DF1 unknown CMD FNC

Jiri Toman

Member
Join Date
Jun 2002
Posts
498
While looking at the serial data stream going into the SLC5/03 I came across a CMD = 0F and FNC = A1. I have examined the Published DF1 command set, chapter 7. I cannot find this CMD and FNC combo. I have searched through the AB web site for a possible addendum to the DF1 command set and came up with nothing. Does anybody know the
exact data structure for this command? Or maybe there is
an additional document to the current DF1 manual?
Any help would be appreciated.
 
DF1 Protocol and Command SET

Chapter 6 Pg 5:
CMD and FNC
These bytes work together to define the activity that is to be
performed by the command message at the destination node.
Values for these bytes are supplied by the application layer.
The message format depends on the CMD and FNC values.
 
This is a real WAG. The CMD/FNC combination of CMD = 0F, FNC = 00 is defined, although not valid for the SLC 5/03.

I don't what software you're using to examine the data stream, but many programs won't print or display the ASCII 0 (null) character. Could the A1 character possibly be the first character after the FNC code 00?
 
Jiri,

Man, you've come to the right place ! I have spent most of the past week doing protocol captures on DF1 messages embedded in DeviceNet explicit messages.

You are correct that FNC code A1 is not in the DF1 protocol manual, and I was surprised to find that there's no published extension to that manual.

As I understand them, FNC codes A1 and A9 are SLC/MicroLogix versions of FNC codes A2 and AA, which are "protected typed logical read/write with three address fields".

The A1 and A9 FNC codes have two address fields instead of three; they don't use the Sub-Element Number field.

There's some good information about how these are used in the DeviceNet interface (where I found this info) in Knowbase document G16610.
 
This is a undocument command.

I could not find it in the DF1 documentation either.

It is for a SLC Typed Read with only two address fields. One for the file number and one for the element. One can not address sub elements with this command and function.

There are other documents the we have on PCCC. This is the application layer that sits on the DF1 data link layer. The command and function are really part of PCCC.

DF1 is just the Data Link Layer.
PCCC can be used by both Ethernet and DF1.
 
Thanks

Ken,
Thanks a lot for the info. Funny thing is that I am also analyzing
the Explicit messaging and PCCC structure. In my case I am looking at
RSLinx 'Ethernet Devices' driver talking to ENI and 5/05 via
EtherNet/IP. In addition to having some issues with undocumented
PCCC commands I also have problems identifying Item ID's in a
Common packet format of the Explicit message as listed in volume 2
Chapter 2 page 2-19 of the Ethernet/IP adaptation of CIP.
The actual Item ID that I see is Hex0085 in one instance and in the other instances I would see Hex0081 and Hex0091.
According to the spec the 0085 is Reserved for future expansion and 0081 and 0091 are reserved for legacy RA.
I realise that most PLC users don't have a need to know about these
issues but since you have answered my first question may be
you know something about these Item ID's as well. If not maybe
you know of some document that lists these legacy and future
Item ID's.
In any case I am greatful.
 
Undocumented CMD-FNC

I discovered the 0F-A1 combination watching the output of RSLinx. After looking in the manual, I rang tech support. They said "You don't expect everything to be publically available, do you?" Nuts :rolleyes: . Anyway, I reckon the string goes like this: DLE-STX-DST-SRC-CMD(0F)-STS-TNS(2)-FNC(A1)-BTR-TAB-DAT-ST-DLE-ETX-CRC1-CRC2 where BTR is bytes-to-read, DAT is data type (see DF1 manual p7-18) and ST is the starting element.
By the same token, the CMD-FNC combination 0F-A9 will write to a table. DLE-STX-DST-SRC-CMD(0F)-STS-TNS(2)-FNC(A1)-BTW-TAB-DAT-ST-D1L-D1H-D2L-D2H-DxL-DxH-DLE-ETX-CRC1-CRC2 where BTW is bytes to write, DxL and DxH are the lower and upper bytes to write.

Now, does anyone out there know how to interrogate the size of a data table?
 
Re: Undocumented CMD-FNC

NickAllen said:
Now, does anyone out there know how to interrogate the size of a data table?

This isn't intended as an answer, just maybe something to, I hope, point you in the right direction. The GA-BASIC module, a member of the PLC-3 family, has a command called (SIZEOF) which, when issued, returns the 'size of' a specified data file in the processor's data table. I'm not sure but (SIZEOF) may also be available on the S4 scanner modules. In any case, this is a backplane command, not something you'd see over a comm. line.

If nothing else, it indicates that what you seek may at least be possible. Maybe another of those undocumented commands? :rolleyes:

Good luck.
 

Similar Topics

I'm come across a CMD=0F and FNC=AB while going through the serial data stream to a SLC5/05. The DF1 command set and AB websitt does not refer to...
Replies
3
Views
1,709
Hi, I appreciate any help to make connection between AB DF1 Micrologix 1200 and WinCC Adv project (PC station - not HMI) possible. For now I can...
Replies
5
Views
563
Hello everyone. I'm new on this forum and this is my firs thread. I have problem with AB 1679-L31 tags. There are tags group (tepe INT[256]) in a...
Replies
4
Views
1,071
I'm trying to convert an old panelview 600 application to the 800 and I'd like to keep the current serial comms configuration instead of adding...
Replies
1
Views
563
Hi all, I am attempting to communicate between PC and AB compactlogix L32E Using Logix 5000. FTLinx is able to communicate via ethernet. FTLinx...
Replies
12
Views
1,741
Back
Top Bottom