Replies: 3 comments 1 reply
- There is no open specification; all of it is done by looking at the bytes which go over the wire. Why don't you look at this code, the harpo lib or the Wireshark S7comm plus dissector?
- I've started developing the Wireshark dissector first, but at a time when there was no encryption or even authentication at all. You build up the information using a client which does only minimal communication. I've done most of my analysis with WinCC Scada as client, because I know from developing the classic S7comm dissector what the system does and how you can force only single requests. I build up the dissector, checking what parts are fixed and what parts are changing. Then write specific values and look where the values are in the transmitted data. I think what first wasn't obvious was the variable length encoding. At an early state, I had an absolutely rudimentary driver which was able to send data to a 1200 CPU with firmware V2, which had no authentication. Also other parts are completely different now in current CPUs (like browsing the variables of the CPU). Fortunately I've done most parts before Siemens came up with TLS encryption. If they had first started with TLS, it would be much more complicated. But you can now disable TLS encryption in TIA Portal for at least the current online session. And if I remember correctly, in WinCC V8.1 Siemens has also added the option to disable TLS. Otherwise you can use a TLS man-in-the-middle for analysis, but at this point you need to know many details of the protocol to start from here.
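The differential method described in the reply above (capture several frames of the same request type, mark which offsets stay fixed and which change, then write known values and search for their encoding) can be scripted. The following is an added example and not code from this project or from the dissector author; the frames it analyses are constructed sample bytes with an assumed layout (fixed header, sequence counter, item tag, big-endian value, trailer) and are not real S7CommPlus traffic.

```python
"""Differential analysis of captured protocol frames.

Added example for the method described in the thread: capture several
frames of the same request type, mark which byte offsets stay fixed and
which change, then write known values and search for their encoding in
the variable region. The frames below are constructed for illustration
and are not real S7CommPlus traffic; the layout is an assumption.
"""
import struct
from typing import Dict, List, Sequence, Tuple

Candidate = Tuple[int, int, str]  # (offset, width in bytes, byte order)


def make_frame(seq: int, value: int) -> bytes:
    """Build a constructed frame: 4-byte fixed header, 2-byte sequence
    counter, 2-byte fixed item tag, 4-byte big-endian value, 1-byte trailer."""
    return (b"\xaa\xbb\x00\x10"
            + struct.pack(">H", seq)
            + b"\x01\x02"
            + struct.pack(">I", value)
            + b"\xff")


# Constructed captures: (frame bytes, value the client was told to write).
CAPTURES: List[Tuple[bytes, int]] = [
    (make_frame(1, 1234), 1234),
    (make_frame(2, 1234), 1234),
    (make_frame(3, 99999), 99999),
]


def classify_offsets(frames: Sequence[bytes]) -> Tuple[Dict[int, int], List[int]]:
    """Split byte offsets into those identical across all frames and those
    that differ. All frames must have the same length; variable-length
    fields need separate handling before this step."""
    lengths = {len(f) for f in frames}
    if len(lengths) != 1:
        raise ValueError(f"frames differ in length: {sorted(lengths)}")
    fixed: Dict[int, int] = {}
    variable: List[int] = []
    for off in range(lengths.pop()):
        column = {f[off] for f in frames}
        if len(column) == 1:
            fixed[off] = column.pop()
        else:
            variable.append(off)
    return fixed, variable


def locate_value(frame: bytes, value: int,
                 widths: Sequence[int] = (1, 2, 4)) -> List[Candidate]:
    """Find every offset where `value` appears as an unsigned integer of
    one of the given widths, in either byte order."""
    hits: List[Candidate] = []
    for width in widths:
        if value >= 256 ** width:
            continue  # value cannot be encoded in this width
        for order in ("big", "little"):
            needle = value.to_bytes(width, order)
            start = frame.find(needle)
            while start != -1:
                hits.append((start, width, order))
                start = frame.find(needle, start + 1)
    return hits


def correlate(captures: Sequence[Tuple[bytes, int]]) -> List[Candidate]:
    """Keep only the (offset, width, order) encodings that explain the
    known value in every capture; a single capture usually yields several
    coincidental matches that the other captures rule out."""
    common = None
    for frame, value in captures:
        found = set(locate_value(frame, value))
        common = found if common is None else common & found
    return sorted(common or [])


if __name__ == "__main__":
    frames = [f for f, _ in CAPTURES]
    fixed, variable = classify_offsets(frames)
    print("fixed offsets   :", sorted(fixed))
    print("variable offsets:", variable)
    print("value field     :", correlate(CAPTURES))
```

Note the pitfall the sample reproduces: with small sample values the high bytes of the sequence counter and of the value field never change, so `classify_offsets` reports them as fixed. Only `correlate`, which tests candidate widths against every known value, recovers the true 4-byte field at offset 8. Writing deliberately large and distinct values across captures is what separates field width from constant padding.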
- Maybe it would also work to patch the OpenSSL libs in TIA Portal to write the key to a file.
- Hello,
  I'm a software developer working for Phoenix Contact. Currently, we aim to integrate an S7CommPlus driver into our open-source software tool called IIoT Framework. For that, we need to reverse engineer the protocol in a similar way to how this project does it. So I would like to ask how this project was realized. Is there any specification for S7CommPlus available to understand what would be needed? Our goal is to create an implementation that is supported in industrial use. Can anyone help us to understand how to reverse engineer S7CommPlus? Thanks in advance and make it a great day!