Reading and debugging S7 program with distribuited I/O

Pandiani

Lifetime Supporting Member
P
Join Date
Apr 2005
Location
Tz
Posts
718
Hello people,
I have S7-300 PLC (315-2 DP) with ET200M distributed modules. I don't have software, so I want to Upload program to PG. Is it possible to debug and follow program execution and monitor values on input and ouptut modules that are part of ET200M?
When I generate reference data, I cannot see addresses that belongs to modules on ET200M.
Can you give me any advice?
 
Do you know what the addresses are that were assigned to the ET200M modules in the hardware configuration of the original project?

It is possible to monitor the I/O values that are a part of ET200M, just like they were regular I/O.

I've only got a couple of small projects with ET200M and when I generate reference data the addresses that are used in the I/O module do show up, as long as they are not accessed only with some type of indirect addressing.
 
As tim2 says, you can monitor ET200M I/O just the same as conventional I/O on the CPU rack. The only problem is that if you can't see the I/O in X-Ref then either the I/O is unused (pretty unlikely I would guess) or, again as tim2 says, it's being addressed indirectly. Depending on how the program has been written (i.e. intentionally complicated) it may not be too easy to fathom out what's going on. However, from what I've seen of your other posts, you should be able to crack it - possibly with a little help from Simon! ;)
 
In the cross reference, be sure to look after PI/PQ adresses, not just I/Q adresses.
And be sure to check that you have enabled "Per. inputs" and "Periph. outp." in the filter for the cross reference.
 
RMA said:
However, from what I've seen of your other posts, you should be able to crack it - possibly with a little help from Simon! ;)
Click to expand...
RMA, what makes you think that? I'm working as a member maintenance staff in my company. I never had any formal training in STEpP7. Everything I know, I learned on my own as a student and on this forum by reading and posting. I simply didn't learn that much to even think about "cracking" or similar.

Parts of the program I have is written I guess in CFC which I don't have and SCL. I know that because of printed program.

I have uploded program from PLC and don't have symbolic variables. On the other side, I have PLC program with sysmbolic names in hard copy (printed).

I'm not sure how to check if I don't see these distributed inputs and outputs because they are indirectly addressed.

I tried to include Peripherals I/O in cross reference filter, but that didn't help.

It's not simple to call that company because they're in another country, and whole plant was installed much before I started to work for my company.
During Upload I received errors which I ignored and upload finished with the program.
I'm not sure if this can be one of the reasons.
Anway if you have any advice I'd be very grateful.
Thanks
 
Can you post the zipped archive on here ? (Note you should delete the cross reference data form the project before archiving to minimise the size of the project).

RMA's comment about cracking simply means "resolve the problem" in this context.
 
L D[AR2 said:
RMA's comment about cracking simply means "resolve the problem" in this context.
Click to expand...
I see, it was a misunderstanding....

L D[AR2 said:
Can you post the zipped archive on here ?
Click to expand...
I'm not sure if I'd be allowed to post program here, so everybody can see it. But if you're willing I can send you by mail, just to see what could be wrong. If you have time, I can contact by PM with more details...
 
Hello,

If the program is written by using CFC and you do not have it and SCL compiler also (which is used to compile charts) then I think that it is not posible to track down your PI/PO. In CFC you have chart reference...
 
SCL, GRAPH and CFC can be opened without the necessary packages. Only it will display as STL. And the data used will appear in the cross reference.

If there are no symbols and no comments, then there can hardly be any risk with posting the project on the forum.
 
Hello Jesper,

I know that you as expert know this kind of things much much better then us. I remember that when I got S7 aplication written in CFC for the first time (and at thet time I did not have that package) I could not understand anything. That is the reason why I wrote that I think that it is not possible to track down PI/PO.
Thanks for correcting me:) .
 
Pandiani - The ET200M station in question is connected to a CP342-5 via Profibus, there is nothing connected to the DP port of the 315 !
You will have to backtrack from the call to FC101 which transfers data to the CP342-5 from the DB's in the 315
 
Thank you L D[AR2,P#0.0], I don't have much experience working with this stuff especially when it comes to communication, CPs and similar. I hope I'll be able to work something out.
 
You will certainly have your work cut out to back track through the code in this project, most of which was orginally written in SCL.

To give you a start, here is where my detective work led me to track down how Q13.2 on the CP342 is evaluated (working backwards):

DB39.DBX86.0 byte 18 is transferred to the CP342 (FC100)
so Q13.2=DB39.DBX99.2

DB38.DBX76.0 byte 18 is copied to DB39.DBX86.0 (in FC100)
so Q13.2=DB38.DBX89.2

DB38.DIX89.2 = DB42.DBX6.0 (in FC51)
so Q13.2=DB42.DBX6.0

DB42.DBX6.0 = FB35.OUT15 (second call to FB35 in FC51)
so Q13.2 = FB35.OUT15

Things just get so tedious when then see you have backtrack all of the inputs to FB35 ......... good luck.

You really should post this project for others to see what an almighty mess you have been left with. You never know, someone might continue the scramble through the rats nest.
 
L D[AR2,P#0.0], thank you for your time. Now when I see this I know I'll not be able to find out what are conditions that cause my digitial output channel to activate. Since program is not corrupted or anything like that, I guess will need to involve people who know technology and operators to try to remember and find out what are process conditions needs to be satisfied. At first I though it might be easy to see what all inputs and variables are in game here, to find out from documentation what these inputs are connected to. I thought I might be lucky, like I was couple of times in the past.

I'm not supposed to share this program, because I don't know if there is some kind of "legal issues" or something like that. I really appreciate your help. At least I find out I'm not the one who will solve this. This maintenance job can be very boring...
 

Similar Topics

A
reading data from siemens controller (profinet) to ethernet/IP controller
Hello I have a s7-1200 and I would like to read the tags present in this controller with my controllogix controller. The two controllers don't use...
Replies
3
Views
37
Manglemender
M
J
Omron CJ2m cpu33 - reading codes
Hi all, i have 8 CJ2m plc units that show different numbers on the plc display and i am stuck on reading the info. my unit has an ip address of...
Replies
3
Views
81
chelton
C
H
Reading from N7:0 in RSLogix 500
Hi Everyone, I am not proficient in RSLogix 500 so I have a question regarding the evaluation of N7:0 data as an input. So as I understand in...
Replies
1
Views
81
parky
P
J
ControlLogix L71 Reading from 5/80E ver D.1
Trying to setup a message read via Ethernet. I have the path setup as 1, 1, 2, 192.168.66.10 I get an error code 1, ext err 315. I am beating...
Replies
9
Views
231
just_lionel
J
H
How to lock a fx3u plc ladder from reading using gx work2
Dear all, I don't know why setup of password became challenging and weird. After setting up the password and try to upload the ladder from the plc...
Replies
3
Views
172
how
H
Back
Top Bottom