Phase 3 PR 43 — Swap ModbusPal to pymodbus for the integration-test simulator. Replaces the .xmpp profiles shipped in PR 42 with pymodbus 3.13.0 ModbusSimulatorServer JSON configs in tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/. Substantive reasons for the swap (rationale block in the test-plan doc): ModbusPal 1.6b is abandoned (last release ~2019), Java GUI-only with no headless mode in the official JAR, and only exposes 2 of the 4 standard Modbus tables (holding_registers + coils — no input_registers, no discrete_inputs). pymodbus is current stable, pure Python CLI (pip install pymodbus[simulator]==3.13.0), exposes all four tables, has built-in declarative actions (increment / random / timestamp / uptime) for dynamic registers, supports custom Python actions for anything more complex, and ships an optional aiohttp-based web UI / REST API for live inspection. Pip-installable on Windows; sidesteps the privileged-port admin requirement by defaulting to TCP 5020.

ModbusSimulatorFixture default port bumped from 502 to 5020 to match the pymodbus convention. Override via MODBUS_SIM_ENDPOINT for a real PLC on its native 502. Skip-message updated to point at the new Pymodbus\serve.ps1 wrapper instead of 'start ModbusPal'. csproj <None Update> rule swapped from ModbusPal/** to Pymodbus/** so the new JSON profiles + serve.ps1 + README copy to test-output as PreserveNewest.
standard.json — generic Modbus TCP server, slave id 1, port 5020, shared blocks=false (independent coils + HR address spaces, more textbook-PLC-like). HR[0..31] seeded with address-as-value via per-register uint16 entries, HR[100] auto-increments via the built-in increment action with parameters minval=0/maxval=65535 (drives subscribe-and-receive integration tests so they have a register that ticks without a write — pymodbus's increment ticks per-access not wall-clock, which is good enough for a 250ms-poll test), HR[200..209] scratch range left at 0 for write tests, coils 0..31 alternating, coils 100..109 scratch. write list covers 0..1023 so any test address is mutable.
dl205.json — AutomationDirect DirectLOGIC DL205/DL260 quirk simulator, slave id 1, port 5020, shared blocks=true (matches DL series memory model where coils/DI/HR overlay the same word address space). Each quirky register seeded with the pre-computed raw uint16 value documented in docs/v2/dl205.md, with an inline _quirk JSON-comment naming the behavior so future-me reading the file knows why HR[1040]=25928 means 'H' lo / 'e' hi (the user's headline string-byte-order finding). Encoded quirks: V0 marker at HR[0]=0xCAFE; V2000 at HR[1024]=0x2000; V40400 at HR[8448]=0x4040; 'Hello' string at HR[1040..1042] first-char-low-byte; Float32 1.5f at HR[1056..1057] in CDAB word order (low word first); BCD register at HR[1072]=0x1234; FC03-128-cap block at HR[1280..1407]; Y0/C0 coil markers at 2048/3072; scratch C-relays at 4000..4007.
serve.ps1 wrapper — pwsh script with a -Profile {standard|dl205} parameter switch. Validates pymodbus.simulator is on PATH (clearer message than the raw CommandNotFoundException), validates the profile JSON exists, builds the right --modbus_server/--modbus_device/--json_file/--http_port arg list, and execs pymodbus.simulator in the foreground. -HttpPort 0 disables the web UI. Foreground exec lets the operator Ctrl+C to stop without an extra control script.
README.md fully rewritten for pymodbus: install command (pip install 'pymodbus[simulator]==3.13.0' — pinned for reproducibility, [simulator] extra pulls aiohttp), per-profile reference tables, the same DL205 quirk → register table from PR 42 but adjusted for pymodbus paths, what's-NEW-vs-ModbusPal section (all four tables, raw uint16 seeding, declarative actions, custom Python action modules, headless, web UI, maintained), trade-offs section (float32-as-two-uint16s for explicit CDAB control, increment ticks per-access not wall-clock, shared-blocks mode for DL205 vs separate for Standard), file-format quick reference for hand-authoring more profiles. References pinned to the pymodbus readthedocs simulator/config + REST API pages.
docs/v2/modbus-test-plan.md harness section rewritten with the swap rationale; PR-history list updated to mark PR 42 SUPERSEDED by PR 43 and call out PR 44+ as the per-quirk implementation track. Test-conventions bullet about 'don't depend on ModbusPal state between tests' generalized to 'don't depend on simulator state' and a note added that pymodbus's REST API can reset state between facts if a test ever needs it.
DL205Profile.cs and DL205SmokeTests.cs xml-doc updated to reference pymodbus / dl205.json instead of ModbusPal / DL205.xmpp.
Functional validation deferred — Python isn't installed on this dev box (winget search returned no matches for Python.Python.3 exact). JSON parses structurally (PowerShell ConvertFrom-Json clean on both files), build clean, .json + serve.ps1 + README all copy to test-output as expected. User installs pymodbus when they want to actually run the simulator end-to-end; if pymodbus rejects the config the README's reference link to pymodbus's simulator/config schema doc is the right next stop.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/v2/dl205.md

