You are not registered yet. Please click here to register!


 
 
plc storereviewsdownloads
This board is for PLC Related Q&A ONLY. Please DON'T use it for advertising, etc.
 
Try our online PLC Simulator- FREE.  Click here now to try it.

---------->>>>>Get FREE PLC Programming Tips

New Here? Please read this important info!!!


Go Back   PLCS.net - Interactive Q & A > PLCS.net - Interactive Q & A > LIVE PLC Questions And Answers

PLC training tools sale

Reply
 
Thread Tools Display Modes
Old October 15th, 2015, 10:04 PM   #1
NevisGroup
Member
United States

NevisGroup is offline
 
Join Date: Jan 2014
Location: Wisconsin
Posts: 65
Beckhoff ADS Read Tag properties

Hello all:
I am in the process of writing some drivers on a PC that will communicate with a Beckhoff PLC via AMS/ADS .
I can request a handle to a tag and read and write via that handle. No probs....
What I need now is how to get info about a given tag.
ie, is it a bool,int,float, etc.
if it is a struct, what is the make up of the struct?
if is is an array, how big is it?
etc...

I have done a lot of digging through the Beckhoff website.
I have found a few documents that allude to being able to do this and a few examples that use a Bechhoff library to do it.

It kind of looks like I want to use idxgrp 0xf000,0xf001,and 0xf002. But I can not find documentation on these.
If I call them I get responses.

Any pointers?
  Reply With Quote
Old October 16th, 2015, 06:55 AM   #2
Archie
Member
United States

Archie is offline
 
Join Date: May 2002
Location: Orangeburg, SC
Posts: 1,754
Here is a snippet from the AdvancedHMI TwinCAT driver where it retrieves symbol information, see if it helps:
Code:
            Dim VarName() As Byte = System.Text.Encoding.ASCII.GetBytes(symbol.ToUpper(System.Globalization.CultureInfo.InvariantCulture))
            Dim Packet(VarName.Length + 16) As Byte

            '* Group=&HF009 (ADSIGRP_SYM_INFOBYNAMEEX) and Offset=0
            BitConverter.GetBytes(Convert.ToUInt32(&HF009)).CopyTo(Packet, 0)

            'Read Length
            BitConverter.GetBytes(Convert.ToUInt32(&HFFFF)).CopyTo(Packet, 8)

            '* Length of Symbol Name + null terminator
            BitConverter.GetBytes(Convert.ToUInt32(VarName.Length + 1)).CopyTo(Packet, 12)

            '* Add symbol name to packet
            VarName.CopyTo(Packet, 16)

            '* Send the Packet to TwinCAT
            SendAMSPacket(ADSCommand.ReadWrite, Packet)
__________________
Expectations lead to disappointment. Appreciation leads to satisfaction.

AdvancedHMI - HMI Software without the license key hassles
  Reply With Quote
Old October 16th, 2015, 07:06 AM   #3
Archie
Member
United States

Archie is offline
 
Join Date: May 2002
Location: Orangeburg, SC
Posts: 1,754
This code build a response packet as TwinCAT would, but you can use the offsets to parse the packet that is returned from the request:
Code:
        BitConverter.GetBytes(Result.Length).CopyTo(Result, 0)
        BitConverter.GetBytes(Convert.ToUInt32(m_IndexGroup)).CopyTo(Result, 4)
        BitConverter.GetBytes(Convert.ToUInt32(m_IndexOffset)).CopyTo(Result, 8)
        BitConverter.GetBytes(m_Size).CopyTo(Result, 12)
        BitConverter.GetBytes(m_DataType).CopyTo(Result, 16)
        BitConverter.GetBytes(m_Flags).CopyTo(Result, 20)
        BitConverter.GetBytes(Convert.ToUInt16(m_Name.Length)).CopyTo(Result, 24)
        BitConverter.GetBytes(Convert.ToUInt16(m_Type.Length)).CopyTo(Result, 26)
        BitConverter.GetBytes(Convert.ToUInt16(m_Comment.Length)).CopyTo(Result, 28)

        System.Text.ASCIIEncoding.ASCII.GetBytes(m_Name).CopyTo(Result, 30)
        System.Text.ASCIIEncoding.ASCII.GetBytes(m_Type).CopyTo(Result, 30 + m_Name.Length + 1)
        System.Text.ASCIIEncoding.ASCII.GetBytes(m_Comment).CopyTo(Result, 30 + m_Comment.Length + m_Name.Length + 2)
__________________
Expectations lead to disappointment. Appreciation leads to satisfaction.

