
Friday, 23 February 2018

The Unity (UMAS) protocol (Part VI)

This is the sixth article of a series of entries in this blog about the Unity protocol, used by Schneider Electric devices for configuration purposes.

INDEX

Part I. Introduction, initialization phase, function codes used in the initialization phase

Part II. Function codes used to read and write memory values from/to memory

Part III. Function codes used to deal with logic programs, and work with the PLC

Part IV. Other extra function codes

Part V. Specific Modicon Premium function codes

Part VI. Other function codes




In this part we'll talk about a variety of heterogeneous function codes. We actually do not have accurate information about them.



Data Information request (“00 53”)

In a firmware update tool from Schneider Electric, when "DatInf" is requested, the following request is sent:

00 53 06 00 00 00 00 00 00
  • 00 53: Is the function code
  • 06: Is the length of the following bytes
  • 00 00 00 00 00 00 00: Unknown

The Modicon M340 PLC responds with an error message like:

00 FD 00


M580 request for memory read (“00 07”)

In the communication between Unity and a Modicon M580 a new function code was found.

The request was like:

00 07 00 36 00

The response was:

00 FE 36 00 B5 1A 00 00 00 20 8F E0 70 1C 13 28 4C 12 C7 31 00 00 00 A5 5A 5A 5A 5A

This request was sent every now and then, and the response was always the same. We still don't know what these requests mean.



Unknown request 1 (“00 38”)

Sent from SCADA software to an M580. Its meaning is unknown.



Unknown request 2 (“00 42”)

It was found once in one communication. The request is simple:

00 42 00 00

And the response is even simpler:

00 FE


Unknown request 3 (“00 51”)

This function code was found once in a communication. The request was:

00 51 F3 28 01 00

while the response (from the PLC) was:

00 FE C6 F6 02 00 00 00 00 00 00 02 00 11 00 C6 F6 13 00

Its meaning is still unknown.
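
Even without knowing what these codes mean, the frames above can be split into fields and flagged when they show up in a capture. The following Python sketch is an added example, not code from this series or from Schneider Electric; it assumes byte 0 is a leading byte (00 in every capture here), byte 1 is the function code in a request or the FE/FD status in a response, and all function and variable names are hypothetical.

```python
# Added example: split the UMAS payloads quoted in this article into fields.
# Assumption: byte 0 is a leading byte, byte 1 is the function code (request)
# or the status FE/FD (response). Direction is guessed from byte 1 only, so a
# real monitor should take it from the transport (who sent the frame).

# Function codes this article lists as not understood.
UNDOCUMENTED = {0x53: "Data Information (DatInf)", 0x07: "M580 memory read",
                0x38: "Unknown request 1", 0x42: "Unknown request 2",
                0x51: "Unknown request 3"}
STATUS = {0xFE: "ok", 0xFD: "error"}

# Payloads copied from the article, requests and responses mixed.
CAPTURES = ["00 53 06 00 00 00 00 00 00", "00 FD 00",
            "00 07 00 36 00", "00 42 00 00", "00 FE",
            "00 51 F3 28 01 00",
            "00 FE C6 F6 02 00 00 00 00 00 00 02 00 11 00 C6 F6 13 00"]


def parse_umas(hex_text):
    """Return a dict describing one UMAS payload given as spaced hex."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 2:
        raise ValueError("UMAS payload needs at least two bytes")
    lead, code, body = raw[0], raw[1], raw[2:]
    if code in STATUS:
        return {"kind": "response", "lead": lead,
                "status": STATUS[code], "body": body}
    frame = {"kind": "request", "lead": lead, "code": code,
             "name": UNDOCUMENTED.get(code), "body": body, "length_ok": None}
    if code == 0x53 and body:
        # The article describes the byte after 00 53 as the length of the rest.
        frame["length_ok"] = body[0] == len(body) - 1
    return frame


def flag_undocumented(frames):
    """Return the codes of requests that this article lists as unknown."""
    hits = []
    for hex_text in frames:
        frame = parse_umas(hex_text)
        if frame["kind"] == "request" and frame["name"] is not None:
            hits.append(frame["code"])
    return hits


if __name__ == "__main__":
    for capture in CAPTURES:
        print(parse_umas(capture))
    print("undocumented codes seen:", [hex(c) for c in flag_undocumented(CAPTURES)])
```

Because several of these codes were seen only once, their appearance in routine traffic to a PLC is a reasonable thing to log and review.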