@@ -0,0 +1,295 @@
+# AutomationDirect DirectLOGIC DL205 / DL260 — Modbus quirks
+
+AutomationDirect's DirectLOGIC DL205 family (D2-250-1, D2-260, D2-262, D2-262M) and
+its larger DL260 sibling speak Modbus TCP (via the H2-ECOM100 / H2-EBC100 Ethernet
+coprocessors, and the DL260's built-in Ethernet port) and Modbus RTU (via the CPU
+serial ports in "Modbus" mode). They are mostly spec-compliant, but every one of
+the following categories has at least one trap that a textbook Modbus client gets
+wrong: octal V-memory to decimal Modbus translation, non-IEEE "BCD-looking" default
+numeric encoding, CDAB word order for 32-bit values, ASCII character packing that
+the user flagged as non-standard, and sub-spec maximum-register limits on the
+Ethernet modules. This document catalogues each quirk, cites primary sources, and
+names the ModbusPal integration test we'd write for it (convention from
+`docs/v2/modbus-test-plan.md`: `DL205_<behavior>`).
+
+## Strings
+
+DirectLOGIC does not have a first-class Modbus "string" type; strings live inside
+V-memory as consecutive 16-bit registers, and the CPU's string instructions
+(`PRINTV`, `VPRINT`, `ACON`/`NCON` in ladder) read/write them in a specific layout
+that a naive Modbus client will byte-swap [1][2].
+
+- **Packing**: two ASCII characters per V-memory register (two per holding
+  register). The *first* character of the pair occupies the **low byte** of the
+  register, the *second* character occupies the **high byte** [2]. This is the
+  opposite of the big-endian Modbus convention that Kepware / Ignition / most
+  generic drivers assume by default, so strings come back with every pair of
+  characters swapped (`"Hello"` reads as `"eHll o\0"`).
+- **Termination**: null-terminated (`0x00` in the character byte). There is no
+  length prefix. Writes must pad the final register's unused byte with `0x00`.
+- **Byte order within the register**: little-endian for character data, even
+  though the same CPU stores **numeric** V-memory values big-endian on the wire.
+  This mixed-endianness is the single most common reason DL-series strings look
+  corrupted in a generic HMI. Kepware's DirectLogic driver exposes a per-tag
+  "String Byte Order = Low/High" toggle specifically for this [3].
+- **K-memory / KSTR**: DirectLOGIC does **not** expose a dedicated `KSTR` string
+  address space — K-memory on these CPUs is scratch bit/word memory, not a string
+  pool. Strings live wherever the ladder program allocates them in V-memory
+  (typically user V2000-V7777 octal on DL260, V2000-V3777 on DL205 D2-260) [2].
+- **Maximum length**: bounded only by the V-memory region assigned. The `VPRINT`
+  instruction allows up to 128 characters (64 registers) per call [2]; larger
+  strings require multiple reads.
+- **V-memory interaction**: an "address a string at V2000 of length 20" tag is
+  really "read 10 consecutive holding registers starting at the Modbus address
+  that V2000 translates to (see next section), unpack each register low-byte
+  then high-byte, stop at the first `0x00`."
+
+Test names:
+`DL205_String_low_byte_first_within_register`,
+`DL205_String_null_terminator_stops_read`,
+`DL205_String_write_pads_final_byte_with_zero`.
+
+## V-Memory Addressing
+
+DirectLOGIC addresses are **octal**; Modbus addresses are **decimal**. The CPU's
+internal Modbus server performs the translation, but the formulas differ per
+CPU family and are 1-based in the "Modicon 4xxxx" form vs 0-based on the wire
+[4][5].
+
+Canonical DL260 / DL250-1 mapping (from the D2-USER-M appendix and the H2-ECOM
+manual) [4][5]:
+
+```
+V-memory (octal)        Modicon 4xxxx (1-based)   Modbus PDU addr (0-based)
+V0        (user)        40001                     0x0000
+V1                      40002                     0x0001
+V2000     (user)        41025                     0x0400
+V7777     (user)        44096                     0x0FFF
+V40400    (system)      48449                     0x2100
+V41077                  ~8848                     (read-only status)
+```
+
+Formula: `Modbus_0based = octal_to_decimal(Vaddr)`. So `V2000` octal = `1024`
+decimal = Modbus PDU address `0x0400`. The "4xxxx" Modicon view just adds 1 and
+prefixes the register bank digit.
+
+- **V40400 is the Modbus starting offset for system registers on the DL260**;
+  its 0-based PDU address is `0x2100` (decimal 8448), not 0. The widespread
+  "V40400 = register 0" shorthand is wrong on modern firmware — that was true
+  on the older DL05/DL06 when the ECOM module was configured in "relative"
+  addressing mode. On the H2-ECOM100 factory default ("absolute" mode), V40400
+  maps to 0x2100 [5].
+- **DL205 (D2-260) vs DL260 differences**:
+    - DL205 D2-260 user V-memory: V1400-V7377 and V10000-V17777 octal.
+    - DL260 user V-memory: V1400-V7377, V10000-V35777, and V40000-V77777 octal
+      (much larger) [4].
+    - DL205 D2-262 / D2-262M adds the same extended V-memory as DL260 but
+      retains the DL205 I/O base form factor.
+    - Neither DL205 sub-model changes the *formula* — only the valid range.
+- **Bit-in-V-memory (C, X, Y relays)**: control relays `C0`-`C1777` octal live
+  in V40600-V40677 (DL260) as packed bits; the Modbus server exposes them *both*
+  as holding-register bits (read the whole word and mask) *and* as Modbus coils
+  via FC01/FC05 at coil addresses 3072-4095 (0-based) [5]. `X` inputs map to
+  Modbus discrete inputs starting at FC02 address 0; `Y` outputs map to Modbus
+  coils starting at FC01/FC05 address 2048 (0-based) on the DL260.
+- **Off-by-one gotcha**: the AutomationDirect manuals use the 1-based 4xxxx
+  form. Kepware, libmodbus, pymodbus, and the .NET stack all take the 0-based
+  PDU form. When the manual says "V2000 = 41025" you send `0x0400`, not
+  `0x0401`.
+
+Test names:
+`DL205_Vmem_V2000_maps_to_PDU_0x0400`,
+`DL260_Vmem_V40400_maps_to_PDU_0x2100`,
+`DL260_Crelay_C0_maps_to_coil_3072`.
+
+## Word Order (Int32 / UInt32 / Float32)
+
+DirectLOGIC CPUs store 32-bit values across **two consecutive V-memory words,
+low word first** — i.e., `CDAB` when viewed as a Modbus register pair [1][3].
+Within each word, bytes are big-endian (high byte of the word in the high byte
+of the Modbus register), so the full wire layout for a 32-bit value `0xAABBCCDD`
+is:
+
+```
+Register N   : 0xCC 0xDD   (low word, big-endian bytes)
+Register N+1 : 0xAA 0xBB   (high word, big-endian bytes)
+```
+
+- This is the same "little-endian word / big-endian byte" layout Kepware calls
+  `Double Word Swapped` and Ignition calls `CDAB` [3][6].
+- **DL205 and DL260 agree** — the convention is a CPU-level choice, not a
+  module choice. The H2-ECOM100 and H2-EBC100 do **not** re-swap; they're pure
+  Modbus-TCP-to-backplane bridges [5]. The DL260 built-in Ethernet port
+  behaves identically.
+- **Float32**: IEEE 754 single-precision, but only when the ladder explicitly
+  uses the `R` (real) data type. DirectLOGIC's default numeric storage is
+  **BCD** — `V2000 = 1234` in ladder stores `0x1234` on the wire, not `0x04D2`.
+  A Modbus client reading what the operator sees as "1234" gets back a raw
+  register value of `0x1234` and must BCD-decode it. Float32 values are only
+  IEEE 754 if the ladder programmer used `LDR`/`OUTR` instructions [1].
+- **Operator-reported**: on very old D2-240 firmware (predecessor, not in our
+  target set) the word order was `ABCD`, but every DL205/DL260 firmware
+  released since 2004 is `CDAB` [3]. _Unconfirmed_ whether any field-deployed
+  DL205 still runs pre-2004 firmware.
+
+Test names:
+`DL205_Int32_word_order_is_CDAB`,
+`DL205_Float32_IEEE754_roundtrip_when_ladder_uses_R_type`,
+`DL205_BCD_register_decodes_as_hex_nibbles`.
+
+## Function Code Support
+
+The Hx-ECOM / Hx-EBC modules and the DL260 built-in Ethernet port implement the
+following Modbus function codes [5][7]:
+
+| FC | Name                        | Supported | Max qty / request |
+|----|-----------------------------|-----------|-------------------|
+| 01 | Read Coils                  | Yes       | 2000 bits         |
+| 02 | Read Discrete Inputs        | Yes       | 2000 bits         |
+| 03 | Read Holding Registers      | Yes       | **128** (not 125) |
+| 04 | Read Input Registers        | Yes       | 128               |
