CIP protocol message of Omron PLC

1. About the CIP protocol

  CIP is the abbreviation of Common Industrial Protocol. It is a point-to-point, object-oriented protocol that provides connections between industrial devices (sensors, actuators) and between those devices and higher-level controllers.
Three networks currently use CIP as their upper-layer protocol: DeviceNet, ControlNet and EtherNet/IP. All three are managed by the ODVA organization, which maintains the consistency and accuracy of the specification.

2. EtherNet/IP communication

  EtherNet/IP (Ethernet/Industrial Protocol) is an industrial-grade communication network for high-speed information exchange between industrial devices,
from simple I/O devices (sensors) to complex controllers (robots, PLCs, welding machines, process controllers).
EtherNet/IP carries CIP (Common Industrial Protocol) packets over standard Ethernet and TCP/IP. CIP is an open application-layer protocol that sits on top of the Ethernet and TCP/IP layers.

//1. Register session ID

            byte[] registerSessionCommand = new byte[]
            {
                //---------------- Header 24 byte ----------------
                0x6F, 0x00,                                     // command 2 byte (note: the EtherNet/IP specification assigns RegisterSession the code 0x0065; 0x006F is SendRRData)
                0x04, 0x00,                                     // length of the data following the header 2 byte
                0x00, 0x00, 0x00, 0x00,                         // session handle 4 byte (0 until the PLC assigns one)
                0x00, 0x00, 0x00, 0x00,                         // status, default 0, 4 byte
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // sender context, default 0, 8 byte
                0x00, 0x00, 0x00, 0x00,                         // options, default 0, 4 byte
                //---------------- Command Specific Data 4 byte ----------------
                0x01, 0x00,                                     // protocol version 2 byte
                0x00, 0x00,                                     // options flags 2 byte
            };

            //2. Extract the session handle from the response to the Register Session request

            byte[] RefRegisterCmd = new byte[28]
            {
                //---------------- Header 24 byte ----------------
                0x6F, 0x00,                                     // command 2 byte
                0x04, 0x00,                                     // length of CommandSpecificData 2 byte
                0x6B, 0x01, 0x01, 0x00,                         // session handle 4 byte, generated by the PLC
                0x00, 0x00, 0x00, 0x00,                         // status, default 0, 4 byte
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // sender context, default 0, 8 byte
                0x00, 0x00, 0x00, 0x00,                         // options, default 0, 4 byte
                //---------------- CommandSpecificData 4 byte ----------------
                0x01, 0x00,                                     // protocol version 2 byte
                0x00, 0x00,                                     // options flags 2 byte
            };
            // Session handle extracted from the response: the 4 bytes starting at index 4 (little-endian value 0x0001016B)
            byte[] SessionHandle = new byte[4] { 0x6B, 0x01, 0x01, 0x00 };


            //------------------ 3. Read data service request message ------------------

            // The message consists of three parts: Header (24 bytes), CommandSpecificData (16 bytes) and a CIP message
            // generated from the tag to read. For a single tag named TAG1 the total message length is 64 bytes.
            byte[] Header = new byte[24]
            {
                0x6F, 0x00,                                     // command 2 byte (SendRRData)
                0x28, 0x00,                                     // length 2 byte: total length - header length = 64 - 24 = 40
                0x6B, 0x01, 0x01, 0x00,                         // session handle 4 byte
                0x00, 0x00, 0x00, 0x00,                         // status, default 0, 4 byte
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // sender context, default 0, 8 byte
                0x00, 0x00, 0x00, 0x00,                         // options, default 0, 4 byte
            };
            byte[] CommandSpecificData = new byte[16]
            {
                0x00, 0x00, 0x00, 0x00,                         // interface handle, CIP default 0x00000000, 4 byte
                0x01, 0x00,                                     // timeout, default 0x0001, 2 byte
                0x02, 0x00,                                     // item count, default 0x0002, 2 byte
                0x00, 0x00,                                     // null address item type 0x0000, 2 byte
                0x00, 0x00,                                     // null address item length 0x0000, 2 byte
                0xB2, 0x00,                                     // unconnected data item type 0x00B2, 2 byte
                0x18, 0x00,                                     // length of the CIP message that follows: 24 bytes (total length - header - CommandSpecificData)
            };

            byte[] CipMessage = new byte[24]
            {
                0x52,                   // service: Unconnected Send, default 0x52
                0x02,                   // request path size in 16-bit words, default 2
                0x20, 0x06, 0x24, 0x01, // request path: class 0x06 (Connection Manager), instance 0x01, 4 byte
                0x0A, 0xF0,             // priority/time tick and timeout ticks, default 0xF00A, 2 byte
                0x0A, 0x00,             // length of the embedded CIP request, from the service ID through the element count: 10 bytes, 2 byte
                0x4C,                   // service ID: Read Tag, fixed 0x4C, 1 byte
                0x03,                   // request path size in words, 1 byte: (length of tag name + 1) / 2 + 1 with integer division
                0x91,                   // ANSI extended symbolic segment, fixed 0x91
                0x04,                   // length of the tag name
                0x54, 0x41, 0x47, 0x31, // tag name TAG1 as ASCII bytes. An odd-length name is padded with one 0 byte at the end:
                                        // TAG is 0x54, 0x41, 0x47 and becomes 0x54, 0x41, 0x47, 0x00
                0x01, 0x00,             // element count (number of elements to read), default 0x0001
                0x01, 0x00, 0x01, 0x00  // route path: size 1 word, reserved 0, port 1, slot number of the PLC (last byte)
            };
            //PLC reply message:
            //6F00 1800 6B010100 00000000 0000000000000000 00000000 00000000 0100 0200 00000000 B200

            //Example: reading multiple tags named TAG and TAG1 in a single message, total length 86 bytes.
            //Tail of the request, from the high byte of the embedded request length field onward:
            //00 0A0220022401 0200 0600 1000 4C03910354414700 0100 4C039104544147310100 01000100

            //Header: 6F00 3E00 6B010100 00000000 0000000000000000 00000000      24byte (0x3E = 62 = 86 - 24)

            //CommandSpecificData: 00000000 0100 0200 0000 0000 B200 2E00      16byte (0x2E = 46 = 86 - 24 - 16)
            /*
            CipMessage (46 byte):
            52 - service code (Unconnected Send)  02 - request path size  20062401 - request path  0AF0 - timeout
            2000 - embedded CIP request length (the 32 bytes from 0A up to the 00 before the route path)
            0A - Multiple Service Packet service  02 - request path size  20022401 - request path (Message Router, class 2 instance 1)
            0200 - number of services  0600 - offset of the first service (initial value: 2 + number of services * 2)
            1000 - offset of the second service = previous offset + length of the previous service request (6 + 10); each service has its own offset
            4C 03 91 03 54414700 0100 - Read Tag TAG (name padded to an even length)
            4C 03 91 04 54414731 0100 - Read Tag TAG1
            01000100 - route path (port 1, slot 0)

            PLC reply message (76 byte):
            6F00 3400 6B010100 00000000 0000000000000000 00000000 00000000 0100 0200 0000 0000 B200 2400 8A000000 0200 0600 1300 CC000000 D000 0500 3232323232 CC000000 D000 0500 3232323232

            Header: 6F00 3400 6B010100 00000000 0000000000000000 00000000   24byte (0x34 = 52 = 76 - 24)
            CommandSpecificData: 00000000 0100 0200 0000 0000 B200 2400   16byte (0x24 = 36 = 76 - 24 - 16)
            CipMessage (36 byte):
            8A - Multiple Service Packet reply  00 - reserved  0000 - status OK
            0200 - number of items  0600 - offset of the TAG reply  1300 - offset of the TAG1 reply (offsets count from the number-of-items field)
            CC - Read Tag reply  00 - reserved  0000 - status 0 OK  D000 - data type: STRING  0500 - string length (STRING type only)  3232323232 - data "22222"
            CC000000 D000 0500 3232323232 - the same reply for TAG1
            Commonly used data types (with their C# equivalents): C1 - BOOL  C2 - SINT  C3 - Short  C4 - Int  C7 - UShort  C8 - UInt  CA - Float  CB - Double  D0 - String
            */


            //----------------- 4. Write data service message -----------------

            /*Example: write TRUE to the tag named TAG1, data type BOOL

            Write message: 68byte

            6F002C006B01010000000000000000000000000000000000 000000000100020000000000B2001C00 5202200624010AF00E004D03910454414731C1000100010001000100

            header: 6F002C006B01010000000000000000000000000000000000   24byte (0x2C = 44 = 68 - 24)
            CommandSpecificData: 000000000100020000000000B2001C00     16byte (0x1C = 28 = 68 - 24 - 16)

            CipMessage: 52 02 20062401 0AF0 0E00 4D 03 91 04 54414731 C100 0100 0100 01000100   28byte

            52 - service (Unconnected Send)  02 - request path size  20062401 - request path, default  0AF0 - timeout
            0E00 - embedded CIP request length (the 14 bytes from 4D up to the 0100 before the route path)
            4D - Write Tag service  03 - (length of tag name + 1) / 2 + 1  91 - extended symbol  04 - length of the tag name TAG1  54414731 - ASCII of the tag name
            C100 - data type BOOL  0100 - element count, default 1  0100 - data TRUE (2byte)  01000100 - route path; the last byte is the PLC slot number

            PLC reply message:

            6F00 1400 6B010100 00000000 0000000000000000 00000000 00000000 0100 0200 0000 0000 B200 0400 CD000000   44byte

            header: 6F0014006B01010000000000000000000000000000000000 24byte (0x14 = 20 = 44 - 24)

            CommandSpecificData: 000000000100020000000000B2000400  16byte

            CIPMessage: CD 00 0000   CD - reply service ID (request service 0x4D with the high bit set)  00 - reserved byte  0000 - status OK

            Note: when writing a string type whose data length is odd, one 0 byte must be appended after the data so that the total length is even.
            */
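The read and write frames from sections 3 and 4, built and parsed in Python as an added example (this is not code from the original post; the constants are the page's own values, the function names are mine). The builder reproduces the 64-byte TAG1 read and the 68-byte TAG1 write byte for byte, and the parser pulls the encapsulation status and the CIP general status out of the replies shown above, which is what a monitoring or validation tool needs to check before trusting the data.

```python
import struct

# Command/service codes and constants taken from the page's byte arrays
SEND_RR_DATA = 0x6F                                # encapsulation command
UNCONNECTED_SEND, READ_TAG, WRITE_TAG = 0x52, 0x4C, 0x4D
CONN_MGR_PATH = bytes([0x20, 0x06, 0x24, 0x01])    # class 6 (Connection Manager), instance 1

def tag_path(name: str) -> bytes:
    """ANSI extended symbolic segment: 0x91, name length, ASCII name padded to an even length."""
    raw = name.encode("ascii")
    return bytes([0x91, len(raw)]) + raw + (b"\x00" if len(raw) % 2 else b"")

def read_tag_request(name: str, elements: int = 1) -> bytes:
    """Embedded Read Tag request: 4C, path size in 16-bit words, path, element count."""
    path = tag_path(name)
    return bytes([READ_TAG, len(path) // 2]) + path + struct.pack("<H", elements)

def write_tag_request(name: str, data_type: int, value: bytes, elements: int = 1) -> bytes:
    """Embedded Write Tag request: 4D, path, 2-byte data type, element count, value (padded to even)."""
    path = tag_path(name)
    value += b"\x00" if len(value) % 2 else b""
    return bytes([WRITE_TAG, len(path) // 2]) + path + struct.pack("<HH", data_type, elements) + value

def unconnected_send(embedded: bytes, slot: int = 0) -> bytes:
    """Wrap the embedded request as in the page's CipMessage: timeout 0A F0, length, route path port 1 / slot."""
    return (bytes([UNCONNECTED_SEND, 2]) + CONN_MGR_PATH + bytes([0x0A, 0xF0])
            + struct.pack("<H", len(embedded)) + embedded + bytes([0x01, 0x00, 0x01, slot]))

def send_rr_data(session: bytes, cip: bytes) -> bytes:
    """24-byte encapsulation header + 16-byte command specific data + the CIP message."""
    csd = struct.pack("<IHHHHHH", 0, 1, 2, 0x0000, 0, 0x00B2, len(cip))   # null address item + unconnected data item
    header = struct.pack("<HH4sI8sI", SEND_RR_DATA, len(csd) + len(cip), session, 0, bytes(8), 0)
    return header + csd + cip

def parse_rr_reply(frame: bytes) -> dict:
    """Pull out the encapsulation status, CIP reply service, CIP general status and the reply data."""
    cmd, _length, session, encap_status = struct.unpack_from("<HH4sI", frame, 0)
    item_len = struct.unpack_from("<H", frame, 38)[0]        # length field of the unconnected data item
    cip = frame[40:40 + item_len]
    return {"command": cmd, "session": session, "encap_status": encap_status,
            "service": cip[0], "cip_status": cip[2], "data": cip[4:]}

def decode_string(data: bytes) -> str:
    """Read Tag reply data for a STRING (0xD0): 2-byte type, 2-byte length, then the characters."""
    data_type, length = struct.unpack_from("<HH", data, 0)
    if data_type != 0xD0:
        raise ValueError(f"not a STRING reply, type 0x{data_type:02X}")
    return data[4:4 + length].decode("ascii")
```

decode_string expects a per-service reply with its 4-byte CC 00 00 00 prefix removed, so for the 76-byte multi-tag reply above the two strings start at data[10:] and data[23:] (the page's offsets 6 and 0x13 plus 4).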

            //------ 5. Additional notes ----------------------

            /* First establish a TCP connection; the CIP (EtherNet/IP) port defaults to 44818. Once the TCP connection is up, send the
            Register Session message to obtain the four-byte session handle, after which reads and writes proceed normally.
            Nothing in this exchange authenticates the client: the session handle is the only state the PLC checks, so port 44818
            should only be reachable from networks that are trusted to read and write the controller.

            Status field of the 24-byte encapsulation header (4 bytes, little-endian: the low byte comes first):

            0x0000: The status is normal
            0x0001: An invalid or unsupported encapsulation command was issued
            0x0002: Insufficient memory resources in the receiver to process the command
            0x0003: The data in the data portion of the encapsulated message is poorly formed or incorrect
            0x0004: Reserved for legacy (RA)
            0x0064: The originator used an invalid session handle when sending an encapsulated message to the target
            0x0065: The target received a message with an invalid length
            0x0069: Unsupported encapsulation protocol revision

            CIP general status (the status that follows the reply service ID and the reserved byte, e.g. CD 00 0000 above):

            0x0000 - success
            0x0004 - the path was not generated correctly or the matching token does not exist
            0x0005 - The specified item (usually an instance) referenced could not be found
            0x0006 - The requested amount of data does not fit in the response buffer; a partial data transfer occurred
            0x000A - An error occurred while trying to process one of the attributes
            0x0013 - Not enough command data/parameters were provided in the command to perform the requested service
            0x001C - Insufficient number of attributes provided compared to the attribute count
            0x001E - An error occurred with the embedded service request in this service
            0x0020 - The data type of the parameter in the command is inconsistent with the data type of the actual parameter
            0x0026 - The IOI word length does not match the number of IOIs processed */


Origin blog.csdn.net/ylq1045/article/details/129941081