S7 Communication

When communicating with S7 devices there is a whole family of protocols that can be used. In general they can be divided into Profinet protocols and S7 Comm protocols. The latter are far simpler in structure, but also far less documented. The S7 Comm protocols come in two flavours: the classic S7 Comm and a newer version unofficially called S7 Comm Plus.

Overview of the Protocols

[Image: protocols s7 osi]

Protocol Descriptions

Name                                | ISO         | RFC                 | Link
------------------------------------|-------------|---------------------|-----
Transmission Control Protocol (TCP) | -           | RFC 793             | https://tools.ietf.org/html/rfc793
ISO on TCP                          |             | RFC 1006            | https://tools.ietf.org/html/rfc1006
ISO Transport Protocol (Class 4)    | ISO DP 8073 | RFC 905             | https://tools.ietf.org/html/rfc905
S7 Comm (0x32)                      | -           |                     | http://gmiru.com/article/s7comm/ http://gmiru.com/article/s7comm-part2/ https://www.eng.tau.ac.il/~yash/jdsfl2014.pdf
S7 Comm Plus (0x72)                 | -           | -                   | https://opensource-security.de/thesis/MA_Maik_Brueggemann.pdf (information seems to be invalid or incorrect however)
RPC                                 | -           | RFC 1057 & RFC 5531 | https://tools.ietf.org/html/rfc1057 https://tools.ietf.org/html/rfc5531
DCOM                                | -           | -                   | https://msdn.microsoft.com/library/cc201989.aspx

Interaction with an S7 PLC

Currently we are concentrating on implementing the TCP-based variants of the S7 Comm and S7 Comm Plus protocols. Both are carried in ISO TP, which in turn is wrapped in ISO on TCP. Both protocols require that a connection is first established on the ISO TP level. Once the ISO TP connection exists, the higher-level protocols establish their own connections. These are described on the individual protocol sub-pages:

The hex value given after each of these protocol names (0x32 for S7 Comm, 0x72 for S7 Comm Plus) is the first byte of every message of that protocol and identifies which protocol is in use.

Connection sequence (seqdiag source):

{
    === Connect ===

    Client -> "ISO TP" [label = "Connection Request"]
    Client <- "ISO TP" [label = "Connection Response"]

    === Higher Level Connect ===

    === Higher Level Communication ===

    === Disconnect ===

    Client -> "ISO TP" [label = "Disconnect Request"]

}

ISO TP Message Types

Although ISO TP defines more message types, only the following are required for S7 Comm and S7 Comm Plus. Each message is called a TPDU (Transport Protocol Data Unit):

  • Connection Request TPDU

  • Connection Response TPDU

  • Data TPDU

  • Disconnect Request TPDU

Notice: ISO TP Class 0 defines no Disconnect Response; a Disconnect Request is never answered.
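The four TPDUs listed above, carried in ISO on TCP, as an added example (not PLC4X's own code): a small encoder plus a parser that refuses frames whose TPKT length or COTP length indicator does not match the bytes present, which is the check a protocol monitor or fuzz-hardened stack needs before looking at the S7 payload. The TPDU codes are those of RFC 905; the TSAP and user-data values in the test are constructed samples.

```python
# Added example, not PLC4X code. TPDU codes per RFC 905; sample TSAPs are constructed.
import struct

TPKT_VERSION = 3
CR, CC, DR, DT = 0xE0, 0xD0, 0x80, 0xF0   # TPDU codes (upper nibble): CR, CC (0xD0), DR, DT
NAMES = {CR: "CR", CC: "CC", DR: "DR", DT: "DT"}

def tpkt(cotp: bytes) -> bytes:
    """ISO on TCP header (RFC 1006): version 3, reserved 0, big-endian total length."""
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(cotp)) + cotp

def connection_request(src_tsap: bytes, dst_tsap: bytes, tpdu_size: int = 0x0A) -> bytes:
    """CR TPDU: LI, code, dst-ref, src-ref, class 0, then TLV parameters C0/C1/C2."""
    params = (bytes([0xC0, 1, tpdu_size, 0xC1, len(src_tsap)]) + src_tsap
              + bytes([0xC2, len(dst_tsap)]) + dst_tsap)
    body = bytes([CR]) + struct.pack(">HHB", 0, 1, 0) + params
    return tpkt(bytes([len(body)]) + body)   # LI counts every header byte after itself

def data_tpdu(user_data: bytes) -> bytes:
    """DT TPDU in class 0: LI=2, code 0xF0, 0x80 = end-of-TSDU bit with TPDU number 0."""
    return tpkt(bytes([2, DT, 0x80]) + user_data)

def disconnect_request(reason: int = 0) -> bytes:
    """DR TPDU: dst-ref, src-ref, reason byte. Class 0 sends no Disconnect Response."""
    return tpkt(bytes([6, DR]) + struct.pack(">HHB", 0, 1, reason))

def parse(frame: bytes) -> dict:
    """Split one TPKT frame into TPDU type, COTP header and user data, or raise on bad lengths."""
    if len(frame) < 6:
        raise ValueError("truncated: no room for TPKT header, LI and TPDU code")
    version, _, length = struct.unpack(">BBH", frame[:4])
    if version != TPKT_VERSION or length != len(frame):
        raise ValueError(f"TPKT version {version} / length {length} vs {len(frame)} bytes")
    li, code = frame[4], frame[5] & 0xF0
    if li < 1 or 5 + li > len(frame):
        raise ValueError(f"COTP length indicator {li} runs past the frame")
    if code not in NAMES:
        raise ValueError(f"unexpected TPDU code {code:#x}")
    return {"type": NAMES[code], "header": frame[6:5 + li], "user_data": frame[5 + li:]}

def parameters(header: bytes) -> dict:
    """TLV parameters following the 5-byte fixed part of a CR/CC/DR header, keyed by code."""
    out, i = {}, 5
    while i + 2 <= len(header):
        code, plen = header[i], header[i + 1]
        if i + 2 + plen > len(header):
            raise ValueError("parameter length runs past the COTP header")
        out[code] = header[i + 2:i + 2 + plen]
        i += 2 + plen
    return out
```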

Connection Request TPDU

[Image: s7 connect request]

Legend:

  • ISO on TCP Packet Header

  • ISO Transport Protocol Packet Header

  • Part of the packet that identifies the type of request

  • Variable Parts of the ISO Transport Protocol Packet Header

Connection Response TPDU

The Connection Response has the same layout as the Connection Request; the only difference is that its TPDU code is 0xD0.

Data TPDU

[Image: s7 data]

Legend:

  • ISO on TCP Packet Header

  • ISO Transport Protocol Packet Header

  • Part of the packet that identifies the type of request

Disconnect Request TPDU

[Image: s7 disconnect request]

Legend:

  • ISO on TCP Packet Header

  • ISO Transport Protocol Packet Header

  • Part of the packet that identifies the type of request

  • Variable Parts of the ISO Transport Protocol Packet Header