Help Decoding raw TCP stream from SLC500


Thread Starter


We have an old 1990's PanelMate ePro running locked down code that controls an SLC-500. It does lots of things all in fast sequence and of course 20 years later nothing is documented, everyone that knows about the system is retired, bankrupt, and/or dead. So I am left with reverse engineering it.

I sniffed out all the TCP packets between the PC and the controller for 1 of the many sequences to see if I can decode it. Problem is TCP can be anything and I am not sure where to even start. One of the manuals online for the SLC500 showed a TCP interface that did things like "O:<slot>.<word>/<bit>". I do see one instance of 0x4F in most of the streams which is an ASCII "O" but I am not sure if that is what it means.

Just wondering if anyone has any clue how to decode streams like this:
0000 00 30 64 03 0c 8b 00 00 bc 1e 7f 53 08 00 45 00 .0d........S..E.
0010 00 50 b2 55 00 00 40 06 ae d8 0a 00 02 bd 0a 00 [email protected]
0020 02 be 08 ae 04 25 87 e5 a2 20 00 1b 00 58 50 18 .....%... ...XP.
0030 0b 68 a7 4c 00 00 02 07 00 0c 00 00 01 01 00 00 .h.L............
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 05 00 00 4f 00 d4 72 00 80 85 1d ......O..r....
Note that that is the full TCP stream with IP headers and everything. The data itself starts on line 0030, 7th byte in (0x01, followed by 0x07) and is 42 bytes long and goes to the end of the stream. You can see near the end, 7th to last byte, there is a 0x4F which is an "O" if it is ASCII, or it could be something completely different. That's why I am here!

01 is the start of a PCCC request.
07 means PCCC command, next two bytes are the length, etc., there are AB documents that cover the protocol.

4F is a response code to a 0F command sent to the PLC. This should be the response from the PLC to the device.

Good luck,


Post the full packet captures please. If you need help getting them on a site, I'll be happy to assist.

Can't do much reversing without all the data.

While that's going on, what TCP ports are in use? Have you tried applying different dissectors (use the 'decode-as' feature in wireshark)?


> 01 is the start of a PCCC request.

Sorry, 02 is the start of the PCCC response.

The request packet would be needed to determine the payload after the 4F (CMD response), STS and TNS and then data.

Good luck,