);
        writes[0].StatusCode.ShouldBe(0x80550000u, "FC06 returning exception 04 (CPU in PROGRAM mode) maps to BadDeviceFailure");
    }
    private sealed class NonModbusFailureTransport : IModbusTransport
    {
        public Task ConnectAsync(CancellationToken ct) => Task.CompletedTask;
        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
            => Task.FromException<byte[]>(new EndOfStreamException("socket closed mid-response"));
        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
    }
    [Fact]
    public async Task Read_non_modbus_failure_maps_to_BadCommunicationError_not_BadInternalError()
    {
        // Socket drop / timeout / malformed frame → transport-layer failure. Should surface
        // distinctly from tag-level faults so operators know to check the network, not the config.
        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16);
        var opts = new ModbusDriverOptions { Host = "fake", Tags = [tag], Probe = new ModbusProbeOptions { Enabled = false } };
        await using var drv = new ModbusDriver(opts, "modbus-1", _ => new NonModbusFailureTransport());
        await drv.InitializeAsync("{}", TestContext.Current.CancellationToken);
        var results = await drv.ReadAsync(["T"], TestContext.Current.CancellationToken);
        results[0].StatusCode.ShouldBe(0x80050000u);
    }
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusTcpReconnectTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusTcpReconnectTests.cs
@@ -0,0 +1,146 @@
 using System.Net;
 using System.Net.Sockets;
 using Shouldly;
 using Xunit;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
 /// <summary>
 ///     Exercises <see cref="ModbusTcpTransport"/> against a real TCP listener that can close
 ///     its socket mid-session on demand. Verifies the PR 53 reconnect-on-drop behavior: after
 ///     the "first" socket is forcibly torn down, the next SendAsync must re-establish the
 ///     connection and complete the PDU without bubbling an error to the caller.
 /// </summary>
 [Trait("Category", "Unit")]
 public sealed class ModbusTcpReconnectTests
 {
    /// <summary>
    ///     Minimal in-process Modbus-TCP stub. Accepts one TCP connection at a time, reads an
    ///     MBAP + PDU, replies with a canned FC03 response echoing the request quantity of
    ///     zeroed bytes, then optionally closes the socket to simulate a NAT/firewall drop.
    /// </summary>
    private sealed class FlakeyModbusServer : IAsyncDisposable
    {
        private readonly TcpListener _listener;
        public int Port => ((IPEndPoint)_listener.LocalEndpoint).Port;
        public int DropAfterNTransactions { get; set; } = int.MaxValue;
        private readonly CancellationTokenSource _stop = new();
        private int _txCount;
        public FlakeyModbusServer()
        {
            _listener = new TcpListener(IPAddress.Loopback, 0);
            _listener.Start();
            _ = Task.Run(AcceptLoopAsync);
        }
        private async Task AcceptLoopAsync()
        {
            while (!_stop.IsCancellationRequested)
            {
                TcpClient? client = null;
                try { client = await _listener.AcceptTcpClientAsync(_stop.Token); }
                catch { return; }
                _ = Task.Run(() => ServeAsync(client!));
            }
        }
        private async Task ServeAsync(TcpClient client)
        {
            try
            {
                using var _ = client;
                var stream = client.GetStream();
                while (!_stop.IsCancellationRequested && client.Connected)
                {
                    var header = new byte[7];
                    if (!await ReadExactly(stream, header)) return;
                    var len = (ushort)((header[4] << 8) | header[5]);
                    var pdu = new byte[len - 1];
                    if (!await ReadExactly(stream, pdu)) return;
                    var fc = pdu[0];
                    var qty = (ushort)((pdu[3] << 8) | pdu[4]);
                    var respPdu = new byte[2 + qty * 2];
                    respPdu[0] = fc;
                    respPdu[1] = (byte)(qty * 2);
                    // data bytes stay 0
                    var respLen = (ushort)(1 + respPdu.Length);
                    var adu = new byte[7 + respPdu.Length];
                    adu[0] = header[0]; adu[1] = header[1];
                    adu[4] = (byte)(respLen >> 8); adu[5] = (byte)(respLen & 0xFF);
                    adu[6] = header[6];
                    Buffer.BlockCopy(respPdu, 0, adu, 7, respPdu.Length);
                    await stream.WriteAsync(adu);
                    await stream.FlushAsync();
                    _txCount++;
                    if (_txCount >= DropAfterNTransactions)
                    {
                        // Simulate NAT/firewall silent close: slam the socket without a
                        // protocol-level goodbye, which is what DL260 + an intermediate
                        // middlebox would look like from the client's perspective.
                        client.Client.Shutdown(SocketShutdown.Both);
                        client.Close();
                        return;
                    }
                }
            }
            catch { /* best-effort */ }
        }
        private static async Task<bool> ReadExactly(NetworkStream s, byte[] buf)
        {
            var read = 0;
            while (read < buf.Length)
            {
                var n = await s.ReadAsync(buf.AsMemory(read));
                if (n == 0) return false;
                read += n;
            }
            return true;
        }
        public async ValueTask DisposeAsync()
        {
            _stop.Cancel();
            _listener.Stop();
            await Task.CompletedTask;
        }
    }
    [Fact]
    public async Task Transport_recovers_from_mid_session_drop_and_retries_successfully()
    {
        await using var server = new FlakeyModbusServer { DropAfterNTransactions = 1 };
        await using var transport = new ModbusTcpTransport("127.0.0.1", server.Port, TimeSpan.FromSeconds(2), autoReconnect: true);
        await transport.ConnectAsync(TestContext.Current.CancellationToken);
        // First transaction succeeds; server then closes the socket.
        var pdu = new byte[] { 0x03, 0x00, 0x00, 0x00, 0x01 };
        var first = await transport.SendAsync(unitId: 1, pdu, TestContext.Current.CancellationToken);
        first[0].ShouldBe((byte)0x03);
        // Second transaction: the connection is dead, but auto-reconnect must transparently
        // spin up a new socket, resend, and produce a valid response. Before PR 53 this would
        // surface as EndOfStreamException / IOException to the caller.
        var second = await transport.SendAsync(unitId: 1, pdu, TestContext.Current.CancellationToken);
        second[0].ShouldBe((byte)0x03);
    }
    [Fact]
    public async Task Transport_without_AutoReconnect_propagates_drop_to_caller()
    {
        await using var server = new FlakeyModbusServer { DropAfterNTransactions = 1 };
        await using var transport = new ModbusTcpTransport("127.0.0.1", server.Port, TimeSpan.FromSeconds(2), autoReconnect: false);
        await transport.ConnectAsync(TestContext.Current.CancellationToken);
        var pdu = new byte[] { 0x03, 0x00, 0x00, 0x00, 0x01 };
        _ = await transport.SendAsync(unitId: 1, pdu, TestContext.Current.CancellationToken);
        await Should.ThrowAsync<Exception>(async () =>
            await transport.SendAsync(unitId: 1, pdu, TestContext.Current.CancellationToken));
    }
 }