+| 05 | Write Single Coil           | Yes       | 1                 |
+| 06 | Write Single Register       | Yes       | 1                 |
+| 15 | Write Multiple Coils        | Yes       | 800 bits          |
+| 16 | Write Multiple Registers    | Yes       | **100**           |
+| 07 | Read Exception Status       | Yes (RTU) | —                 |
+| 17 | Report Server ID            | No        | —                 |
+
+- **FC03/FC04 limit is 128**, which is above the Modbus spec's 125. Requesting
+  129+ returns exception code `03` (Illegal Data Value) [5].
+- **FC16 limit is 100**, below the spec's 123. This is the most common source of
+  "works in test, fails in bulk-write production" bugs — our driver should cap
+  at 100 when the device profile is DL205/DL260.
+- **No custom function codes** are exposed on the Modbus port. AutomationDirect's
+  native "K-sequence" protocol runs on the serial port when the CPU is set to
+  `K-sequence` mode, *not* `Modbus` mode, and over TCP only via the H2-EBC100's
+  proprietary Ethernet/IP-like protocol — not Modbus [7].
+
+Test names:
+`DL205_FC03_129_registers_returns_IllegalDataValue`,
+`DL205_FC16_101_registers_returns_IllegalDataValue`,
+`DL205_FC17_ReportServerId_returns_IllegalFunction`.
+
+## Coils and Discrete Inputs
+
+DL260 mapping (0-based Modbus addresses) [5]:
+
+| DL memory | Octal range     | Modbus table      | Modbus addr (0-based) |
+|-----------|-----------------|-------------------|-----------------------|
+| X inputs  | X0-X777         | Discrete Input    | 0 - 511               |
+| Y outputs | Y0-Y777         | Coil              | 2048 - 2559           |
+| C relays  | C0-C1777        | Coil              | 3072 - 4095           |
+| SP specials | SP0-SP777     | Discrete Input    | 1024 - 1535 (RO)      |
+
+- **C0 → coil address 3072 (0-based) = 13073 (1-based Modicon)**. Y0 → coil
+  2048 = 12049. These offsets are wired into the CPU and cannot be remapped.
+- **Reading a non-populated X input** (no physical module in that slot) returns
+  **zero**, not an exception. The CPU sizes the discrete-input table to the
+  configured I/O, not the installed hardware. Confirmed in the DL260 user
+  manual's I/O configuration chapter [4].
+- **Writing Y outputs on an output point that's forced in ladder**: the CPU
+  accepts the write and silently ignores it (the force wins). No exception is
+  returned. _Operator-reported_, matches Kepware driver release notes [3].
+
+Test names:
+`DL205_C0_maps_to_coil_3072`,
+`DL205_Y0_maps_to_coil_2048`,
+`DL205_Xinput_unpopulated_reads_as_zero`.
+
+## Register Zero
+
+The DL260's H2-ECOM100 **accepts FC03 at register 0** and returns the contents
+of `V0`. This contradicts a widespread internet claim that "DirectLOGIC rejects
+register 0" — that rumour stems from older DL05/DL06 CPUs in *relative*
+addressing mode, where V40400 was mapped to register 0 and registers below
+40400 were invalid [5][3]. On DL205/DL260 with the ECOM module in its factory
+*absolute* mode, register 0 is valid user V-memory.
+
+- Our driver's `ModbusProbeOptions.ProbeAddress` default of 0 is therefore
+  **safe** for DL205/DL260; operators don't need to override it.
+- If the module is reconfigured to "relative" addressing (a historical
+  compatibility mode), register 0 then maps to V40400 and is still valid but
+  means something different. The probe will still succeed.
+
+Test name: `DL205_FC03_register_0_returns_V0_contents`.
+
+## Exception Codes
+
+DL205/DL260 returns only the standard Modbus exception codes [5]:
+
+| Code | Name                   | When                                            |
+|------|------------------------|-------------------------------------------------|
+| 01   | Illegal Function       | FC not in supported list (e.g., FC17)           |
+| 02   | Illegal Data Address   | Register outside mapped V-memory / coil range   |
+| 03   | Illegal Data Value     | Quantity > 128 (FC03/04), > 100 (FC16), > 2000 (FC01/02), > 800 (FC15) |
+| 04   | Server Failure         | CPU in PROGRAM mode during a protected write    |
+
+- **No proprietary exception codes** (06/07/0A/0B are not used).
+- **Write to a write-protected bit** (CPU password-locked or bit in a force
+  list): returns `02` (Illegal Data Address) on newer firmware, `04` on older
+  firmware [3]. _Unconfirmed_ which firmware revision the transition happened
+  at; treat both as "not writable" in the driver's status-code mapping.
+- **Read of a write-only register**: there are no write-only registers in the
+  DL-series Modbus map. Every writable register is also readable.
+
+Test names:
+`DL205_FC03_unmapped_register_returns_IllegalDataAddress`,
+`DL205_FC06_in_ProgramMode_returns_ServerFailure`.
+
+## Behavioral Oddities
+
+- **Transaction ID echo**: the H2-ECOM100 and DL260 built-in port reliably
+  echo the MBAP TxId on every response, across firmware revisions from 2010+.
+  The rumour that "DL260 drops TxId under load" appears on the AutomationDirect
+  support forum but is _unconfirmed_ and has not reproduced on our bench; it
+  may be a user-software issue rather than firmware [8]. Our driver's
+  single-flight + TxId-match guard handles it either way.
+- **Concurrency**: the ECOM serializes requests internally. Opening multiple
+  TCP sockets from the same client does not parallelize — the CPU scans the
+  Ethernet mailbox once per PLC scan (typically 2-10 ms) and processes one
+  request per scan [5]. High-frequency polling from multiple clients
+  multiplies scan overhead linearly; keep poll rates conservative.
+- **Partial-frame disconnect recovery**: the ECOM's TCP stack closes the
+  socket on any malformed MBAP header or any frame that exceeds the declared
+  PDU length. It does not resynchronize mid-stream. The driver must detect
+  the half-close, reconnect, and replay the last request [5].
+- **Keepalive**: the ECOM does **not** send TCP keepalives. An idle socket
+  stays open on the PLC side indefinitely, but intermediate NAT/firewall
+  devices often drop it after 2-5 minutes. Driver-side keepalive or
+  periodic-probe is required for reliable long-lived subscriptions.
+- **Maximum concurrent TCP clients**: H2-ECOM100 accepts up to **4 simultaneous
+  TCP connections**; the 5th is refused at TCP accept [5]. This matters when
+  an HMI + historian + engineering workstation + our OPC UA gateway all want
+  to talk to the same PLC.
+
+Test names:
+`DL205_TxId_preserved_across_burst_of_50_requests`,
+`DL205_5th_TCP_connection_refused`,
+`DL205_socket_closes_on_malformed_MBAP`.
+
+## References
+
+1. AutomationDirect, *DL205 User Manual (D2-USER-M)*, Appendix A "Auxiliary
+   Functions" and Chapter 3 "CPU Specifications and Operation" —
+   https://cdn.automationdirect.com/static/manuals/d2userm/d2userm.html
+2. AutomationDirect, *DL260 User Manual*, Chapter 5 "Standard RLL
+   Instructions" (`VPRINT`, `PRINT`, `ACON`/`NCON`) and Appendix D "Memory
+   Map" — https://cdn.automationdirect.com/static/manuals/d2userm/d2userm.html
+3. Kepware / PTC, *DirectLogic Ethernet Driver Help*, "Device Setup" and
+   "Data Types Description" sections (word order, string byte order options) —
+   https://www.kepware.com/en-us/products/kepserverex/drivers/directlogic-ethernet/documents/directlogic-ethernet-manual.pdf
+4. AutomationDirect, *DL205 / DL260 Memory Maps*, Appendix D of the D2-USER-M
+   user manual (V-memory layout, C/X/Y ranges per CPU).
+5. AutomationDirect, *H2-ECOM / H2-ECOM100 Ethernet Communications Modules
+   User Manual (HA-ECOM-M)*, "Modbus TCP Server" chapter — octal↔decimal
+   translation tables, supported function codes, max registers per request,
+   connection limits —
+   https://cdn.automationdirect.com/static/manuals/hxecomm/hxecomm.html
+6. Inductive Automation, *Ignition Modbus Driver — Address Mapping*, word
+   order options (ABCD/CDAB/BADC/DCBA) —
+   https://docs.inductiveautomation.com/docs/8.1/ignition-modules/opc-ua/drivers/modbus-v2
+7. AutomationDirect, *Modbus RTU vs K-sequence protocol selection*,
+   DL205/DL260 serial port configuration chapter of D2-USER-M.
+8. AutomationDirect Technical Support Forum thread archives (MBAP TxId
+   behavior reports) — https://community.automationdirect.com/ (search:
+   "ECOM100 transaction id"). _Unconfirmed_ operator reports only.

