jeskudero

CIP betwen CJ2M and NS8 HMI

20 posts in this topic

Hello

I'm quit new in this world and i have several doubts about the comunication of EIP. I'm trying to capture the comunication betwen a CJ2M and an NS8 HMI.

I was trying with MolexEIPtool, so i could understand better the communication process and i did a little. Here is the wireshark capture of an get all attributes request: CIP_Molex_tool.pcapng  (The last two packets are  another unconnected request).

I can see the request for list services, the register sesion request and the Forward open request. Then, i can see the request for service "get_attributes_all" and how the cj2m responses with all the attributes. Finally, the forward close request.

But when i put my computer betwen the two devices, i cant figure it out what is happening. Here is the capture: CIP_OMRON.pcapng

I can see that the packets are "SendUnitData", so i think it is a connected transmision, but wireshark cant decode the rest of the frame, so i dont know whats going on.

Thanks

Share this post


Link to post
Share on other sites

Do you know the communications are set to EtherNet/IP?

It may be set to FINS protocol.

Share this post


Link to post
Share on other sites

I supose so. I was trying with indusoft web studio (SCADA software), and betwen those two the comunication is on FINS ( udp ), here is the proof:

fins.png.173ce7556711df5a9eab9daf1925ae6

Indusoft_FINS.pcapng

The thing is, betwen the CJ2M and NS i guess the comunication is on EIP (the packets are TCP), but wireshark does not know how to decode it?? When i did the same with Molex EIPTool it knows how to do it.

I dont understand really whats going on.

Edited by jeskudero

Share this post


Link to post
Share on other sites

Omron NS-Series HMI can supports both FINS and EIP protocol, depending on which is selected during program design of the HMI.
 

Seeing the packets between CJ and NS in your capture, it uses Omron specific Class ID and Service Code (I see 0x54 there) which is non-standard EIP Packet. That's why Wireshark cannot decode it since the resulting packet is unique to Omron. 0x54 I believe is about finding list of available Network Variables. I cannot say for sure though, since this specific packets are not listed anywhere on any Omron manuals.

Did your NS and CJ already connecting? I mean like can you read any value of a memory inside the CJ from the NS screen? Because I believe if you already reading at least on memory, it will show different Service Codes, like 1C, 1D, 1E, 1F, depending on what kind of data you are reading.

 

I suppose you are trying to replicate CIP Protocol that NS uses to communicate with CJ PLC?

Edited by innoaloe
1 person likes this

Share this post


Link to post
Share on other sites

Yes, the PLC and the HMI are connected and they communicate perfect. It reads values from the memory and show those in the screen.

Yes i want to replicate the the traffic betwen the PLC and the HMI, and identify the values read from de PLC.

I'm trying to find any manual from Omron to know about the special codes, but i didn't find anything yet.

Share this post


Link to post
Share on other sites
17 hours ago, jeskudero said:

Yes, the PLC and the HMI are connected and they communicate perfect. It reads values from the memory and show those in the screen.

Yes i want to replicate the the traffic betwen the PLC and the HMI, and identify the values read from de PLC.

I'm trying to find any manual from Omron to know about the special codes, but i didn't find anything yet.

Your best bet is with Manual number W465-E1 which is manual for Omron CS/CJ Ethernet/IP Master Units. It should be available in most Omron websites as long as you have a user account (which is free, try the industrial.omron.eu since you're in Spain).

From this manual go to Section 9 then 9-2-1 where you can find list of PLC Object Services. This basically lists all CIP Service Code that you can use to read/write memory of a certain type. The manual itself covers about how you would interpret the message using PLC Program, but you can use it as a base to generate your own CIP Package.

My suggestion is to use Molex CIP Tool first using the UCCM type communication to test these Service Codes

Share this post


Link to post
Share on other sites

OK, thanks innoale, i will try with the manual and see what can i do.

Share this post


Link to post
Share on other sites

Hello

I'm comming with another issue. I'm stiil working in my problem but this time i have another one.

When i connect my cj2m to cx-programmer, i cant undestand anything. Its a FINS communication or EIP? wireshark cant decode nothing. But cx-programmer works perfect.

I don't understand nothing....

CX-PROGRAMMER.pcapng

Share this post


Link to post
Share on other sites

Try this manual

W342 Communications Command Reference

Communication type will depend on how you setup the Network Type in CX-Programmer.

I do not know for certain, but Ethernet/IP setting MAY be FINS commands in an E/IP message.

Good Luck.

Share this post


Link to post
Share on other sites
20 hours ago, jeskudero said:

Hello

I'm comming with another issue. I'm stiil working in my problem but this time i have another one.

When i connect my cj2m to cx-programmer, i cant undestand anything. Its a FINS communication or EIP? wireshark cant decode nothing. But cx-programmer works perfect.

I don't understand nothing....

CX-PROGRAMMER.pcapng

All Omron PLC that supports EIP also supports FINS protocol (Omron dedicated protocol, which @gtsuport mentioned about the manual above).

Looking at your Wireshark capture, it is definitely FINS. No CIP protocol being used at all.

