src/site/asciidoc/protocols/s7/s7comm-plus.adoc - plc4x - Git at Google

 //
 //  Licensed to the Apache Software Foundation (ASF) under one or more
 //  contributor license agreements.  See the NOTICE file distributed with
 //  this work for additional information regarding copyright ownership.
 //  The ASF licenses this file to You under the Apache License, Version 2.0
 //  (the "License"); you may not use this file except in compliance with
 //  the License.  You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 //  Unless required by applicable law or agreed to in writing, software
 //  distributed under the License is distributed on an "AS IS" BASIS,
 //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 //
 :imagesdir: ../../img/

 == S7 Comm Plus (0x72)

 The `S7 Comm Plus` protocol is a new version of the original `S7 Comm` protocol.
 While a `S7 Comm` packet is identified, by the magic byte `0x32`, the `S7 Comm Plus` packet uses the magic byte `0x72`.
 The End of a packet is indicated by a frame end sequence of 6 bytes: 00 00 72 01 00 00

 The general structure of the protocols content however is completely different and far less documented.

 The biggest source for getting started in implementing this protocol was the https://os-s.de/thesis/MA_Maik_Brueggemann.pdf[Master Thesis of Maik Brüggemann].
 However this only covered the basic structure of a `S7 Comm Plus` packet and it seems that this information is not quite correct as many assumptions hav turned out to not be correct.

 Beyond that, it seems that implementing this protocol would require knowledge of some shared keys which are contained in the bytecode of the PLCs as well as the official drivers.
 As we can't reverse-engineer these keys, the only way we could get them, would be by disassembling the existing code, which would not be allowed.

 Therefore we have currently stopped working on this protocol type.
 Eventually things may change in the future, but for now we see no way we could finish this on a legally correct path.

 == Links

 https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-Break%20-The-Security-Wall-Of-S7CommPlus-wp.pdf
	//
	// Licensed to the Apache Software Foundation (ASF) under one or more
	// contributor license agreements. See the NOTICE file distributed with
	// this work for additional information regarding copyright ownership.
	// The ASF licenses this file to You under the Apache License, Version 2.0
	// (the "License"); you may not use this file except in compliance with
	// the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	:imagesdir: ../../img/

	== S7 Comm Plus (0x72)

	The `S7 Comm Plus` protocol is a new version of the original `S7 Comm` protocol.
	While a `S7 Comm` packet is identified, by the magic byte `0x32`, the `S7 Comm Plus` packet uses the magic byte `0x72`.
	The End of a packet is indicated by a frame end sequence of 6 bytes: 00 00 72 01 00 00

	The general structure of the protocols content however is completely different and far less documented.

	The biggest source for getting started in implementing this protocol was the https://os-s.de/thesis/MA_Maik_Brueggemann.pdf[Master Thesis of Maik Brüggemann].
	However this only covered the basic structure of a `S7 Comm Plus` packet and it seems that this information is not quite correct as many assumptions hav turned out to not be correct.

	Beyond that, it seems that implementing this protocol would require knowledge of some shared keys which are contained in the bytecode of the PLCs as well as the official drivers.
	As we can't reverse-engineer these keys, the only way we could get them, would be by disassembling the existing code, which would not be allowed.

	Therefore we have currently stopped working on this protocol type.
	Eventually things may change in the future, but for now we see no way we could finish this on a legally correct path.

	== Links

	https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-Break%20-The-Security-Wall-Of-S7CommPlus-wp.pdf