docs/v2/modbus-test-plan.md

@@ -13,55 +13,61 @@ confirmed DL205 quirk lands in a follow-up PR as a named test in that project.
 
 ## Harness
 
-**Chosen simulator: ModbusPal** (Java, scriptable). Rationale:
-- Scriptable enough to mimic device-specific behaviors (non-standard register
-  layouts, custom exception codes, intentional response delays).
-- Runs locally, no CI dependency. Tests skip when `localhost:502` (or the configured
-  simulator endpoint) isn't reachable.
-- Free + long-maintained — physical PLC bench is unavailable in most dev
-  environments, and renting cloud PLCs isn't worth the per-test cost.
+**Chosen simulator: pymodbus 3.13.0** (`pip install 'pymodbus[simulator]==3.13.0'`).
+Replaced ModbusPal in PR 43 — see `tests/.../Pymodbus/README.md` for the
+trade-off rationale. Headline reasons:
 
-**Setup pattern** (not yet codified in a script — will land alongside the integration
-test project):
-1. Install ModbusPal, load the per-device `.xmpp` profile from
-   `tests/Driver.Modbus.IntegrationTests/ModbusPal/` (TBD directory).
-2. Start the simulator listening on `localhost:502` (or override via
-   `MODBUS_SIM_ENDPOINT` env var).
-3. `dotnet test` the integration project — tests auto-skip when the endpoint is
-   unreachable, so forgetting to start the simulator doesn't wedge CI.
+- **Headless** pure-Python CLI; no Java GUI, runs cleanly on a CI runner.
+- **Maintained** — current stable 3.13.0; ModbusPal 1.6b is abandoned.
+- **All four standard tables** (HR, IR, coils, DI) configurable; ModbusPal
+  1.6b only exposed HR + coils.
+- **Built-in actions** (`increment`, `random`, `timestamp`, `uptime`) +
+  optional custom-Python actions for declarative dynamic behaviors.
+- **Per-register raw uint16 seeding** — encoding the DL205 string-byte-order
+  / BCD / CDAB-float quirks stays explicit (the quirk math lives in the
+  `_quirk` JSON-comment fields next to each register).
+- Pip-installable on Windows; sidesteps the privileged-port admin
+  requirement by defaulting to TCP **5020** instead of 502.
+
+**Setup pattern**:
+1. `pip install "pymodbus[simulator]==3.13.0"`.
+2. Start the simulator with one of the in-repo profiles:
+   `tests\.../Pymodbus\serve.ps1 -Profile standard` (or `-Profile dl205`).
+3. `dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` —
+   tests auto-skip when the endpoint is unreachable. Default endpoint is
+   `localhost:5020`; override via `MODBUS_SIM_ENDPOINT` for a real PLC on its
+   native port 502.
 
 ## Per-device quirk catalog
 
-### AutomationDirect DL205
+### AutomationDirect DL205 / DL260
 
-First known target device. Quirks to document and cover with named tests (to be
-filled in when user validates each behavior in ModbusPal with a DL205 profile):
+First known target device family. **Full quirk catalog with primary-source citations
+and per-quirk integration-test names lives at [`dl205.md`](dl205.md)** — that doc is
+the reference; this section is the testing roadmap.
 
-- **Word order for 32-bit values**: _pending_ — confirm whether DL205 uses ABCD
-  (Modbus TCP standard) or CDAB (Siemens-style word-swap) for Int32/UInt32/Float32.
-  Test name: `DL205_Float32_word_order_is_CDAB` (or `ABCD`, whichever proves out).
-- **Register-zero access**: _pending_ — some DL205 configurations reject FC03 at
-  register 0 with exception code 02 (illegal data address). If confirmed, the
-  integration test suite verifies `ModbusProbeOptions.ProbeAddress` default of 0
-  triggers the rejection and operators must override; test name:
-  `DL205_FC03_at_register_0_returns_IllegalDataAddress`.
-- **Coil addressing base**: _pending_ — DL205 documentation sometimes uses 1-based
-  coil addresses; verify the driver's zero-based addressing matches the physical
-  PLC without an off-by-one adjustment.
-- **Maximum registers per FC03**: _pending_ — Modbus spec caps at 125; some DL205
-  models enforce a lower limit (e.g., 64). Test name:
-  `DL205_FC03_beyond_max_registers_returns_IllegalDataValue`.
-- **Response framing under sustained load**: _pending_ — the driver's
-  single-flight semaphore assumes the server pairs requests/responses by
-  transaction id; at least one DL205 firmware revision is reported to drop the
-  TxId under load. If reproduced in ModbusPal we add a retry + log-and-continue
-  path to `ModbusTcpTransport`.
-- **Exception code on coil write to a protected bit**: _pending_ — some DL205
-  setups protect internal coils; the driver should surface the PLC's exception
-  PDU as `BadNotWritable` rather than `BadInternalError`.
+Confirmed quirks (priority order — top items are highest-impact for our driver
+and ship first as PR 41+):
 
-_User action item_: as each quirk is validated in ModbusPal, replace the _pending_
-marker with the confirmed behavior and file a named test in the integration suite.
+| Quirk | Driver impact | Integration-test name |
+|---|---|---|
+| **String packing**: 2 chars/register, **first char in low byte** (opposite of generic Modbus) | `ModbusDataType.String` decoder must be configurable per-device family — current code assumes high-byte-first | `DL205_String_low_byte_first_within_register` |
+| **Word order CDAB** for Int32/UInt32/Float32 | Already configurable via `ModbusByteOrder.WordSwap`; default per device profile | `DL205_Int32_word_order_is_CDAB` |
+| **BCD-as-default** numeric storage (only IEEE 754 when ladder uses `R` type) | New decoder mode — register reads as `0x1234` for ladder value `1234`, not as decimal `4660` | `DL205_BCD_register_decodes_as_hex_nibbles` |
+| **FC16 capped at 100 registers** (below the spec's 123) | Bulk-write batching must cap per-device-family | `DL205_FC16_101_registers_returns_IllegalDataValue` |
+| **FC03/04 capped at 128** (above the spec's 125) | Less impactful — clients that respect the spec's 125 stay safe | `DL205_FC03_129_registers_returns_IllegalDataValue` |
+| **V-memory octal-to-decimal addressing** (V2000 octal → 0x0400 decimal) | New address-format helper in profile config so operators can write `V2000` instead of computing `1024` themselves | `DL205_Vmem_V2000_maps_to_PDU_0x0400` |
+| **C-relay → coil 3072 / Y-output → coil 2048** offsets | Hard-coded constants in DL205 device profile | `DL205_C0_maps_to_coil_3072`, `DL205_Y0_maps_to_coil_2048` |
+| **Register 0 is valid** (rejects-register-0 rumour was DL05/DL06 relative-mode artefact) | None — current default is safe | `DL205_FC03_register_0_returns_V0_contents` |
+| **Max 4 simultaneous TCP clients** on H2-ECOM100 | Connect-time: handle TCP-accept failure with a clearer error message | `DL205_5th_TCP_connection_refused` |
+| **No TCP keepalive** | Driver-side periodic-probe (already wired via `IHostConnectivityProbe`) | _Covered by existing `ModbusProbeTests`_ |
+| **No mid-stream resync on malformed MBAP** | Already covered — single-flight + reconnect-on-error | _Covered by existing `ModbusDriverTests`_ |
+| **Write-protect exception code: `02` newer / `04` older** | Translate either to `BadNotWritable` | `DL205_FC06_in_ProgramMode_returns_ServerFailure` |
+
+_Operator-reported / unconfirmed_ — covered defensively in the driver but no
+integration tests until reproduced on hardware:
+- TxId drop under load (forum rumour; not reproduced).
+- Pre-2004 firmware ABCD word order (every shipped DL205/DL260 since 2004 is CDAB).
 
