Data comm options to secured CompactLogix

kolyur

Long story short... We recently purchased a large piece of OEM equipment. As a general rule, we will not purchase machinery with a locked PLC program. The OEM originally told us that they would provide us with the PLC password, but after the installation they reneged on this, citing management changes.

So, now we have this machine with a CompactLogix L43 and PanelView Plus 1500 communicating over Ethernet. I'm not very familiar with Logix security; when I try to go online I just get an error message, "Controller is secured." Our dilemma is that we need to be able to access the states of specific alarm conditions to control other aspects of the production line, upstream and downstream of this particular machine. I'm trying to determine how we can access tag data from the secured CompactLogix, if it's at all possible.

We use Red Lion G3's frequently and they have an Allen-Bradley native tags driver for Logix, which I've used in the past. If we had a list of PLC tags, would this be an easy option or is it possible to secure the CompactLogix comm ports to prevent this? (Keep in mind it's already talking to the Panelview.) I know it's possible to transfer data between a CompactLogix and MicroLogix via message instructions, but I believe this requires some setup on the Logix side.

The OEM is aware of our situation and I think is willing to help us, short of releasing the PLC program. I just want to make sure I know what our options are before contacting them. Any suggestions are appreciated.
 
(Keep in mind it's already talking to the Panelview.)

How about finding out the tagnames used in the PanelView and using those in the G3?

You should be able to use the native tags driver and manually enter tag names as long as the comms channel is set up correctly.

Of course this is all moot if the tags you want to access aren't used in the PanelView or if it is also OEM locked.
 
How about finding out the tagnames used in the PanelView and using those in the G3?

You should be able to use the native tags driver and manually enter tag names as long as the comms channel is set up correctly.

Of course this is all moot if the tags you want to access aren't used in the PanelView or if it is also OEM locked.

I haven't verified whether the Panelview application is secured, but I would assume it is. We could probably get a list of tags from the OEM but I wasn't sure if the Ethernet port would be locked down also. Is security between the CompactLogix and Panelview coordinated? (In other words, could the Ethernet port be configured to allow access to the PV but not other devices?)

I could make a test program in the G3 but I would have to know some valid tagnames in the program... unfortunately I don't have any. Are there any system or predefined tags in the CompactLogix that I could use?
 
If you know the IP addy of the CompactLogix, grab a demo copy of Kepware Server and add it. Use the built-in OPC client to browse to it and see what you can see :D
 
I recall the Inductive Automation OPC-UA EIP driver will list tags in a PLC, so it sounds like Kepware can do it too. I am not sure what the CIP command is to do this, but unless I am dreaming, I was impressed when I saw this in action.

There's always Wireshark for sniffing the traffic between the HMI and PLC. That should give valid tagnames, if you like reverse engineering.
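Following up on the Wireshark suggestion, an added example (not code from the thread, nor from any Rockwell or Red Lion tool): a short Python decoder for the EtherNet/IP explicit-messaging frames an HMI sends to a Logix controller. Read Tag and Write Tag requests carry the tag name in clear text as an ANSI Extended Symbol segment, so once the TCP payload is split into encapsulation frames the names fall out directly, array indexes and structure members included. The sample frames built at the bottom are constructed by hand to look like a PanelView read batch plus one unconnected read; the tag names, connection ID and session handle are made up. The security point for the thread is the one the replies already assume: the project lock the OP ran into does not restrict who may send these requests, so any host that can reach the controller on TCP/44818 sees, and can issue, the same reads and writes the HMI does.

```python
"""Pull Logix tag names out of captured EtherNet/IP explicit messaging.
Added example, not from the thread. Feed it the raw TCP/44818 payload, e.g.
tshark -r hmi.pcap -Y 'tcp.port==44818' -T fields -e tcp.payload | xxd -r -p
The frames built at the bottom are constructed by hand, not captured."""
import struct

SEND_RR_DATA, SEND_UNIT_DATA = 0x006F, 0x0070       # unconnected / connected
NULL_ADDRESS, CONNECTED_ADDRESS = 0x0000, 0x00A1    # CPF address items
CONNECTED_DATA, UNCONNECTED_DATA = 0x00B1, 0x00B2   # CPF data items
MULTIPLE_SERVICE_PACKET = 0x0A   # batches several requests in one frame
ANSI_EXTENDED_SYMBOL = 0x91      # data segment carrying an ASCII tag name
SERVICES = {0x4C: "Read Tag", 0x4D: "Write Tag", 0x4E: "Read Modify Write Tag",
            0x52: "Read Tag Fragmented", 0x53: "Write Tag Fragmented"}


def parse_epath(path: bytes) -> str:
    """Render a request path the way Logix shows it: Name.Member[index]."""
    parts, i = [], 0
    while i < len(path):
        seg = path[i]
        if seg == ANSI_EXTENDED_SYMBOL:
            n = path[i + 1]
            parts.append(("." if parts else "") + path[i + 2:i + 2 + n].decode("ascii"))
            i += 2 + n + (n & 1)         # names are padded to an even length
        elif seg == 0x28:                # member segment, 8-bit array index
            parts.append("[%d]" % path[i + 1]); i += 2
        elif seg == 0x29:                # member segment, 16-bit index after a pad byte
            parts.append("[%d]" % struct.unpack_from("<H", path, i + 2)[0]); i += 4
        else:                            # class/instance paths etc.: not a tag
            parts.append("<segment 0x%02X>" % seg); break
    return "".join(parts)


def parse_request(req: bytes, out: list) -> None:
    """Decode one CIP request (service, path size in words, path, data);
    recurse into Multiple Service Packets, which HMIs use to batch reads."""
    if len(req) < 2:
        return
    service, words = req[0], req[1]
    path, data = req[2:2 + 2 * words], req[2 + 2 * words:]
    if service == MULTIPLE_SERVICE_PACKET:
        count = struct.unpack_from("<H", data, 0)[0]
        # offsets are relative to the start of the count field
        bounds = [struct.unpack_from("<H", data, 2 + 2 * k)[0] for k in range(count)]
        for start, end in zip(bounds, bounds[1:] + [len(data)]):
            parse_request(data[start:end], out)
    elif service in SERVICES:            # replies (service | 0x80) etc. are ignored
        out.append((SERVICES[service], parse_epath(path)))


def extract_tags(payload: bytes) -> list:
    """Walk a stream of encapsulation frames; return [(service, tag path), ...]."""
    out, pos = [], 0
    while pos + 24 <= len(payload):
        cmd, length = struct.unpack_from("<HH", payload, pos)   # 24-byte header
        body = payload[pos + 24:pos + 24 + length]
        pos += 24 + length
        if cmd not in (SEND_RR_DATA, SEND_UNIT_DATA):
            continue
        count, off = struct.unpack_from("<H", body, 6)[0], 8  # after handle + timeout
        for _ in range(count):
            item_type, item_len = struct.unpack_from("<HH", body, off)
            item = body[off + 4:off + 4 + item_len]
            off += 4 + item_len
            if item_type == UNCONNECTED_DATA:
                parse_request(item, out)
            elif item_type == CONNECTED_DATA:
                parse_request(item[2:], out)  # skip the 16-bit sequence count
    return out


# --- constructed sample traffic (not a real capture) -------------------------
def symbolic(name: str) -> bytes:
    b = name.encode("ascii")
    return bytes([ANSI_EXTENDED_SYMBOL, len(b)]) + b + b"\x00" * (len(b) & 1)

def request(service: int, path: bytes, data: bytes) -> bytes:
    return bytes([service, len(path) // 2]) + path + data

def encap(cmd: int, items: list) -> bytes:
    cpf = struct.pack("<H", len(items)) + b"".join(struct.pack("<HH", t, len(d)) + d for t, d in items)
    body = struct.pack("<IH", 0, 0) + cpf   # interface handle, timeout, CPF
    return struct.pack("<HHII8sI", cmd, len(body), 0x1001, 0, b"\0" * 8, 0) + body

def build_sample_capture() -> bytes:
    # a connected batch as an HMI would send: three reads and one write to a
    # hypothetical pushbutton tag, wrapped in a Multiple Service Packet ...
    reqs = [request(0x4C, symbolic("Alarm") + bytes([0x28, 7]), struct.pack("<H", 1)),
            request(0x4C, symbolic("Machine") + symbolic("Fault_Code"), struct.pack("<H", 1)),
            request(0x4D, symbolic("Reset_PB"), struct.pack("<HH", 0x00C1, 1) + b"\xff")]
    offsets, off = [], 2 + 2 * len(reqs)
    for r in reqs:
        offsets.append(off); off += len(r)
    msp = request(MULTIPLE_SERVICE_PACKET, bytes([0x20, 0x02, 0x24, 0x01]),   # Message Router
                  struct.pack("<%dH" % (1 + len(reqs)), len(reqs), *offsets) + b"".join(reqs))
    connected = encap(SEND_UNIT_DATA, [(CONNECTED_ADDRESS, struct.pack("<I", 0x2A2A2A2A)),
                                       (CONNECTED_DATA, struct.pack("<H", 1) + msp)])
    # ... plus one unconnected read of a module-defined I/O tag
    unconnected = encap(SEND_RR_DATA, [(NULL_ADDRESS, b""),
                                       (UNCONNECTED_DATA, request(0x4C, symbolic("Local:4:I"), struct.pack("<H", 1)))])
    return connected + unconnected


if __name__ == "__main__":
    for service, tag in extract_tags(build_sample_capture()):
        print("%-10s %s" % (service, tag))
```

To use it on a real capture, replace build_sample_capture() with the reassembled TCP payload of the HMI-to-PLC stream; the controller's replies in the same stream are skipped because their service codes have the high bit set. Expect writes as well as reads in the output: a PanelView pushbutton shows up as a Write Tag, which is also exactly what any other host on that network could send.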
 
.....I could make a test program in the G3 but I would have to know some valid tagnames in the program... unfortunately I don't have any. Are there any system or predefined tags in the CompactLogix that I could use?

There are only 6 predefined tags in the Logix5000 series, and they are all "system" tags....

S:FS - BOOL - First Scan bit
S:MINOR - BOOL - At least one "minor" fault exists
S:Z - BOOL - The result of the last executed math instruction was zero
S:N - BOOL - The result of the last executed math instruction was negative
S:V - BOOL - The result of the last executed math instruction caused an overflow
S:C - BOOL - The result of the last executed math instruction generated a carry

Add to this list the module-defined tags....

eg1. an Input module in slot 4 will create the following tags..

Local:4:I
Local:4:C

eg2. an Output module in slot 5 will create the following tags..

Local:5:O
Local:5:I
Local:5:C

All of the module-defined tags are of predefined data-type, depending on the modules used. You could put the specific modules into a new program to see what structure they have. EDIT: Typically, a digital input card will have a .Data member which contains enumerated subelements for the input bit number. eg. channel 13 of a digital input card in slot 4 : Local:4:I.Data.13

Nothing else is predictable.

The OPC topic idea is probably your best way in, if you can get it to reveal the tags.
 
I for one feel a bit uneasy about the idea of reverse engineering the application. It could land you in some hot water....
 
I for one feel a bit uneasy about the idea of reverse engineering the application. It could land you in some hot water....
I'm afraid that's probably beyond my capabilities anyway, at least in the time I have available. I got Wireshark running and was able to catch some traffic between the PLC and HMI, but can't make any sense of it. All the data just looks like nonsense to me.

I do have a setup with a G3 and non-locked CompactLogix that I'm using for testing. I've already found out that the G3 cannot read I/O (Local) tags directly; I suspect those status tags may have the same result. I'll probably pursue the OPC option tomorrow.
 
I do have a setup with a G3 and non-locked CompactLogix that I'm using for testing. I've already found out that the G3 cannot read I/O (Local) tags directly; I suspect those status tags may have the same result. I'll probably pursue the OPC option tomorrow.

Not all I/O (module-defined) tags are local, the "Local" in the tag-name is just replaced with the name of the remote I/O comms module.

And the only thing that distinguishes I/O tags from other tags is that they contain a colon in the tag-name, something you cannot create yourself. Perhaps that is what the G3 complains about. I don't know G3 Red Lion, but if that's the case, then shame on Red Lion for not allowing access to the I/O tags.

Someone will know more than me
 
Drop all of your investigations, and explain to your management that since they don't own the machine, but are only leasing it, any work that needs to be done to it is the responsibility of the OEM (no matter what the cost is).

I love getting equipment like that in.
 