Can the S7-200 communicate Modbus directly? S7-200 features and decryption methods

S7-200 overview

The S7-200 is a small programmable controller for automation of inspection, monitoring and control in a variety of industries and applications. The power of the S7-200 Series enables complex control functions to be implemented in stand-alone operation or connected to a network. The S7-200 series therefore has a very high performance/price ratio.

Advantages of the S7-200

1) Extremely high reliability.

2) Very rich instruction set.

3) Easy to master.

4) Convenient operation.

5) Rich built-in integration features.

6) Real-time characteristics.

7) Strong communication capabilities.

8) Rich expansion modules.


Features of the S7-200 series PLC

One: strong functionality

1. The S7-200 has 6 CPU modules, which can take up to 7 expansion modules and expand to 256 digital I/O or 45 analog I/O. There are up to 24KB of program storage space and 10KB of user data storage space.

2. Six integrated high-speed counters with 13 operating modes and two high-speed pulse generator/pulse width modulator outputs. The high-speed counters of the CPU 224XP have a maximum count frequency of 200 kHz and the high-speed outputs a maximum frequency of 100 kHz.

Two: advanced program structure

The program structure of the S7-200 is simple and clear. In the programming software, the main program, subroutines and interrupt routines are stored on separate pages. Each block can use local variables, which makes programs easy to port to other projects. Subroutines use input and output parameters as a software interface, which enables structured programming. The S7-200's instructions are powerful and easy to master.

Three: flexible and convenient memory structure

The inputs (I), outputs (Q), bit memory (M), sequence control relays (S), variable memory (V) and local variables (L) of the S7-200 can be read and written as bits, bytes, words and double words.

Four: powerful and easy to use programming software

The programming software STEP 7-Micro/WIN is available in several languages, including Chinese. It offers ladder diagram (LAD), statement list (STL) and function block diagram (FBD) programming languages, as well as SIMATIC and IEC 61131-3 programming modes.

Five: Wizard function to simplify complex programming tasks

Programming PID control, network communication, high-speed input, high-speed output, position control, data logging, recipes and text displays are the difficult parts of PLC programming. Programming them by hand is both cumbersome and error-prone; the wizards in Micro/WIN configure these tasks through dialogs and generate the code instead.

Six: powerful communication function

The CPU module of the S7-200 has one or two standard RS-485 ports, which can be used for programming or communication. Without additional hardware it can communicate with other S7-200 CPUs, S7-300/S7-400 PLCs, inverters and computers. The S7-200 supports the PPI, MPI, Modbus RTU slave, Modbus RTU master and USS communication protocols, as well as free-port communication mode.

Can the S7-200 communicate directly with Modbus?

The S7-200 cannot communicate via Modbus without additional software; the Modbus instruction library has to be installed first. The steps to implement Modbus communication on the S7-200 are as follows:

Requirements:

To use the Modbus protocol, you must first install the instruction library in STEP 7-Micro/WIN.

The Modbus master protocol requires STEP 7-Micro/WIN V4.0 SP5 or above.

1. Hardware settings

2. Parameter matching

3. Library storage address

4. Transfer of holding register values

1. Hardware settings

In this example the Modbus communication takes place between communication port 0 of the two S7-200 CPUs (preferably each CPU has two communication ports). On the master side you can instead select the library blocks "MBUS_CTRL_P1" and "MBUS_MSG_P1" to communicate via communication port 1. Communication port 1 holds the PG or PC connection to Micro/WIN, and communication port 0 of the two CPUs is connected by a PPI cable (the cable connects pins 2, 3, 7 and 8).


Figure 01

2. Parameter matching

For MODBUS communication, the library blocks "MBUS_CTRL" and "MBUS_MSG" are required on the master side, and the library blocks "MBUS_INIT" and "MBUS_SLAVE" on the slave side.

In Micro/WIN you need to create a new project for the master and slave. The program and parameter settings are shown in Fig. 02.

Make sure that the "Baud" and "Parity" parameters of the master and slave are the same, and that the "Slave" address in the program block "MBUS_MSG" is identical to the "Addr" set in the program block "MBUS_INIT" (see Fig. 02).

The baud rate of communication port 0 set in the Micro/WIN "system block" is independent of the MODBUS protocol ("Mode" = "1").


Figure 02

The tables below list the parameters of each block, their meaning and their options.

Master

MBUS_CTRL

EN - enable
Mode - protocol selection: 0 = PPI, 1 = MODBUS
Baud - transmission rate (kbps): 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
Parity - parity selection: 0 = no parity, 1 = odd parity, 2 = even parity
Timeout - longest response time of the slave (ms)
Done - "Complete" flag
Error - error code 1)

Table 01

1) Refer to the STEP 7-Micro/WIN help: "Error codes when the MODBUS master executes MBUS_MSG".

MBUS_MSG

EN - enable
First - read/write request bit
Slave - slave address
RW - "read" or "write": 0 = read, 1 = write
Addr - slave data address to read or write:
  00001..00128 = digital outputs Q0.0..Q15.7
  10001..10128 = digital inputs I0.0..I15.7
  30001..30092 = analog inputs AIW0..AIW62
  40001..49999 = holding registers
Count - number of bits (0xxxx, 1xxxx) or words (3xxxx, 4xxxx)
DataPtr - pointer to the start address in the V memory area
Done - "Complete" flag
Error - error code 1)

Table 02

1) Refer to the STEP 7-Micro/WIN help: "Error codes when the MODBUS master executes MBUS_MSG".

Slave

MBUS_INIT

EN - enable
Mode - protocol selection: 0 = PPI, 1 = MODBUS
Addr - slave address
Baud - transmission rate (kbps): 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200
Parity - parity selection: 0 = no parity, 1 = odd parity, 2 = even parity
Delay - timeout (ms)
MaxIQ - number of digital input and output points available to Modbus 2)
MaxAI - number of analog input points available to Modbus 2)
MaxHold - maximum number of holding register words 2)
HoldStart - start address of the holding registers (40001)
Done - "Complete" flag
Error - error code 3)

Table 03

2) The maximum value depends on the type of CPU used.

3) See the STEP 7-Micro/WIN help: "Error codes for the MODBUS slave protocol".

MBUS_SLAVE

EN - enable
Done - "Complete" flag
Error - error code 3)

Table 04

3) See the STEP 7-Micro/WIN help: "Error codes for the MODBUS slave protocol".

3. Library storage address

After the project is complete, the storage address of the library must be defined in Micro/WIN. The storage area so defined must never be used by any other part of the program under any circumstances (master side: "DataPtr" + "Count"; slave side: "HoldStart" + "MaxHold").


Figure 03

4. Transfer of holding register values

After downloading the program to the corresponding CPU, you can assign a value to the V memory area on the master side in the status table and then monitor the change of the slave.

When the master station's I0.0 is enabled, the contents of VW2 are sent to the slave and written to the slave's VW2.

The transfer of the register values is shown in Fig. 04.

The pointer "DataPtr" gives the start address from which the V area is read.

The parameter "Count" gives the number of words read starting at address "Addr" = "4xxxx" (holding register).

The V memory area read on the master station is written to the holding register at address "Addr" = "40002" ("RW" = "1").

The holding registers operate in word units and correspond to V-area addresses of the slave.

The pointer "HoldStart" specifies the start address of the V memory area that corresponds to holding register start address 40001.

The target pointer in the slave's V area can be calculated as follows:

2 * (Addr - 40001) + HoldStart = 2 * (40002 - 40001) + &VB0 = &VB2

In addition, make sure that the data area defined by "MaxHold" can hold the data area to be written from the master side:

MaxHold >= Addr - 40001 + Count = 40002 - 40001 + 1 = 2
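As an added worked example (not code from the original page or from the Siemens Modbus library), the following Python reproduces the slave-side address arithmetic above: it maps a master request (Addr, Count) onto the slave's V memory via HoldStart and applies the MaxHold sizing check, using the page's values (Addr = 40002, Count = 1, HoldStart = &VB0, MaxHold = 2) as the constructed sample.

```python
# Added example; it reproduces the page's formulas for "4xxxx" holding registers
# and is not the Siemens library code. Offsets are byte offsets behind the &VBx pointer.

HOLD_FIRST = 40001   # first holding-register address; HoldStart maps to it
HOLD_LAST = 49999    # last holding-register address accepted by MBUS_MSG (Table 02)
WORD_BYTES = 2       # one holding register = one word = two V-memory bytes


def slave_v_byte(addr, hold_start):
    """Byte offset in the slave's V memory that holding register `addr` maps to.

    Page formula: 2 * (Addr - 40001) + HoldStart, with hold_start the byte
    offset of the &VBx pointer passed to MBUS_INIT.
    """
    if not HOLD_FIRST <= addr <= HOLD_LAST:
        raise ValueError("Addr %d is not a holding register (40001..49999)" % addr)
    return WORD_BYTES * (addr - HOLD_FIRST) + hold_start


def v_area_written(addr, count, hold_start):
    """(first byte, last byte) of slave V memory touched by a `count`-word request."""
    first = slave_v_byte(addr, hold_start)
    last = slave_v_byte(addr + count - 1, hold_start) + WORD_BYTES - 1
    return first, last


def max_hold_sufficient(addr, count, max_hold):
    """Page sizing rule: MaxHold >= Addr - 40001 + Count."""
    return max_hold >= addr - HOLD_FIRST + count


def check_request(addr, count, hold_start, max_hold):
    """Validate one MBUS_MSG request against the slave's MBUS_INIT settings."""
    first, last = v_area_written(addr, count, hold_start)
    return {
        "v_first": first,                      # e.g. 2 -> VB2, i.e. VW2 on the slave
        "v_last": last,
        "words_needed": addr - HOLD_FIRST + count,
        "max_hold": max_hold,
        "ok": max_hold_sufficient(addr, count, max_hold),
    }


if __name__ == "__main__":
    # Constructed sample matching the page: RW=1, Addr=40002, Count=1, HoldStart=&VB0, MaxHold=2
    print(check_request(40002, 1, 0, 2))   # lands in VB2..VB3 (VW2), 2 words needed, ok
    print(check_request(40002, 1, 0, 1))   # MaxHold too small: ok is False
```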


Figure 04

More information on the STEP 7-Micro/WIN MODBUS library can be found in the S7-200 System Manual (Entry ID 1109582) and in the STEP 7-Micro/WIN help.

How to find the Modbus RTU protocol and USS protocol libraries in STEP 7-Micro/WIN?

Description:

In STEP 7-Micro/WIN, the Modbus RTU protocol and USS protocol libraries are located in the "Libraries" folder of the instruction tree. The MODBUS library requires STEP 7-Micro/WIN V3.2 or higher.


Figure 1: Adding a function library

These libraries are optional add-on libraries and are not part of the STEP 7-Micro/WIN configuration software itself.

If you need to use the Modbus RTU protocol, you must purchase the "SIMATIC STEP 7-Micro/WIN ADD-ON: Function Library V1.1 (USS + MODBUS) for STEP 7-Micro/WIN32" software.

The order number for this optional additional function library is 6ES7830-2BC00-0YX0.

Installation order:

Install "STEP 7-Micro/WIN32 Toolbox V1.0" (which includes the library) first, then install "STEP 7-Micro/WIN".

Note:

This library contains the Modbus RTU protocol library and the USS protocol library that can be used with STEP 7-Micro/WIN V3.2.

If you have STEP 7-Micro/WIN V4.0 SP5 or higher installed, the following functions are already included in the instruction library:

Modbus RTU Master V1.2 for port 0 and port 1

Modbus RTU Slave V1.0 for port 0

USS protocol V2.3 for port 0 and port 1.

--------------------------------------------------------------------------------

Siemens S7-200CN decryption method and process

PLC decryption download address related to this section: http://

1. Siemens S7-200 PLC passwords are divided into three levels. The one of most concern is the system password, because it directly affects uploading the program; it is also the key layer of password to crack. The second is the POU password: on the Siemens 200 PLC, even after you have cracked the system password and uploaded the program, each POU shows a small lock and cannot be opened, which directly prevents editing the program. The third is the project password, which the programmer sets after the project is completed under "Set Password" in the "File" menu of the programming software.

2. First connect the PPI programming cable to the PLC. If you do not have a programming cable, you can build one yourself. See the following screenshot of the decryption software, which is a fully licensed version developed in 2014 that needs no registration; you only need to download and extract it to use it.


3. The subroutine (POU password) solution replaces the datamanagers200.dll file of STEP 7-Micro/WIN, after which "Protection" under "Properties" in the "View" menu can open the subroutine without entering a password; see the crack flowchart.


4. Installing the crack patch by file replacement:

If the programming software you are using is STEP7-MicroWIN V4.0.6.35 SP6, copy datamanagers200.dll to the "C:\ProgramFiles\Siemens\STEP7-MicroWINV4.0\bin\" folder and overwrite the original file. The subroutine patch requires at least STEP7-MicroWIN V4.0.3.08 SP3. The software has since been updated to SP4, SP5 and SP6, and has now reached SP7. Lower or other versions do not work: each version requires its own crack patch, and they are not interchangeable.

5. On cracking the system password of PLCs with the 02 (CN) version:

The new PLC version adds a level-4 protection that prohibits reads and writes regardless of whether you know the password. How is the so-called new version recognised? First, the hardware version number is recorded on the bottom line of the label on the underside of the PLC. Second, look at the CPU model marked on the front of the PLC, such as 226CN: if it includes the characters "CN", the version must be 02. Third, read the version number over the communication link: connect the PLC with STEP7-MicroWIN and click the upload button; the dialog that pops up clearly shows the CPU model and version number of the PLC. So distinguishing old from new versions comes down to the version number; "CN" is only one indicator, and there are also PLCs without "CN" that have the level-4 encryption function. Any PLC with the level-4 encryption function can be called a new version. Cracking this version is indeed somewhat difficult, but it is not as impossible as Siemens says; there is always a flaw in everything.

The decryption kit for the CN version is now on sale. The scope of Siemens S7-200 PLCs that can be cracked through the PPI protocol can now basically be determined: versions below 02.00, including part of the 02.00 version (precisely, the PLCs with the highest level of encryption function), can easily be cracked by this software; version 02.00 and above, including version 02.00 (precisely, version 2.0 with level-4 encryption) and all 200CN models, can only be decrypted by disassembly, and so far there is no better way. You can detect the version number with this software.