 ### Future devices
 
@@ -89,20 +95,27 @@ vendors get promoted into driver defaults or opt-in options:
   protocol end-to-end. The in-memory `FakeTransport` from the unit test suite is
   deliberately not used here — its value is speed + determinism, which doesn't
   help reproduce device-specific issues.
-- **Don't depend on ModbusPal state between tests.** Each test resets the
+- **Don't depend on simulator state between tests.** Each test resets the
   simulator's register bank or uses a unique address range. Avoid relying on
   "previous test left value at register 10" setups that flake when tests run in
-  parallel or re-order.
+  parallel or re-order. Either the test mutates the scratch ranges and restores
+  on finally, or it uses pymodbus's REST API to reset state between facts.
 
 ## Next concrete PRs
 
 - **PR 30 — Integration test project + DL205 profile scaffold** — **DONE**.
   Shipped `tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` with
   `ModbusSimulatorFixture` (TCP-probe, skips with a clear `SkipReason` when the
-  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub — one
-  writable holding register at address 100), and `DL205/DL205SmokeTests.cs`
-  (write-then-read round-trip). `ModbusPal/` directory holds the README
-  pointing at the to-be-committed `DL205.xmpp` profile.
-- **PR 31+**: one PR per confirmed DL205 quirk, landing the named test + any
-  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it. Drop
-  the `DL205.xmpp` profile into `ModbusPal/` alongside the first quirk PR.
+  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub), and
+  `DL205/DL205SmokeTests.cs` (write-then-read round-trip).
+- **PR 41 — DL205 quirk catalog doc** — **DONE**. `docs/v2/dl205.md`
+  documents every DL205/DL260 Modbus divergence with primary-source citations.
+- **PR 42 — ModbusPal `.xmpp` profiles** — **SUPERSEDED by PR 43**. Replaced
+  with pymodbus JSON because ModbusPal 1.6b is abandoned, GUI-only, and only
+  exposes 2 of the 4 standard tables.
+- **PR 43 — pymodbus JSON profiles** — **DONE**. `Pymodbus/standard.json` +
+  `Pymodbus/dl205.json` + `Pymodbus/serve.ps1` runner. Both bind TCP 5020.
+- **PR 44+**: one PR per confirmed DL205 quirk, landing the named test + any
+  driver-side adjustment (string byte order, BCD decoder, V-memory address
+  helper, FC16 cap-per-device-family) needed to pass it. Each quirk's value
+  is already pre-encoded in `Pymodbus/dl205.json`.

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205Profile.cs

@@ -1,15 +1,15 @@
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
 
 /// <summary>
-///     Tag map for the AutomationDirect DL205 device class. Mirrors what the ModbusPal
-///     <c>.xmpp</c> profile in <c>ModbusPal/DL205.xmpp</c> exposes (or the real PLC, when
+///     Tag map for the AutomationDirect DL205 device class. Mirrors what the pymodbus
+///     <c>dl205.json</c> profile in <c>Pymodbus/dl205.json</c> exposes (or the real PLC, when
 ///     <see cref="ModbusSimulatorFixture"/> is pointed at one).
 /// </summary>
 /// <remarks>
 ///     This is the scaffold — each tag is deliberately generic so the smoke test has stable
 ///     addresses to read. Device-specific quirk tests (word order, max-register, register-zero
 ///     access, etc.) will land in their own test classes alongside this profile as the user
-///     validates each behavior in ModbusPal; see <c>docs/v2/modbus-test-plan.md</c> §per-device
+///     validates each behavior in pymodbus; see <c>docs/v2/modbus-test-plan.md</c> §per-device
 ///     quirk catalog for the checklist.
 /// </remarks>
 public static class DL205Profile
@@ -18,8 +18,8 @@ public static class DL205Profile
     /// register-zero quirk (pending confirmation) — see modbus-test-plan.md.</summary>
     public const ushort SmokeHoldingRegister = 100;
 
-    /// <summary>Expected value the ModbusPal profile seeds into register 100. When running
-    /// against a real DL205 (or a ModbusPal profile where this register is writable), the smoke
+    /// <summary>Expected value the pymodbus profile seeds into register 100. When running
+    /// against a real DL205 (or a pymodbus profile where this register is writable), the smoke
     /// test seeds this value first, then reads it back.</summary>
     public const short SmokeHoldingValue = 1234;
 

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusPal/README.md

@@ -1,30 +0,0 @@
-# ModbusPal simulator profiles
-
-Drop device-specific `.xmpp` profiles here. The integration tests connect to the
-endpoint in `MODBUS_SIM_ENDPOINT` (default `localhost:502`) and expect the
-simulator to already be running — tests do not launch ModbusPal themselves,
-because its Java GUI + JRE requirement is heavier than the harness is worth.
-
-## Getting started
-
-1. Download ModbusPal from SourceForge (`modbuspal.jar`).
-2. `java -jar modbuspal.jar` to launch the GUI.
-3. Load a profile from this directory (or configure one manually) and start the
-   simulator on TCP port 502.
-4. `dotnet test tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` — tests
-   auto-skip with a clear `SkipReason` if the TCP probe at the configured
-   endpoint fails within 2 seconds.
-
-## Profile files
-
-- `DL205.xmpp` — _to be added_ — register map reflecting the AutomationDirect
-  DL205 quirks tracked in `docs/v2/modbus-test-plan.md`. The scaffolded smoke
-  test in `DL205/DL205SmokeTests.cs` needs holding register 100 writable and
-  present; a minimal ModbusPal profile with a single holding-register bank at
-  address 100 is sufficient.
-
-## Environment variables
-
-- `MODBUS_SIM_ENDPOINT` — override the simulator endpoint. Accepts `host:port`;
-  defaults to `localhost:502`. Useful when pointing the suite at a real PLC on
-  the bench.

