Overview
This example illustrates how to achieve communication between a computer and an S7-200 using a free protocol. The computer acts as the master station and can perform read/write operations on the registers of the PLC slave station.
The computer sends instructions to the PLC's PORT0 (or PORT1) port via the COM port. The PLC receives the instructions via RCV, decodes them, calls the corresponding read/write subroutines to perform the operations required by the instructions, and returns the execution status information of the instructions.
Communication Protocol
In freeport mode, the communication protocol is user-defined. Users can control communication operations by calling receive interrupts, transmit interrupts, transmit commands (XMT), and receive commands (RCV) using ladder logic programs. In freeport mode, the communication protocol is entirely controlled by the ladder logic program.
Instruction format definition
The computer performs a read/write operation by sending a 33-byte instruction at a time. The instruction format is shown in Table 1.
start character
The start character marks the beginning of an instruction. In this example, it is defined as the ASCII code "g". Different PLC slaves can define different start characters to receive instructions from that PLC.
Instruction type
This byte is used to indicate the type of instruction. In this example, 05H represents a read operation and 06H represents a write operation.
Target PLC station address
The target PLC station address occupies bytes B2 and B3 of the instruction, and represents the target PLC station address in hexadecimal ASCII code format.
Target register address
Internally, a PLC can use 4 bytes to represent the address of a register (but not a bit address). The first two bytes indicate the register type, and the last two bytes indicate the register number.
0000 (H): I register area
0100 (H): Q register area
0200(H): M register area
0800(H): V register area
For example:
The address of IB000 can be represented as 00000000 (H).
The address of VB100 can be represented as 08000064 (H).
Number of bytes read/write (M)
----When reading commands, always read back 8 consecutive bytes of data starting from the target register (which occupies 16 bytes after conversion to hexadecimal ASCII code), which can be used as needed, and M can be written arbitrarily.
When writing a command, M represents the number of bytes occupied by the hexadecimal ASCII code of the data to be written. For example, to write 1 byte of data, represented in hexadecimal ASCII code in the command, it will occupy 2 bytes, so "02" should be written to M. Similarly, if you want to write 5 bytes of data, "0A" should be written to M.
Data to be written
The data to be written is represented in hexadecimal ASCII format in the instruction, occupying 16 bytes (B14-B29). The data area must be filled, but only the first M bytes will be written to the destination register. A single instruction can write a maximum of 8 bytes of data (in this case, "10" should be written in M, representing decimal 16).
BCC verification code
During transmission, instructions may be subject to interference, causing distortion of the original data signal. In such cases, the instruction is obviously erroneous. To detect errors during transmission, the receiver must further verify the instruction to prevent erroneous instructions from being executed. The simplest method is to use a checksum. The BCC checksum method involves XORing the ASCII codes of the string to be transmitted byte by byte and transmitting this XOR sum as part of the instruction. Similarly, upon receiving the instruction, the receiver XORs the received string in the same way and compares it with the value sent by the transmitter. If the values are equal, the received instruction is correct; otherwise, it is erroneous.
In this example, bcc is the XOR sum of instructions B1 to B29, and BCC is the hexadecimal ASCII code of bcc.
----bcc=B1xorB2xorB3xorB4xor……xorB29
End character
The end character marks the end of an instruction. In this example, it is defined as the ASCII code "G". Different PLC slaves can define different end characters to receive instructions from that PLC.
After receiving the instruction from the host computer, the PLC will send a 21-byte feedback message, the format of which is shown in Table 2.
illustrate:
start character
The start character marks the beginning of the feedback information. In this example, it is defined as the ASCII code "g". Different PLC slave stations can define different start characters, so that the host computer can determine the source of the feedback information based on the start character of the information.
Status information
This byte contains information about the execution status of the instruction; in this example...
01H indicates that the reading was correct.
02H indicates that the write was correct.
03H indicates a BCC checksum error.
04H indicates that the instruction is invalid.
Data area
----The data to be read by the read command is represented in hexadecimal ASCII code in the feedback information B3 to B18.
BCC verification code
Similar to the BCC checksum in the host computer instructions, it is the XOR sum of feedback information B3 to B18.
End character
The closing character marks the end of the feedback message and is defined as 26H in this example.
Why use ASCII codes in the instructions?
In addition to data, an instruction also contains necessary control words (start character, end character, instruction type, etc.). If the data in the instruction is transmitted directly in its original form, it will inevitably be confused with the control words in the instruction.
