Google Git
Sign in
apache / plc4x / 6e7f5055370816313a32c112d74b03b2dc49b7cc / . / src / site / asciidoc / protocols / s7 / index.adoc
blob: 01bb4bd15757e25289e122723cdd11a7e4983178 [file] [log] [blame]
//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
:imagesdir: ../../images/
== S7 Communication
When communicating with S7 Devices there is a whole family of protocols, that can be used.
In general you can divide them into `Profinet` protocols and `S7 Comm` protocols.
The later are far simpler in structure, but also far less documented.
The `S7 Comm` protocols are generally split up into two flavours: The classic `S7 Comm` and a newer version unofficially called `S7 Comm Plus`.
=== Overview of the Protocols
[ditaa,protocols-s7-osi]
....
: : : implemented :
: : : | :
: Profinet : : | S7 Protocol :
: : : V :
- - - - - - - - - - +-------------+-------------+-------------+-------------+-------------+-------------+-------------+ - -
|c0B0 |c0B0 |c0B0 |c0B0 |c05A |c0BA |c0BA |
Application | | | | | | | |
Layer | | | | | | | |
| | | | | | | |
| Profinet IO | Profinet IO | Profinet CBA| Profinet CBA| | | |
- - - - - - - - - - | RT / IRT | | | RT | | | | - -
| | | | | | | |
Presentation | | | | | | | |
Layer | | | | | S7 | S7 | S7 |
| | | | | Comm | Comm | Comm |
| | | | | Plus | | |
- - - - - - - - - - | +-------------+-------------+ | | | | - -
| |cAAA |cAAA | | | | |
Session | | | | | | | |
Layer | | RPC | DCOM | | | | |
| | | | | | | |
| | | | | | | |
- - - - - - - - - - | +-------------+-------------+ +-------------+-------------+-------------+ - -
| |cAAA |cAAA | |cF6F |
| | | | | ISO Transport Protocol |
| | | | | RFC 905 |
| | | | | (Class 0) |
| | | | +---------------------------+ |
| | | | |cFF6 | |
Transport | | | | | ISO on TCP | |
Layer | | UDP | TCP | | RFC 1006 | |
| | | | +---------------------------+ |
| | | | |cAAA | |
| | | | | TCP | |
| | | | | | ISO |
- - - - - - - - - - | +-------------+-------------+ +---------------------------+ Transport | - -
| | cAAA | |cAAA | Protocol |
Network | | | | | RFC 905 |
Layer | | IP | | IP | (Class 4) |
| | | | | |
| | | | | |
- - - - - - - - - - +-------------+---------------------------+-------------+---------------------------+-------------+ - -
|cAAA |
Data Link | |
Layer | |
| |
| Industrial |
- - - - - - - - - - | Ethernet | - -
| |
Physical | |
Layer | |
| |
| |
- - - - - - - - - - +-------------------------------------------------------------------------------------------------+ - -
....
=== Protocol Descriptions
|===
|Name |ISO |RFC |Link
|Transmission Control Protocol (TCP) |- | RFC 793 |https://tools.ietf.org/html/rfc793
|ISO on TCP |- | RFC 1006| https://tools.ietf.org/html/rfc1006
|ISO Transport Protocol (Class 4) |ISO DP 8073 | RFC 905 |https://tools.ietf.org/html/rfc905
|S7 Comm (0x32) |- |- |http://gmiru.com/article/s7comm/ http://gmiru.com/article/s7comm-part2/ https://www.eng.tau.ac.il/~yash/jdsfl2014.pdf
|S7 Comm Plus (0x72) |- |- |(Information seems to be invalid or incorrect however) https://opensource-security.de/thesis/MA_Maik_Brueggemann.pdf
|RPC |- | RFC 1057 & RFC 5531 |https://tools.ietf.org/html/rfc1057 https://tools.ietf.org/html/rfc5531
|DCOM |- |- | https://msdn.microsoft.com/library/cc201989.aspx
|===
=== Interaction with an S7 PLC
Currently we are concentrating on implementing the TCP-based variants of the `S7 Comm` and `S7 Comm Plus` protocols.
Both are transferred using `ISO TP` which is wrapped by `ISO on TCP`.
Both protocols require establishing a connection on the `ISO TP` level first.
After the `ISO TP` connection is established, the higher level protocols then establish their connections.
These are then handled by the individual protocol sub-pages:
- link:s7comm.html[S7 Comm (0x32)]
- link:s7comm-plus.html[S7 Comm Plus (0x72)]
The hex-value behind each of these correlates to the first byte used in the protocols messages to indicate the type of protocol.
[seqdiag,s7-interaction]
....
{
=== Connect ===
Client -> "ISO TP" [label = "Connection Request"]
Client <- "ISO TP" [label = "Connection Response"]
=== Higher Level Connect ===
=== Higher Level Communication ===
=== Disconnect ===
Client -> "ISO TP" [label = "Disconnect Request"]
}
....
=== ISO TP Message Types
Even if `ISO TP` defines more types of messages, the ones required for `S7 Comm` or `S7 Comm Plus` are only the following.
Each message is called a `TPDU` (Transport Protocol Data Unit):
- Connection Request TPDU
- Connection Response TPDU
- Data TPDU
- Disconnect Request TPDU
Notice: There is no `Disconnect Response` in `ISO TP: Class 0`.
==== Connection Request TPDU
// len (length of bits - use instead of explicit byte count - requires "*" as first element)
// label
// color / background
// linecolor
// rotate (degrees)
// colheight
// height
// numbered
// label_orientation (vertical, horizontal)
// stacked (no value)
// icon
// shape (box, circle, ...)
