jeskudero

Posts posted by jeskudero


  1. Thanks @gclshortt for your answer, I didn't know this Omron library, I will give it a try.

    Anyway, I could find the solution. I have changed the node number in the command to 00 and it works; it seems like the IP layer covers this section and there is no need to specify it in the FINS command.


  2. Hello

    I have problems when trying to communicate with my CJ1M.

    Recently, I have added an ETN11 Ethernet module and I can now communicate with the PLC using CX-Programmer. But the problem is I can't communicate with my Python script to read something.

    [Attached screenshot (2019-01)]

    I just want to read CIO area 2 from bit 0 to bit 15. But Wireshark tells me that the end code is different from completed. I can't find the end code 9005 anywhere, any ideas?

    [Attached screenshot (2019-01)]

     

    Thanks
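    The FINS/UDP exchange behind the question above (reading CIO 2, bits 00 to 15, and making sense of an end code such as 9005) and the fix reported in the post at the top of the page (destination node 00 in the FINS header), as an added example. This is my own code, not the poster's Python script and not the Omron library gclshortt recommended. It assumes the default FINS/UDP port 9600 on the ETN11, takes the destination and source node numbers as parameters, and carries a subset of the W342 end-code table as I read it; the two reply frames at the bottom are constructed for the example, not captured from the poster's PLC.

```python
import socket
import struct

FINS_UDP_PORT = 9600  # default FINS/UDP port on the ETN11/ETN21 Ethernet Unit
CMD_MEMORY_AREA_READ = b"\x01\x01"

# Word-access memory area codes from the W342 command reference; B0 -> CIO and
# 82 -> DM are the two identified in the thread.
AREA_CIO_WORD = 0xB0
AREA_WR_WORD = 0xB1
AREA_HR_WORD = 0xB2
AREA_AR_WORD = 0xB3
AREA_DM_WORD = 0x82

# Subset of the W342 end-code table keyed by (MRES, SRES) with the flag bits
# removed. Codes not listed here are reported as raw hex, not guessed.
END_CODES = {
    (0x00, 0x00): "Normal completion",
    (0x01, 0x01): "Local node not in network",
    (0x02, 0x01): "Destination node not in network",
    (0x02, 0x05): "Response timeout",
    (0x04, 0x01): "Undefined command",
    (0x10, 0x01): "Command too long",
    (0x10, 0x02): "Command too short",
    (0x10, 0x04): "Command format error",
    (0x10, 0x05): "Header error",
    (0x11, 0x01): "Area classification missing",
    (0x11, 0x03): "Address range error",
    (0x11, 0x04): "Address range exceeded",
}


def fins_header(dest_node, src_node, sid=0, dest_net=0, dest_unit=0, src_net=0, src_unit=0):
    """10-byte command header: ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID."""
    # ICF 0x80 = command frame, response required; GCT 0x02 = gateway count.
    return bytes([0x80, 0x00, 0x02, dest_net, dest_node, dest_unit,
                  src_net, src_node, src_unit, sid])


def memory_area_read(area_code, word_address, word_count, dest_node, src_node, sid=0):
    """MEMORY AREA READ (01 01): area code, word address, bit 00, item count."""
    body = struct.pack(">BHBH", area_code, word_address, 0x00, word_count)
    return fins_header(dest_node, src_node, sid) + CMD_MEMORY_AREA_READ + body


def decode_end_code(mres, sres):
    """Separate the flag bits of a FINS end code from the main/sub codes."""
    main, sub = mres & 0x7F, sres & 0x3F
    return {
        "ok": (main, sub) == (0x00, 0x00),
        "text": END_CODES.get((main, sub), "unlisted end code %02X%02X" % (main, sub)),
        "relay_error": bool(mres & 0x80),          # MRES bit 7: error in a relay node
        "fatal_cpu_error": bool(sres & 0x40),      # SRES bit 6: fatal CPU Unit error
        "non_fatal_cpu_error": bool(sres & 0x80),  # SRES bit 7: non-fatal CPU Unit error
    }


def parse_response(frame):
    """Split a reply: 10-byte header, 2-byte command code, 2-byte end code, data."""
    if len(frame) < 14:
        raise ValueError("FINS reply shorter than header + command code + end code")
    if not frame[0] & 0x40:
        raise ValueError("ICF bit 6 is clear, so this frame is a command, not a reply")
    result = decode_end_code(frame[12], frame[13])
    result["command"] = frame[10:12]
    result["data"] = frame[14:]
    return result


def words_and_bits(data):
    """Big-endian 16-bit words, each paired with its bits 00..15 (index 0 = bit 00)."""
    words = struct.unpack(">%dH" % (len(data) // 2), data)
    return [(w, [(w >> i) & 1 for i in range(16)]) for w in words]


def read_cio_words(ip, word_address, word_count, dest_node, src_node, timeout=2.0):
    """Send MEMORY AREA READ over FINS/UDP and parse the reply (needs a live PLC)."""
    request = memory_area_read(AREA_CIO_WORD, word_address, word_count, dest_node, src_node)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (ip, FINS_UDP_PORT))
        reply, _ = sock.recvfrom(2048)
    return parse_response(reply)


# Constructed reply frames (ICF 0xC0 = response, addresses swapped back), not
# captured from the poster's CJ1M.
_REPLY_HEADER = bytes([0xC0, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])
SAMPLE_OK_REPLY = _REPLY_HEADER + b"\x01\x01" + b"\x00\x00" + b"\x80\x01"  # CIO 2 = 0x8001
SAMPLE_9005_REPLY = _REPLY_HEADER + b"\x01\x01" + b"\x90\x05"              # end code from the screenshot

if __name__ == "__main__":
    print(memory_area_read(AREA_CIO_WORD, 2, 1, dest_node=0, src_node=1).hex())
    print(parse_response(SAMPLE_9005_REPLY)["text"])
    print(words_and_bits(parse_response(SAMPLE_OK_REPLY)["data"]))
```

    Reading one word at CIO 2 with area code B0 returns bits 00 to 15 in one reply, which is what `words_and_bits` expands. Run through `decode_end_code`, 9005 splits into the relay-error flag (bit 7 of MRES) on top of MRES 10 / SRES 05, which the W342 table lists under command format errors as a header error; that is consistent with the fix in the later post, since the destination node lives in the FINS header.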

     


  3. Hello @innoaloe, I can see it better now. I can see the five DM memory requests that I was searching for, and I suppose all the other memory addresses that the NS is requesting.

    Where can I get a manual to identify the B0 -> CIO, 82 -> DM, ...? I found them in the manual W342!

    [Attached image: CIP_reques.png]

    Additionally, I wrote to Omron and they told me that the codes 0x54 and 0x4a that I see in the captures are not from them.

    Thank you again.


  4. 16 minutes ago, innoaloe said:

    I took another look at the CIP_OMRON file you attached in the first post, and I think what you are seeing is not packet data between the NS and the CJ2M PLC. Instead, it is a packet between your PC running CX-Programmer and your PLC via Ethernet/IP.

    If you are using a Network Switch, Wireshark will not be able to read the transmissions between NS and CJ since a switch won't broadcast the data packets to all connected devices, only to the targeted one. You may have better luck if you are using a Network Hub instead, which just throws packets everywhere, or if you have a Managed Switch it's usually possible to forward packets to another port or even broadcast them.

    I'm performing a MITM attack, so I can put myself between the PLC and the HMI. That's not the problem.

    19 minutes ago, innoaloe said:
    • When the connection is started (Ethernet cable connected for the first time, or power on for the first time) NS throws a "List Services" Request using UCMM
    • Should the PLC support Ethernet/IP Explicit Messages, it will reply with a "Communications" Response.
    • NS then will send a RegisterSession Request using UCMM
    • PLC will reply with a lot of things, but SessionHandle is the most important one, to be used by NS in the next communications
    • NS will then send a "Large Forward Open" Request using Class3. This is where NS and PLC establish a memory mapping between them
    • PLC will return quite a lot of things, but the most important is the Originator-->Target NetworkID, which is basically a memory map identifier to be used by the NS in the next operation
    • From this point on, NS and CJ can communicate cyclically at the interval set by the RPI parameter (this is set during the Large Forward Open request; basically a data refresh rate)
    • Cyclically NS will throw a "SendUnitData" Request to the PLC to either Read or Write data in PLC Memory. This is where the FINS Command is encapsulated. You will also not be able to decode it via Wireshark since the Service Code and Class ID used are vendor-specific values of Omron's. But if you manage to sniff the packet, you can see the FINS Command at the very end of the line.

    I have understood this process; I could see how it worked with the Molex EIP Tool. The big problem is the 8th point: I'm always seeing "SendUnitData" frames (requests and responses) but I can't understand the FINS commands encapsulated inside.


  5. OK, I found the problem: I was working on an XP machine as a user without administrator rights, and the browse option didn't work. I tried it with an admin user and it could see the PLC list, and I can connect.

    Summing up a little bit: when I connect via CP1L it does so with the FINS protocol (I thought this protocol worked with UDP), and with EIP Node Online it does so with the Ethernet/IP protocol.

    When the CJ2M communicates with the NS HMI, does it do so with Ethernet/IP but encapsulating Omron-specific FINS commands?

    Thanks a lot, you are helping me so much!


  6. @innoaloe, I am trying to connect CX-Programmer to the PLC as you said, but it gives me an error:

    [Attached image: error.png]

    It says that with the "examinar" (browse) button I can scan the network, but I read that with a static IP (I have static IPs for the 3 PLCs) it doesn't work.

    When I try to connect as a CP1L it lets me:

    [Attached image: ok.png]

    What's the difference between these two methods?


  7. That's right Michael Walsh, I want to learn more about communication in this PLC environment.

    How can I take a closer look at implicit communication with my equipment? I have an educational sample from SMC called ITS-200 (https://www.smctraining.com/webpage/indexpage/197/C1527706618), and it has 3 CJ2Ms with an NS series HMI, and the I/O modules are directly connected to the PLC's body or rack. Sample photos (https://www.smctraining.com/es/webpage/indexpage/199).


  8. Hello

    I'm coming with another issue. I'm still working on my problem but this time I have another one.

    When I connect my CJ2M to CX-Programmer, I can't understand anything. Is it a FINS communication or EIP? Wireshark can't decode anything. But CX-Programmer works perfectly.

    I don't understand anything...

    CX-PROGRAMMER.pcapng


  9. Yes, the PLC and the HMI are connected and they communicate perfectly. It reads values from the memory and shows them on the screen.

    Yes, I want to replicate the traffic between the PLC and the HMI, and identify the values read from the PLC.

    I'm trying to find any manual from Omron to learn about the special codes, but I haven't found anything yet.


  10. I suppose so. I was trying with InduSoft Web Studio (SCADA software), and between those two the communication is over FINS (UDP); here is the proof:

    [Attached image: fins.png]

    Indusoft_FINS.pcapng

    The thing is, between the CJ2M and NS I guess the communication is over EIP (the packets are TCP), but Wireshark does not know how to decode it?? When I did the same with the Molex EIP Tool it knew how to do it.

    I don't really understand what's going on.


  11. Hello

    I'm quite new to this world and I have several doubts about EIP communication. I'm trying to capture the communication between a CJ2M and an NS8 HMI.

    I was trying with the Molex EIP Tool so I could understand the communication process better, and I did a little. Here is the Wireshark capture of a Get All Attributes request: CIP_Molex_tool.pcapng (the last two packets are another unconnected request).

    I can see the List Services request, the Register Session request and the Forward Open request. Then I can see the request for service "get_attributes_all" and how the CJ2M responds with all the attributes. Finally, the Forward Close request.

    But when I put my computer between the two devices, I can't figure out what is happening. Here is the capture: CIP_OMRON.pcapng

    I can see that the packets are "SendUnitData", so I think it is a connected transmission, but Wireshark can't decode the rest of the frame, so I don't know what's going on.

    Thanks
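    The session sequence innoaloe lists in post 4 (List Services, RegisterSession and its session handle, then cyclic SendUnitData) and the undecoded "SendUnitData" frames asked about in this post, as an added example. This is my own code, not code from the thread, from Omron, or from the Molex tool. It builds the ListServices and RegisterSession requests, pulls the session handle out of a RegisterSession reply, and walks a SendUnitData frame down through the EtherNet/IP encapsulation header, the Common Packet Format items and the CIP request header, so that the service code, the request path and the vendor-specific bytes Wireshark leaves undecoded are separated out. The frames at the bottom are constructed: the session handle, connection ID, service 0x32 (a value in CIP's vendor-specific service range) and class 0x64 are placeholders, the two 0x00 bytes ahead of the FINS body stand in for whatever Omron's real wrapper carries there (which nothing on this page documents), and the assumption that the FINS command sits at the very end of the payload is taken from post 4, not from an Omron manual. ForwardOpen is not built here.

```python
import struct

# Encapsulation commands (ODVA EtherNet/IP spec, Volume 2) named in the thread.
CMD_LIST_SERVICES = 0x0004
CMD_REGISTER_SESSION = 0x0065
CMD_SEND_RR_DATA = 0x006F    # unconnected (UCMM) request/reply
CMD_SEND_UNIT_DATA = 0x0070  # connected (class 3) data, what NS <-> CJ2M uses

# Common Packet Format item type IDs.
ITEM_CONNECTED_ADDRESS = 0x00A1
ITEM_CONNECTED_DATA = 0x00B1

# 24-byte encapsulation header, little-endian: command, length, session handle,
# status, sender context, options.
HDR_FMT = "<HHII8sI"
HDR_LEN = struct.calcsize(HDR_FMT)


def encap(command, data=b"", session=0, context=b"\x00" * 8):
    return struct.pack(HDR_FMT, command, len(data), session, 0, context, 0) + data


def parse_encap(frame):
    if len(frame) < HDR_LEN:
        raise ValueError("shorter than the 24-byte encapsulation header")
    cmd, length, session, status, context, _opts = struct.unpack_from(HDR_FMT, frame, 0)
    data = frame[HDR_LEN:HDR_LEN + length]
    if len(data) != length:
        raise ValueError("length field claims more bytes than are present")
    return {"command": cmd, "session": session, "status": status, "context": context, "data": data}


def list_services_request():
    return encap(CMD_LIST_SERVICES)


def register_session_request():
    return encap(CMD_REGISTER_SESSION, struct.pack("<HH", 1, 0))  # protocol version 1, options 0


def session_handle(register_reply):
    """The handle the NS must echo in every later SendUnitData header."""
    hdr = parse_encap(register_reply)
    if hdr["command"] != CMD_REGISTER_SESSION or hdr["status"] != 0:
        raise ValueError("not a successful RegisterSession reply")
    return hdr["session"]


def parse_cpf(data):
    """SendRRData/SendUnitData body: interface handle, timeout, item count, items."""
    _iface, _timeout, count = struct.unpack_from("<IHH", data, 0)
    items, off = [], 8
    for _ in range(count):
        type_id, length = struct.unpack_from("<HH", data, off)
        items.append((type_id, data[off + 4:off + 4 + length]))
        off += 4 + length
    return items


def parse_epath(path):
    """Logical segments: 0x20/0x21 class, 0x24/0x25 instance, 0x30/0x31 attribute."""
    names = {0x20: "class", 0x24: "instance", 0x30: "attribute"}
    out, i = {}, 0
    while i < len(path):
        seg = path[i]
        kind = names.get(seg & 0xFC)
        if kind is None or seg & 0x03 > 1:
            raise ValueError("unsupported path segment 0x%02X" % seg)
        if seg & 0x03 == 0:  # 8-bit value follows
            out[kind], i = path[i + 1], i + 2
        else:                # pad byte, then 16-bit value
            out[kind], i = struct.unpack_from("<H", path, i + 2)[0], i + 4
    return out


def parse_connected_data(item):
    """Connected data item: 16-bit sequence count, then a CIP request or reply."""
    seq, service = struct.unpack_from("<H", item, 0)[0], item[2]
    if service & 0x80:  # reply: service|0x80, reserved, general status, extra-status size
        extra = item[5]
        return {"seq": seq, "reply": True, "service": service & 0x7F,
                "status": item[4], "payload": item[6 + 2 * extra:]}
    words = item[3]     # request: service, path size in words, EPATH, service data
    return {"seq": seq, "reply": False, "service": service,
            "path": parse_epath(item[4:4 + 2 * words]), "payload": item[4 + 2 * words:]}


def fins_tail(payload):
    """Read the last 8 bytes as a FINS MEMORY AREA READ body (01 01, area, word,
    bit, count). Placing it at the end follows the thread, not an Omron document."""
    cmd, area, word, bit, count = struct.unpack(">2sBHBH", payload[-8:])
    return {"command": cmd, "area": area, "word": word, "bit": bit, "count": count}


def decode_unit_data(frame):
    hdr = parse_encap(frame)
    if hdr["command"] != CMD_SEND_UNIT_DATA:
        raise ValueError("not a SendUnitData frame")
    items = dict(parse_cpf(hdr["data"]))
    conn_id = struct.unpack("<I", items[ITEM_CONNECTED_ADDRESS])[0]
    msg = parse_connected_data(items[ITEM_CONNECTED_DATA])
    fins = fins_tail(msg["payload"]) if not msg["reply"] else None
    return {"session": hdr["session"], "connection_id": conn_id, "cip": msg, "fins": fins}


def _item(type_id, body):
    return struct.pack("<HH", type_id, len(body)) + body


# Constructed frames, not from the poster's capture (placeholders described in the lead-in).
SAMPLE_REGISTER_REPLY = encap(CMD_REGISTER_SESSION, struct.pack("<HH", 1, 0), session=0x00010203)
_CIP_REQUEST = (bytes([0x32, 0x02, 0x20, 0x64, 0x24, 0x01]) + b"\x00\x00"
                + b"\x01\x01\x82\x00\x64\x00\x00\x05")  # FINS 01 01: DM (82) word 100, 5 words
SAMPLE_UNIT_DATA = encap(
    CMD_SEND_UNIT_DATA,
    struct.pack("<IHH", 0, 0, 2)
    + _item(ITEM_CONNECTED_ADDRESS, struct.pack("<I", 0x10000001))
    + _item(ITEM_CONNECTED_DATA, struct.pack("<H", 1) + _CIP_REQUEST),
    session=0x00010203)
```

    `decode_unit_data(SAMPLE_UNIT_DATA)` returns the session handle, the connection ID from the 0x00A1 item, the CIP service code and class/instance path from the 0x00B1 item, and the FINS body read from the tail of the service data. Against a real capture the encapsulation and CPF layers parse the same way; only `fins_tail`, which encodes the thread's assumption about where the FINS command sits, may need adjusting once the bytes in front of it are understood.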