WinLDR weird cross referencing

kexlington

Member
K
Join Date
Jan 2008
Location
Gladstone
Posts
10
Hi,
I have a very old machine I am trying to fix. The PLC is an FA-2 Junior and I am able to connect to it and monitor the code using WinLDR.

Luckily for me, there are no comments in the program and I just have a heap of memory addresses. While trying to reverse engineer what is going on, I have found a number of memory registers that change during the course of the machine operating, but when I do a cross reference on these registers results are returned but there is nothing writing to the registers - all results are read only. I really need to find out what these registers do - they appear to be related to the sequence that machine operates with.

This machine is old - there is no HMI or SCADA writing to these memory registers (there's no network connection to the PLC at all). The memory registers must be getting written to somewhere in the program, but I can't find where. Having ~400 rungs of uncommented code doesn't help.

Has anybody out there had this experience while using WinLDR?
 
The registers could be part of file shifts or bit shifts.


Say it is reading 3004 which is never written to, but 3001 is, then it is shifted twice to be in 3004.


If you can zip and post the project we can go through it to try and find the source.
 
Sound like you're program is doing a pile of SHIFT commands. Was very common to do when wanting to "hold" a value. (Credit here to I_Automation)

Post it as a printed file or attach it, forum as helped me figure out a pile of confusing programming (y)
 
Please find the attached code.

I searched through the code and I can't find any instances of bit shifting.

An example of my problem is when I cross reference memory address M0052 - there is nothing that writes to this bit but I can see it changing while online (I suspect this bit is related to the portion of code that is causing my particular problem).
 
Unfortunately I can't open the file.

My version of WindLDR (v8.15.0) does not support that old of a PLC. The file says it was created with v5.35.

I put in a call to my local Idec office to see what software I need.
 
Idec called back.

Turns out the FA-2J PLC was an Asian market only PLC and the American WindLDR won't open the files.

Getting me the info on the needed software.
 
Yeah it's a pretty old PLC. I've been waiting in vain for 3 years for this thing to die so that we can justify upgrading it.

Let me know if you can't get the software, I just might happen to know where you can get a copy ;)
 
kexlington said:
Please find the attached code.

I searched through the code and I can't find any instances of bit shifting.

An example of my problem is when I cross reference memory address M0052 - there is nothing that writes to this bit but I can see it changing while online (I suspect this bit is related to the portion of code that is causing my particular problem).
Click to expand...


rung273 and 275 have store and move word inscrunctions to M40 bit.

Probably they write 16bits (M40..M55 bits)?
 
I see... I'm not very familiar with this type of PLC, I didn't pick this up. But after reading the help file on these instructions I can see what is going on.

So the important thing to say here is that the JST0 and WMOV instruction can move data to boolean addresses (not only just words).

Gotta love these old PLCs, where the programming is half a step above assembly!
 
Almost all PLC's treat boolean bits as words of bits.


For Allen Bradley SLC, ML & PLC5 there are bits B3:0/0 to B3:0/15 that can be checked individually or read and written to as the work B3:0

You can also read words of digital input cards and write words to digital outputs (say to turn off all outputs during a fault or E-stop)


And some move and copy commands have a length value that can read or write that many words together.
 
kexlington said:
I see... I'm not very familiar with this type of PLC, I didn't pick this up. But after reading the help file on these instructions I can see what is going on.

So the important thing to say here is that the JST0 and WMOV instruction can move data to boolean addresses (not only just words).

Gotta love these old PLCs, where the programming is half a step above assembly!
Click to expand...


I haven't programmed Idec at all, but Schneider Twido was prepranted Idec PLC with less commands.
Cross referendce shows only start address for indirect addressing, so you need to check every bit from cross reference and look if it is used with word commands.
 

Similar Topics

T
IDEC WinLDR ladder question...
On a job and using the IDEC Micro FC6A hardware with WinLDR software for the first time and I have a quick ladder logic question. What's the...
Replies
3
Views
923
timothy585
T
R
Winldr help (wktim,wktbl)
Hello everyone I am a beginner and am taking on a project utilizing a PlC. I want to turn a light on throughout the year at different times each...
Replies
7
Views
2,433
Stationmaster
Stationmaster
B
Winldr help
I have an existing program running that i would like to add a small change to and don't want to make a mistake.Right now an input I005 is pushed...
Replies
0
Views
1,431
BWW
B
J
Weird Issue with ABB-CI873 and Control Logix
I currently have a weird issue involving Ethernet IP communication between a ABB CI873 (EthernetIP Module) and a 1756-L83ES. The Layout is as...
Replies
8
Views
727
gobinath
G
dalporto
Weird Structured Text execution order
Good morning. I'm doing a rehab and I need to recycle some part of the old code that won't change and that I need. This is a calculation that...
2
Replies
22
Views
1,321
I_Automation
I_Automation
Back
Top Bottom