Even though Siemens never officially released their PLC communication protocol, there is a lot of information available, most of which was gained by reverse-engineering the network communication.

Bits and bytes about the actual Siemens S7 protocol can be found in various places.

• Siemens: Welche Eigenschaften, Vorteile und Besonderheiten bietet das S7-Protokoll?
• Siemens: STEP 7 Professional V14 SP1 Manual
• Siemens: String Parameterzuweisung

• Apache PLX4X: S7 Communication Overview
• Apache PLX4X: S7 Comm (0x32) Protocol description

• Wireshark

  • S7 Communication in the Wireshark Wiki
  • Wireshark S7comm dissector
• Snap7: Online Protocol Description
• LibNoDave: Packages the documentation with the download

• Kepware: Siemens TCP/IP Ethernet Driver
• Automation Direct C-more: https://www.automationdirect.com/microsites/c-more/software-help/Content/480.htm

• Kunbus: https://revolution.kunbus.com/tutorials/konfigurationswerte-fuer-revpi-7/

• S7NetPlus: https://github.com/S7NetPlus/s7netplus

• Moki: https://github.com/moki-ics/s7commwireshark/blob/master/src/s7comm/packet-s7comm.c

• Amit Kleinmann, Avishai Wool: Accurate Modeling of the Siemens S7 Scada Protocol for Intrusion Detection and Digital Forensics
• Jan Tore Sørensen, Martin Gilje Jaatun: An Analysis of the Manufacturing Messaging Specification Protocol

• Gyorgy Miru: General Structure
• Gyorgy Miru: Job Requests and Ack Data

• https://vulners.com/openvas/OPENVAS:1361412562310106099
• https://laucyun.com/3aa43ada8cfbd7eca51304b0c305b523.html