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusSimulatorFixture.cs

@@ -3,8 +3,9 @@ using System.Net.Sockets;
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
 
 /// <summary>
-///     Reachability probe for a Modbus TCP simulator (ModbusPal or a real PLC). Parses
-///     <c>MODBUS_SIM_ENDPOINT</c> (default <c>localhost:502</c>) and TCP-connects once at
+///     Reachability probe for a Modbus TCP simulator (pymodbus-driven, see
+///     <c>Pymodbus/serve.ps1</c>) or a real PLC. Parses
+///     <c>MODBUS_SIM_ENDPOINT</c> (default <c>localhost:5020</c> per PR 43) and TCP-connects once at
 ///     fixture construction. Each test checks <see cref="SkipReason"/> and calls
 ///     <c>Assert.Skip</c> when the endpoint was unreachable, so a dev box without a running
 ///     simulator still passes `dotnet test` cleanly — matches the Galaxy live-smoke pattern in
@@ -25,7 +26,11 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
 /// </remarks>
 public sealed class ModbusSimulatorFixture : IAsyncDisposable
 {
-    private const string DefaultEndpoint = "localhost:502";
+    // PR 43: default port is 5020 (pymodbus convention) instead of 502 (Modbus standard).
+    // Picking 5020 sidesteps the privileged-port admin requirement on Windows + matches the
+    // port baked into the pymodbus simulator JSON profiles in Pymodbus/. Override with
+    // MODBUS_SIM_ENDPOINT to point at a real PLC on its native port 502.
+    private const string DefaultEndpoint = "localhost:5020";
     private const string EndpointEnvVar = "MODBUS_SIM_ENDPOINT";
 
     public string Host { get; }
@@ -46,13 +51,15 @@ public sealed class ModbusSimulatorFixture : IAsyncDisposable
             if (!task.Wait(TimeSpan.FromSeconds(2)) || !client.Connected)
             {
                 SkipReason = $"Modbus simulator at {Host}:{Port} did not accept a TCP connection within 2s. " +
-                             $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+                             $"Start the pymodbus simulator (Pymodbus\\serve.ps1 -Profile standard) " +
+                             $"or override {EndpointEnvVar}, then re-run.";
             }
         }
         catch (Exception ex)
         {
             SkipReason = $"Modbus simulator at {Host}:{Port} unreachable: {ex.GetType().Name}: {ex.Message}. " +
-                         $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+                         $"Start the pymodbus simulator (Pymodbus\\serve.ps1 -Profile standard) " +
+                             $"or override {EndpointEnvVar}, then re-run.";
         }
     }
 

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/README.md

@@ -0,0 +1,163 @@
+# pymodbus simulator profiles
+
+Two JSON-config profiles for pymodbus's `ModbusSimulatorServer`. Replaces the
+ModbusPal `.xmpp` profiles that lived here in PR 42 — pymodbus is headless,
+maintained, semantic about register layout, and pip-installable on Windows.
+
+| File | What it simulates | Test category |
+|---|---|---|
+| [`standard.json`](standard.json) | Generic Modbus TCP server — HR[0..31] = address-as-value, HR[100] declarative auto-increment via `"action": "increment"`, alternating coils, scratch ranges for write tests. | `Trait=Standard` |
+| [`dl205.json`](dl205.json) | AutomationDirect DirectLOGIC DL205 / DL260 quirks per [`docs/v2/dl205.md`](../../../docs/v2/dl205.md): low-byte-first string packing, CDAB Float32, BCD numerics, V-memory address markers, Y/C coil mappings. Inline `_quirk` comments per register name the behavior. | `Trait=DL205` |
+
+Both bind TCP **5020** (pymodbus convention; sidesteps the Windows admin
+requirement for privileged port 502). The integration-test fixture
+(`ModbusSimulatorFixture`) defaults to `localhost:5020` to match — override
+via `MODBUS_SIM_ENDPOINT` to point at a real PLC on its native port 502.
+
+Run only **one profile at a time** (they share TCP 5020).
+
+## Install
+
+```powershell
+pip install "pymodbus[simulator]==3.13.0"
+```
+
+The `[simulator]` extra pulls in `aiohttp` for the optional web UI / REST API.
+Pinned to 3.13.0 for reproducibility — avoid 4.x dev releases until stabilized.
+Requires Python ≥ 3.10. Windows Firewall will prompt on first bind; allow
+Private network.
+
+## Run
+
+Foreground (Ctrl+C to stop). Use the `serve.ps1` wrapper:
+
+```powershell
+.\serve.ps1 -Profile standard
+.\serve.ps1 -Profile dl205
+```
+
+Or invoke pymodbus directly:
+
+```powershell
+pymodbus.simulator `
+    --modbus_server srv `
+    --modbus_device dev `
+    --json_file .\standard.json `
+    --http_port 8080
+```
+
+Web UI at `http://localhost:8080` lets you inspect + poke registers manually.
+Pass `--no_http` (or `-HttpPort 0` to `serve.ps1`) to disable.
+
+## Run the integration tests
+
+In a separate shell, with the simulator running:
+
+```powershell
+cd C:\Users\dohertj2\Desktop\lmxopcua
+dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests
+```
+
+Tests auto-skip with a clear `SkipReason` if `localhost:5020` isn't reachable
+within 2 seconds. Filter by trait when both profiles' tests coexist:
+
+```powershell
+dotnet test ... --filter "Trait=Standard"
+dotnet test ... --filter "Trait=DL205"
+```
+
+## What's encoded in each profile
+
+### standard.json
+
+- HR[0..31]: each register's value equals its address. Easy mental map.
+- HR[100]: `"action": "increment"` ticks 0..65535 on every register access — drives subscribe-and-receive tests so they have a register that changes without a write.
+- HR[200..209]: scratch range for write-roundtrip tests.
+- Coils[0..31]: alternating on/off (even=on).
+- Coils[100..109]: scratch.
+- All addresses 0..1023 are writable (`"write": [[0, 1023]]`).
+
+### dl205.json (per `docs/v2/dl205.md`)
+
+| HR address | Quirk demonstrated | Raw value | Decoded |
+|---|---|---|---|
+| `0` (V0) | Register 0 is valid (rejects-register-0 rumour disproved) | `51966` (0xCAFE) | marker |
+| `1024` (V2000 octal) | V-memory octal-to-decimal mapping | `8192` (0x2000) | marker |
+| `8448` (V40400 octal) | V40400 → PDU 0x2100 (NOT register 0) | `16448` (0x4040) | marker |
+| `1040..1042` | String "Hello" packed first-char-low-byte | `25928, 27756, 111` | `"Hello"` |
+| `1056..1057` | Float32 1.5f in CDAB word order | `0, 16320` | `1.5f` |
+| `1072` | Decimal 1234 in BCD encoding | `4660` (0x1234) | `1234` |
+| `1280..1407` | 128-register block (FC03 cap = 128 above spec's 125) | first/last/mid markers; rest defaults to 0 | for FC03 cap test |
+
+| Coil address | Quirk demonstrated |
+|---|---|
+| `2048` | Y0 maps to coil 2048 (DL260 layout) |
+| `3072` | C0 maps to coil 3072 (DL260 layout) |
+| `4000..4007` | Scratch C-relay range for write-roundtrip tests |
+
+The DL260 X-input markers (FC02 discrete inputs) **are not encoded separately**
+because the profile uses `shared blocks: true` (matches DL series memory
+model) — coils/DI/HR/IR overlay the same word address space. Tests that
+target FC02 against this profile end up reading the same bit positions as
+the coils they share with.
+
+## What's IN pymodbus that wasn't in ModbusPal
+
+- **All four standard tables** (HR, IR, coils, DI) configurable via `co size` / `di size` / `hr size` / `ir size` setup keys.
+- **Per-register raw uint16 seeding** — `{"addr": 1040, "value": 25928}` puts exactly that 16-bit value on the wire. No interpretation.
+- **Built-in actions**: `increment`, `random`, `timestamp`, `reset`, `uptime` for declarative dynamic registers. No Python script alongside the config required.
+- **Custom actions** — point `--custom_actions_module` at a `.py` file exposing callables to express anything more complex (per-second wall-clock ticks, BCD synthesis, etc.).
+- **Headless** — pure CLI process, no Java, no Swing. Pip-installable. Plays well with CI runners.
+- **Web UI / REST API** — `--http_port 8080` adds an aiohttp server for live inspection. Optional.
+- **Maintained** — current stable 3.13.0 (April 2026), active development on 4.0 dev branch.
+
+## Trade-offs vs the hand-authored ModbusPal profiles
+
+- pymodbus's built-in `float32` type stores in pymodbus's word order; for explicit DL205 CDAB control we seed two raw `uint16` entries instead. Documented inline in `dl205.json`.
+- `increment` action ticks per-access, not wall-clock. A 250ms-poll integration test sees variation either way; for strict 1Hz cadence add `--custom_actions_module my_actions.py` with a `time.time()`-based callable.
+- `dl205.json` uses `shared blocks: true` because it matches DL series memory model; `standard.json` uses `shared blocks: false` so coils and HR address spaces are independent (more like a textbook PLC).
+
+## File format reference
+
+```json
+{
+  "server_list": {
+    "<server-name>": {
+      "comm": "tcp",
+      "host": "0.0.0.0",
+      "port": 5020,
+      "framer": "socket",
+      "device_id": 1
+    }
+  },
+  "device_list": {
+    "<device-name>": {
+      "setup": {
+        "co size": N, "di size": N, "hr size": N, "ir size": N,
+        "shared blocks": false,
+        "type exception": false,
+        "defaults": { "value": {...}, "action": {...} }
+      },
+      "invalid": [],
+      "write": [[<from>, <to>]],
+      "bits":    [{"addr": N, "value": 0|1}],
+      "uint16":  [{"addr": N, "value": <0..65535>, "action"?: "increment", "parameters"?: {...}}],
+      "uint32":  [{"addr": N, "value": <int>}],
+      "float32": [{"addr": N, "value": <float>}],
+      "string":  [{"addr": N, "value": "<text>"}],
+      "repeat":  []
+    }
+  }
+}
+```
+
+The CLI args `--modbus_server <server-name> --modbus_device <device-name>`
+pick which entries the simulator binds.
+
+## References
+
+- [pymodbus on PyPI](https://pypi.org/project/pymodbus/) — install, version pin
+- [Simulator config docs](https://pymodbus.readthedocs.io/en/dev/source/library/simulator/config.html) — full schema reference
+- [Simulator REST API](https://pymodbus.readthedocs.io/en/latest/source/library/simulator/restapi.html) — for the optional web UI
+- [`docs/v2/dl205.md`](../../../docs/v2/dl205.md) — what each DL205 profile entry simulates
+- [`docs/v2/modbus-test-plan.md`](../../../docs/v2/modbus-test-plan.md) — the `DL205_<behavior>` test naming convention