AdvancedHMI - HMI Software without the license key hassles
  Reply With Quote
Old October 16th, 2015, 09:07 PM   #4
NevisGroup
Member
United States

NevisGroup is offline
 
Join Date: Jan 2014
Location: Wisconsin
Posts: 65
Thanks Archie. This will be very helpful.
I will be pulled away from this for a few days (bigger fires have sprung up)
Is this documented anywhere? I see references to all kinds of useful stuff in index groups 0xF000 through 0xF010.

BTW: I know I can read this out of the XML file that TC2 creates. I want to read it out of the PLC so that I don't have to worry about someone changing something online ( i.e. the size of an array) and not updating the computer.
  Reply With Quote
Old October 17th, 2015, 02:25 AM   #5
Archie
Member
United States

Archie is offline
 
Join Date: May 2002
Location: Orangeburg, SC
Posts: 1,754
I had written my driver through a combination of these documents and a lot of reverse engineering.

http://www.beckhoff.com/english/down...71003127100417

TwinCAT PLC ADS

TwinCAT ADS

TwinCAT ADS AMS Specification


You can also go to GitHub and search TwinCAT to find several implementations.
__________________
Expectations lead to disappointment. Appreciation leads to satisfaction.

AdvancedHMI - HMI Software without the license key hassles
  Reply With Quote
Old November 2nd, 2015, 07:58 PM   #6
NevisGroup
Member
United States

NevisGroup is offline
 
Join Date: Jan 2014
Location: Wisconsin
Posts: 65
Thanks Archie:
Now I have some other odd behavior.
Let me explain my setup first. This is kinda important so take notes...
My CX8090 is at IP address 192.168.73.114
My Linux work station is at 192.168.73.101
My win7 laptop is at 192.168.73.134 AND 192.168.73.156. (It is dual homed and they are the same physical port)
Each ADS address is also unique.
So with a lot of wire sharking....
I have TC2_PLC running on my laptop using 192.168.73.134...all is well
I started my Python code to read tags from the CX8090 on my Linux box (...101).
Without an explicit route setup in the CX8090 things fail..but wait..
Wireshark captures the CX8090 accepting the connection and the query from the Linux box. Instead of responding, it sends something to port 137. It appears to be a netbios name query!!!
It trys this query a few times then closes the connection that the Linux box opened. Hmmmmm

So I put in an explicit route into the CX8090 and tried this all again. Everything works great and there is no mystery packet sent to port 137.

OK so now back to my laptop.

If I do not have anything TC2 running (mind you the router is still lurking in the background somewhere) I can run my code and it works fine. The code is using IP Addr ...134. All is well.
As soon as I start TC2_PLC things get fishy.
My currently running program gets its connection closed. At this point TC_PLC in not online, just open.

Wireshark shows me that TC_PLC is also using IP addr ...134.
What I see is my running program and TC_PLC connecting to the CX8090. The CX8090 then closes one of the connections. Not right away. There my be a few transactions on both connections. It seams about 50/50 which connection it closes.
The take away here is that the CX8090 closed the connection! The connection was NOT closed on the PC side.

So..
I forced my program to use IP Addr ...156 (Dual homed, remember).
Now it behaves like my Lunix connection. If there is not an explicit route in the CX8090 to ...156, I get packets aimed at port 137 that appear to be netbios Name service.
(Note: the TCP side of the connection is all setup. All the handshaking is done. The Netbios query does not occur until I send an actual ADS packet).
After a few attempts at Netbios on port 137 the CX8090 closes the TCP connection.

When I put in the explicit route to ...156 into the CX8090 all works well.

Currently I have TC_PLC running in one window ( using ip addr ...134) and my software running in another (using ip addr 156) all on my win7 laptop. I also have my software running on the Linux workstation. Very busy network but it is working fine.

So....
What is this Netbios Name query about?
Can I ever have more than one connection to the PLC from a given IP addr?
Is there a way to answer the Netbios query such that a route gets created?
And is any of this documented?????

