[old horse of industrial control] detailed explanation of Siemens PLC TCP protocol

Siemens PLC TCP protocol

explain ： The blue text indicates the cracked part ,[ Red text ] Indicates the description of cracking some numbers , Black text indicates further explanation of the cracked part , Bold text in black italics indicates the uncracked part , The highlighted text part indicates the part that the driver needs to deal with , The driving processing of unmarked highlighted parts can remain the default .

1. Initialize connection
1.1 S7-200

[PLC -> PC]
03 00 00 16 11 d0 00 01 53 38 00 c0 01 09 c1 02 4d 57 c2 02 4d 57

1.2 S7-300
//--------------------------------------------------------------------------------
[PC -> PLC]
03 00 00 16 11 e0 00 00 00 00 00 c1 02 01 00 c2 02 01 02 c0 01 09

//--------------------------------------------------------------------------------
[PLC -> PC]
03 00 00 16 11 d0 00 00 44 31 00 c0 01 09 c1 02 01 00 c2 02 01 02

1.3 S7-400
//--------------------------------------------------------------------------------
[PC -> PLC]
03 00 00 16 11 e0 00 00 00 01 00 c1 02 02 00 c2 02 02 23 c0 01 09

//--------------------------------------------------------------------------------
[PLC -> PC]
03 00 00 16 11 d0 00 00 44 31 00 c0 01 0ac1 02 01 00 c2 02 01 02

2 Initialize communication
//--------------------------------------------------------------------------------
[PC -> PLC]
03 00 00 19 02 f0 80 32 01 00 00 cc c1 00 08 00 00 f0 00 00 01 00 01 03 c0

//--------------------------------------------------------------------------------
[PLC -> PC]
03 00 00 1b 02 f0 80 32 03 00 00 cc c1 00 08 00 00 00 00 f0 01 00 01 00 01 00 f0

3. Reading data
3.1 Typical example [M0]
//--------------------------------------------------------------------------------
[PC -> PLC]
03 00 00 1f 02 f0 80 32 01 00 00 00 00 00 0e 00 00 04 01 12 0a 10 02 00 01 00 00 83 00 00 00

//--------------------------------------------------------------------------------
[PLC -> PC]
03 00 00 1a 02 f0 80 32 03 00 00 00 00 00 02 00 05 00 00 04 01 ff 04 00 08 ec

3.2 The reference sample [VB0 VB254 VB255]
//--------------------------------------------------------------------------------
[PC -> PLC]

//--------------------------------------------------------------------------------
[PLC -> PC]

4 Writing data
4.1 S7-200
4.1.1 Typical example [MB0]
//--------------------------------------------------------------------------------
[PC -> PLC]



//--------------------------------------------------------------------------------
[PLC -> PC]

4.1.2 The reference sample [Q0.0]
//--------------------------------------------------------------------------------
[PC -> PLC]

//--------------------------------------------------------------------------------
[PLC -> PC]

4.2 S7-300
4.2.1 Typical Example [MB0]
//--------------------------------------------------------------------------------
[PC -> PLC]

//--------------------------------------------------------------------------------
[PLC -> PC]

4.2.2 Typical Example [M0.3]
//--------------------------------------------------------------------------------
[PC -> PLC]

//--------------------------------------------------------------------------------
[PLC -> PC]

4.2.3 Typical Example [MW0]
//--------------------------------------------------------------------------------
[PC -> PLC]

//--------------------------------------------------------------------------------
[PLC -> PC]

4.2.4 Typical Example [MW0] Another protocol frame , The difference lies in the arrangement format of variable data and the number of variables
//--------------------------------------------------------------------------------
[PC -> PLC]

//--------------------------------------------------------------------------------
[PLC -> PC]