Data exchange with Siemens S7-300/400 with tcp/ip socket
Posted by Ernst Murnleitner on 22 October, 2003 - 11:01 pm

Below is the rather short source code. I have some questions (I cannot find the address of the author, the email in the source code seems to be not valid anymore).

1. Does anybody know which protocol this is (is it Siemens specific)? It is called FETCH/WRITE but I cannot find a description about it.

2. Is there any documentation which would explain the parameters?

3. There are 16 bytes. The 9th is named org. What is this?

I would appreciate your help very much.

Here is the C code:


/* FETCH/WRITE routines for communication with Siemens S7 via Ethernet.
   Author: Georg Michel
   Date: 05/17/01
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>

/* Reads exactly n bytes from fd; a single read() on a TCP socket */
/* may return fewer. Returns n on success, -1 on error or EOF */
static ssize_t read_full(int fd, void *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r <= 0) return(-1);
        got += (size_t)r;
    }
    return((ssize_t)got);
}

/* Opens a TCP socket to the PLC and gives the file */
/* descriptor back (-1 on error) cp is the numeric */
/* ip address in dot notation, port is the port number */
int s7_open(const char* cp, const unsigned short port) {
    struct sockaddr_in adresse;
    int fd;
    memset(&adresse, 0, sizeof(adresse));
    adresse.sin_family = AF_INET;
    adresse.sin_port = htons(port);
    if(!inet_aton(cp, &adresse.sin_addr)) {
        fprintf(stderr,"Invalid address %s!\n",cp);
        return(-1);
    }
    fd = socket(PF_INET, SOCK_STREAM, 0);
    if(fd < 0) {
        fprintf(stderr,"Could not create socket!\n");
        return(-1);
    }
    if(connect(fd, (struct sockaddr *)&adresse, sizeof(adresse))) {
        fprintf(stderr,"No connection to %s on port %d!\n",cp,port);
        close(fd);
        return(-1);
    }
    return(fd);
}

/* Writes memory range data of length len to the PLC memory */
/* specified by org dbnr and s7addr (see FETCH/WRITE doc) */
/* via the previously opened socket fd */
int s7_write(const int fd, const char* data, const unsigned short len,
             const char org, const char dbnr,
             const unsigned short s7addr) {
    unsigned char req[16] = {'S','5',16,1,3,3,3,8,0,0,0,0,0,0,0xff,2},
                  ack[16];
    req[8] = org;
    req[9] = dbnr;
    req[0xa] = s7addr/0x100;
    req[0xb] = s7addr%0x100;
    req[0xc] = len/0x100;
    req[0xd] = len%0x100;
    /* Send the 16 byte header, then the data itself */
    if(write(fd, req, 16) != 16 || write(fd, data, len) != len) {
        fprintf(stderr,"Could not send WRITE request to PLC!\n");
        return(-1);
    }
    if(read_full(fd, ack, 16) < 16) {
        fprintf(stderr,"Got too few bytes ACK from PLC!\n");
        return(-1);
    }
    return(ack[8]);
}

/* Fetches memory range data of length len from the PLC memory */
/* specified by org dbnr and s7addr (see FETCH/WRITE doc) */
/* via the previously opened socket fd */
/* Be aware of different Endianness of Intel PC's and S7 */
int s7_fetch(const int fd, char* data, const unsigned short len,
             const char org, const char dbnr,
             const unsigned short s7addr) {
    unsigned char req[16] = {'S','5',16,1,3,5,3,8,0,0,0,0,0,0,0xff,2},
                  ack[16];
    req[8] = org;
    req[9] = dbnr;
    req[0xa] = s7addr/0x100;
    req[0xb] = s7addr%0x100;
    req[0xc] = len/0x100;
    req[0xd] = len%0x100;
    if(write(fd, req, 16) != 16) {
        fprintf(stderr,"Could not send FETCH request to PLC!\n");
        return(-1);
    }
    if(read_full(fd, ack, 16) < 16) {
        fprintf(stderr,"Got too few bytes ACK from PLC!\n");
        return(-1);
    }
    /* Byte 8 of the ACK is the error code (0 = no error) */
    if(ack[8]) {
        fprintf(stderr, "Got error %d from PLC!\n",ack[8]);
        return(ack[8]);
    }
    if(read_full(fd, data, len) < len) {
        fprintf(stderr,"Got too few bytes from FETCH!\n");
        return(-1);
    }
    return(0);
}


int main(int argc, char** argv) {
    char *cp="194.94.215.17";
    int writefd, fetchfd, i;
    unsigned short dummy=0xfeff;
    (void)argc;
    (void)argv;
    writefd = s7_open(cp,2001);
    fetchfd = s7_open(cp,2000);
    if(writefd < 0 || fetchfd < 0) exit(1);
    for(i=0;i<1000;++i) {
        if(s7_write(writefd, (char*)&dummy, 2, 2, 0, 0)) exit(1);
    }
    printf("Now reading...\n");
    for(i=0;i<1000;++i) {
        if(s7_fetch(fetchfd, (char*)&dummy, 2, 2, 0, 0)) exit(1);
        /* Swap the two bytes: the PLC sends the high byte first */
        printf("Counter Value: %d\n",(dummy%0x100)*0x100+dummy/0x100);
    }
    close(writefd);
    close(fetchfd);
    exit(0);
}
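
Added example (not part of the original post or of Georg Michel's code): the 16 bytes the posted routines send contain no credential or session field, so a network monitor that decodes them can log every write aimed at a PLC. The decoder below takes its field offsets and constant bytes only from the posted s7_write()/s7_fetch(); the names fw_request, fw_parse_request and fw_request_wire_size are made up for this sketch, and len is counted in bytes as the posted code does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { FW_HDR_LEN = 16, FW_OP_WRITE = 3, FW_OP_FETCH = 5 };

struct fw_request {
    uint8_t  opcode;  /* byte 5: 3 in s7_write(), 5 in s7_fetch() */
    uint8_t  org;     /* byte 8 */
    uint8_t  dbnr;    /* byte 9 */
    uint16_t addr;    /* bytes 10-11, high byte first */
    uint16_t len;     /* bytes 12-13, high byte first */
};

/* Decode a captured request header. Returns 0 on success, -1 if the buffer
   is short or its constant bytes differ from what the posted code sends. */
int fw_parse_request(const uint8_t *buf, size_t n, struct fw_request *out)
{
    if (buf == NULL || out == NULL || n < (size_t)FW_HDR_LEN)
        return -1;
    if (buf[0] != 'S' || buf[1] != '5' || buf[2] != FW_HDR_LEN ||
        buf[3] != 1 || buf[4] != 3 || buf[6] != 3 || buf[7] != 8 ||
        buf[14] != 0xff || buf[15] != 2)
        return -1;
    if (buf[5] != FW_OP_WRITE && buf[5] != FW_OP_FETCH)
        return -1;
    out->opcode = buf[5];
    out->org    = buf[8];
    out->dbnr   = buf[9];
    out->addr   = (uint16_t)((buf[10] << 8) | buf[11]);
    out->len    = (uint16_t)((buf[12] << 8) | buf[13]);
    return 0;
}

/* Bytes on the wire: a write header is followed by len data bytes. */
size_t fw_request_wire_size(const struct fw_request *r)
{
    return FW_HDR_LEN + (r->opcode == FW_OP_WRITE ? r->len : 0u);
}

/* Constructed sample: the header s7_write(fd, data, 2, 2, 0, 0) builds. */
static const uint8_t fw_sample_write[16] = {'S','5',16,1,3,3,3,8,2,0,0,0,0,2,0xff,2};

int main(void) {
    struct fw_request r;
    if (fw_parse_request(fw_sample_write, sizeof fw_sample_write, &r) != 0) return 1;
    printf("%s org=%d dbnr=%d addr=%d len=%d wire=%zu\n",
           r.opcode == FW_OP_WRITE ? "WRITE" : "FETCH",
           r.org, r.dbnr, r.addr, r.len, fw_request_wire_size(&r));
    return 0;
}
```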


Posted by Joao Simoes on 20 January, 2004 - 4:05 pm
Dear Mr. Murnleitner,

I'd like to know if you received any answer concerning the protocol documentation/explanation. I'm trying to do some tests based on this code but, as you know, it's almost impossible to decode a data array if you don't know the protocol and the variable meaning.

If you have some news about this, please contact me and I volunteer (if we can do something) to write a document about this matter.

Best regards

J. Simoes


Posted by Donald Pittendrigh on 21 January, 2004 - 11:44 pm
The answers to your questions are all in the Simatic Net documentation. The questions about the comms headers appear as if they may have to do with ISO/OSI protocol, but I am not sure; Fetch Write is normally associated with ISO/OSI protocol.

The New Simatic NET cards also do standard TCP/IP socket connections and S7 functions connections.

At the Siemens website in the support section there is a wealth of information in the user manuals for Simatic NET, I would find and start with the NCM manual. The best description of the OSI/ISO I have seen is in the old FMS manuals for the S5 PLC. I have copies of most of these manuals on paper, if you are really stuck you can contact me directly at donaldp(at)iasicc.co.za and I can find you some part numbers for the manuals you can take to your local Siemens Rep.

Good Luck
Donald P