If you want to see how CX-Programmer communicates through CIP, don't use the Auto Online button when connecting to the PLC. Instead, use the Ethernet/IP Node Online button. It is to the second button to the right of the Auto Online button. Alternatively you can right-click on the PLC Name, click Change, then set the Network type to Ethernet/IP.

If anything, instead of using CIP, I will encourage you to use FINS instead since it is easier to be implemented. There are also lots of available examples of FINS Implementation using DotNet or other language in the Downloads section on this forum, mine for instance : http://forums.mrplc.com/index.php?/files/file/1034-omron-simple-hmi_finsudp/

Share this post


Link to post
Share on other sites

I think @jeskudero is snooping the packet, just to learn more about EtherNet/IP (If I am reading this correctly). 

Summarizing some things that have been stated above and adding a little:  When using Explicit Messaging within EtherNet/IP, vendors have the flexibility to encapsulate whatever format they choose into a packet.  For instance AB, uses something called PCCC (Programmable Controller Communication Commands) between some of their products when using EIP Explicit Messaging.  Omron has chosen to use FINS commands within the EtherNet/IP packet.  Basically the NS asks the PLC for Addresses for each of the Tags and then uses those addresses within a FINS command in an EIP Explicit Message.  As stated above, if you are trying to understand EIP, this is not the best thing to snoop.  Look at Implicit communications between two devices (a PLC to an I/O module for example) to understand better.  

Share this post


Link to post
Share on other sites

Thast rigth Michael Walsh, i want to learn more about comunication in this PLC enviroment.

How can i take a closer look of an implicit comunication with my equipement? I have an educational sample of SMC called ITS-200 (https://www.smctraining.com/webpage/indexpage/197/C1527706618), and it has 3 CJ2M with a NS series HMI, and the I/O modules are directly conected to de PLCs body or rack . Samplel photos (https://www.smctraining.com/es/webpage/indexpage/199).

Edited by jeskudero

Share this post


Link to post
Share on other sites

@innoaloe, i am trying to connect cx-programmer to the PLC as you said, but it gives me an error:

error.png.ec7e67b4d8c598163f5eb2ff2ce1ef

It says that with the "examinar" button i can analyze the network for searching, but i read that with  static IP (i have static IP for the 3 PLC) it doesnt work.

When i try to connect as a CP1L it let me:

ok.png.3a334d2cd5739dd2598cf26a4b80c904.

Whats the diference betwen this two methods?

Edited by jeskudero

Share this post


Link to post
Share on other sites

I am assuming your PLC is CJ2M-CPU3[] something?

Try to click on Browse (Examinar in your case) before connecting. At times you'll be asked to select the Network Adapter first. Maybe it is set default to your Wireless.

The CP1L Node Online basically connects to CX-Programmer via FINS protocol. Not Ethernet/IP

Share this post


Link to post
Share on other sites

Ok, i found the problem, i was working in an XP machine as a user without administrators rights, and the browse options didnt work, i tried it with admin user and it could see the PLCs list, and i can connect.

Resuming a little bit, when I connect via CP1L it does with FINS protocol ( i tough this protocol worked with UDP), and with EIP node online it does with Ethernet/IP protocol.

When the CJ2M communicates with NS HMI, it does with Ethernet/IP but encapsulating with specific FINS commands for omron?

Thanks a lot, you are helping me so much!

Share this post


Link to post
Share on other sites
1 hour ago, jeskudero said:

Resuming a little bit, when I connect via CP1L it does with FINS protocol ( i tough this protocol worked with UDP), and with EIP node online it does with Ethernet/IP protocol.

Correct. Actually the CP1L method is intended for connection with CP1L-E Series PLC which doesn't have USB Port but have an Ethernet Port which doesn't support Ethernet/IP. But since all Omron PLC supports FINS anyway, you can connect to CJ2M via that method also.

1 hour ago, jeskudero said:

When the CJ2M communicates with NS HMI, it does with Ethernet/IP but encapsulating with specific FINS commands for omron?

It's the other way around actually. The FINS Protocol is encapsulated by the Ethernet/IP Protocol. Actually NS also can be configured to talk with the PLC via FINS only without the Ethernet/IP function.

 

I took another reading at the CIP_OMRON file you attached in the first post, and I think what you are seeing is not packet data between NS and the CJ2M PLC. Instead, it is a packet between your PC with CX-Programmer with your PLC via Ethernet/IP.

If you are using a Network Switch, Wireshark will not be able to read the transmissions between NS and CJ since a switch won't broadcast the data packets to all connected device, only to the targeted one. You may have a better luck if you are using Network Hub instead which just throws away packets everywhere, or if you have a Managed Switch it's usually possible to forward packets to another port or even broadcast it.


Since you are learning it (and I'm in a good mood during Chineese new year :D), I just put another note to let you know what's happening actually if you are connecting NS to CJ PLC via Ethernet/IP. You might able to observe this activity if you have a Hub or Managed Switch as I mentioned above. Basically all of this happens using Explicit Messaging. NS doesn't use Implicit Messaging as you've mentioned above. You can compare the jargons here with EtherNet/IP Manual Book.