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/dl205.json

@@ -0,0 +1,98 @@
+{
+  "_comment": "DL205.json — AutomationDirect DirectLOGIC DL205/DL260 quirk simulator. Models each behavior in docs/v2/dl205.md as concrete register values so DL205_<behavior> integration tests can assert against this profile WITHOUT a live PLC. Loaded by `pymodbus.simulator`. See ../README.md. Per-quirk address layout matches the table in dl205.md exactly. `shared blocks: true` matches DL series behavior — coils/HR overlay the same word address space (a Y-output is both a discrete bit AND part of a system V-memory register).",
+
+  "server_list": {
+    "srv": {
+      "comm": "tcp",
+      "host": "0.0.0.0",
+      "port": 5020,
+      "framer": "socket",
+      "device_id": 1
+    }
+  },
+
+  "device_list": {
+    "dev": {
+      "setup": {
+        "co size":    16384,
+        "di size":     8192,
+        "hr size":    16384,
+        "ir size":     1024,
+        "shared blocks": true,
+        "type exception": false,
+        "defaults": {
+          "value":  {"bits": 0, "uint16": 0, "uint32": 0, "float32": 0.0, "string": " "},
+          "action": {"bits": null, "uint16": null, "uint32": null, "float32": null, "string": null}
+        }
+      },
+      "invalid": [],
+      "write": [
+        [0, 16383]
+      ],
+
+      "_comment_uint16": "Holding-register seeds. Every quirky value is a raw uint16 with the byte math worked out in dl205.md so the simulator serves it verbatim — pymodbus does NOT decode strings, BCD, or float-CDAB on its own; that's the driver's job.",
+
+      "uint16": [
+        {"_quirk": "V0 marker. HR[0] = 0xCAFE proves register 0 is valid on DL205/DL260 (rejects-register-0 was a DL05/DL06 relative-mode artefact). 0xCAFE = 51966.",
+         "addr": 0,    "value": 51966},
+
+        {"_quirk": "V2000 marker. V2000 octal = decimal 1024 = PDU 0x0400. Marker 0x2000 = 8192.",
+         "addr": 1024, "value": 8192},
+
+        {"_quirk": "V40400 marker. V40400 octal = decimal 8448 = PDU 0x2100 (NOT register 0). Marker 0x4040 = 16448.",
+         "addr": 8448, "value": 16448},
+
+        {"_quirk": "String 'Hello' first char in LOW byte. HR[0x410] = 'H'(0x48) lo + 'e'(0x65) hi = 0x6548 = 25928.",
+         "addr": 1040, "value": 25928},
+        {"_quirk": "String 'Hello' second char-pair: 'l'(0x6C) lo + 'l'(0x6C) hi = 0x6C6C = 27756.",
+         "addr": 1041, "value": 27756},
+        {"_quirk": "String 'Hello' third char-pair: 'o'(0x6F) lo + null(0x00) hi = 0x006F = 111.",
+         "addr": 1042, "value": 111},
+
+        {"_quirk": "Float32 1.5f in CDAB word order. IEEE 754 1.5 = 0x3FC00000. CDAB = low word first: HR[0x420]=0x0000, HR[0x421]=0x3FC0=16320.",
+         "addr": 1056, "value": 0},
+        {"_quirk": "Float32 1.5f CDAB high word.",
+         "addr": 1057, "value": 16320},
+
+        {"_quirk": "BCD register. Decimal 1234 stored as BCD nibbles 0x1234 = 4660. NOT binary 1234 (= 0x04D2).",
+         "addr": 1072, "value": 4660},
+
+        {"_quirk": "FC03 cap test. Real DL205/DL260 FC03 caps at 128 registers (above spec's 125). HR[1280..1407] is 128 contiguous registers; rest of block defaults to 0.",
+         "addr": 1280, "value": 0},
+        {"addr": 1281, "value": 1},
+        {"addr": 1282, "value": 2},
+        {"addr": 1343, "value": 63,  "_marker": "FC03Block_mid"},
+        {"addr": 1407, "value": 127, "_marker": "FC03Block_last"}
+      ],
+
+      "_comment_bits": "Coils — Y outputs at 2048+, C relays at 3072+, scratch C at 4000-4007 for write tests. DL260 X inputs would be at discrete-input addresses 0..511 but pymodbus's shared-blocks mode + same-table-as-coils means those would conflict with HR seeds; FC02 tests against this profile use a separate discrete-input block instead — that's why `di size` is large but the X-input markers live in `bits` only when `shared blocks=false`. Document trade-off in README.",
+
+      "bits": [
+        {"_quirk": "Y0 marker. DL260 maps Y0 to coil 2048 (0-based). Coil 2048 = ON proves the mapping.",
+         "addr": 2048, "value": 1},
+        {"addr": 2049, "value": 0},
+        {"addr": 2050, "value": 1},
+
+        {"_quirk": "C0 marker. DL260 maps C0 to coil 3072 (0-based). Coil 3072 = ON proves the mapping.",
+         "addr": 3072, "value": 1},
+        {"addr": 3073, "value": 0},
+        {"addr": 3074, "value": 1},
+
+        {"_quirk": "Scratch C-relays for write-roundtrip tests against the writable C range.",
+         "addr": 4000, "value": 0},
+        {"addr": 4001, "value": 0},
+        {"addr": 4002, "value": 0},
+        {"addr": 4003, "value": 0},
+        {"addr": 4004, "value": 0},
+        {"addr": 4005, "value": 0},
+        {"addr": 4006, "value": 0},
+        {"addr": 4007, "value": 0}
+      ],
+
+      "uint32":  [],
+      "float32": [],
+      "string":  [],
+      "repeat":  []
+    }
+  }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/serve.ps1

