Message I/O module directly

Darn, I got 0x0E and 0x03 backwards in my head, I even checked my notes and read them wrong :(

Just tried 0x0E and 0x03 the correct way, same result.

You might try 0x0E service requests among Assembly instances 100-110, 200-210, 300-310, etc. There are gaps in attributes in these instances, so you might have to try a dozen or so before moving onto the next instance.

I'll give it a try, I'll probably just write a bit of code to do it for me.

One of my early pressing questions in dabbling in all this was how exactly something like a passive or ephemeral rack could be identified externally.

I get the rack info by hitting port 1 on the controller or comm adapter (see screenshot of attached code.)

EDIT:
I think I’m understanding what “rack-optimized” connections really do now: create dynamic assemblies on the AENT that are populated with IO data that the AENT populates on its own by getting module data on its own.
A word of warning on rack optimization, I was part of an FCO on a new plant where we had many racks set to rack optimization. When comms were lost to a rack, then came back online, for a single scan all DI were a value of 0 in the controller even though the field value never changed. The value would hold in the controller while the rack was offline, we would only see the 0 value for one scan on all points when comms were re-established. For this reason I never use rack optimization anymore.

Theoretically one should be able to set an IP on an AENT/AENTR, build a 63-slot chassis of IB8, and get IO data without ever establishing a cyclic connection.

Circling back to this, it works.
- IB8/IB4 CIP discrete point and assembly instances respond.
- Adapter just needs its chassis size set to envelop the modules you're interested in messaging.
- If you are doing cyclic IO, the chassis size still needs to reflect no greater than the modules present.
 
So I am doing some fuzzing against my IO.
Since it won't respond with a class list on the message router, I figured I would hit it and see what error messages are returned.
Testing with Service 0x0E, Instance 0x01, and Attribute 0x03, unconnected

From service 0x01 to 0xFF, the common error message for failed messages is:
"Destination unknown, class unsupported, instance undefined or structure element undefined (see extended status) - Extended status out of memory (05, 00)"

From service 0x100 and above the error message is
"IOI syntax error. A syntax error was detected decoding the Request Path (see extended status) - Extended status out of memory (04, 00)"

But for a handful of messages I got a different error.
1756-IB16 (firmware version 2 and 3):
XClass: 0x1: Device: Service not supported
XClass: 0x2: MessageRouter: Service not supported
XClass: 0x4: Assembly: Service not supported
XClass: 0x6: Connection Manager: Service not supported
XClass: 0x1D: Unknown: Service not supported
XClass: 0x1E: Unknown: Object does not exist
XClass: 0x66: Integrated Control Platform: Service not supported
XClass: 0x77: Coordinated System Time: Service not supported
XClass: 0x84: Unknown: Service not supported
XClass: 0x8A: Unknown: Service not supported (firmware version 2 only)
XClass: 0xA1: Unknown: Service not supported

1756-OB8 (firmware v3):
XClass: 0x1: Device: Service not supported
XClass: 0x2: MessageRouter: Service not supported
XClass: 0x4: Assembly: Service not supported
XClass: 0x6: Connection Manager: Service not supported
XClass: 0x1D: Unknown: Object does not exist
XClass: 0x1E: Unknown: Service not supported
XClass: 0x66: Integrated Control Platform: Service not supported
XClass: 0x77: Coordinated System Time: Service not supported
XClass: 0x84: Unknown: Service not supported
XClass: 0x8A: Unknown: Service not supported
XClass: 0xA1: Unknown: Service not supported

1756-IA16 (firmware v2)
XClass: 0x1: Device: Service not supported
XClass: 0x2: MessageRouter: Service not supported
XClass: 0x4: Assembly: Service not supported
XClass: 0x6: Connection Manager: Service not supported
XClass: 0x1D: Unknown: Service not supported
XClass: 0x1E: Unknown: Object does not exist
XClass: 0x66: Integrated Control Platform: Service not supported
XClass: 0x84: Unknown: Service not supported
XClass: 0x8A: Unknown: Service not supported
XClass: 0xA1: Unknown: Service not supported

1756-OA16 (firmware v3)
XClass: 0x1: Device: Service not supported
XClass: 0x2: MessageRouter: Service not supported
XClass: 0x4: Assembly: Service not supported
XClass: 0x6: Connection Manager: Service not supported
XClass: 0x1D: Unknown: Object does not exist
XClass: 0x1E: Unknown: Service not supported
XClass: 0x66: Integrated Control Platform: Service not supported
XClass: 0x84: Unknown: Service not supported
XClass: 0x8A: Unknown: Service not supported
XClass: 0xA1: Unknown: Service not supported

While not great that I did not get a single reply, it does give an idea of what classes exist.
I also tried with service 0x03.

Some testing with service 0x01 on the same class range. The following classes returned data on a 1756-IB16. (I apologize for the terrible format python puts it in)
Class: 0x1: Device
b'\x01\x00\x07\x00\x0b\x00\x02\x06e\x00\xa8#\x05\x00 1756-IB16/A DCIN '

Class: 0x66: Integrated Control Platform
b'\x00\x07\x00\x00\x00\x00\x03\x00'

Class: 0x77: Coordinated System Time
b'q8\x86\xf9\x03\x00\x00\x00\x02\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Note: This value changes each time, I imagine it is a timestamp.

Class: 0x84: Unknown
b'\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 N\x00\x00\x00\x00\x00\x00'

Class: 0xA1: Unknown
b'\x02\x00'
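
Added example, not part of the post above: a parser for the Class 0x01 reply shown in that post, using the standard Identity object Get Attributes All layout. The sample bytes are copied from the post; the name field declares 32 bytes but the page's copy has lost its padding, so the parser flags a short name instead of failing.

```python
import struct

# Fixed part of the Identity reply: vendor, device type, product code,
# major rev, minor rev, status, serial number, product-name length.
_IDENTITY_HEAD = struct.Struct("<HHHBBHIB")

def parse_identity(data):
    """Parse an Identity object (class 0x01) Get Attributes All (0x01) reply."""
    if len(data) < _IDENTITY_HEAD.size:
        raise ValueError(f"reply too short: {len(data)} bytes")
    (vendor, dev_type, product, major, minor,
     status, serial, name_len) = _IDENTITY_HEAD.unpack_from(data)
    # SHORT_STRING: one length byte, then that many characters.
    raw_name = data[_IDENTITY_HEAD.size:_IDENTITY_HEAD.size + name_len]
    return {
        "vendor_id": vendor,
        "device_type": dev_type,
        "product_code": product,
        "revision": f"{major}.{minor}",
        "status": status,
        "serial": serial,
        "name": raw_name.decode("ascii", errors="replace").strip(),
        # True when fewer name bytes arrived than the length byte declared.
        "name_truncated": len(raw_name) < name_len,
    }

# Reply bytes as printed in the post (whitespace-collapsed by the forum).
SAMPLE = b'\x01\x00\x07\x00\x0b\x00\x02\x06e\x00\xa8#\x05\x00 1756-IB16/A DCIN '

if __name__ == "__main__":
    for key, value in parse_identity(SAMPLE).items():
        print(f"{key}: {value}")
```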
 
OK, a quick scan on services that will work on the assembly class.
I tested every service from 1 to 256, and every instance from 1 to 0x100.
I passed attribute 0x00 to every test with no request data.
All instance ids replied with the same error codes for the services.
I ran this using an unconnected message.

?Service: 75
Connection failure (see extended status) - Invalid configuration format (01, 118)
b'\x18\x01'

XService: 76: Insufficient command data

?Service: 78
Connection failure (see extended status) - Connection not found (01, 107)
b'\x07\x01\t\x10\xa06&z\x00\x00\x00\x00'

?Service: 84
Connection failure (see extended status)
b"\x19\x01'\x04\t\x10\xa06&z\x00\x00"

I don't have anything in my notes on those services.
I will begin testing with connected messages next.

EDIT:
I had no luck with connected messages. But something interesting to note with unconnected messages, with service 206 and 212 on all instances, although it responded with service not supported, there was a payload returned.
?Service: 206
Service not supported
b'\t\x10\xa06&z\x00\x00\x00\x00'

?Service: 212
Service not supported
b"'\x04\t\x10\xa06&z\x00\x00"
 

That is interesting. Can you share more of the messages you sent to it?
I am interested to try on a 1756 Ethernet adapter, as they behave somewhat differently since there is no limit on the number of Ethernet adapters in the rack. I wonder if they would still work the same, or if there is some magic that needs to be set in the Ethernet adapter to make it grab the IO information from the modules.
 
Yes, about to be on the road.

Would you be able to post the EDS file for the 1756-IB16?
 

Service 0x0E to Class 0x04 Instance 4 Attribute 3 gets you 1734-IB8 packed point status.
 
What happens if you use Service 0x4C on Class 0x04 Instance 130 with 4 byte payload 01 00 03 00 ? (on a 1756-IB16)

edited.
 

I get a connection error with an unconnected message (see attached)

Interestingly, when using a connected message on that one, I get path destination unknown error. (See attached)

What is service 0x4C? My notes say it is either Set Attributes Scattered or Read Tag, but in this context I don't think that is what it means.

As for messaging the ENBT directly, I have not had any luck with getting IO info from it yet. I do think it works differently than the normal IO adapters though, perhaps there is something the controller sets in the module to make it work as an IO adapter. I just got some 24V power supplies for my bench at home yesterday, so I will be connecting my second 1756 rack up (my first one had a 120V supply on it so I could just plug it into the wall). I will get Wireshark out and look at the packets from the controller to the remote rack once I have it hooked up and running.

EDIT: OK, interesting. On the molex tool, the connected message option does not use the routing path, so when using connected it hits my 1756-ENBT instead of the 1756-IB16.

EDIT 2: I wrote a python script to do a routed connected message and try it. It refused to connect.
Python script:
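from pycomm3 import CIPDriver

# Placeholder: CIP path to the 1756-IB16 through the ENBT
address = "<ENBT IP>/<slot>"

def cipService4CTest():
    # Routed, connected request: service 0x4C to Assembly (class 0x04) instance 130
    with CIPDriver(address) as plc:
        result = plc.generic_message(service=0x4C, class_code=0x04, instance=130, attribute=0x00,
                                     request_data=b'\x01\x00\x03\x00',
                                     connected=True, unconnected_send=False, route_path=True)
        if result.error is not None:
            print(result.error)
            return

        # Print the raw reply bytes as space-separated hex
        print((result.value or b"").hex(" "))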

EDIT 3: When using the same code with an unconnected message, I get the following error:
"Connection failure (see extended status) - Invalid configuration format (01, 118)"

From what I gather, the path is decoded as follows:
"20 04 24 02 2C C6 2C 82"

20 04 = Class 0x04
24 02 = Instance 0x02
2C C6 = Attribute 198 (output data)
2C 82 = Attribute 130 (input data)

But I always get an unsupported service requested error. I have tried with services:
0x01 - Get All Attributes
0x03 - Get Attribute List
0x0E - Get Single Attribute
Hello tlf30: I am wondering how to pull data from the 1756-CN2R module and other I/O modules with the Message instruction, but I do not know how to use this information to configure the MSG instruction. I looked at the EDS files and gathered the connection path: "20 04 24 02 2C C6 2C 82"
But I don't understand what the following data means:
20 04 = Class 0x04
24 02 = Instance 0x02
2C C6 = Attribute 198 (output data)
2C 82 = Attribute 130 (input data)
0x01 - Get All Attributes
0x03 - Get Attribute List
0x0E - Get Single Attribute
and the service code etc., so please guide me or give me the data reference manual, thanks!
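
Added example, not from either poster: a decoder for the logical segments in the connection path quoted above. It follows the CIP logical-segment encoding, in which segment byte 0x2C is a connection point and 0x30 is an attribute ID, so C6 and 82 decode as connection points; the second sample path is constructed from the Class 0x04 / Instance 4 / Attribute 3 request mentioned earlier in the thread.

```python
# Added example: decode the 8- and 16-bit logical segments of a padded CIP EPATH.
LOGICAL_TYPES = {
    0b000: "Class ID",
    0b001: "Instance ID",
    0b010: "Member ID",
    0b011: "Connection Point",
    0b100: "Attribute ID",
}

def decode_epath(hex_path):
    """Return [(segment type, value), ...] for a hex string such as '20 04 24 02'."""
    data = bytes.fromhex(hex_path)
    segments, i = [], 0
    while i < len(data):
        seg = data[i]
        # Top three bits 001 mark a logical segment.
        if seg >> 5 != 0b001:
            raise ValueError(f"offset {i}: 0x{seg:02X} is not a logical segment")
        kind = LOGICAL_TYPES.get((seg >> 2) & 0b111)  # bits 4..2: logical type
        fmt = seg & 0b11                              # bits 1..0: value width
        if kind is None or fmt > 1:
            raise ValueError(f"offset {i}: unsupported logical segment 0x{seg:02X}")
        size = 2 if fmt == 0 else 4
        if i + size > len(data):
            raise ValueError(f"offset {i}: segment 0x{seg:02X} is truncated")
        if fmt == 0:
            value = data[i + 1]                       # 8-bit value follows directly
        else:
            # 16-bit value: one pad byte, then little-endian value
            value = int.from_bytes(data[i + 2:i + 4], "little")
        segments.append((kind, value))
        i += size
    return segments

if __name__ == "__main__":
    # First path is quoted in the thread; second is constructed from its text.
    for path in ("20 04 24 02 2C C6 2C 82", "20 04 24 04 30 03"):
        print(path)
        for kind, value in decode_epath(path):
            print(f"  {kind}: {value} (0x{value:02X})")
```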
 