For example, in this case, the instruction starts with "g" (ASCII code 67H) and ends with "G" (ASCII code 47H). If the data to be written also contains "47H" and is transmitted directly in its original form, the PLC will stop receiving data because it receives "47H". This would result in an incomplete and invalid instruction, potentially causing malfunctions.
To avoid this situation, binary data can be transmitted using text. By describing the data in hexadecimal ASCII format, each binary byte can be represented as a pair of ASCII codes, which represent the two hexadecimal characters of that byte. This format can represent any value, using only ASCII codes 30H to 39H (representing 0 to 9) and 41H to 46H (representing A to F). The remaining parts of the ASCII code can be used as control words (start flags, end flags, instruction types, etc.). Thus, 47H in the data, transmitted in ASCII form, becomes two bytes, 34H37H, thereby avoiding the error of the PLC stopping reception upon receiving 47H in the data.
Table 1 Host Computer Command Format
Table 2 Feedback Information Format
Program execution process
During the first scan, the PLC executes an initialization subroutine to initialize the ports and RCV instructions. After initialization, the RCV instruction is executed to put the ports into accept mode.
RCV will save instructions that begin with "g" and end with "G" to the receive buffer and generate a receive completion interrupt at the same time.
The RCVcomplete interrupt service routine handles receive completion interrupt events. It restores the hexadecimal ASCII code in the receive buffer to data and saves it, while simultaneously setting the trigger condition ( M0.1 ) of the Verify subroutine. The Verify subroutine first resets its own trigger condition to prevent repeated calls, then calculates the BCC checksum of the instruction in the receive buffer and compares it with the BCC checksum in the instruction. If they are equal, the BCC checksum verification flag ( M0.0 ) is set to 1; if the instruction format is correct (the instruction end marker is at a specific position VB133 in the receive buffer) but the BCC codes are not equal, feedback information indicating a BCC checksum error is sent; if the instruction format is incorrect (VB133 is not the instruction end marker), feedback information indicating an instruction format error is returned.
The Read subroutine is triggered under the following conditions: the station address in the instruction matches the local station address, the instruction type is a read instruction, and the BCC checksum is correct. When these conditions are met, the Read subroutine is executed. The Read subroutine first disables RCV, then converts the data to be read into hexadecimal ASCII code and writes it to the transmit buffer, calculates the BCC checksum, and finally sends feedback information.
The Write subroutine is triggered under the following conditions: the station address in the instruction matches the local station address, the instruction type is a write instruction, and the BCC checksum is correct. When these conditions are met, the Write subroutine is executed. The Write subroutine first disables RCV, then writes the data in the instruction to the destination register, and finally sends feedback indicating that the write was successful.
Each time the PLC receives an instruction, it sends a feedback message. When the feedback message transmission is complete, a transmission completion interrupt is generated. The XMTcomplete interrupt service routine is used to handle the transmission completion interrupt event. The operations performed in the XMTcomplete interrupt service routine include: resetting the BCC checksum correct flag ( M0.0 ); enabling RCV; clearing the BCC code register; reloading the address pointer used to calculate the BCC checksum; and clearing the byte VB133 in the receive buffer that stores the instruction end character (used to determine if the next instruction format is correct).
PLC register address allocation
This program uses PLC registers VB100-VB199, and internal relays use M0.0 and M0.1 . See Tables 3, 4, 5, and 6 for register address allocation.
Table 3 Receive Buffer
Table 4 Decoding Area
Table 5 Send Buffer
Table 6 Other
Listing
Main program:
NETWORK1
LDSM0.1 // Initialization subroutine called on the first scan
CALLinitialize
NETWORK2
LDB=VB134,VB199 // The station address in the instruction matches the local station address.
AB=VB102, 5 // Instruction type is read instruction
AM0.0 // BCC code verification correct
CALLRead // Call the read subroutine
NETWORK3
LDB=VB134,VB199 // The station address in the instruction matches the local station address.
AB=VB102, 6 // Instruction type is write instruction
AM0.0 // BCC code verification correct
CALLWrite // Calls the write subroutine
NETWORK4
LDM0.1 // Call the BCC code verification subroutine after the instruction is received.