@@ -0,0 +1,60 @@
+<#
+.SYNOPSIS
+    Launches the pymodbus simulator with one of the integration-test profiles
+    (Standard or DL205). Foreground process — Ctrl+C to stop.
+
+.PARAMETER Profile
+    Which simulator profile to run: 'standard' or 'dl205'. Both bind TCP 5020 by
+    default so they can't run simultaneously on the same box.
+
+.PARAMETER HttpPort
+    Port for pymodbus's optional web UI / REST API. Default 8080. Pass 0 to
+    disable (passes --no_http).
+
+.EXAMPLE
+    .\serve.ps1 -Profile standard
+    Starts the standard server on TCP 5020 with web UI on 8080.
+
+.EXAMPLE
+    .\serve.ps1 -Profile dl205 -HttpPort 0
+    Starts the DL205 server on TCP 5020, no web UI.
+#>
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory)] [ValidateSet('standard', 'dl205')] [string]$Profile,
+    [int]$HttpPort = 8080
+)
+
+$ErrorActionPreference = 'Stop'
+$here = $PSScriptRoot
+
+# Confirm pymodbus.simulator is on PATH — clearer message than the
+# 'CommandNotFoundException' dotnet style.
+$cmd = Get-Command pymodbus.simulator -ErrorAction SilentlyContinue
+if (-not $cmd) {
+    Write-Error "pymodbus.simulator not found. Install with: pip install 'pymodbus[simulator]==3.13.0'"
+    exit 1
+}
+
+$jsonFile = Join-Path $here "$Profile.json"
+if (-not (Test-Path $jsonFile)) {
+    Write-Error "Profile config not found: $jsonFile"
+    exit 1
+}
+
+$args = @(
+    '--modbus_server', 'srv',
+    '--modbus_device', 'dev',
+    '--json_file',     $jsonFile
+)
+
+if ($HttpPort -gt 0) {
+    $args += @('--http_port', $HttpPort)
+    Write-Host "Web UI will be at http://localhost:$HttpPort"
+} else {
+    $args += '--no_http'
+}
+
+Write-Host "Starting pymodbus simulator: profile=$Profile  TCP=localhost:5020"
+Write-Host "Ctrl+C to stop."
+& pymodbus.simulator @args

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/Pymodbus/standard.json

@@ -0,0 +1,81 @@
+{
+  "_comment": "Standard.json — generic Modbus TCP server for the integration suite. Loaded by `pymodbus.simulator`. See ../README.md for the launch command. Holding registers 0..31 are seeded with their address as value (HR[5]=5) for easy mental-map diagnostics. HR[100] auto-increments via pymodbus's built-in `increment` action so subscribe-and-receive integration tests have a register that ticks without a write. HR[200..209] is a scratch range left at 0 for write-roundtrip tests. Coils 0..31 alternate on/off (even=on); coils 100..109 scratch.",
+
+  "server_list": {
+    "srv": {
+      "comm": "tcp",
+      "host": "0.0.0.0",
+      "port": 5020,
+      "framer": "socket",
+      "device_id": 1
+    }
+  },
+
+  "device_list": {
+    "dev": {
+      "setup": {
+        "co size": 1024,
+        "di size": 1024,
+        "hr size": 1024,
+        "ir size": 1024,
+        "shared blocks": false,
+        "type exception": false,
+        "defaults": {
+          "value":  {"bits": 0, "uint16": 0, "uint32": 0, "float32": 0.0, "string": " "},
+          "action": {"bits": null, "uint16": null, "uint32": null, "float32": null, "string": null}
+        }
+      },
+      "invalid": [],
+      "write": [
+        [0, 1023]
+      ],
+
+      "bits": [
+        {"addr": 0,  "value": 1}, {"addr": 1,  "value": 0},
+        {"addr": 2,  "value": 1}, {"addr": 3,  "value": 0},
+        {"addr": 4,  "value": 1}, {"addr": 5,  "value": 0},
+        {"addr": 6,  "value": 1}, {"addr": 7,  "value": 0},
+        {"addr": 8,  "value": 1}, {"addr": 9,  "value": 0},
+        {"addr": 10, "value": 1}, {"addr": 11, "value": 0},
+        {"addr": 12, "value": 1}, {"addr": 13, "value": 0},
+        {"addr": 14, "value": 1}, {"addr": 15, "value": 0},
+        {"addr": 16, "value": 1}, {"addr": 17, "value": 0},
+        {"addr": 18, "value": 1}, {"addr": 19, "value": 0},
+        {"addr": 20, "value": 1}, {"addr": 21, "value": 0},
+        {"addr": 22, "value": 1}, {"addr": 23, "value": 0},
+        {"addr": 24, "value": 1}, {"addr": 25, "value": 0},
+        {"addr": 26, "value": 1}, {"addr": 27, "value": 0},
+        {"addr": 28, "value": 1}, {"addr": 29, "value": 0},
+        {"addr": 30, "value": 1}, {"addr": 31, "value": 0}
+      ],
+
+      "uint16": [
+        {"addr":  0, "value":  0}, {"addr":  1, "value":  1},
+        {"addr":  2, "value":  2}, {"addr":  3, "value":  3},
+        {"addr":  4, "value":  4}, {"addr":  5, "value":  5},
+        {"addr":  6, "value":  6}, {"addr":  7, "value":  7},
+        {"addr":  8, "value":  8}, {"addr":  9, "value":  9},
+        {"addr": 10, "value": 10}, {"addr": 11, "value": 11},
+        {"addr": 12, "value": 12}, {"addr": 13, "value": 13},
+        {"addr": 14, "value": 14}, {"addr": 15, "value": 15},
+        {"addr": 16, "value": 16}, {"addr": 17, "value": 17},
+        {"addr": 18, "value": 18}, {"addr": 19, "value": 19},
+        {"addr": 20, "value": 20}, {"addr": 21, "value": 21},
+        {"addr": 22, "value": 22}, {"addr": 23, "value": 23},
+        {"addr": 24, "value": 24}, {"addr": 25, "value": 25},
+        {"addr": 26, "value": 26}, {"addr": 27, "value": 27},
+        {"addr": 28, "value": 28}, {"addr": 29, "value": 29},
+        {"addr": 30, "value": 30}, {"addr": 31, "value": 31},
+
+        {"addr": 100, "value": 0,
+         "action": "increment",
+         "parameters": {"minval": 0, "maxval": 65535}}
+      ],
+
+      "uint32":  [],
+      "float32": [],
+      "string":  [],
+      "repeat":  []
+    }
+  }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj

@@ -24,7 +24,7 @@
     </ItemGroup>
 
     <ItemGroup>
-        <None Update="ModbusPal\**\*" CopyToOutputDirectory="PreserveNewest"/>
+        <None Update="Pymodbus\**\*" CopyToOutputDirectory="PreserveNewest"/>
         <None Update="DL205\**\*" CopyToOutputDirectory="PreserveNewest"/>
     </ItemGroup>