Programming remote reading AB PLC data

zhaozj2021-02-16  22

RSLink, developed by AB, is the best tool for reading remote AB PLC data, and it can also read the name of the AB PLC. In actual system integration, however, the remote PLCs are of many different types, so I was given a task: develop our own software to read the various PLCs.

The remote devices we use include AB PLCs, Siemens PLCs, LG PLCs and a variety of RTUs, but they have one thing in common: all of them are accessed through a serial port and differ only in their data protocols. Once the data protocol is worked out, everything is OK. To this end, I studied the AB PLC.

AB provides software, but its information is somewhat unknown. I had to use serial port monitoring to listen on the serial port and get more direct information.

First, monitoring the serial port

I use portmon.exe to listen on the serial port. The following is the data I captured while running RSLink:

IRP_MJ_WRITE 41 54 5A 0D

IRP_MJ_READ 41 54 5A 0D

IRP_MJ_WRITE 10 02 01 00 06 00 01 08 03 10 03 01 65

IRP_MJ_READ 10 06 10 02 00 01 46 00 01 08 00 EE 34 49 64 35 2F 30 33 20

20 20 20 20 20 20 00 00 86 10 10 8D A3 10 10 FC 10 03 18 55

IRP_MJ_WRITE 10 06

IRP_MJ_WRITE 10 02 01 00 0F 00 27 04 A1 C8 07 89 00 10 03 A3 F3

IRP_MJ_READ

10 06 10 02 00 01 4F 00 27 04

00 00 C7 0C CF 0C C8 0C C6 0C 88 0C EC 0C AA 0C 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

F3 FF 0D 00 0D 00 00 00 4c 04 52 03 20 04 8B 03 84 03

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 1F 00 00 00 00 00

00 00 00 01 00 02 00 00 00 00 00 02 00 03 00

04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

C2 01 00 00 00 76 02 B6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00

5D 00 C7 0C CF 0C C8 0C C6 0C 86 0C EC 0C AA 0C 00 00 00 00

10 03 8D D8

IRP_MJ_WRITE 10 06

It can be seen that RSLink runs in three steps:

1. Initialize the modem: send ATZ to confirm that the modem exists.

2. Query the data structure of the PLC; after receiving the reply, send 10 06 to confirm.

3. Query the N7 data; after receiving the reply, send 10 06 to confirm.

The steps are now clear. The remaining work is to understand the meaning of the data that is sent and returned.

Second, the format of the data request

The request for the PLC's data structure is the same every time, so there is no need to spend time on it. Here we look at the request that reads the N7 data. The meaning of its bytes is:

    Byte(s)           Meaning
    * 10              start bit
    * 02              start bit
    01                destination address
    00                address
    0F                read data
    00                retained
    27                ID number
    04                ID number
    A1 C8 07 89 00    word number, area, integer type, start word
    * 10              end flag
    03                end flag
    A3                check bit
    F3                check digits

*: Bytes marked with * do not participate in the CRC32 operation.

The CRC32 is calculated as follows, in VB:

    Function CalcCrc(Data() As Long, ByVal ArrayLen As Long) As Long
        ' Data() holds one byte value per element; ArrayLen is the index of the last element.
        Dim i As Long, j As Long, k As Long, h As Long
        For i = 0 To ArrayLen
            j = j Xor Data(i)
            For k = 1 To 8
                h = j Mod 2                 ' test if a bit will be shifted out
                j = Int(j / 2)              ' shift right
                If h Then
                    j = j Xor &H1000A001    ' XOR with constant
                    j = j - &H10000000      ' clear top word
                End If
            Next k
        Next i
        CalcCrc = j
    End Function

    Private Sub Command1_Click()
        ' Text3 holds the bytes to be checked as a hex string, two characters per byte.
        Dim i As Long, j As Long, Length As Long
        Dim Init() As Long
        Length = Len(Text3.Text) / 2 - 1
        ReDim Init(Length)
        For i = 0 To Length
            Init(i) = Val("&H" & Mid(Text3.Text, 2 * i + 1, 2))
        Next i
        j = CalcCrc(Init(), Length)
        Text2.Text = Hex(j Mod 256)         ' low byte of the result
        Text1.Text = Hex(Int(j / 256))      ' high byte of the result
    End Sub

Sending this byte string returns the N7 data. The data is returned in words, and the start word and the number of words determine what is returned.

Third, the received data

The received data above starts with 10 06 10 02; 00 01 4F 00 27 04 carries the destination and the ID number, and then comes the returned data, in which each byte is a set of data. For example, my PLC is defined as follows:

    TAGNAME           Address    Description
    Compresure        N7:68      Control flow
    FLUE_1            N7:33      #1 instantaneous flow
    FLUE_2            N7:34      #2 instantaneous flow
    INPRESSUE         N7:37      Total inlet pressure
    Lowp_Alarm        N7:28      Total pressure alarm lower limit
    Lowp_set          N7:106     Total pressure control setting lower limit
    Lowpressure       N7:26      Total pressure control lower limit
    Midtank_p         N7:36      Middle tank pressure
    OUTP_LOW_ALARM    N7:29      Outlet pressure current alarm lower limit
    OUTP_LOW_SET      N7:109     Outlet pressure alarm lower limit setting
    Outpressure       N7:35      Outlet pressure
    p_c_down          N7:125     Reduce inlet pressure
    P_c_up            N7:124     Raise inlet pressure
    UPP_Alarm         N7:27      Total pressure alarm upper limit
    UPP_SET           N7:105     Total pressure control value upper limit
    Uppressure        N7:25      Total pressure value upper limit

Addresses are counted in words, that is, two bytes each.
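The framing and check described in sections two and three, as an added Python example (not the author's code): it validates a captured frame, collapses the doubled 10 10 bytes visible in the first reply of the capture, verifies the two check bytes and decodes returned words. The field names dst, src, cmd, sts and id, and the signed low-byte-first word decoding, are assumptions layered on the page's labels; the two frames are copied from the capture above.

```python
import struct

DLE, STX, ETX, ACK = 0x10, 0x02, 0x03, 0x06

def crc16(data: bytes) -> int:
    """Same arithmetic as the page's VB routine; the result fits in 16 bits."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_frame(raw: bytes) -> dict:
    """Validate one captured frame and split it into header fields and data."""
    start = 2 if raw[:2] == bytes([DLE, ACK]) else 0   # replies follow a 10 06
    end = len(raw) - 4                                  # 10 03 plus two check bytes
    if raw[start:start + 2] != bytes([DLE, STX]) or end < start + 2:
        raise ValueError("missing 10 02 start or frame too short")
    if raw[end:end + 2] != bytes([DLE, ETX]):
        raise ValueError("frame does not end with 10 03 and two check bytes")
    stuffed = raw[start + 2:end]
    body = stuffed.replace(b"\x10\x10", b"\x10")        # 10 10 on the wire is one data byte 10
    if body.count(DLE) != stuffed.count(b"\x10\x10"):
        raise ValueError("unpaired 10 inside frame")
    sent = raw[end + 2] | (raw[end + 3] << 8)           # low byte first, as in A3 F3
    if sent != crc16(body + bytes([ETX])):              # unmarked bytes: data plus the 03
        raise ValueError("check bytes do not match the frame contents")
    if len(body) < 6:
        raise ValueError("header shorter than six bytes")
    dst, src, cmd, sts, ident = struct.unpack_from("<BBBBH", body)
    return {"dst": dst, "src": src, "cmd": cmd, "sts": sts, "id": ident,
            "payload": bytes(body[6:])}

def n7_words(data: bytes) -> list:
    """Decode returned data as signed 16-bit words, low byte first (assumed)."""
    return [w for (w,) in struct.iter_unpack("<h", data[:len(data) // 2 * 2])]

# Frames copied from the capture on this page.
REQ_N7 = bytes.fromhex("10 02 01 00 0F 00 27 04 A1 C8 07 89 00 10 03 A3 F3")
REPLY_STATUS = bytes.fromhex(
    "10 06 10 02 00 01 46 00 01 08 00 EE 34 49 64 35 2F 30 33 20"
    "20 20 20 20 20 20 00 00 86 10 10 8D A3 10 10 FC 10 03 18 55")

if __name__ == "__main__":
    for name, frame in (("N7 request", REQ_N7), ("status reply", REPLY_STATUS)):
        print(name, parse_frame(frame))
```

The check bytes only detect transmission errors; nothing in these frames identifies the sender, so a frame that passes `parse_frame` is well-formed, not trusted.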

In this way we can read the data of a specified area and break it down according to the settings in your PLC, so the data of the AB PLC can be read by a program you write yourself.

Conclusion

This is the data protocol of the AB PLC, which is unknown in AB's manual, and the PLC I read was developed by another company, so I spent a lot of time on the meaning of the data and not much time on the programming. This summary is shared with everyone, you should make everyone eloquently.

When reposting, please cite the original address: https://www.9cbs.com/read-27239.html
