Omron CJ2M read/write from PC program over Ethernet/IP

Question

I am developing a program to connect my PC to Omron CJ2M PLC to send read / write commands.

As per my understanding, Omron PLCs can be communicated over 3 methods:

1) Hostlink,

2) FINS, (TCP or UDP) and

3) EIP.

My requirement here is to connect CJ2M through EIP, and send Read/Write commands over EIP(CIP) protocol.

Initally EIP communication needs to send 2 requests:

1) List Services and 2) Register Sessions

Register Sessions returns a handle which should be used in further communication over EIP.

I am successfully able to send List Services, Register Session and Forward Open (RR Data) and these are successfully replied by the Omron PLC. There is no problem in these 3 requests/responses.

Now I want to know which command/service need to be used to read the memory area of Omron (say DR 20 memory address).

I am sending service code 0x4d over RR Data, but it says "Vendor Specific Error" and then connection gets terminated.

I need protocol specification for Omron EIP or wireshark logs or some sniffed packets where a request / response is captured over EIP communication from PC to Omron PLC (no fins, no hostlink).

Answer 1

We can send requests to Omron EIP using "Send Unit Data" with service code 0x4d.

This service (0x4d) is used to send write request as per EIP documentation, but we can insert the Omron specific commands (FINS) to read the memory areas in command specific data.

0000 00 00 00 00 00 80 0e 00 01 00 80 00 02 00 00 00

0010 00 00 00 12 01 01 82 00 00 00 00 01