3964R Siemens S7 - Reading Extended Data Block?

I'm writing a driver using the 3964r Protocol and i'm having trouble finding good documentation. I've crawled all over google and havn't been able to uncover much useful information.

I'm using the commands AD and ED (in bytes 3 and 4) to read and write data blocks. However I also need to read and write analog values to word addresses larger then 255. These are all even addresses going from 2.0 to 214.0 The AD command has a single byte for word address and this only gets me to 255. I then discovered an AX and EX command however i cannot find any information on the packet structure for these commands. I have a 3964r protocol engine from Adontec. It has a function for this but the packet still only has one byte for the word address (this is the 6th byte). Is there something i'm missing? Would the device recieving this command handle the word address differently for an AX command? (on another note i don't yet have the hardware to test any of my assumptions, which is why i'm asking here)

AD Command Packet(in hex):

00 00 41 44 01 01 00 0A FF FF (Bytes: 1&2 Signature, 3 Command, 4 Address Mode, 5 Device Address, 6 Word Address, 7&8 number of words, 9&10 Coordination bytes)

AX Command Packet??

I welcome any advice. Thanks in advance,

Bill

Reply to
Ron_Bacardi
Loading thread data ...

Bill, looking though an old 3964R protocol manual I have here I can find no mention of an AX or EX command. The commands listed are:

AS, ES - Absolute address AD, ED - Data block, data word AE, EE - Input byte/image AA, EA - Output byte/image AM, EM - Flag byte AZ, EZ - Counter AT, ET - Timer

The AD/ED command system is certainly not restricted to one byte of data. Digging through my old files, I find a typical packet from years back:

00 00 41 44 10 00 00 02 FF FF 00 02 00 02 10 03 04

Bytes: 1&2 Signature, 3 Command, 4 Address Mode, 5 Device Address, 6 Word Address, 7&8 number of words, 9&10 Coordination bytes, 11&12 Data Word #1,

13&14 Data Word #2, 15&16 Terminator, 17 BCC

The response to this is: 10 02 To which I reply: 10 And the response: 00 00 00 00 10 23 (ie. received with no errors) To which I reply: 10

In this example, I am writing 2 words of data (4 bytes) to DB10, DW0. You can read/write as many 16-bit words as you like.

3964R is a clumsy system, but it's not nearly as bad as some. ;-)

I hope this helps, Cameron:-)

Reply to
Cameron Dorrough

Bill, after re-reading your post, a bit of history:

The 3965R protocol was developed mainly for use with Siemens S5 PLCs. The memory in an S5 is broken up into Data Blocks containing Data Words - essentially a 16-bit memory address somewhere between 0000h and FFFFh - and AFAIK, you can't address anything outside this space.

I don't recognise the addresses you list above as being analog - 'x.x' is typically a *bit* address - even in the S7 system (eg. PIW472 -> DB10.DBW30 is a mapping for an analog input to a data word).

Are your addresses correct? Maybe you are using DW=0 for a bunch of DBs from 2 to 214??

Cameron:-)

Reply to
Cameron Dorrough

The documentation i was able to find is so limited. Even having trouble getting the correct docs from Siemens. As i look at this spec sheet my customer says they have in DB100, word addresses starting at

2 and going through 514. ( I made a mistake in my last post its not 2-214 its 2-514) All even numbered addresses. Now, this strikes me as odd seeing as 2-514 only even numbers is actually 255 values which is enough to store in the single byte address. My problem is which command handles this. I was assuming the AX and EX command (which i'm bummed your documentation doesn't have :) would be handled differently and possibly be translated to the adresses availible in this database.

00 00 45 44 64 30 00 02 FF FF

The above packet requests 2 words from DB100 (64h) starting at address

48 (30h)

00 00 45 58 64 30 00 02 FF FF

This is supposed to be the extended read of 2 words from db100. My problem is if this is an extended read, is there an extra 255 blocks that that are part of DB100 and this reads the data words from a seperate database like DBX100? or perhaps for this command is the address translated from 30h (48d) to 4Eh (78d), (30*2+2) and thats how i can access word addresses 2-514.

I hope that makes sense.. on the other hand i do have all the communications working correctly. My big pain is not having the hardware to test it on, because i could simply keep guessing till something worked :)

Thanks for your help Cameron,

Bill

Reply to
Bill Klees

The documentation I have (which is quite old now) shows a limit of 128 characters on the data transfer. If you want to exceed this value you transmit a "continuation message" (different response packet to the regular one) - I had always taken "extended read" to mean this, but someone may well have extended the protocol definition in the years since I looked at it.

I'm suspecting that (1) your client may have made a typo and (2) that the AX/EX commands you have seen are not something that was developed by Siemens - maybe have a talk to the Adontec people.

Even if your client hasn't made a typo, it is pretty bad form to insist on using non-standard addresses (ie. >255) for communications registers.

Good luck!

Cameron:-)

Reply to
Cameron Dorrough

A single frame can transfer 64 DWs (register), so setting the start address as 255, you will get data from registers 255..318, which may contain also some useless data.

Paul

Reply to
Paul Keinanen

PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.