franckcl

Reading inputs using FINS/TCP from a PC

6 posts in this topic

Hello,

I'm trying to read data from a PLC using TCP/FINS protocol.
I am able to read the data in the memory area from a supervisor PC (using command 01 01) but I do not know how to read the information specific to this machine.

Extract from the machine manufacturer's document:

Name	Data type	Address/Value	Usage	comment
Loc_in1	BOOL		1.00			In		Local Input 1
Loc_in2	BOOL		1.01			In		Local Input 2
Loc_in3	BOOL		1.02			In		Local Input 3
UPS	BOOL		3.00			Work	UPS Input
Int1	BOOL		3.01			Work	Interlock 1
Int2	BOOL		3.02			Work	Interlock 2
T1_LSB	CHANNEL		D20				Work	UPS Hold time LSB
T1_MSB	CHANNEL		D21				Work	UPS Hold time MSB
REM_1	BOOL		H0.00			Work	Remote input 1
REM_2	BOOL		H0.01			Work	Remote input 2
REM_3	BOOL		H0.02			Work	Remote input 3

 

This is the document I've written to understand the protocol:

1st frame to send:

46,49,4E,53 : ‘FINS’
00,00,00,1A : Length(8 de l’entête + 18 de la chaine qui suit)
00,00,00,02 : Cmd (2)
00,00,00,00 : Error code (0)

 

Second frame to send

80,00,02,00 : ICF + RSV + GCT + DNA
0F          : DA1-FINS node address of Ethernet unit (Server node=15)
00          : DA2-Destination machine address (0=PLC Main unit-CPU)
00          : SNA-Source FINS network address (0)
FB          : SA1-FINS node address on the PC side (Client node=251)
00          : SA2-Source FINS network address
01          : SID-any data from the source process identifier
01,01       : MRC,SRC-FINS command code 0101: Read memory areas
82          : Memeory area=Variable type: DM (Dxxxxx)
00,14,00    : Read start address (20)
00,01       : count (1)

This shoud send the UPS hold time but everything is at  zero.

Who could help me ? What is wrong ?

Thanks

 

Share this post


Link to post
Share on other sites

Hello,

1 hour ago, franckcl said:

Who could help me ? What is wrong ?

Download the trial/demo version of PeakHMI and use it for generating request to the PLC.

Use WireShark to capture and analyze the request/response packets.

Edited by Mark-

Share this post


Link to post
Share on other sites

Download Etherway from the omron Website. It has a built in FINS message creation tool with examples. I just made one requesting D20 from node 20 and you're not too far off:

<--: 46494E530000001A000000020000000080000300140000FB00050101820014000001  (Request)
-->: 46494E53000000180000000200000000C0000200FB000014000501010000FFFF   (Response)

 

1 person likes this

Share this post


Link to post
Share on other sites

Here is a wireshark cap of the request - this may be easier to compare to

Wireshark.JPG

Share this post


Link to post
Share on other sites

Hi all,

Thank you all for your help and particulary "Photovoltaic"
I downloaded Etherway from the omron Website and I'm now able to communicate with this PLC.

For those who are interested, here is the procedure to read and write data

1)	Send a connection request 
This request should only be sent once after connecting the "socket".
Never renew this request until the "socket" has been disconnected.
Keep the server node that is returned as well as the client node. These two values will be used subsequently in all exchanges.

Frame to send (always the same) 
46,49,4E,53 : HEADER (FINS)
00,00,00,0C : Length(12)
00,00,00,00 : Command (0)
00,00,00,00 : Error code (0)
00,00,00,00 : Client node Add (0=auto)

Response
46,49,4E,53 : ‘FINS’
00,00,00,10 : Length(16)
00,00,00,01 : Command (1)
00,00,00,00 : Error code (0)
00,00,00,FB : Client node (251)
00,00,00,0F : Server node (15)
--> Keep Client node et Server node.

2)	Reading and writing memory area

First frame to send
46,49,4E,53 : ‘FINS’
00,00,00,1A : Length = 8 for the header + 18 for the following frame, depends of the cases a), b) or c)
00,00,00,02 : Command (2)
00,00,00,00 : Error code (0)
--> Do not wait for a reply to this message - This message must be sent in a separate frame.

Second frame to send
80,00,02,00	: ICF + RSV + GCT + DNA
0F 		: DA1-FINS node address of Ethernet unit (Server node=15)
00        	: DA2-Destination machine address (0=PLC Main unit-CPU)
00		: SNA-Source FINS network address (0)
FB		: SA1-FINS node address on the PC side (Client node=251)
00		: SA2-Source FINS network address
01		: SID-any data from the source process identifier

Then add one of the following specific frames :
a)	To read a WORD in the area D at address 10 for 10 words, add :
01,01	: MRC,SRC-FINS command code 0101: Read memory areas
82		: Memory area code=Variable type: DM (Dxxxxx)
00,0A,00	: Read start address on 3 bytes (10)
00,10	: count

b)	Or to read the BIT 10 at address CIO 2781 (0ADD) for 1 bit
01,01	: MRC,SRC-FINS command code 0101: Read memory areas
30		: Memory area
0A,DD,0A	: Read start address + bit 10 (0A)
00,01	: count

c)	Or to write n bits, add
01,02	: MRC,SRC-FINS command code 0102: Write memory areas
00		: memory area code (00=CIO)
00,64	: Start address (ex: 100)
00		: Start bit number
00,03	: Number of words to write
00,01,01 : Data to write

 

 

Share this post


Link to post
Share on other sites

Glad to hear you got it sorted out.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now