MELSEC
Table of contents
Overview
Frames

Message Format

Subheader
4E frame - Request message (serial No. ‘1234’)
| * all in hex | Fixed Value | Serial No. | Free |
|---|---|---|---|
| ASCII mode | 35 34 30 30 | 31 32 33 34 | 30 30 30 30 |
| Binary mode | 54 00 | 34 12 | 00 00 |
3E frame - Request message
| * all in hex | Fixed Value |
|---|---|
| ASCII mode | 35 30 30 30 |
| Binary mode | 50 00 |
Response message
| * all in hex | Fixed Value |
|---|---|
| ASCII mode | 44 30 30 30 |
| Binary mode | D0 00 |
Access Route
4E, 3E
| * all in hex | Network No. | PC No. | Req Dst Module I/O No. | Req Dst Module Station No. |
|---|---|---|---|---|
| ASCII mode | 30 30 | 46 46 | 30 33 46 46 | 30 30 |
| Binary mode | 00 | FF | FF 03 | 00 |
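
As an added example (not part of the original page or of any vendor tooling), the following Python code decodes the subheader and access route fields laid out in the tables above, in both ASCII and binary mode. The function name `parse_header` and the result keys are assumptions, and it recognises only the three subheader values listed on this page.

```python
# Added example: field names and parse_header() are illustrative assumptions.
# Subheader fixed values from the tables above -> (frame type, direction).
SUBHEADERS = {
    bytes.fromhex("5400"): ("4E", "request"),
    bytes.fromhex("5000"): ("3E", "request"),
    bytes.fromhex("D000"): ("3E", "response"),
}

def parse_header(data: bytes) -> dict:
    """Decode subheader and access route from the start of a message."""
    if data[:2] in SUBHEADERS:
        mode, sub, width = "binary", data[:2], 1
    else:
        # ASCII mode sends each byte as two hex characters.
        mode, width = "ascii", 2
        try:
            sub = bytes.fromhex(data[:4].decode("ascii"))
        except ValueError:
            sub = b""
    if sub not in SUBHEADERS:
        raise ValueError("unknown subheader")
    frame, direction = SUBHEADERS[sub]
    pos = 2 * width  # skip the fixed value

    def take(nbytes: int) -> int:
        nonlocal pos
        raw = data[pos:pos + nbytes * width]
        if len(raw) != nbytes * width:
            raise ValueError("truncated header")
        pos += nbytes * width
        if mode == "ascii":
            # Hex text, most significant digit first ("1234" -> 0x1234).
            return int.from_bytes(bytes.fromhex(raw.decode("ascii")), "big")
        # Binary mode is little-endian (34 12 -> 0x1234).
        return int.from_bytes(raw, "little")

    out = {"mode": mode, "frame": frame, "direction": direction}
    if frame == "4E":
        out["serial"] = take(2)
        out["free"] = take(2)  # 0000 in the table above
    out["network_no"] = take(1)
    out["pc_no"] = take(1)
    out["module_io_no"] = take(2)
    out["module_station_no"] = take(1)
    out["header_len"] = pos  # bytes consumed by the fields above
    return out
```

A message that starts with none of the listed fixed values raises `ValueError`, which is a convenient point for a monitoring tool to flag traffic that does not match the expected framing.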
Commands and Functions
The command value is specified at the head of the request data.
4C/3C/4E/3E frame
Reference
IPESOFT - Mitsubishi MELSEC protocol
nmap - melsecq-discover.nse
SLMP reference Manual
MELSEC Communication Protocol Reference Manual
GitHub - blackhat23-melsoft
GitHub - mitsubishi-wireshark-plugin