This is the sixth article of a series of entries in this blog about the Unity protocol, used by Schneider Electric devices for configuration purposes.
INDEX
Part I. Introduction, initialization phase, functions codes used in the initialization phase
Part II. Function codes used to read and write memory values from/to memory
Part III. Function codes used to deal with logic programs, and work with the PLC
Part IV. Other extra function codes
Part V. Specific Modicon Premium function codes
Part VI. Other function codes
In this part we'll talk about a variety of heterogeneous function codes. We actually do not have accurate information about them.
Data Information request(“00 53”)
In a firmware update tool from Schneider Electric when request "DatInf" the following request is done:
00 53 06 00 00 00 00 00 00
- 00 53: Is the function code
- 06: Is the length of the following bytes
- 00 00 00 00 00 00 00: Unknown
The Modicon M340 PLC responds with an error message like:
00 FD 00
M580 request for memory read(“00 07”)
In the communication between Unity and a Modicon M580 a new function code was found.
The request was like:
00 07 00 36 00
The response was:
00 FE 36 00 B5 1A 00 00 00 20 8F E0 70 1C 13 28 4C 12 C7 31 00 00 00 A5 5A 5A 5A 5A
This request was sent every now and then, and the response was always the same. We still don't know what these requests mean.
Unknown request 1 (“00 38”)
Sent from a SCADA software to a M580. Its meaning is unknown.
Unknown request 2 (“00 42”)
It was found once in one communication. Te request is simple:
00 42 00 00
An the response is even simpler:
00 FE
Unknown request 3 (“00 51”)
This function code was found once in a communication. The request was:
00 51 F3 28 01 00
while the response (from the PLC) was:
00 FE C6 F6 02 00 00 00 00 00 00 02 00 11 00 C6 F6 13 00
Its meaning is still unknown.