[packetdiag,s7-connect-request,svg]
....
{
colwidth = 32
// ISO on TCP
* ISO on TCP Magic Number (0x03) [len = 8, color = "#068D9D"]
* Reserved (0x00) [len = 8, color = "#068D9D"]
* Packet Length (including ISO on TCP header) [len = 16, color = "#068D9D"]
// ISO Transport Protocol
* ISO TP Header Length\n(excluding length byte) [len = 8, color = "#53599A"]
* TPDU-Code\n(CR = 0xE0) [len = 4, color = "#AEECEF"]
* Signal CDT\n(0x00) [len = 4, color = "#53599A"]
// ISO TP Header (Fixed Part)
* Destination Reference [len = 16, color = "#53599A"]
* Source Reference [len = 16, color = "#53599A"]
* Protocol Class\n(Class 0 = 0x00) [len = 8, color = "#53599A"]
// ISO TP Header (Variable Part / Parameters)
* Parameter Code\n(TPDU Size = 0xC0) [len = 8, color = "#53599A"]
* Parameter Length\n(1 = 0x01) [len = 8, color = "#53599A"]
* Parameter Value\n(TPDU Size 1024 = 0x0A) [len = 8, color = "#53599A"]
* Parameter Code\n(Calling TSAP = 0xC1) [len = 8, color = "#53599A"]
* Parameter Length (2 = 0x02) [len = 8, color = "#53599A"]
* Device Group\n(PG/PC = 0x01) [len = 8, color = "#53599A"]
* TSAP Id (0x00) [len = 8, color = "#53599A"]
* Parameter Code\n(Called TSAP = 0xC2) [len = 8, color = "#53599A"]
* Parameter Length (2 = 0x02) [len = 8, color = "#53599A"]
* Device Group\n(Others = 0x03) [len = 8, color = "#53599A"]
* Rack Number[len = 4, color = "#80DED9"]
* Slot Number[len = 4, color = "#80DED9"]
}
....
Legend:
- [protocolIsoOnTcp]#ISO on TCP Packet Header#
- [protocolIsoTP]#ISO Transport Protocol Packet Header#
- [protocolId]#Part of the packet that identifies the type of request#
- [protocolParameter]#Variable Parts of the ISO Transport Protocol Packet Header#
==== Connection Response TPDU
The `Connection Response` is identical to the `Connection Request` with the only difference that the `TPDU-Code` has a code of `0xD0`.
==== Data TPDU
// len (length of bits - use instead of explicit byte count - requires "*" as first element)
// label
// color / background
// linecolor
// rotate (degrees)
// colheight
// height
// numbered
// label_orientation (vertical, horizontal)
// stacked (no value)
// icon
// shape (box, circle, ...)
[packetdiag,s7-data,svg]
....
{
colwidth = 32
// ISO on TCP
* ISO on TCP Magic Number (0x03) [len = 8, color = "#068D9D"]
* Reserved (0x00) [len = 8, color = "#068D9D"]
* Packet Length (including ISO on TCP header) [len = 16, color = "#068D9D"]
// ISO Transport Protocol
* ISO TP Header Length\n(excluding length byte) [len = 8, color = "#53599A"]
* TPDU-Code\n(DATA = 0xF0) [len = 4, color = "#AEECEF"]
* Signal CDT\n(0x00) [len = 4, color = "#53599A"]
* TPDU-NR/EOT [len = 8, color = "#53599A"]
}
....
Legend:
- [protocolIsoOnTcp]#ISO on TCP Packet Header#
- [protocolIsoTP]#ISO Transport Protocol Packet Header#
- [protocolId]#Part of the packet that identifies the type of request#
==== Disconnect Request TPDU
// len (length of bits - use instead of explicit byte count - requires "*" as first element)
// label
// color / background
// linecolor
// rotate (degrees)
// colheight
// height
// numbered
// label_orientation (vertical, horizontal)
// stacked (no value)
// icon
// shape (box, circle, ...)
[packetdiag,s7-disconnect-request,svg]
....
{
colwidth = 32
// ISO on TCP
* ISO on TCP Magic Number (0x03) [len = 8, color = "#068D9D"]
* Reserved (0x00) [len = 8, color = "#068D9D"]
* Packet Length (including ISO on TCP header) [len = 16, color = "#068D9D"]
// ISO Transport Protocol
* ISO TP Header Length\n(excluding length byte) [len = 8, color = "#53599A"]
* TPDU-Code\n(DR = 0x80) [len = 4, color = "#AEECEF"]
* Signal CDT\n(0x00) [len = 4, color = "#53599A"]
* Destination Reference [len = 16, color = "#53599A"]
* Source Reference [len = 16, color = "#53599A"]
* Reason [len = 8, color = "#53599A"]
// ISO TP Header (Variable Part / Parameters) (Optional)
* Parameter Code\n(Disconnect Additional Information = 0xE0) [len = 8, color = "#53599A"]
* Parameter Length\n(1 ... 128) [len = 8, color = "#53599A"]
* Parameter Data\n(Custom user data) [len = 24, color = "#53599A"]
}
....
Legend:
- [protocolIsoOnTcp]#ISO on TCP Packet Header#
- [protocolIsoTP]#ISO Transport Protocol Packet Header#
- [protocolId]#Part of the packet that identifies the type of request#
- [protocolParameter]#Variable Parts of the ISO Transport Protocol Packet Header#