RSLogix 500 & SLC 500

bga6418

Member
Join Date
Sep 2007
Location
Somewhere
Posts
9
I was checking the communication between RsLogix 500 and SLC 500 (DF1 full duplex) and found that RSLogix issues some undocumented commands and some very strange reads. Can someone please explain it?

Thank you in advance.

1. Undocumented Command (0x0F, Function 0xA3?):
DLE STX 01 00 0F 00 70 6C A3 56 02 84 01 00 FF D4 53 FF D6 53 FF 60 54 FF 62 54 FF 92 54 FF 94 54 FF D2 53 56 02 84 05 00 DLE ETX 2E D3
Reply:
DLE STX 00 01 4F 00 70 6C 00 26 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 00 00 10 00 00 00 00 DLE ETX 6A 75

2. Strange Read (What is the logical address 00 00 00 00?):
DLE STX 01 00 0F 00 70 48 A2 2C 00 00 00 00 DLE ETX 96 A6
Reply:
DLE STX 00 01 4F 00 70 48 55 4E 54 49 54 4C 45 44 00 00 00 00 00 00 00 00 00 00 3D 00 12 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B3 77 DLE ETX F3 6A

3. Strange Read (What is the logical address 00 00 0B 00?):
DLE STX 01 00 0F 00 70 4C A2 14 00 00 0B 00 DLE ETX E2 2F
Reply:
DLE STX 00 01 4F 00 70 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DLE ETX 05 48

4. Strange Read (What is the logical address 00 64 00 00?):
DLE STX 01 00 0F 00 70 50 A2 18 00 64 00 00 DLE ETX 8D 48
Reply:
DLE STX 00 01 4F 00 70 50 4C 04 01 00 04 00 02 80 00 00 45 43 00 00 02 00 00 00 00 00 E0 01 30 00 DLE ETX 70 6E

Any help would be greatly appreciated,
bga
 
I don't see how ascii table is related to my question.
I was not able to find anything on internet and asked in this forum.
If you do not understand the question please ask for clarification otherwise, please do not post junk
 
This is kind of deep-under-the-hood stuff, where RSLogix 500 is reading SLC-500 System Memory. This isn't User Program Memory, which is generally accessed by HMI programs and messages from other controllers.

I can't exactly figure out these commands because they don't line up with my limited documentation. A-B doesn't make the full command set public.

Command 0x0F, Function 0xA3 is an SLC-500 Scattered Read, for which the arguments are Masks and SLC system addresses

where the first Mask byte is a bitwise designation of what is to follow:

Bit 0= indirect file number mask
Bit 1= file number mask
Bit 2= file type
Bit 3= indirect element number mask
Bit 4= element number mask
Bit 5= indirect sub-element number mask
Bit 6= sub-element number mask
Bit 7= indexed address

If we take a look at the data you captured:

0x56 = 0101 0110 binary = following data includes File Number, File Type, Element Number, Sub-Element
0x02 Data File Number 2
0x84 Data File Type 0x84 = Status
0x01 Data Element Number 1
0x00 Data Sub-Element 0

0XFF Next data element is 2 bytes
0x53D4
0xFF Next data element is 2 bytes
0x53D6
0xFF Next data element is 2 bytes
0x5460
0xFF Next data element is 2 bytes
0x5462
0xFF Next data element is 2 bytes
0x5492
0xFF Next data element is 2 bytes
0x5494
0xFF Next data element is 2 bytes
0x53D2

0x56 = 0101 0110 binary
0x02 Data File Number 2
0x84 Data File Type = Status
0x05 Data Element 5
0x00 Data Sub-Element 0

The reply is the Status byte (00) and the reply data, low byte first. There are 13 Words received.

0x0026
0x0000
0x0000
0x0000
0x0000
0x0000
0x0001
0x0000
0x0000
0x0001
0x1000
0x0000
0x0000

I can't figure out which data elements the middle seven values indicate, or why there are 13 words received for the command.

So, that's my best shot. Why do you need to decode these communications between the RSLogix software and the controller ?
 
Thank you, Ken.
You mentioned that you have some docs. Where did you get them? All I have is DF1 Protocol pdf from AB (1770-6.5.16)

I need to write utility that would read some data from PLC, then download updated ladder logic to PLC and then save some data into PLC back. I implemented DF1 protocol communication, but have a few issues here and there. So I decided to look what RSLogix does.

Could you also help with strange read commands?
I cannot understand logical addresses it passed to PLC.

Thank you in advance,
bga
 
That's where you're going to run into a roadblock. The internal workings of RSLogix 500 and the communications commands it uses are proprietary and are seldom licensed, even to Rockwell's partner companies.

Since you're working on software that sounds like it could potentially compete with FactoryTalk AssetCentre program management, you're very likely not going to be able to get that proprietary information.

My documentation is an old RA PCCC reference document from about 10 years ago that has "Internal Reference Only" written all over it. The age of the documentation is probably why it doesn't explain the addressing formats you are seeing, like the "File 00, Type 00, Element 00, Sub-Element 00" in the 0xA2 command. I use it to troubleshoot DF1 network communication, because it covers most ordinary DF1 data table reads and writes.
 
I'm sorry to raise such a old post. Did you / anyone else managed to understand the A3 command?

Did anyone find any documentation of it?

I have similar data with A3 commands. Though I don't have the leading header (I mean that after the A3 opcode I get FF 78 04 FF 64 04... immediately)

Thanks
Nitay
 
Hi Nitay,

It looks like RsLogix uses A3 command as some form of a heart beat - it reads multiple parameters at once with this scattered read command. I noticed that it is was repeated with the same interval over and over.

BTW, the exact format may vary between different PLC modules (SLC500, ML1100, etc.)

I did not really needed it. I think you will only need it if you want to communicate with RsLogix (in other words if you are writing an emulator) or if you want to write your own RsLogix :).

Thank you,
bga6418
 
0XFF Next data element is 2 bytes
0x53D4
0xFF Next data element is 2 bytes
0x53D6
0xFF Next data element is 2 bytes
0x5460
0xFF Next data element is 2 bytes
0x5462
0xFF Next data element is 2 bytes
0x5492
0xFF Next data element is 2 bytes
0x5494
0xFF Next data element is 2 bytes
0x53D2

Hey guys

Do you know what represents the two bytes data elements?
Can I convert those to Binary Logical Address?
Can I match each of those address to a specific element of a specific file?
 

Similar Topics

Hello. I am trying to change the indexes when I Paste from SLC Library and I must be doing something wrong. I tried it with a very simple rung to...
Replies
4
Views
1,351
Hi all, yesterday I was at a customer site doing a PM and after making a couple of minor mods to the program, I went to back it up to EEPROM (yes...
Replies
2
Views
2,348
I have a few projects I want to Save As file type SLC to be able to use the Translation tool in Studio 5000 (migrating from SLC 5/03 to...
Replies
3
Views
2,458
Hi all, Sorry to make my first post a request, but I was given this .RSS file and need to convert it to .SLC - would some helpful person with...
Replies
7
Views
4,454
Hello. I am learning Allen-Bradley PLC programming using the RSLogix 500 emulator. So I need some help pls. I am using the RSLogix Microstarter...
Replies
8
Views
4,235
Back
Top Bottom