Programming a Computer to Read and Write the PLC Memory Area in Free-Port Communication Mode
2026-04-06 05:51:14··#1
Abstract: This paper presents a method of designing a communication program that lets a computer read and write several adjacent bytes in the memory areas of an S7-200 PLC in free-port communication mode. Several reliability measures are built into the program design.

Keywords: PLC, communication, free-port mode

1 Introduction

Using the free-port mode of the S7-200 to communicate with a host computer has low hardware cost and adapts well to different applications, but programming it is comparatively difficult. This paper develops a communication program based on a custom protocol that lets the host computer read and write byte, integer and double-integer data in the memory of each PLC slave station.

2 Communication Protocol

Communication uses a single-master scheme: one computer is the master station and several PLCs are slave stations. The computer sends read/write command frames, each carrying a slave station address, to all PLCs as a broadcast; only the PLC whose address matches returns a response frame. The baud rate is 19.2 kbit/s, the serial format is 1 start bit, 8 data bits, 1 stop bit and no parity, and frames are protected by an XOR check: the checksum byte is the XOR of all other bytes in the frame. The computer receives data with an event-driven method; the PLC sends data with the XMT (transmit) instruction and receives it with character interrupts.

Figure 1 Communication Frame Format

Figure 1 shows the frame format, with the data area shaded. The frame start flag occupies 3 bytes and is the hexadecimal value BE BE BE. The station address is the number of the slave station the computer is reading from or writing to. The read command byte is CCH and the write command byte is DDH; the command byte in the PLC's response frame is the same as the command byte it received.
The response to a write command has no "read data" part. Apart from the frame start flag, the starting address of the read/write area and the read/write data, every other part of the frame occupies one byte. In Figure 1, the "PLC reception error flag" in the response frame is 1 when the PLC has verified the received command frame correctly and its command byte is CCH or DDH; otherwise it is 0.

The starting address of the read/write area in the command frame is the numerical code of the first byte address of that area inside the PLC. After receiving the command frame, the PLC uses this code as a pointer and reads or writes the contiguous area specified by the computer with a loop. Through repeated experiments the author obtained the numerical encoding rules for the addresses of the PLC's memory areas. The code is a double word: the high word identifies the memory area type (see Table 1) and the low word is the byte offset, so the code for any address can be formed from its area and offset. For example, the code for MB3 is 0200 0003H, which is the same value as &MB3 in the PLC program, only written differently. Carrying the address code in the communication frame simplifies the PLC program.

Table 1 High-word encoding of several memory area addresses

If the PLC times out while receiving, it returns to the receiving state; if the computer times out waiting for a response, it retransmits the command frame up to 3 times, and if all 3 retransmissions also time out it raises an alarm.

3 PLC Communication Program Design

3.1 Design of the Receiving and Sending Programs

As a slave station, the PLC only returns a response frame after receiving a command frame from the computer; it never sends data on its own. The PLC uses several character-interrupt service routines to receive the parts of the command frame in sequence.
In the interrupt routine that receives the frame start flag, the PLC treats the incoming bytes as the start of a frame only after three consecutive BEH bytes; otherwise it keeps looking for the start flag. In the routine that receives the station address, the received address is compared with the PLC's own station number. If they match, the remaining bytes of the command frame are received; otherwise the PLC goes back to waiting for a start flag. In this way only one PLC receives the whole command frame at a time, and the other PLCs are spared unnecessary reception work. In the routine that receives the data area, the number of data-area bytes declared in the frame is compared with the number of bytes received so far to decide whether the data area is complete. Once the data area has been received, receiving the checksum byte completes the frame and the transmit-enable flag is set.

When the main program sees the transmit-enable flag at 1, it performs the XOR check and examines the command byte. If the frame is correct it decides whether the command is a read or a write. For a read command, the data requested by the computer is copied into the transmit buffer; for a write command, the data supplied by the computer is written to the specified memory address. Finally the XOR checksum is computed and appended to the transmit buffer, and once the response frame has been assembled it is sent.

3.2 Reading and Writing the PLC Memory Area

First, the starting address of the read/write area is taken from the receive buffer and stored in a double word with the symbolic address Address. A loop is used to read or write several bytes; each iteration moves one byte with an indirectly addressed move, MOVB *pFrom, *pTo.
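The slave-side behaviour of Sections 3.1 to 3.3 (the character-interrupt receive routines, the MOVB copy loop over the addressed area and the assembly of the response frame) as an added Python simulation. This is not the paper's STL program: it models one slave station as a byte-at-a-time state machine so that the resynchronisation rules (three consecutive BEH, station-address filtering, declared versus received data-area length, XOR check and error flag) can be exercised on the paper's own frame bytes. Assumptions beyond the page: the byte after the station address is the data-area length (as the paper's example frames imply), the response frame is laid out as start flag, station, length, command, error flag, read data, checksum, only the M-area code 0200H from the MB3 example is known, and a single 256-byte M area is modelled.

```python
START = 0xBE                      # frame start flag byte, sent three times
CMD_READ, CMD_WRITE = 0xCC, 0xDD  # command bytes from Section 2
AREA_M = 0x0200                   # high word of the address code for M memory (MB3 -> 0200 0003H)


def xor_checksum(data: bytes) -> int:
    """XOR of every byte in data; the frame checksum covers all bytes except itself."""
    c = 0
    for b in data:
        c ^= b
    return c


class SlavePlc:
    """Simulated S7-200 slave: receive state machine, memory access, response assembly.

    Assumption (not from the page): a single 256-byte M area is modelled.
    """

    def __init__(self, station: int, memory_size: int = 256):
        self.station = station
        self.mem = {AREA_M: bytearray(memory_size)}
        self._reset()

    def _reset(self):
        # Back to the "receive frame start flag" interrupt routine.
        self.state, self.bes, self.length, self.frame = "START", 0, 0, bytearray()

    def receive_byte(self, b: int):
        """Feed one byte, as the character interrupt would. Returns a response
        frame (bytes) when a frame addressed to this station completes, else None."""
        if self.state == "START":
            self.bes = self.bes + 1 if b == START else 0
            if self.bes == 3:                       # three consecutive BEH: frame start
                self.frame = bytearray([START] * 3)
                self.state = "STATION"
        elif self.state == "STATION":
            if b != self.station:                   # not for us: look for a start flag again
                self._reset()
            else:
                self.frame.append(b)
                self.state = "LENGTH"
        elif self.state == "LENGTH":
            self.length = b                         # number of bytes in the data area
            self.frame.append(b)
            self.state = "DATA" if b else "CHECK"
        elif self.state == "DATA":
            self.frame.append(b)
            if len(self.frame) == 5 + self.length:  # declared vs. received data-area bytes
                self.state = "CHECK"
        else:                                       # CHECK: checksum byte completes the frame
            resp = self._main_program(bytes(self.frame), b)
            self._reset()
            return resp
        return None

    def _main_program(self, frame: bytes, checksum: int) -> bytes:
        """What the main program does once the transmit-enable flag is set."""
        cmd = frame[5] if len(frame) > 5 else 0
        data = frame[6:]                            # address code (4 bytes) + count or write data
        ok = xor_checksum(frame) == checksum and cmd in (CMD_READ, CMD_WRITE) and len(data) >= 4
        payload = b""
        if ok:
            area = int.from_bytes(data[0:2], "big")    # high word: memory area type
            offset = int.from_bytes(data[2:4], "big")  # low word: byte offset
            region = self.mem.get(area)
            if region is None:
                ok = False
            elif cmd == CMD_READ:
                m = data[4] if len(data) > 4 else 0
                payload = bytes(region[offset:offset + m])  # m iterations of MOVB *pFrom, *pTo
                ok = len(payload) == m
            else:
                n = len(data) - 4
                if offset + n <= len(region):
                    region[offset:offset + n] = data[4:]      # n iterations of MOVB *pFrom, *pTo
                else:
                    ok = False
        # Response: start flag and station are already in the buffer from the first scan,
        # the command byte is echoed, then the reception error flag (1 = OK), read data, checksum.
        body = bytes([cmd, 1 if ok else 0]) + (payload if ok else b"")
        resp = bytes([START, START, START, self.station, len(body)]) + body
        return resp + bytes([xor_checksum(resp)])


def feed(plc: SlavePlc, data: bytes) -> list:
    """Push a byte stream through the slave and collect the response frames it produces."""
    return [r for r in map(plc.receive_byte, data) if r is not None]
```

Feeding the paper's write frame for station 1 followed by its read frame for MB6 returns first a two-byte-body acknowledgement and then the three bytes 01 00 FF just written; a frame with a corrupted checksum is answered with the error flag at 0, and a frame for another station, or stray bytes on the line, produces no response and leaves the slave ready for the next start flag.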
When the computer reads the memory area, pFrom points to the contiguous m-byte area starting at Address, pTo points to the transmit buffer, and the loop count m is the number of bytes to read. When the computer writes the memory area, pFrom points to the n bytes to be written in the receive buffer, pTo points to the contiguous area starting at Address, and the loop count n is the number of bytes to write.

3.3 Receive and Transmit Buffers

The XMT instruction can send at most 255 bytes at a time. Because the PLC never sends and receives at the same time, the receive and transmit buffers share the area VB100–VB355, which saves memory and simplifies the program. When receiving, only the command byte and the bytes that follow it in the command frame are stored, each at the position it occupies in the frame (the command byte at VB106, the address code at VB107–VB110, and so on). VB100 is the first byte of the XMT transmit buffer and holds the number of bytes to send; the response frame itself is stored from VB101 onward. For a given slave station the frame start flag and station address never change, so they can be written into the transmit buffer during the PLC's first scan. The command byte in the response frame equals the received command byte, so when generating a response the PLC only has to produce the part after the start flag, station address and command byte. It follows that the computer can read at most 247 bytes from the PLC and write at most 244 bytes to it in one frame.

4 Computer Programming

The computer identifies which slave station has answered which command from the station address and command byte returned in the response frame, and acts on the PLC reception error flag.

4.1 Reception and Communication Error Handling

The computer receives the PLC's response frames through serial port events.
Each received byte is appended to the receive buffer (a dynamic byte array), and the computer decides that the response frame is complete by checking the number of bytes in the data area. It then performs the XOR check on the received data. Reception is correct if the check passes, the command byte is CCH or DDH, and the PLC reception error flag is 1. If the computer's XOR check fails, or the PLC returns a reception error flag of 0, the same command frame is retransmitted; if the error persists after three consecutive retransmissions, the user is notified.

4.2 Command Frame Generation

In the computer, command frames are represented as byte arrays. Suppose the first three bytes starting at MB6 are to be read from the PLC at station 1. The address code of MB6, 0200 0006H, must end up in VB107–VB110 of the PLC's receive buffer; following S7-200 addressing, VB107 to VB110 hold 02H, 00H, 00H and 06H respectively. The PLC stores received bytes in increasing address order, so on the computer these four bytes are simply placed in the command frame array in that sequence. In this example the read command frame, as stored from VB101, is BE BE BE 01 06 CC 02 00 00 06 03 72 (hexadecimal): the byte 06 after the station address is the number of bytes in the data area, 03 is the number of bytes to read, and the last byte, 72H, is the XOR checksum.

4.3 Reading and Writing Integers and Double Integers

An integer occupies one word and a double integer two consecutive words. Both the PLC and the computer use the same two's-complement representation for them (the S7-200 stores the high byte first, which the sending order given in this section accounts for), so the computer can split them into 2 or 4 bytes before sending and reassemble received byte sequences into integers or double integers. Reading n consecutive integers from the PLC therefore becomes reading 2n consecutive bytes, after which the computer combines each pair of adjacent bytes into one integer.
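The host side of Sections 2, 4.1, 4.2 and 4.3 as an added Python example (not the paper's Visual Basic program): the address-code encoding, command-frame construction with the XOR checksum, validation of a response frame, the retransmission rule, and the high-byte-first splitting and reassembly of integers and double integers. The serial port is abstracted as a send-and-receive callable so the logic runs offline. Assumptions taken from the paper's example frames rather than stated on the page: the byte after the station address is the data-area length, the response is laid out as start flag, station, length, command, error flag, read data, checksum, and only the M-area code is known from Table 1.

```python
import struct
from typing import Callable, Optional, Sequence

START_FLAG = b"\xBE\xBE\xBE"
CMD_READ, CMD_WRITE = 0xCC, 0xDD
MAX_READ, MAX_WRITE = 247, 244          # per-frame limits derived in Section 3.3
# Assumption: only the M-area high word is given on the page (MB3 -> 0200 0003H);
# the other Table 1 codes are not reproduced here.
AREA_CODES = {"M": 0x0200}


def address_code(area: str, offset: int) -> int:
    """Double-word address code: high word = area type, low word = byte offset."""
    return (AREA_CODES[area] << 16) | (offset & 0xFFFF)


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def _frame(station: int, data_area: bytes) -> bytes:
    """start flag, station, data-area length, data area, then XOR of everything before it."""
    head = START_FLAG + bytes([station, len(data_area)]) + data_area
    return head + bytes([xor_checksum(head)])


def build_read_frame(station: int, area: str, offset: int, count: int) -> bytes:
    if not 1 <= count <= MAX_READ:
        raise ValueError("read count out of range")
    body = bytes([CMD_READ]) + struct.pack(">I", address_code(area, offset)) + bytes([count])
    return _frame(station, body)


def build_write_frame(station: int, area: str, offset: int, data: bytes) -> bytes:
    if not 1 <= len(data) <= MAX_WRITE:
        raise ValueError("write length out of range")
    body = bytes([CMD_WRITE]) + struct.pack(">I", address_code(area, offset)) + bytes(data)
    return _frame(station, body)


def parse_response(frame: bytes):
    """Apply the checks of Section 4.1; returns (station, command, read_data) or raises ValueError."""
    if len(frame) < 8 or frame[:3] != START_FLAG:
        raise ValueError("bad start flag")
    station, length = frame[3], frame[4]
    if len(frame) != 5 + length + 1:
        raise ValueError("data-area length mismatch")
    if xor_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("XOR check failed")
    cmd, error_flag = frame[5], frame[6]
    if cmd not in (CMD_READ, CMD_WRITE):
        raise ValueError("unknown command byte in response")
    if error_flag != 1:
        raise ValueError("PLC reported a reception error")
    return station, cmd, frame[7:-1]


def exchange(send_recv: Callable[[bytes], Optional[bytes]], frame: bytes, retransmissions: int = 3):
    """Send a command frame; on a timeout (None) or an invalid response retransmit the
    same frame up to `retransmissions` times, then raise, as the paper's alarm does."""
    last = "no attempt"
    for _ in range(1 + retransmissions):
        resp = send_recv(frame)
        if resp is None:
            last = "timeout"
            continue
        try:
            return parse_response(resp)
        except ValueError as e:
            last = str(e)
    raise RuntimeError(f"communication failed after {retransmissions} retransmissions: {last}")


def pack_ints(values: Sequence[int], width: int) -> bytes:
    """Split INT (width 2) or DINT (width 4) values into bytes, high byte first."""
    return struct.pack(">" + ("h" if width == 2 else "i") * len(values), *values)


def unpack_ints(data: bytes, width: int) -> list:
    """Reassemble the 2n or 4n bytes read from the PLC into n INT or DINT values."""
    return list(struct.unpack(">" + ("h" if width == 2 else "i") * (len(data) // width), data))
```

`build_read_frame(1, "M", 6, 3)` reproduces the paper's read frame byte for byte, including the 72H checksum, and `build_write_frame(1, "M", 6, pack_ints([256, -1], 2))` the write frame for MW6 and MW8 with the DDH write command; `parse_response` rejects a frame whose error flag is 0 or whose checksum does not match, which is what makes `exchange` retransmit.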
Likewise, reading n double words becomes reading 4n bytes, and the computer combines every four adjacent bytes into one double integer. When writing n words or double words to the PLC, they are split into 2n or 4n bytes and placed in the transmit frame high byte first, low byte last, which is the order in which the S7-200 stores them. The split can be done with bitwise operations. For example, to write the integers 256 and -1 to MW6 and MW8 of the PLC, first split them into the byte pairs 01H, 00H and FFH, FFH. For station number 1 the write command frame is then BE BE BE 01 09 DD 02 00 00 06 01 00 FF FF 6E (hexadecimal): 09 is the number of bytes in the data area, DD is the write command byte, and 6EH is the XOR checksum.

5 Experiments and Conclusions

Repeated experiments show that the communication program described here runs stably and reliably and meets the needs of practical engineering applications. The program is general: the computer can read and write the PLC's various memory areas, the starting address and the number of bytes are selectable, more than 240 bytes can be transferred in one frame (247 on a read, 244 on a write), and data can be handled as bytes, integers or double integers. Reliability is ensured by the frame start flag, the PLC reception error flag and the XOR checksum, and the retransmission mechanism for reception and timeout errors improves communication further.