As 511

SIMATIC AS511 Protocol
Date : 27/01/2001
Prepared by : Cesar Garcia
Original information : http://www.runmode.com
http://members.xoom.it/cattaneo_plc.
Version : 0.1.0
SIEMENS SIMATIC S5 AS511 (Programming port) protocol description
INTRODUCTION
Information about the AS511 protocol from Siemens, is very difficult to find. This information is take from
http://www.runmode.com, and http://members.xoom.it/cattaneo_plc. I add some information that I found using this
protocol.
1. Siemens data frame.
Siemens data frame is not usual, open your port with:
Item value
Speed 9600 baud
Data 8 bits
Stop 1 bit
Parity EVEN
DLE (10hex) is a control character, used to inform the receiver that the following char is to be considered a control
character and not a data byte. In other words, DLE is a software switch within the AS511 protocol to divide control and data
bytes.Whenever a DATA byte containing the value 10hex is to be sent, the sender must DOUBLE the char. This means that
to send a data byte 10hex, the sender must send 10hex 10hex (DLE DLE). he receiver must consider the thing, so a single
DLE will mean a protocol signal, while two consecutive DLE are to be interpreted as a SINGLE data byte containing the
10hex value. This is a little tricky, since the receiver NEVER knows exactly how many bytes to expect.
Take also note that the AG can answer DLE NAK instead of DLE ACK if the requested operation can not be carried
out. In this case, the PG must abort the communication and wait for 500ms before attempting a new communication. The
value of 500mS is also applied as timeout value in case of missing response from the partner.This also means that no "holes"
of 500mS (or more) are allowed during a communication (e.g. within a DB_READ function). To read or write a datablock
value, you need to know its address in PLC memory. Therefore you must invoke B_INFO function to know the address, then
you can call DB_READ or DB_WRITE by giving the initial and final address of the area to be read or written.
Be aware that in SIMATIC the LSB/MSB bytes order is reversed:
SIMATIC:
15..............0
BYTE 0 BYTE 1
www.plctools.org
INTEL:
15..............0
BYTE 1 BYTE 0
To obtain the correct integer value of a dataword, the user

must therefore:
- swap the received bytes
and
- swap the bytes before sending them to the PLC
//////////////////////////////////////////////////////////////////////////////
B_INFO
input: block number
output: initial address of DW0 in AG
TIP
When I start working whit this information, I test different codes for the block identification, the firts byte in the header
section. You can use the following codes:
IDDB = 1 Data blocks
IDSB = 2 Estructured block
IDPB = 4 Program block
IDFB = 8 Function block
IDOB = 48 Cyclical block
IDFX = 76 Extended function block
IDDX = 144 Extended data blocks
PG AS
(hex) (hex)
---------------------- function start --------
02 ----> STX
<---- 10 DLE
<---- 06 ACK
1A ----> B_INFO function code = 1Ah
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 16 AG answer=16h
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
---------------------- header info --------
01 ----> ID=01h for Datablock
XX ----> DB number (0..255)
10 ----> DLE
04 ----> EOT
<---- 10 DLE
www.plctools.org
<---- 06 ACK
---------------------- data --------
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 00 NUL
<---- XX DB initial address
<---- XX
<---- 70 synchronization code: 70 70
<---- 70
<---- 41 block ID and DB number : 41 XX
<---- XX
<---- XX PG ID code: XX XX
<---- XX
<---- XX library number: XX XX
<---- XX
<---- XX block length (words): XX XX
<---- XX
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
---------------------- terminate --------
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 12 AG "end of transmission" code: 12h
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
//////////////////////////////////////////////////////////////////////////////
DB_READ
input: initial address in AG
final address in AG
output: contents of datawords
TIP
You can used the DB_READ function, for read the information of any memory position in the PLC.
PG AS
(hex) (hex)
---------------------- function start --------
02 ----> STX
<---- 10 DLE
<---- 06 ACK
04 ----> DB_READ function code = 04h
<---- 02 STX
10 ----> DLE
06 ----> ACK
www.plctools.org
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
---------------------- header info --------
XX ----> initial address in AG: XX XX
XX ---->
XX ----> final address in AG: XX XX
XX ---->
10 ----> DLE
04 ----> EOT
<---- 10 DLE
<---- 06 ACK
---------------------- data --------
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 00 NUL
<---- 00 NUL
<---- 00 NUL
<---- 00 NUL
<---- 00 NUL
<---- XX first byte of data
<---- XX
<---- XX
...
...
<---- XX
<---- XX
<---- XX last byte of data
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
---------------------- terminate --------
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
//////////////////////////////////////////////////////////////////////////////
DB_WRITE
input: - initial address in AG
- contents of datawords
output: - none
www.plctools.org
TIP
You can used the DB_WRITE function, for read the information of any memory position in the PLC.
PG AS
(hex) (hex)
---------------------- function start --------
02 ----> STX
<---- 10 DLE
<---- 06 ACK
03 ----> DB_WRITE function code = 03h
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
---------------------- header info --------
XX ----> initial address in AG: XX XX
XX ---->
---------------------- data --------
XX ----> first byte of data
XX ---->
XX ---->
...
...
XX ---->
XX ---->
XX ----> last byte of data
10 ----> DLE
04 ----> EOT
----> 10 DLE
----> 06 ACK
---------------------- terminate --------
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
//////////////////////////////////////////////////////////////////////////////
TIP
Sys_par give you the information about the address of I/O, flags, counters and timers. You can use the DB_READ and
DB_WRITE, to modify this memory address.
//////////////////////////////////////////////////////////////////////////////
www.plctools.org
SYS_PAR
input:
output: - address of I/O, flags, counter and timers.
PG AS
(hex) (hex)
---------------------- function start --------
02 ----> STX
<---- 10 DLE
<---- 06 ACK
03 ----> SYS_PAR function code = 03h
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
00 ----> NULL
00 ----> NULL
10 ----> DLE
04 ----> EOT
<---- 10 DLE
<---- 06 ACK
<---- 02 STX
10 ----> DLE
06 ----> ACK
---------------------- data --------
<---- 00 NUL
<---- 00 NUL
<---- 00 NUL
<---- 00 NUL
<---- 00 NUL
<---- XX AdrPAE
<---- XX AdrPAE
<---- XX AdrPAA
<---- XX AdrPAA
<---- XX AdrM
<---- XX AdrM
<---- XX AdrT
<---- XX AdrT
<---- XX AdrZ
<---- XX AdrZ
<---- XX AdrIAData
<---- XX AdrIAData
.....
..... 26 Don´t care bytes.
.....
<---- XX PLCType
.....
..... 7 Don´t care bytes.
www.plctools.org
.....
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
---------------------- terminate --------
<---- 02 STX
10 ----> DLE
06 ----> ACK
<---- 10 DLE
<---- 03 ETX
10 ----> DLE
06 ----> ACK
//////////////////////////////////////////////////////////////////////////////
end of document
www.plctools.org

As 511

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

As 511

Uploaded by

Copyright:

Available Formats

SIMATIC AS511 Protocol

SIEMENS SIMATIC S5 AS511 (Programming port) protocol description

1. Siemens data frame.

Siemens data frame is not usual, open your port with:

Be aware that in SIMATIC the LSB/MSB bytes order is reversed:

To obtain the correct integer value of a dataword, the user

- swap the received bytes

- swap the bytes before sending them to the PLC

output: contents of datawords

output: - address of I/O, flags, counter and timers.

You might also like