Data exchange with Siemens S7-300/400 with tcp/ip socket


Ernst Murnleitner

<p>Below is the rather short source code. I have some questions (I cannot find the address of the author; the email address in the source code seems to be no longer valid).

<p>1. Does anybody know which protocol this is (is it Siemens specific)? It is called FETCH/WRITE but I cannot find a description about it.

<p>2. Is there any documentation which would explain the parameters?

<p>3. There are 16 bytes. The 9th is named org. What is this?

<p>I would appreciate your help very much.

<p>Here is the C code:

<pre>
/* FETCH/WRITE routines for communication with Siemens S7 via Ethernet.
Author: Georg Michel
Date: 05/17/01
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>

/* Reads exactly len bytes from fd (TCP may deliver them in pieces). */
/* Returns len on success, -1 on error or if the peer closes early. */
static int read_exact(int fd, void* buf, unsigned short len) {
unsigned short got = 0;
while(got < len) {
ssize_t n = read(fd, (char*)buf + got, len - got);
if(n <= 0) return(-1);
got += n;
} return(len);
}

/* Opens a TCP socket to the PLC and gives the file */
/* descriptor back (-1 on error) cp is the numeric */
/* ip address in dot notation, port is the port number */
int s7_open(const char* cp, const unsigned short port) {
struct sockaddr_in adresse;
int fd;
memset(&adresse, 0, sizeof(adresse));
adresse.sin_family = AF_INET;
adresse.sin_port = htons(port);
if(!inet_aton(cp, &adresse.sin_addr)) {
fprintf(stderr,"Invalid IP address %s!\n",cp);
return(-1);
}
fd = socket(PF_INET, SOCK_STREAM, 0);
if(fd < 0) {
perror("socket");
return(-1);
}
if(connect(fd, (struct sockaddr*)&adresse, sizeof(adresse))) {
fprintf(stderr,"No connection to %s on port %d!\n",cp,port);
close(fd);
return(-1);
} return(fd);
}

/* Writes memory range data of length len to the PLC memory */
/* specified by org dbnr and s7addr (see FETCH/WRITE doc) */
/* via the previously opened socket fd */
/* Request header (16 bytes): 'S','5', header length 16, fixed bytes, */
/* byte 5 = function (3 here, 5 in s7_fetch), byte 8 = org, byte 9 = dbnr, */
/* bytes 10-11 = address, bytes 12-13 = length, both high byte first. */
/* The PLC answers with 16 bytes; byte 8 of the answer is the status. */
int s7_write(const int fd, const char* data, const unsigned short len,
const char org, const char dbnr,
const unsigned short s7addr) {
unsigned char req[16] = {'S','5',16,1,3,3,3,8,0,0,0,0,0,0,0xff,2},
ack[16];
req[8] = org;
req[9] = dbnr;
req[0xa] = s7addr/0x100;
req[0xb] = s7addr%0x100;
req[0xc] = len/0x100;
req[0xd] = len%0x100;
if(write(fd, req, 16) != 16 || write(fd, data, len) != len) {
fprintf(stderr,"Could not send WRITE request to PLC!\n");
return(-1);
}
if(read_exact(fd, ack, 16) < 0) {
fprintf(stderr,"Got too few bytes ACK from PLC!\n");
return(-1);
} return(ack[8]);
}

/* Fetches memory range data of length len from the PLC memory */
/* specified by org dbnr and s7addr (see FETCH/WRITE doc) */
/* via the previously opened socket fd */
/* Same header as s7_write, with function byte 5; the PLC first */
/* answers with the 16-byte status block, then with the data. */
/* Be aware of different Endianness of Intel PC's and S7 */
int s7_fetch(const int fd, char* data, const unsigned short len,
const char org, const char dbnr,
const unsigned short s7addr) {
unsigned char req[16] = {'S','5',16,1,3,5,3,8,0,0,0,0,0,0,0xff,2},
ack[16];
req[8] = org;
req[9] = dbnr;
req[0xa] = s7addr/0x100;
req[0xb] = s7addr%0x100;
req[0xc] = len/0x100;
req[0xd] = len%0x100;
if(write(fd, req, 16) != 16) {
fprintf(stderr,"Could not send FETCH request to PLC!\n");
return(-1);
}
if(read_exact(fd, ack, 16) < 0) {
fprintf(stderr,"Got too few bytes ACK from PLC!\n");
return(-1);
}
if(ack[8]) {
fprintf(stderr, "Got error %d from PLC!\n",ack[8]);
return(ack[8]);
}
if(read_exact(fd, data, len) < 0) {
fprintf(stderr,"Got too few bytes from FETCH!\n");
return(-1);
} return(0);
}


int main(int argc, char** argv) {
char *cp="194.94.215.17";
int writefd, fetchfd, i;
unsigned short dummy=0xfeff;
writefd = s7_open(cp,2001);   /* WRITE connection */
fetchfd = s7_open(cp,2000);   /* FETCH connection */
if(writefd < 0 || fetchfd < 0) exit(1);
for(i=0;i<1000;++i) {
if(s7_write(writefd, (char*)&dummy, 2, 2, 0, 0)) exit(1);
}
printf("Now reading...\n");
for(i=0;i<1000;++i) {
if(s7_fetch(fetchfd, (char*)&dummy, 2, 2, 0, 0)) exit(1);
/* swap the two bytes: the S7 stores the high byte first */
printf("Counter Value: %d\n",(dummy%0x100)*0x100+dummy/0x100);
}
close(writefd);
close(fetchfd);
exit(0);
}
</pre>
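To make the byte layout that the posted code relies on explicit, here is an added example (not part of the original post and not Georg Michel's code): it builds and parses the 16-byte FETCH/WRITE request header exactly as s7_write() and s7_fetch() above fill it in, and serves both requests from an in-memory stand-in for the PLC so the whole exchange can be traced offline. Everything about the fields (function byte 3 versus 5, big-endian address and length, status in byte 8 of the reply) is inferred from the posted code only; org and dbnr are carried through as opaque values because their meaning is not documented on this page, and the stand-in PLC with its single 256-byte area is an assumption made for the example.

```c
/* Added example: build/parse the 16-byte FETCH/WRITE header as laid out
 * by the posted s7_write()/s7_fetch(), and run both requests against an
 * in-memory stand-in for the PLC. Field meanings are inferred from the
 * posted code only; the stand-in PLC and its memory size are assumptions. */
#include <stdint.h>
#include <string.h>

#define HDR_LEN  16
#define OP_WRITE 3   /* req[5] in the posted s7_write() */
#define OP_FETCH 5   /* req[5] in the posted s7_fetch() */

struct fw_hdr {
    uint8_t  opcode;   /* byte 5: 3 = write, 5 = fetch (as posted) */
    uint8_t  org;      /* byte 8: area selector, not documented on this page */
    uint8_t  dbnr;     /* byte 9 */
    uint16_t s7addr;   /* bytes 10-11, big-endian */
    uint16_t len;      /* bytes 12-13, big-endian */
};

/* Serialise a request header using the constant bytes of the posted code. */
void fw_build(uint8_t out[HDR_LEN], const struct fw_hdr *h)
{
    static const uint8_t tmpl[HDR_LEN] =
        {'S','5',16,1,3,0,3,8,0,0,0,0,0,0,0xff,2};
    memcpy(out, tmpl, HDR_LEN);
    out[5]  = h->opcode;
    out[8]  = h->org;
    out[9]  = h->dbnr;
    out[10] = (uint8_t)(h->s7addr >> 8);
    out[11] = (uint8_t)(h->s7addr & 0xff);
    out[12] = (uint8_t)(h->len >> 8);
    out[13] = (uint8_t)(h->len & 0xff);
}

/* Parse a header; 0 on success, -1 if magic, length or function byte differ
 * from what the posted code emits. */
int fw_parse(const uint8_t in[HDR_LEN], struct fw_hdr *h)
{
    if (in[0] != 'S' || in[1] != '5' || in[2] != HDR_LEN) return -1;
    if (in[5] != OP_WRITE && in[5] != OP_FETCH) return -1;
    h->opcode = in[5];
    h->org    = in[8];
    h->dbnr   = in[9];
    h->s7addr = (uint16_t)((in[10] << 8) | in[11]);
    h->len    = (uint16_t)((in[12] << 8) | in[13]);
    return 0;
}

/* Stand-in PLC with one 256-byte area (assumption); every org/dbnr maps
 * onto it, since area selection is not described on this page. */
#define PLC_MEM 256
static uint8_t plc_mem[PLC_MEM];

/* Serve one request: 'payload' follows a write header, 'out' receives fetched
 * bytes, 'ack' is the 16-byte reply with the status in ack[8] (0 = ok). */
int plc_handle(const uint8_t req[HDR_LEN], const uint8_t *payload,
               uint8_t ack[HDR_LEN], uint8_t *out)
{
    struct fw_hdr h;
    memset(ack, 0, HDR_LEN);
    ack[0] = 'S'; ack[1] = '5'; ack[2] = HDR_LEN;
    if (fw_parse(req, &h) != 0) { ack[8] = 1; return ack[8]; }
    /* Refuse any range that would leave the area instead of copying
     * past the buffer; the request itself carries no authentication. */
    if ((uint32_t)h.s7addr + h.len > PLC_MEM) { ack[8] = 2; return ack[8]; }
    if (h.opcode == OP_WRITE) memcpy(plc_mem + h.s7addr, payload, h.len);
    else                      memcpy(out, plc_mem + h.s7addr, h.len);
    return 0;
}

/* Status the stand-in returns for a fetch of 'len' bytes at 'addr'. */
int fetch_status(uint16_t addr, uint16_t len)
{
    uint8_t req[HDR_LEN], ack[HDR_LEN], out[PLC_MEM];
    struct fw_hdr f = { OP_FETCH, 2, 0, addr, len };
    fw_build(req, &f);
    return plc_handle(req, NULL, ack, out);
}

/* The posted main() in miniature: write a 16-bit word at address 0 in
 * PLC (big-endian) byte order, fetch it back, reassemble. Returns the
 * value read back, or -1 if the stand-in reported an error. */
int roundtrip(uint16_t value)
{
    uint8_t req[HDR_LEN], ack[HDR_LEN], buf[2];
    struct fw_hdr w = { OP_WRITE, 2, 0, 0, 2 };
    struct fw_hdr f = { OP_FETCH, 2, 0, 0, 2 };
    buf[0] = (uint8_t)(value >> 8); buf[1] = (uint8_t)(value & 0xff);
    fw_build(req, &w);
    if (plc_handle(req, buf, ack, NULL) != 0) return -1;
    fw_build(req, &f);
    if (plc_handle(req, NULL, ack, buf) != 0) return -1;
    return (buf[0] << 8) | buf[1];
}
```

roundtrip(0xfeff) writes the two bytes 0xfe 0xff and reads them back unchanged; fetch_status(250, 10) shows the one check the stand-in makes that the posted exchange never does, rejecting a range that runs past the end of the area. Note also what the exchange does not contain: there is no session setup, credential or integrity check anywhere in the 16-byte header or the payload, so whoever can open TCP port 2001 to the controller can write its memory with exactly the bytes shown above. The stand-in's bounds check is the minimum a receiver should do; it is not a substitute for keeping these ports off any network an attacker can reach.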
Dear Mr. Murnleitner,

I'd like to know if you received any answer concerning the protocol documentation/explanation. I'm trying to do some tests based on this code but, as you know, it's almost impossible to decode a data array if you don't know the protocol and the variable meaning.

If you have some news about this, please contact me and I volunteer (if we can do something) to write a document about this matter.

Best regards

J. Simoes

Donald Pittendrigh

The answers to your questions are all in the Simatic Net documentation. The questions about the comms headers appear as if they may have to do with the ISO/OSI protocol, but I am not sure; FETCH/WRITE is normally associated with the ISO/OSI protocol.

The New Simatic NET cards also do standard TCP/IP socket connections and S7 functions connections.

At the Siemens website in the support section there is a wealth of information in the user manuals for Simatic NET, I would find and start with the NCM manual. The best description of the OSI/ISO I have seen is in the old FMS manuals for the S5 PLC. I have copies of most of these manuals on paper, if you are really stuck you can contact me directly at donaldp(at)iasicc.co.za and I can find you some part numbers for the manuals you can take to your local Siemens Rep.

Good Luck
Donald P