This was supposed to be easy
  Reply With Quote
Old November 2nd, 2015, 08:57 PM   #7
Archie
Member
United States

Archie is offline
 
Join Date: May 2002
Location: Orangeburg, SC
Posts: 1,754
Earlier this year I ran into a problem with both a CX8090 and a CX5010 controller in which it seemed to not want to connect. After hours of testing, I finally figured out there was an exactly 24 second delay between the first read and the response. Although I never completely figured out the cause of this, but it seemed to be related to the NETBIOS.

Since only a few controllers showed this long delay, I began experimenting to try to figure how to fix it. So far I found the only way to eliminate the long delay was to delete everything from the flash card, re-install the OS image, and set everything back up from scratch.

I never have figured out what triggers this to start happening nor an easier way to fix it. On the controllers that did it, I did a quick test to eliminate anything my driver was doing. After rebooting my PC, I opened System Manager, selected the controller, then watched the status on the lower right. It took the full 24 seconds before it would show "run". I even sent the WireShark captures to Beckhoff and they were never able to give me an answer.

I made a work around in my driver by making the timeout 25 seconds for the first read.
__________________
Expectations lead to disappointment. Appreciation leads to satisfaction.

AdvancedHMI - HMI Software without the license key hassles
  Reply With Quote
Old November 2nd, 2015, 09:06 PM   #8
NevisGroup
Member
United States

NevisGroup is offline
 
Join Date: Jan 2014
Location: Wisconsin
Posts: 65
Interesting...
After I posted, I went back to playing with it a bit.
When a route is defined in the CX8090 I noticed that is still tried the NETBIOS reads but gave up and connected. Yeah it probably took 25 seconds or so. I did not time it.

But if the route is not defined it closes the connection instead.

I will try pestering my contact at Beckhoff somemore.

The issue on my end will be that the end customer will want to put my software on any computer and have it connect with the PLC.

Why can't anything simple be easy?
  Reply With Quote
Old November 2nd, 2015, 09:10 PM   #9
Archie
Member
United States

Archie is offline
 
Join Date: May 2002
Location: Orangeburg, SC
Posts: 1,754
Quote:
Originally Posted by NevisGroup View Post
Interesting...
After I posted, I went back to playing with it a bit.
When a route is defined in the CX8090 I noticed that is still tried the NETBIOS reads but gave up and connected. Yeah it probably took 25 seconds or so. I did not time it.
If you Wireshark it and see from the first request to the first response is 24 seconds, let me know. I want to be able to go back to Beckhoff and show them that it is not just me having the problem.
__________________
Expectations lead to disappointment. Appreciation leads to satisfaction.

AdvancedHMI - HMI Software without the license key hassles
  Reply With Quote
Old November 4th, 2015, 07:58 AM   #10
NevisGroup
Member
United States

NevisGroup is offline
 
Join Date: Jan 2014
Location: Wisconsin
Posts: 65
The further I dig into this. The messier it gets.
I put wire shark on the CX8090 side so I could see everything that it was up to.
There is a lot of traffic that does not belong on an industrial network. Looks like debits from WinCe.
Anyway...My delay is more like 8 seconds. It is clearly 4 NetBios Name requests that need to time out. Each timeout is 2 seconds. There is also a DNS request that goes out as well. But my DNS server answers right away.

If your network is not answering DNS or NetBios then there would be huge delays.

Do you know if there is a way into WinCe to turn some of this off?

Also it appears that the AMS router that is lurking in the background goes a little crazy when it sees packets with a destination port of 48898. Even if they are not targeted at this computer.
(I put a port mirrored switch on the PLC and the mirrored port came into my laptop on a different network. Whenever AMS saw any packet with a destination port of 48898 it sent odd disconnect messages out the proper interface to the CX8090...very messy)
  Reply With Quote
Reply
Jump to Live PLC Question and Answer Forum

Bookmarks


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Topics
Thread Thread Starter Forum Replies Last Post
Beckhoff ADS communication M4rk06 LIVE PLC Questions And Answers 0 September 30th, 2015 02:52 PM
VBA FTView SE to Write to a PLC tag (Direct reference) MorphuisOGrady LIVE PLC Questions And Answers 0 November 25th, 2014 05:55 AM
latch/unlatch reinhart LIVE PLC Questions And Answers 12 November 1st, 2014 03:02 AM
Citect Trends Jayden LIVE PLC Questions And Answers 3 April 8th, 2010 05:15 AM
Read tag from Flexlogic carlos25 LIVE PLC Questions And Answers 5 November 11th, 2004 02:07 PM


All times are GMT -5. The time now is 12:04 PM.


.