responding to http://www.electrondepot.com/embedded/siemens-sab-80c537-reverse-engineering-43397-.htm , Gian Luigi wrote:

> blockedofcourse wrote:
>
> On 6/8/2016 11:37 AM, gldiana wrote:
>
> > Dear all, I have a wind-turbine that is equipped with a Siemens 80c537 CPU
> > based PLC, named Sentic convoy 537. Seems that today nobody is able to
> > interact with this PLC.
>
> The wind turbine is named "Sentic Convoy 537"? Or, does the PLC that controls
> it bear that name?
>
> If the former, what is the name/model of the actual Siemens PLC incorporated
> into the device? Why can't you find documentation regarding that PLC's
> "interface" (since you claim no one can "interact" with it)
>
> > I have recognized the eprom (AMD 27c512). I need to modify a functional
> > parameter (the rotor rpm set): can anyone suggest how to do that?
>
> Yeah; look at the interface description for the device and see if
> there's a "rotor rpm setpoint" parameter listed. If not, are you sure
> bad things won't happen if you alter this parameter?
>
> > I have an eprom programmer and I can read the eprom content. But I need
> > further help to do my job....
> >
> > Please, can anyone help me?
>
> Contact the vendor.
>
> Contact Siemens (for PLC documentation).
>
> Dump the EPROM and reverse engineer its contents.

The turbine brand is "Windworld". The PLC brand (manufacturer) is "Sentic", model name is "convoy 537" (known also as "Mark IV").

Sentic is no longer existing: the turbine was sold originally in 1992, and if you google "sentic controller" you will find almost nothing. That is more a controller than a PLC, in the sense that it has been tailor made for this application only...

I know that in the eprom there's binary code, but I am not able to disassemble it without your help.

Finally I would say that I know exactly what I am going to do modifying that parameter..

I have also a photo of that plc: is there any way to attach it here?

Thank you in advance for any help..
Re: Siemens SAB 80C537 Reverse Engineering
Started by ●June 9, 2016
Reply by ●June 9, 2016
On 6/9/2016 6:37 PM, Gian Luigi wrote:

> The turbine brand is "Windworld". The PLC brand (manufacturer) is "Sentic",
> model name is "convoy 537" (known also as "Mark IV").
> Sentic is no longer existing: the turbine was sold originally in 1992, and if
> you google "sentic controller" you will find almost nothing. That is more a
> controller than a PLC, in the sense that it has been tailor made for this
> application only...

Ah.

> I know that in the eprom there's binary code, but I am not able to disassemble
> it without your help.

Given the choice of a 64KB device, it is likely that at least half of it is used (else a 32KB device could have been used at reduced cost). That's a fair bit of code to "reverse engineer" -- esp if you have no *definitive* idea what the interfaces are like (which signals are present on which inputs, what the balance of the electronics do on the board, etc.)

This is the sort of thing that falls in the "hobbyist" category -- someone with more interest/time than money (it would cost you a fair bit to have the design reverse engineered).

[I've known folks who hand-disassembled ~48KB binaries "out of curiosity" but knew, up front, that it was an uneconomical task and did it for the "personal challenge"]

Your comments suggest there's a servo/control loop operating to keep the turbine at (or "not to exceed"?) a particular speed. (how?) If that's the case, then you might find it easier to *trick* the controller into doing what you want:

- <something> tells the MCU the current rotor rpm
- the MCU actuates <somethingelse> to drive the rpm as desired

So, if the current RPM setting is "hard coded" as X and you want it to be Y, figure out how to introduce a X/Y scale factor in the *sensed* RPM. In this way, when the motor RPM *is* Y, the MCU will see it as Y * X/Y = X and think it is doing exactly what it was designed to do!

Alternatively, introduce a Y/X factor in the actuator output...

[There are lots of assumptions in this -- any of which can make it an inappropriate solution. But, I don't know what your system does or how it operates so can't identify those risks]

> Finally I would say that I know exactly what I am going to do modifying that
> parameter..
>
> I have also a photo of that plc: is there any way to attach it here?

No. You could post it to a hosting site and pass a pointer (URL) in a followup post, here. But, hard to say much of anything even from a photo...
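
Added example, not part of either post above: a first-pass triage of a 64 KB dump such as the 27C512 image discussed in this thread, measuring how much of the device is programmed and decoding the LJMP instructions at the standard 8051 vector addresses. The sample image is constructed, `dump.bin` is a hypothetical file name, and the vector table lists only the common 8051/8052 entries (the 80C537 defines additional ones).

```python
# Added example: first-pass triage of a 64 KB EPROM image from an 8051-family MCU.
ERASED = 0xFF   # an erased EPROM cell reads 0xFF
LJMP = 0x02     # 8051 "LJMP addr16": opcode, target high byte, target low byte
# Common 8051/8052 vector addresses (assumption: enough for a first look).
VECTORS = {0x0000: "RESET", 0x0003: "IE0", 0x000B: "TF0",
           0x0013: "IE1", 0x001B: "TF1", 0x0023: "SERIAL", 0x002B: "TF2"}

def used_blocks(image, block=256):
    """Return start offsets of blocks containing at least one programmed byte."""
    return [off for off in range(0, len(image), block)
            if any(b != ERASED for b in image[off:off + block])]

def occupancy(image, block=256):
    """Fraction of blocks that are not fully erased."""
    total = (len(image) + block - 1) // block
    return len(used_blocks(image, block)) / total if total else 0.0

def vector_targets(image):
    """Map vector name -> jump target for every vector that begins with LJMP."""
    out = {}
    for addr, name in VECTORS.items():
        if addr + 2 < len(image) and image[addr] == LJMP:
            out[name] = (image[addr + 1] << 8) | image[addr + 2]
    return out

def build_sample():
    """Constructed 64 KB image: two LJMP vectors and 0x9000 bytes of filler."""
    img = bytearray([ERASED]) * 0x10000
    img[0x0000:0x0003] = bytes([LJMP, 0x01, 0x00])  # RESET -> 0x0100
    img[0x000B:0x000E] = bytes([LJMP, 0x12, 0x34])  # TF0   -> 0x1234
    img[0x0100:0x9100] = bytes(0x9000)              # 0x00 (NOP) stands in for code
    return bytes(img)

if __name__ == "__main__":
    # For a real dump: img = open("dump.bin", "rb").read()  (hypothetical name)
    img = build_sample()
    print(f"occupied: {occupancy(img):.1%} of {len(img)} bytes")
    for name, target in vector_targets(img).items():
        print(f"{name:7s} -> 0x{target:04X}")
```

Because 0xFF is also a valid 8051 opcode, the occupancy figure is an estimate made at block granularity, not an exact byte count.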







