Hi Julian,
yes, I know quite a bit about this protocol ... even if it doesn't have an official name, the Wireshark module is called S7Pluss ... It's a pretty complex protocol with lots of added pseudo-security. I usually referred to it as the 72-variant of the S7 protocol, as it uses "0x72" instead of "0x32" as marker byte.

Unfortunately the only thing Siemens effectively secured is that they can sue people implementing drivers. It seems that in order to communicate with an S7 using the symbolic protocol, some special fields have to be encrypted using one of three keys. Right now the only way to find out the keys would be to disassemble the official driver, which is forbidden. So if we came up with a driver, we would have to add these keys, and we would have to provide evidence on how we got them.

However, I am discussing things with a guy who's deeply involved in reverse-engineering this protocol (he told me all this shared-key stuff). Having had cryptography as one of my major topics at the university, I do have an idea on how we could be able to provide such evidence, and as soon as this works, working on this protocol makes huge sense.

If you have a look at http://plc4x.apache.org/protocols/s7/index.html I do already have pages for both protocol variants with some links to related work. Unfortunately I was told that the findings in some of the previous releases on this were not accurate at all ... but they could help getting started. The good thing is that we wouldn't need to implement all the features of the new protocol, so hopefully, after calculating the keys, achieving the goal of a PLC4X S7CommPluss driver is not too difficult.

Chris

On 01.08.18, 15:13, "Julian Feinauer" <[email protected]> wrote:

> Hi all,
>
> I just came across this announcement: https://industrial.softing.com/de/news/nachrichten/article/datafeed-opc-suite-supports-optimized-block-access-for-siemens-controllers.html
>
> They state there that there exists a new S7-2 protocol which allows communication with the PLC over symbolic addresses. Does anybody know something about this protocol? I was not able to find more information on this.
>
> Furthermore, does anybody know something about addressing / reading optimized datablocks? This is something we encounter often, as users tend to use more and more optimized blocks with symbolic addressing. And currently our only option is to copy the information unoptimized or make the blocks unoptimized. What exactly is this "optimization"?
>
> Best
> Julian