  1. When the connection is started (Ethernet cable connected for the first time, or power on for the first time) NS throw "List Services" Request using UCMM
  2. Should the PLC supports Ethernet/IP Explicit Message, it will reply with "Communications" Response.
  3. NS then will send RegisterSession Request using UCMM
  4. PLC will reply with a lot of things, but SessionHandle is the most important one since it must be used by NS in the all following communications
  5. NS will then send a "Large Forward Open" Request using Class3. This is where NS and PLC establishes a memory mapping between them
  6. PLC will return quite a lot of things such but the most important is Originator-->Target NetworkID which is basically a memory map identifier to be used by the NS in the next operations
  7. From this point on, NS an CJ can communicate cyclically by the interval sets on the RPI parameter (this is to be set during Large Forward Open request. Basically a data refresh rate)
  8. Cyclically NS will throw "SendUnitData" Request to the PLC to either Read or Write data on PLC Memory. This is where the FINS Command is encapsulated. You will also not able to decode it via Wireshark since the Service Code and ClassID used are Vendor-specific value to Omron. But if you managed to sniff the packet, you can see the FINS Command at the very end of the line.

Also, if you managed to get SysmacGateway software, you can use it as a PLC Memory Emulator in your PC, which also support Ethernet/IP. This way, you can connect NS HMI to your PC instead of actual PLC and sniff the data via Wireshark easily.


 

Edited by innoaloe

Share this post


Link to post
Share on other sites
16 minutes ago, innoaloe said:

I took another reading at the CIP_OMRON file you attached in the first post, and I think what you are seeing is not packet data between NS and the CJ2M PLC. Instead, it is a packet between your PC with CX-Programmer with your PLC via Ethernet/IP.

If you are using a Network Switch, Wireshark will not be able to read the transmissions between NS and CJ since a switch won't broadcast the data packets to all connected device, only to the targeted one. You may have a better luck if you are using Network Hub instead which just throws away packets everywhere, or if you have a Managed Switch it's usually possible to forward packets to another port or even broadcast it.

I'm performing a MiTM attacks, so i can put myself betwen the PLC and the HMI. Thats not the problem.

19 minutes ago, innoaloe said:
  • When the connection is started (Ethernet cable connected for the first time, or power on for the first time) NS throw "List Services" Request using UCMM
  • Should the PLC supports Ethernet/IP Explicit Message, it will reply with "Communications" Response.
  • NS then will send RegisterSession Request using UCMM
  • PLC will reply with a lot of things, but SessionHandle is the most important one, to be used by NS in the next communications
  • NS will then send a "Large Forward Open" Request using Class3. This is where NS and PLC establishes a memory mapping between them
  • PLC will return quite a lot of things such but the most important is Originator-->Target NetworkID which is basically a memory map identifier to be used by the NS in the next operation
  • From this point on, NS an CJ can communicate cyclically by the interval sets on the RPI parameter (this is to be set during Large Forward Open request. Basically a data refresh rate)
  • Cyclically NS will throw "SendUnitData" Request to the PLC to either Read or Write data on PLC Memory. This is where the FINS Command is encapsulated. You will also not able to decode it via Wireshark since the Service Code and ClassID used are Vendor-specific value to Omron. But if you managed to sniff the packet, you can see the FINS Command at the very end of the line.

i have understood this procces, I could see how it worked with MolexEIP Tool. The big problems is the 8th point, i'm always seeing "SendUnitData" (requests and responses) frames but i cant undestand the FINS commands encapsulated inside.

Share this post


Link to post
Share on other sites
3 hours ago, jeskudero said:

i have understood this procces, I could see how it worked with MolexEIP Tool. The big problems is the 8th point, i'm always seeing "SendUnitData" (requests and responses) frames but i cant undestand the FINS commands encapsulated inside.

Awesome! Then back to your Wireshark capture, you can try to look at the CIP Requests which sends out 372 bytes.
On the very last part there is CIP Class Generic/Command Specific Data. Those are the FINS Commands, although I must say it's kinda differ from it's usual format that is commonly used based on the W342 manual. It doesn't implement MRC/SRC part anywhere... just memory address that it wants to capture

See the Txt file here on some notes that I put. You can compare it later with manual W342
FINSData.txt

 

Share this post


Link to post
Share on other sites

Hello @innoaloe, i can see it better now. I can see the five DM memory request that i was searching, and i supose all the other memory addreses that the NS is requesting.

Where can i get a manual to identify the b0 -> CIO, 82-> DM, ....??     I Found them in the manual W342!

CIP_reques.png.109d83076fb13c81ed3225762

Additionally, i wrote to omron and they say me that the codes 0x54 and 0x4a that i see in the captures are not from them.

Thank you again.

Edited by jeskudero

Share this post


Link to post
Share on other sites

@jeskudero as some mentioned on the posts above, go look into W342 manual. You will find it on FINS command section
NVM... saw you have edited your post above ;-)

Edited by innoaloe

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now