Dear All, I am new in studying this field, so don't be annoyed if I ask dumb questions please. First of all, I have some idea on PLC and Automation by all means. So, I started reading Hans Berger's 'Automation with Simatic S7-300 inside TIA Portal'.

To configure the S7-1200 or S7-1500 PLC to communicate with the C-more panel, you will first need to find the port settings for your Siemens PLC, including the rack and slot numbers. In TIA Portal go to Devices > Device Configuration, click on the CPU and open Project Information: the CPU is listed as Rack 0, Slot 1.

From the figure shown above, the head station is in slot/module 0 and all other PLC cards are in slots/modules 2 to 17 and 19 to 34.

Head station as PLC box:

ID | Property | Value
20161 | Configuration project | Not empty
20408 | PLC station ID | Not empty
20409 | Station type | ET200AL
20416 | PLC type designation | For example 6ES7 157-1AB00-0AB0
20427 | Rack | 0
20164 | Bus coupler / head station |
S7comm (S7 Communication) is a Siemens proprietary protocol used by programmable logic controllers (PLCs) of the Siemens S7-300/400 family, both between PLCs and between a PLC and the engineering station, HMI or SCADA system that talks to it.
It is used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA (supervisory control and data acquisition) systems and diagnostic purposes.
S7comm data is carried as the payload of COTP data (DT) packets. The first byte of every S7comm PDU is the protocol identifier 0x32. Special communication processors for the S7-400 series (CP 443) may also carry this protocol without the TCP/IP layers.
OSI layer | Layer name | Protocol
7 | Application Layer | S7 communication
6 | Presentation Layer | S7 communication
5 | Session Layer | S7 communication
4 | Transport Layer | ISO-on-TCP (RFC 1006)
3 | Network Layer | IP
2 | Data Link Layer | Ethernet
1 | Physical Layer | Ethernet
To establish a connection to an S7 PLC there are three steps:
- Connect to the PLC on TCP port 102
- Connect on the ISO layer (COTP Connect Request)
- Connect on the S7comm layer (s7comm.param.func = 0xf0, Setup communication)
Step 1) uses the IP address of the PLC/CP.
Step 2) uses a destination TSAP of two bytes. The first byte of the destination TSAP codes the communication type (1 = PG, 2 = OP). The second byte codes the rack and slot number, i.e. the position of the PLC CPU: the slot number is in bits 0-4 and the rack number in bits 5-7.
Step 3) negotiates S7comm-specific details, such as the PDU size and the number of parallel jobs.
None of these three steps authenticates the client: any host that can reach TCP port 102 and supplies a destination TSAP matching the CPU's rack and slot obtains a session of the requested type (PG or OP). Network reachability of port 102 is therefore the main control over who can talk to the CPU, and it is worth verifying with a capture that only the expected engineering and HMI stations ever complete step 3.
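The three steps above, as an added example written for this page (not code from the Wireshark project or from Siemens). It encodes the destination TSAP from communication type, rack and slot, builds the COTP Connect Request and the S7comm Setup communication PDU byte for byte, and parses the PLC's reply to read back the negotiated PDU size. The field layouts follow RFC 1006, ISO 8073 and the Wireshark s7comm dissector; the reply frame SAMPLE_SETUP_ACK is constructed for illustration and is not from a real capture. Nothing is sent on the wire; feed the returned bytes to a socket connected to port 102 if you want to run it against a CPU.

```python
"""Build and parse the frames that open an S7comm session:
TPKT/COTP Connect Request, then S7comm 'Setup communication' (0xF0)."""
import struct

TPKT_VERSION = 0x03
COTP_CR = 0xE0            # Connect Request TPDU
COTP_DT = 0xF0            # Data TPDU
S7_PROTOCOL_ID = 0x32     # first byte of every S7comm PDU
S7_ROSCTR_JOB = 0x01
S7_ROSCTR_ACK = 0x02
S7_ROSCTR_ACK_DATA = 0x03
S7_FUNC_SETUP_COMM = 0xF0


def encode_tsap(comm_type: int, rack: int, slot: int) -> bytes:
    """Two-byte TSAP: byte 0 = communication type (1=PG, 2=OP),
    byte 1 = rack in bits 5-7, slot in bits 0-4."""
    if not (0 <= rack <= 7 and 0 <= slot <= 31):
        raise ValueError("rack must be 0-7 and slot 0-31")
    return bytes([comm_type, (rack << 5) | slot])


def decode_tsap(tsap: bytes) -> tuple:
    """Inverse of encode_tsap: returns (comm_type, rack, slot)."""
    if len(tsap) != 2:
        raise ValueError("TSAP must be two bytes")
    return tsap[0], tsap[1] >> 5, tsap[1] & 0x1F


def tpkt(payload: bytes) -> bytes:
    """RFC 1006 header: version 3, reserved 0, total length incl. header."""
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(payload)) + payload


def cotp_connect_request(dst_tsap: bytes, src_tsap: bytes = b"\x01\x00",
                         tpdu_size_code: int = 0x0A) -> bytes:
    """Step 2: COTP CR carrying calling/called TSAPs.
    TPDU size code 0x0A requests 2**10 = 1024-byte TPDUs."""
    body = struct.pack(">BHHB", COTP_CR, 0x0000, 0x0001, 0x00)  # type, dst ref, src ref, class 0
    body += bytes([0xC0, 0x01, tpdu_size_code])                   # parameter: TPDU size
    body += bytes([0xC1, len(src_tsap)]) + src_tsap               # parameter: calling TSAP
    body += bytes([0xC2, len(dst_tsap)]) + dst_tsap               # parameter: called TSAP
    return tpkt(bytes([len(body)]) + body)                         # length indicator excludes itself


def s7_setup_communication(pdu_ref: int = 0, max_amq_calling: int = 1,
                           max_amq_called: int = 1, pdu_length: int = 480) -> bytes:
    """Step 3: Job PDU with parameter function 0xF0 proposing the job
    queue depths and PDU size; the CPU replies with what it grants."""
    param = struct.pack(">BBHHH", S7_FUNC_SETUP_COMM, 0x00,
                        max_amq_calling, max_amq_called, pdu_length)
    header = struct.pack(">BBHHHH", S7_PROTOCOL_ID, S7_ROSCTR_JOB,
                         0x0000, pdu_ref, len(param), 0)   # redundancy id, ref, param len, data len
    cotp_dt = bytes([0x02, COTP_DT, 0x80])                 # LI, DT, TPDU number with EOT bit
    return tpkt(cotp_dt + header + param)


def parse_s7_pdu(frame: bytes) -> dict:
    """Strip TPKT + COTP DT and decode the S7comm header; for function
    0xF0 also return the negotiated values.  Raises ValueError for
    anything that is not an S7comm PDU (bad TPKT length, not DT, no 0x32)."""
    if len(frame) < 7 or frame[0] != TPKT_VERSION:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length does not match frame length")
    cotp_li = frame[4]
    if frame[5] != COTP_DT:
        raise ValueError("not a COTP DT TPDU")
    s7 = frame[5 + cotp_li:]
    if len(s7) < 10 or s7[0] != S7_PROTOCOL_ID:
        raise ValueError("missing S7comm protocol id 0x32")
    info = {"rosctr": s7[1]}
    info["pdu_ref"], param_len, info["data_len"] = struct.unpack(">HHH", s7[4:10])
    pos = 10
    if info["rosctr"] in (S7_ROSCTR_ACK, S7_ROSCTR_ACK_DATA):  # Ack/Ack_Data add error class+code
        info["error_class"], info["error_code"] = s7[10], s7[11]
        pos = 12
    param = s7[pos:pos + param_len]
    if not param:
        raise ValueError("empty parameter block")
    info["function"] = param[0]
    if param[0] == S7_FUNC_SETUP_COMM and len(param) >= 8:
        (info["max_amq_calling"], info["max_amq_called"],
         info["pdu_length"]) = struct.unpack(">HHH", param[2:8])
    return info


# Constructed Ack_Data reply (not from a real capture): the CPU grants
# AmQ 1/1 and lowers the PDU size from the proposed 480 to 240 bytes.
SAMPLE_SETUP_ACK = bytes.fromhex(
    "0300001b" "02f080" "320300000000000800000000" "f00000010001" "00f0")

if __name__ == "__main__":
    cr = cotp_connect_request(encode_tsap(1, 0, 2))   # PG connection to rack 0, slot 2
    print("COTP CR     :", cr.hex())
    print("Setup comm  :", s7_setup_communication().hex())
    print("Parsed reply:", parse_s7_pdu(SAMPLE_SETUP_ACK))
```

The parser deliberately rejects frames whose TPKT length disagrees with the bytes actually received; when reading from a socket, read the four-byte TPKT header first and then exactly the announced remainder, otherwise a slow or fragmented reply will be misparsed.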
History
The protocol has been used by Siemens since the Simatic S7 product series was launched in 1994. It is also used on top of other physical/network layers, such as RS-485 with MPI (Multi-Point Interface) or Profibus.
Protocol dependencies
S7 communication consists of (at least) the following protocols:
COTP: ISO 8073 Connection-Oriented Transport Protocol (specification available as RFC 905)
TPKT: RFC 1006 'ISO transport services on top of the TCP: Version 3', updated by RFC 2126
TCP: Typically, TPKT uses TCP as its transport protocol. The well-known TCP port for TPKT traffic is 102.
Example traffic
Wireshark
The S7comm dissector is partially functional.
Example capture file
- SampleCaptures/s7comm_downloading_block_db1.pcap: connecting and downloading program block DB1 into the PLC
- SampleCaptures/s7comm_program_blocklist_onlineview.pcap: connecting and getting a list of all available blocks in the PLC
- SampleCaptures/s7comm_reading_plc_status.pcap: connecting and viewing the PLC status
- SampleCaptures/s7comm_reading_setting_plc_time.pcap: connecting, reading and setting the time of the PLC
- SampleCaptures/s7comm_varservice_libnodavedemo.pcap: running the libnodave demo with an S7-300 PLC, using variable services with several areas
- SampleCaptures/s7comm_varservice_libnodavedemo_bench.pcap: running the libnodave demo benchmark with an S7-300 PLC, using variable services to check the communication capabilities
Display Filter
A complete list of S7comm display filter fields can be found in the display filter reference.
Show only the S7comm based traffic: s7comm
Capture Filter
You cannot directly filter on the S7comm protocol while capturing.
S7comm uses TCP port 102, so S7comm data can be captured with the capture filter tcp port 102.
External links
RFC 1006: ISO Transport Service on top of the TCP, Version 3, based on ISO 8073
RFC 905: ISO Transport Protocol Specification, ISO DP 8073
Siemens - Information about the properties of the S7 protocol: What properties, advantages and special features does the S7 protocol offer (Siemens Industry Online Support)
Discussion
SIMATIC is a series of programmable logic controllers and automation systems developed by Siemens. Introduced in 1958, the series has gone through four major generations, the latest being the SIMATIC S7 generation. The series is intended for industrial automation and production.
The name SIMATIC is a registered trademark of Siemens. It is a portmanteau of “Siemens” and “Automatic”.
Function[edit]
As with other programmable logic controllers, SIMATIC devices are intended to separate the control of a machine from the machine's direct operation, in a more lightweight and versatile manner than controls hard-wired for a specific machine. Early SIMATIC devices were transistor-based, intended to replace relays attached and customized to a specific machine. Microprocessors were introduced in 1973, allowing programs similar to those on general-purpose digital computers to be stored and used for machine control.[1] SIMATIC devices have input and output modules to connect with controlled machines. The programs on the SIMATIC devices respond in real time to inputs from sensors on the controlled machines, and send output signals to actuators on the machines that direct their subsequent operation.
Depending on the device and its connection modules, signals may be a simple binary value ('high' or 'low') or more complex. For example, a binary input going from a thermometer on a machine to a SIMATIC device might have the following meanings:
- “High” signal: Temperature exceeded an operating limit
- “Low” signal: Temperature is within expected limits
Based on this input, and other factors, the program on the SIMATIC device might send a binary output signal to the same machine with the following meanings:
- “High” signal: Run the motor
- “Low” signal: Stop the motor
More complex inputs, outputs, and calculations were also supported as the SIMATIC line developed. For example, the SIMATIC 505 could handle floating point quantities and trigonometric functions.[2]
Product lines[edit]
Siemens has developed four product lines to date:
- 1958: SIMATIC Version G
- 1973: SIMATIC S3
- 1979: SIMATIC S5
- 1995: SIMATIC S7
SIMATIC S5[edit]
The S5 line was sold in 90U, 95U, 101U, 100U, 105, 110, 115, 115U, 135U, and 155U chassis styles. The higher the number (except for the 101U), the more sophisticated and more expensive the system was. Within each chassis style, several CPUs were available, with varying speed, memory, and capabilities. Some systems provided redundant CPU operation for ultra-high-reliability control, as used in pharmaceutical manufacturing, for example.
Each chassis consisted of a power supply, and a backplane with slots for the addition of various option boards. Available options included serial and Ethernet communications, digital input and output cards, analog signal processing boards, counter cards, and other specialized interface and function modules.
SIMATIC S7[edit]
The first entries in the S7 line were released in 1994, available in three performance classes: S7-200, S7-300 and S7-400. The introduction of SIMATIC S7 also saw the release of a new fieldbus standard, PROFIBUS, and the pioneering use of industrial Ethernet to facilitate communication between automation devices. The great success of the S7-300 CPU family in particular helped to cement the role of Siemens as one of the global leaders in automation technology. These series are expected to be phased out in 2023.[3]
The first generation of S7 CPUs were later succeeded by the S7-1200 and S7-1500, released in 2012.[4] These models came with standard Profinet interface.
Software[edit]
Programs running on SIMATIC devices run in software environments created by Siemens. The environment varies by product line:
- The SIMATIC S5 product line is programmed in STEP 5.
- The SIMATIC S7 product line is programmed in STEP 7 (V5.x or TIA Portal).[5]
Step 5[edit]
The S5 product line was usually programmed with a PC based software programming tool called STEP 5. STEP 5 was used for programming, testing, and commissioning, and for documentation of programs for S5 PLCs.
The original STEP 5 versions ran on the CP/M operating system. Later versions ran on MS-DOS, and then versions of Windows through Windows XP. The final version of STEP 5 was version 7.2 (upgradable to version 7.23 Hotfix 1 with patches).
In addition to STEP 5, Siemens offered a proprietary State logic programming package called Graph5. Graph5 is a sequential programming language intended for use on machines that normally run through a series of discrete steps. It simulates a State machine on the S5 platform.
Several third-party programming environments were released for the S5. Most closely emulated STEP 5, some adding macros and other minor enhancements, others functioning drastically differently from STEP 5. One allowed STEP 5 programs to be cross-compiled to and from the C programming language and BASIC.
Structured programming[edit]
STEP 5 allowed the creation of structured or unstructured programming, from simple AND/OR operations up to complex subroutines. A STEP 5 program may, therefore, contain thousands of statements.
To maintain maximum transparency, STEP 5 offers a number of structuring facilities:
- Block technique - A linear operation sequence is divided into sections and packed into individual blocks.
- Segments - Within blocks, fine structuring is possible by programming subtasks in individual segments.
- Comments - Both a complete program as well as individual blocks or segments and individual statements can be directly provided with comments.
Methods of representation[edit]
STEP 5 programs can be represented in three different ways:
- Statement List (STL) - The program consists of a sequence of mnemonic codes of the commands executed one after another by the PLC.
- Ladder Diagram (LAD) - Graphical representation of the automation task with symbols of the circuit diagram
- Function Block Diagram (FBD) - Graphical representation of the automation task with symbols to DIN 40700/ DIN 40719.
Absolute or symbolic designations can be used for operands with all three methods of representation.
In LAD and FBD complex functions and function block calls can be entered via function keys. They are displayed on the screen as graphical symbols.
There are several program editors, either genuine Siemens products or from other suppliers. After Siemens discontinued support, other suppliers started to develop new STEP 5 versions that can run on Windows XP or Windows 7.
Blocks[edit]
Five types of blocks are available:
- Organization blocks (OB) - for managing the control program
- Programming blocks (PB) - contain the control program structured according to functional or process-oriented characteristics
- Sequence blocks (SB) - for programming sequential controls
- Function blocks (FB) - contain frequently occurring and particularly complex program parts
- Data blocks (DB) - for storing data required for processing the control program.
Some S5 PLCs also have block types FX (Extended Function Blocks) and DX (Extended Data Blocks); these are not distinct block types, but rather another set of available blocks due to the CPU having more memory and addressing space.
Operations[edit]
STEP 5 differentiates between three types of operations:
- Basic operations, (e.g. linking, saving, loading & transferring, counting, comparing, arithmetic operations, module operations) - These can be performed in all three representations.
- Supplementary operations and complex functions, (e.g. substitution statements, testing functions, word-by-word logic operations, decrement/increment and jump functions.) - These can only be executed in STL.
- System operations (direct access the operating system) - These can only be executed in STL.
Stuxnet[edit]
The Stuxnet computer worm specifically targeted SIMATIC S7-300 and S7-400 PLCs via their STEP 7 programming environment: it replaced the communication library that STEP 7 uses to talk to the PLC, which let it inject its own blocks into the controller over the normal programming connection and hide those blocks from anyone reading the program back with STEP 7.
References[edit]
- ^ '60 Years of Simatic'. Siemens. Retrieved 4 March 2020.
- ^ 'Siemens Simatic 505'. Centre for Computing History. Retrieved 4 March 2020.
- ^ 'SIMATIC S7-300'. Siemens. Retrieved 12 November 2020.
- ^ 'What are the differences between SIMATIC S7-300 and S7-1500 PLCs?'. RealPars. Retrieved 12 November 2020.
- ^ 'PLC Programming with SIMATIC STEP'. Siemens. Retrieved 4 March 2020.
External links[edit]
- Hans Berger (2009) [2000]. Automating with SIMATIC. ISBN 978-3-89578-333-3.
- Hans Berger (2011). Automating with SIMATIC S7-1200. ISBN 978-3-89578-356-2.
- Jürgen Müller (2005). Controlling with SIMATIC. ISBN 978-3-89578-255-8.