SessionKey handshake for V1-initial S7-1200 PLCs

.pre-commit-config.yaml

@@ -3,7 +3,9 @@ repos:
     rev: v6.0.0
     hooks:
       - id: trailing-whitespace
+        exclude: '\.bin$'
       - id: end-of-file-fixer
+        exclude: '\.bin$'
       - id: check-ast
       - id: check-shebang-scripts-are-executable
       - id: check-json

s7/_s7commplus_client.py

@@ -261,7 +261,10 @@ def explore(self, explore_id: int = 0) -> bytes:
         if self._connection is None:
             raise RuntimeError("Not connected")
 
-        payload = _build_explore_payload(explore_id)
+        if self._connection._session_key is not None:
+            payload = _build_explore_payload_v3(explore_id if explore_id else 0x38)
+        else:
+            payload = _build_explore_payload(explore_id)
         response = self._connection.send_request(FunctionCode.EXPLORE, payload)
         return response
 
@@ -365,7 +368,12 @@ def list_datablocks(self) -> list[dict[str, Any]]:
         if self._connection is None:
             raise RuntimeError("Not connected")
 
-        payload = _build_explore_request(Ids.NATIVE_THE_PLC_PROGRAM_RID, [Ids.OBJECT_VARIABLE_TYPE_NAME, Ids.BLOCK_BLOCK_NUMBER])
+        if self._connection._session_key is not None:
+            payload = _build_explore_payload_v3(Ids.NATIVE_THE_PLC_PROGRAM_RID)
+        else:
+            payload = _build_explore_request(
+                Ids.NATIVE_THE_PLC_PROGRAM_RID, [Ids.OBJECT_VARIABLE_TYPE_NAME, Ids.BLOCK_BLOCK_NUMBER]
+            )
         response = self._connection.send_request(FunctionCode.EXPLORE, payload)
         return _parse_explore_datablocks(response)
 
@@ -394,7 +402,10 @@ def browse(self) -> list[dict[str, Any]]:
             db_rid = db_info.get("rid", 0)
             if db_rid == 0:
                 continue
-            payload = _build_explore_request(db_rid, [Ids.OBJECT_VARIABLE_TYPE_NAME])
+            if self._connection._session_key is not None:
+                payload = _build_explore_payload_v3(db_rid)
+            else:
+                payload = _build_explore_request(db_rid, [Ids.OBJECT_VARIABLE_TYPE_NAME])
             try:
                 response = self._connection.send_request(FunctionCode.EXPLORE, payload)
                 fields = _parse_explore_fields(response, db_info["number"], db_info["name"])
@@ -720,6 +731,19 @@ def _build_explore_payload(explore_id: int = 0) -> bytes:
     return bytes(payload)
 
 
+def _build_explore_payload_v3(explore_id: int, sequence: int = 10) -> bytes:
+    """Build a V3-style EXPLORE request payload matching TIA Portal format.
+
+    V1-initial PLCs use a 4-byte big-endian InObjectId followed by
+    fixed parameters, rather than the VLQ-based format.
+    """
+    payload = struct.pack(">I", explore_id)
+    payload += bytes([0x00, 0x01, 0x00, 0x01, 0x00, 0x00])
+    payload += bytes([sequence & 0xFF])
+    payload += bytes([0x00, 0x00, 0x00, 0x00, 0x00])
+    return payload
+
+
 def _build_invoke_payload(state: int) -> bytes:
     """Build an INVOKE request payload for SetPlcOperatingState.
 

s7/_s7commplus_server.py

@@ -635,23 +635,25 @@ def _handle_create_object(self, seq_num: int, request_data: bytes) -> bytes:
             session_id = self._next_session_id
             self._next_session_id += 1
 
-        # Build CreateObject response
+        # CreateObject response header is 10 bytes — there is no session_id
+        # field; session IDs come from the ResponseSet body's ObjectIds list.
+        # Reference: thomas-v2/S7CommPlusDriver CreateObjectResponse.Deserialize
         response = bytearray()
 
-        # Response header
         response += struct.pack(
-            ">BHHHHIB",
+            ">BHHHHB",
             Opcode.RESPONSE,
             0x0000,  # Reserved
             FunctionCode.CREATE_OBJECT,
             0x0000,  # Reserved
             seq_num,
-            session_id,
             0x00,  # Transport flags
         )
 
-        # Return code: success
-        response += encode_uint32_vlq(0)
+        # ResponseSet
+        response += encode_uint32_vlq(0)  # ReturnValue
+        response += bytes([1])  # ObjectIdCount
+        response += encode_uint32_vlq(session_id)  # ObjectIds[0] = session id
 
         # Object with session info
         response += bytes([ElementID.START_OF_OBJECT])