CALLVerify
NETWORK5
LDSM4.5 // Start RCV when the port is idle
RCVVB100, 0
Read subroutine:
NETWORK1
LDSM0.0 // Stop receiving on port 0
RSM87.7,1
RM0.0,1
RCVVB100, 0
NETWORK2
LDSM0.0 // Writes data to the transmit buffer
MOVB103, VB154
MOVB1, VB155
HTA*VD135, VB156, 16
MOVB26, VB174
MOVB21, VB153
NETWORK3
LDSM0.0 // Calculate BCC checksum
FORVW177, +1, +16
NETWORK4
LDSM0.0
XORB*VD181, VB180
NETWORK5
LDSM0.0
INCDVD181
NETWORK6
NEXT
NETWORK7
LDSM0.0
HTAVB180, VB172, 2 // BCC checksum written to the transmit buffer
NETWORK8
LDSM4.5 // Send feedback information
XMTVB153, 0
Write subroutine:
NETWORK1
LDSM0.0 // Stop receiving on port 0
RSM87.7,1
RM0.0,1
RCVVB100, 0
NETWORK2
LDSM0.0 // Load the address pointer to be written to the data source
MOVD&VB115, VD145
NETWORK3
LDSM0.0 // Write data
ATH*VD145, *VD135, VB139
NETWORK4
LDSM0.0 // Feedback information from instruction execution is written to the transmit buffer.
MOVB21, VB153
MOVB103, VB154
MOVB2, VB155
MOVB26, VB174
NETWORK5
LDSM4.5 // Send feedback information for command execution
XMTVB153, 0
Verify subroutine:
NETWORK1
LDSM0.0
RM0.1,1 // Reset the execution conditions of the verify subroutine
NETWORK2
LDSM0.0 // Calculate BCC code
FORVW175, +1, +29
NETWORK3
LDSM0.0
XORB*VD149, VB179
NETWORK4
LDSM0.0
INCDVD149
NETWORK5
NEXT
NETWORK6
LDB=VB179, VB140 // When the BCC code verification is correct, M0.0 is set to 1.
AB=VB133,71
SM0.0,1
NETWORK7
LDB=VB133,71 // Send feedback information when BCC code error occurs
AB《》VB179,VB140
MOVB21, VB153
MOVB103, VB154
MOVB3, VB155
MOVB26, VB174
RSM87.7,1
RCVVB100, 0
XMTVB153, 0
NETWORK8
LDB (VB133.71) // Send feedback information when there is an instruction format error or RCV timeout.
MOVB21, VB153
MOVB103, VB154
MOVB4, VB155
MOVB26, VB174
RSM87.7,1
RCVVB100, 0
XMTVB153, 0
Initialize subroutine:
NETWORK1
LDSM0.0
MOVB9, SMB30//0 port "9600, N, 8, 1"
NETWORK2
LDSM0.0 //RCV instruction initialization
MOVB16#EC, SMB87
MOVB103, SMB88
MOVB71, SMB89
MOVB+1000, SMW92
MOVB35, SMB94
RSM87.2,1
NETWORK3
LDSM0.0
ATCHRCVcomplete, 23 // Interrupt indicating completion of receive operation on port 0
NETWORK4
LDSM0.0
ATCHXMTcomplete, 9 // Interrupt indicating completion of transmission from port 0
NETWORK5
LDSM0.0
ENI // Interrupt Enable
NETWORK6
LDSM0.0
MOVB2, VB199 // Load the local station address into the register
NETWORK7
LDSM0.0
MOVB&VB102, VD149 // Load address pointer
MOVB0, VB179 // Clear BCC code register
MOVB & VB156, VD181 // Load address pointer
MOVB0, VB180 // Clear BCC code register
RCVcomplete interruptor
NETWORK1
LDSM0.0
ATHVB103, VB134, 2 // Instruction decoding (ASCII to hexadecimal)
ATHVB105, VB135, 8
ATHVB113, VB139, 2
ATHVB131, VB140, 2
SM0.1,1 // Set the trigger condition for the Verify subroutine
MOVB0, VB179 // Clear BCC code register
MOVD&VB102, VD149 // Load address pointer
XMTcomplete interruptor
NETWORK1
LDSM0.0
RM0.0,1 // Reset the BCC checksum correctness flag.
SSM87.7,1 // Allow port 0 to receive
MOVB0, VB179 // Clear BCC checksum register
MOVB0, VB180 // Clear BCC checksum register
MOVD&VB102, VD149 // Reload the address pointer
MOVD&VB156, VD181
MOVB0, VB133 // Clear the bytes storing the instruction end character in the receive buffer.
