## # Most of this is extracted from s7comm # wireshark dissector plugin sources # created by Thomas Wiens # Date: 2016-15-03 # Author: Gyorgy Miru # Version: 0.2 ## #Protocol ID: 0x32 - Protocol ID #Message Types: 0x01 - Job Request 0x02 - Ack 0x03 - Ack-Data 0x07 - Userdata #Header Error Class: 0x00 - No error 0x81 - Application relationship error 0x82 - Object definition error 0x83 - No ressources available error 0x84 - Error on service processing 0x85 - Error on supplies 0x87 - Access error #Header Error Codes: (Further refines error) #Parameter Error Codes: 0x0000 - No error 0x0110 - Invalid block type number 0x0112 - Invalid parameter 0x011A - PG ressource error 0x011B - PLC ressource error 0x011C - Protocol error 0x011F - User buffer too short 0x0141 - Request error 0x01C0 - Version mismatch 0x01F0 - Not implemented 0x8001 - L7 invalid CPU state 0x8500 - L7 PDU size error 0xD401 - L7 invalid SZL ID 0xD402 - L7 invalid index 0xD403 - L7 DGS Connection already announced 0xD404 - L7 Max user NB 0xD405 - L7 DGS function parameter syntax error 0xD406 - L7 no info 0xD601 - L7 PRT function parameter syntax error 0xD801 - L7 invalid variable address 0xD802 - L7 unknown request 0xD803 - L7 invalid request status #Return value of item response 0x00 - Reserved 0x01 - Hardware fault 0x03 - Accessing the object not allowed 0x05 - Address out of range 0x06 - Data type not supported 0x07 - Data type inconsistent 0x0a - Object does not exist 0xff - Success #Job Request/Ack-Data function codes 0x00 - CPU services 0xF0 - Setup communication 0x04 - Read Variable 0x05 - Write Variable 0x1A - Request download 0x1B - Download block 0x1C - Download ended 0x1D - Start upload 0x1E - Upload 0x1F - End upload 0x28 - PLC Control 0x29 - PLC Stop #Memory Areas 0x03 - System info of S200 family 0x05 - System flags of S200 family 0x06 - Analog inputs of S200 family 0x07 - Analog outputs of S200 family 0x1C - S7 counters (C) 0x1D - S7 timers (T) 0x1E - IEC counters (200 family) 0x1F - IEC timers (200 family) 0x80 - Direct peripheral access (P) 0x81 - Inputs (I) 0x82 - Outputs (Q) 0x83 - Flags (M) (Merker) 0x84 - Data blocks (DB) 0x85 - Instance data blocks (DI) 0x86 - Local data (L) 0x87 - Unknown yet (V) #Transport size (variable Type) in Item data 0x01 - BIT 0x02 - BYTE 0x03 - CHAR 0x04 - WORD 0x05 - INT 0x06 - DWORD 0x07 - DINT 0x08 - REAL 0x09 - DATE 0x0A - TOD 0x0B - TIME 0x0C - S5TIME 0x0F - DATE AND TIME 0x1C - COUNTER 0x1D - TIMER 0x1E - IEC TIMER 0x1F - IEC COUNTER 0x20 - HS COUNTER #Variable ddressing mode 0x10 - S7-Any pointer (regular addressing) memory+variable length+offset 0xa2 - Drive-ES-Any seen on Drive ES Starter with routing over S7 0xb2 - S1200/S1500? Symbolic addressing mode 0xb0 - Special DB addressing for S400 (subitem read/write) #Transport size in data 0x00 - NULL 0x03 - BIT 0x04 - BYTE/WORD/DWORD 0x05 - INTEGER 0x07 - REAL 0x09 - OCTET STRING #Block type constants '08' - OB '0A' - DB '0B' - SDB '0C' - FC '0D' - SFC '0E' - FB '0F' - SFB #Sub block types 0x08 - OB 0x0a - DB 0x0b - SDB 0x0c - FC 0x0d - SFC 0x0e - FB 0x0f - SFB #Block security mode 0 - None 3 - Kow How Protect #Block Language 0x00 - Not defined 0x01 - AWL 0x02 - KOP 0x03 - FUP 0x04 - SCL 0x05 - DB 0x06 - GRAPH 0x07 - SDB 0x08 - CPU-DB DB was created from Plc programm (CREAT_DB) 0x11 - SDB (after overall reset) another SDB, don't know what it means, in SDB 1 and SDB 2, uncertain 0x12 - SDB (Routing) another SDB, in SDB 999 and SDB 1000 (routing information), uncertain 0x29 - ENCRYPT block is encrypted (encoded?) with S7-Block-Privacy #Userdata transmission type 0x0 - Push cyclic data push by the PLC 0x4 - Request by the master 0x8 - Response by the slave #Userdata last PDU 0x00 - Yes 0x01 - No #Userdata Functions 0x1 - Programmer commands 0x2 - Cyclic data 0x3 - Block functions 0x4 - CPU functions 0x5 - Security 0x7 - Time functions #Variable table type of data 0x14 - Request 0x04 - Response #VAT area and length type 0x01 - MB 0x02 - MW 0x03 - MD 0x11 - IB 0x12 - IW 0x13 - ID 0x21 - QB 0x22 - QW 0x23 - QD 0x31 - PIB 0x32 - PIW 0x33 - PID 0x71 - DBB 0x72 - DBW 0x73 - DBD 0x54 - TIMER 0x64 - COUNTER #Userdata programmer subfunctions 0x01 - Request diag data (Type 1) 0x02 - VarTab 0x0c - Erase 0x0e - Read diag data 0x0f - Remove diag data 0x10 - Forces 0x13 - Request diag data (Type2) #Userdata cyclic data subfunctions 0x01 - Memory 0x04 - Unsubscribe #Userdata block subfunctions 0x01 - List blocks 0x02 - List blocks of type 0x03 - Get block info #Userdata CPU subfunctions 0x01 - Read SZL 0x02 - Message service 0x03 - Transition to stop 0x0b - Alarm was acknowledged in HMI/SCADA 1 0x0c - Alarm was acknowledged in HMI/SCADA 2 0x11 - PLC is indicating a ALARM message 0x13 - HMI/SCADA initiating ALARM subscription #Userdata security subfunctions 0x01 - PLC password #Userdata time subfunctions 0x01 - Read clock 0x02 - Set clock 0x03 - Read clock (following) 0x04 - Set clock #Flags for LID access 0x2 - Encapsulated LID 0x3 - Encapsulated Index 0x4 - Obtain by LID 0x5 - Obtain by Index 0x6 - Part Start Address 0x7 - Part Length #TIA 1200 area names 0x8a0e - DB 0x0000 - IQMCT 0x50 - Inputs (I) 0x51 - Outputs (Q) 0x52 - Flags (M) 0x53 - Counter (C) 0x54 - Timer (T)