1. Register values can be written and read (byte, word and double word);
2. Components (V, M, S, Q and I) can be set and reset;
3. The on/off status of components (V, M, S, Q and I) can be read;
4. PLC run and stop can be controlled.
A version of the PPI protocol has been published on the Internet and is widely circulated; although that protocol description is incorrect, the underlying idea is right.
There are several ways for Siemens S7-200 PLCs to communicate with each other or with a PC: Freeport, PPI, MPI and PROFIBUS. With Freeport programming, data communication programs must be written on both the host computer and the PLC. With the PPI protocol, the PLC needs no programming and all of its data areas can be read and written, which is fast and convenient. However, Siemens has not published the format of the PPI protocol. Anyone who wants to monitor a PLC over PPI must purchase monitoring products or third-party configuration software, which makes independent development difficult; in particular, self-developed field equipment cannot access the PLC through the PPI protocol. Programming with the other communication methods is also complicated and requires purchasing software and a license [1]. By monitoring and analysing the data, we have determined the key message formats of the PPI protocol, which can be used for communication between a host computer or field equipment and the S7-200 CPU.
2. Analysis Method
Siemens STEP 7-Micro/WIN32 is the development tool for the S7-200 series PLC. It uses a COM port on the PC, connected through a PC/PPI programming cable to the PLC's programming port. So the PC can communicate with the S7-200 CPU through the serial port; only the communication protocol is unknown. By intercepting the data sent and received on the PC's serial port, we can analyse the packets and communication sequence belonging to each command issued by STEP 7, then send those messages to the PLC directly through the serial port to verify that they are correct. We obtained the packets with the following steps.
First, build a serial port splitter: the RX and TX of COM1 are cross-wired to the TX and RX of COM2, so that COM2 receives what COM1 sends. The PC/PPI programming cable is connected to COM1, so messages sent from STEP 7-Micro/WIN32 to the PLC can be received on COM2. Both serial ports are set to the same parameters according to the S7-200 System Manual: 9600 baud, 8 data bits, even parity, 1 stop bit. STEP 7 is then configured so that it communicates with the S7-200 CPU. When a clear command is issued from STEP 7, the monitoring software on COM2 displays the resulting packet (in hexadecimal). By comparison with the PROFIBUS standard [2] we can identify the key packets. This method is more direct and complete than using the NETR and NETW instructions in the PLC [3].
3. PPI Protocol Analysis
The PC and the PLC communicate in master-slave mode. The PC sends a read or write command in the format below; when the PLC has received it correctly it returns a response (E5H or F9H). On receiving this response the host sends an acknowledgement (10 02 5C 5E 16), after which the PLC returns the requested data to the host.
SD LE LER SD DA SA FC DSAP SSAP DU FCS ED
SD: start delimiter (68H)
LE, LER: length (from DA to DU), sent twice
DA: destination address
SA: source address
FC: function code (6CH)
DSAP: destination service access point
SSAP: source service access point
DU: data unit
FCS: frame checksum
ED: end delimiter (16H)
3.1 Read Command Analysis
Reading one data item at a time
For a single data item, the read command is 33 bytes. Bytes 0-21 are the same for every such command:
68 1B 1B 68 02 00 6C 32 01 00 00 00 00 0e 00 04 01 12 0a 10
Because this is a command from the PC to read PLC data, SA = 00 and DA = 02; with several stations, DA is changed to the station number concerned. In the read command the length from DA to DU is 1B, i.e. 27 bytes. From byte 22 on, the contents depend on the type and location of the data being read. Table 1 gives bytes 22-32 of the read commands for different memory areas.
Table 1: bytes 22-32 of the read commands

Byte:        22 23 24 25 26 27 28 29 30 31 32
Meaning:     length (22), count (24), memory type (26-27), offset (28-30), FCS (31), ED (32)
Read Q0.0    01 00 01 00 00 82 00 00 00 64 16
Read M0.0    01 00 01 00 00 83 00 00 00 65 16
Read M0.1    01 00 01 00 00 83 00 00 01 66 16
Read SMB34   02 00 01 00 00 05 00 01 10 F9 16
Read VB100   02 00 01 00 01 84 00 03 20 8B 16
Read VW100   04 00 01 00 01 84 00 03 20 8D 16
Read VD100   06 00 01 00 01 84 00 03 20 8F 16
Read I0.5    01 00 01 00 00 81 00 00 05 68 16
Read I0.7    01 00 01 00 00 81 00 00 07 6A 16
The following can be read from the table:
Byte 22: length of the data to read. 01: 1 bit, 02: 1 byte, 04: 1 word, 06: 1 double word.
Byte 24: number of items, here 01 (see the multiple-item case below).
Byte 26: memory type, high byte. 01: V memory, 00: all others.
Byte 27: memory type. 04: S, 05: SM, 06: AI, 07: AQ, 1E: C, 1F: T, 81: I, 82: Q, 83: M, 84: V.
Bytes 28-30: memory offset pointer (memory address x 8). For example, VB100 has memory address 100, so the offset pointer is 800, or 320H, and bytes 28-30 are 00 03 20.
Byte 31: checksum. As noted above, it is (DA + SA + DSAP + SSAP + DU) mod 256.
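As an added example (not code from the article), the following Python builds the single-item read request of section 3.1, verifies a captured frame's envelope and FCS, and decodes the item fields. The 22-byte header it uses follows the standard S7 PDU layout, with two zero bytes more than the listing above; that layout is an assumption, and with it the FCS values reproduce every row of Table 1, which works out only when every byte from DA through the end of DU (FC included) is summed.

```python
MEMORY_AREAS = {0x04: "S", 0x05: "SM", 0x06: "AI", 0x07: "AQ", 0x1E: "C",
                0x1F: "T", 0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "V"}
SIZE_CODES = {0x01: "bit", 0x02: "byte", 0x04: "word", 0x06: "dword"}
# Frame bytes 7-21: S7 PDU header plus the read-parameter prefix. The standard
# S7 header layout (two more 00 bytes than the article's listing) is an assumption.
S7_READ_PREFIX = bytes.fromhex("32 01 00 00 00 00 00 0E 00 00 04 01 12 0A 10")

def fcs(body: bytes) -> int:
    """FCS (byte 31 of a read): sum of every byte from DA through the end of DU, mod 256."""
    return sum(body) & 0xFF

def build_read_request(da: int, area: str, size: str, addr: int, bit: int = 0) -> bytes:
    """Build the 33-byte single-item read: SD LE LER SD | DA SA FC | PDU | item | FCS ED."""
    area_code = {v: k for k, v in MEMORY_AREAS.items()}[area]
    size_code = {v: k for k, v in SIZE_CODES.items()}[size]
    offset = addr * 8 + bit                          # bytes 28-30: memory address * 8
    item = bytes([size_code, 0x00, 0x01, 0x00,       # byte 22 size, byte 24 count = 1
                  0x01 if area == "V" else 0x00,     # byte 26: 01 for V memory, else 00
                  area_code]) + offset.to_bytes(3, "big")
    body = bytes([da, 0x00, 0x6C]) + S7_READ_PREFIX + item   # DA, SA = 00, FC = 6C
    return bytes([0x68, len(body), len(body), 0x68]) + body + bytes([fcs(body), 0x16])

def parse_ppi_frame(frame: bytes) -> bytes:
    """Check the 68 LE LER 68 ... FCS 16 envelope and return the DA..DU body."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[3] != 0x68 or frame[-1] != 0x16:
        raise ValueError("not a PPI frame: expected 68 LE LER 68 ... 16")
    le, ler = frame[1], frame[2]
    if le != ler or len(frame) != le + 6:
        raise ValueError(f"length bytes {le:02X}/{ler:02X} disagree with frame size {len(frame)}")
    body = frame[4:-2]
    if fcs(body) != frame[-2]:
        raise ValueError(f"bad FCS: computed {fcs(body):02X}, frame carries {frame[-2]:02X}")
    return body

def decode_read_request(frame: bytes) -> dict:
    """Decode byte 22 (size), 24 (count), 27 (area) and 28-30 (offset) of a single read."""
    body = parse_ppi_frame(frame)
    if len(frame) != 33 or body[2] != 0x6C:
        raise ValueError("not a 33-byte single-item read request")
    size, count, area = SIZE_CODES[frame[22]], frame[24], MEMORY_AREAS[frame[27]]
    byte_addr, bit = divmod(int.from_bytes(frame[28:31], "big"), 8)
    name = f"{area}{byte_addr}.{bit}" if size == "bit" else f"{area}{byte_addr}"
    return {"da": body[0], "sa": body[1], "size": size, "count": count, "address": name}
# Constructed sample: the article's "Read i0.5" row (bytes 22-32) behind the assumed header.
READ_I0_5 = bytes.fromhex("68 1B 1B 68 02 00 6C") + S7_READ_PREFIX + bytes.fromhex(
    "01 00 01 00 00 81 00 00 05 68 16")
if __name__ == "__main__":
    print(build_read_request(0x02, "V", "word", 100).hex(" ").upper())  # ends ... 84 00 03 20 8D 16
    print(decode_read_request(READ_I0_5))                               # {'da': 2, ..., 'address': 'I0.5'}
```

The tail of the built VW100 request (04 00 01 00 01 84 00 03 20 8D 16) and the SMB34 checksum F9 both match Table 1, which is the check a practitioner should run before trusting any reconstructed header.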
Reading multiple data items at a time
When several items are read at a time, the first 22 bytes are similar to the above, but LE, LER and byte 14 differ:
Byte 14 gives the number of bytes occupied by the data blocks: 4 + (number of data blocks x 10). For one item this is 4 + 10 = 0E(H); for three different data blocks it is 4 + 3 x 10 = 22(H).
Byte 22 is always 02 (byte).
Byte 24 is the number of bytes read consecutively. For example, reading two VD values gives byte 24 = 8.
Bytes 19-30 describe one item in the format of the single read above,
bytes 31-42 describe the next item in the same format.
As before, at most 222 bytes of data can be read at a time.
3.2 Write Command Analysis
One data item is written at a time. For a double word the write command is 40 bytes; for the other types it is 38 bytes.
For double word data, bytes 0-21 are:
68 23 23 68 02 00 6C 32 01 00 00 00 00 0e 00 04 01 12 0a 10
For the other data types, bytes 0-21 are (only the length bytes differ from the above):
68 21 21 68 02 00 6C 32 01 00 00 00 00 0e 00 04 01 12 0a 10
From byte 22 on, the value and location of the data to be written vary. Table 2 gives bytes 22-40 of several write commands.
Table 2: bytes 22-40 of the write commands

Byte:        22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
Meaning:     length (22), count (24), type (26-27), offset (28-30), bit (31-34), value (35-36), FCS (37), ED (38)
M0.0 = 1     01 00 01 00 00 83 00 00 00 00 03 00 01 01 00 71 16
M0.0 = 0     01 00 01 00 00 83 00 00 00 00 03 00 01 00 00 70 16
M0.1 = 1     01 00 01 00 00 83 00 00 01 00 03 00 01 01 00 72 16
VB100 = 10   02 00 01 00 01 84 00 03 20 00 04 00 08 10 00 AE 16
VB100 = FF   02 00 01 00 01 84 00 03 20 00 04 00