10 Constants

PLC Types

The values correspond to the slot the CPU sits in. The rack number is usually 0.

CPU Type Slot
S7-300 2: 0x02
S7-400 3: 0x03
S7-1200 1: 0x01
S7-1500 1: 0x01

Beware that some PLC types require special settings in TIA Portal / Simatic Manager!

Message Types

Also called ROSCTR (Remote Operating Service Control), as used in the S7COMM Header

Message Type Value
JOB 0x01 (request)
ACK 0x02 (acknowledge)
ACK_DATA 0x03 (response)
USERDATA 0x07 (request user data)
SRVCTRL 0x08 (request server control)

Function Codes

As used in the S7COMM Header

Function Code
CPU services 0x00
Setup communication 0xF0
Read Variable 0x04
Write Variable 0x05
Request download 0x1A
Download block 0x1B
Download ended 0x1C
Start upload 0x1D
Upload 0x1E
End upload 0x1F
PLC Control 0x28
PLC Stop 0x29

PDU Sizes

The PDU size needs to be negotiated: the client requests a value and the PLC replies with the value it actually supports. Beware: Not all PLCs understand or can reply to all PDU size values!

PLC Type Value
S7-1200 0x00F0 = 240 bytes
Default 0x01E0 = 480 bytes
S7-1500 0x03C0 = 960 bytes
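
An added example (not part of the original page or of the Wireshark dissector): a passive classifier for monitoring that reads the message type and function code from an S7comm PDU, reports the PDU size carried in a Setup communication exchange, and flags job requests that change PLC state. It assumes the header layout used by the Wireshark s7comm dissector (protocol ID, ROSCTR, reserved, PDU reference, parameter length, data length, plus error class and code on ACK/ACK_DATA); the `STATE_CHANGING` set and the sample bytes are constructed for this example.

```python
import struct

# Values copied from the Message Types and Function Codes tables on this page.
ROSCTR = {0x01: "JOB", 0x02: "ACK", 0x03: "ACK_DATA", 0x07: "USERDATA", 0x08: "SRVCTRL"}
FUNCTIONS = {
    0x00: "CPU services", 0xF0: "Setup communication", 0x04: "Read Variable",
    0x05: "Write Variable", 0x1A: "Request download", 0x1B: "Download block",
    0x1C: "Download ended", 0x1D: "Start upload", 0x1E: "Upload",
    0x1F: "End upload", 0x28: "PLC Control", 0x29: "PLC Stop",
}
# Assumption of this example: job functions worth an alert because they
# change PLC memory, program blocks or run state.
STATE_CHANGING = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}

def classify_s7comm(pdu: bytes) -> dict:
    """Classify one S7comm PDU (TPKT and COTP framing already removed)."""
    if len(pdu) < 10 or pdu[0] != 0x32:
        raise ValueError("not an S7comm PDU")
    # Header: ROSCTR, reserved, PDU reference, parameter length, data length.
    rosctr, _, pdu_ref, param_len, data_len = struct.unpack(">BHHHH", pdu[1:10])
    # ACK and ACK_DATA add two header bytes: error class and error code.
    hdr_len = 12 if rosctr in (0x02, 0x03) else 10
    if len(pdu) < hdr_len + param_len + data_len:
        raise ValueError("truncated S7comm PDU")
    result = {"type": ROSCTR.get(rosctr, f"unknown 0x{rosctr:02X}"),
              "pdu_ref": pdu_ref, "function": None, "pdu_size": None, "alert": False}
    param = pdu[hdr_len:hdr_len + param_len]
    if rosctr in (0x01, 0x03) and param:
        code = param[0]  # first parameter byte is the function code
        result["function"] = FUNCTIONS.get(code, f"unknown 0x{code:02X}")
        result["alert"] = rosctr == 0x01 and code in STATE_CHANGING
        if code == 0xF0 and len(param) >= 8:
            # Setup communication: last two parameter bytes are the PDU size.
            result["pdu_size"] = struct.unpack(">H", param[6:8])[0]
    return result

# Constructed samples (not captures). SAMPLE_STOP carries only the function
# byte as its parameter, which is enough for classification.
SAMPLE_SETUP_REQ = bytes.fromhex("32010000000100080000f0000001000101e0")
SAMPLE_SETUP_RESP = bytes.fromhex("320300000001000800000000f0000001000100f0")
SAMPLE_STOP = bytes.fromhex("3201000000020001000029")

if __name__ == "__main__":
    for sample in (SAMPLE_SETUP_REQ, SAMPLE_SETUP_RESP, SAMPLE_STOP):
        print(classify_s7comm(sample))
```

Comparing `pdu_size` in the request and in the matching ACK_DATA (same `pdu_ref`) shows the negotiation: here 480 bytes are requested and 240 are granted.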

Memory Areas

Area type Value
P 0x80
I 0x81
O 0x82
M 0x83
DB 0x84
Counter 0x1C
Timer 0x1D

Variable Types

Request Data Types

in item data

Variable type Value bits Sign
BIT 0x01 1
BYTE 0x02 8 unsigned
CHAR 0x03 8 signed
WORD 0x04 16 unsigned
INT (short) 0x05 16 signed
DWORD 0x06 32 unsigned
DINT (long) 0x07 32 signed
REAL 0x08 32 floating point
DATE 0x09 64
TOD 0x0A

Variable Addressing Mode

Usually referred to as “Syntax ID”

Mode Description
0x10 S7-Any (memory + variable_length + offset, e.g. DB1.DBX10.2)
0x13 R_ID for PBC
0x16 Alarm Message
0x19 Alarm Acknowledge Message
0x82 Sinumerik NCK HMI Access
0xa2 Drive-ES-Any (seen on Drive ES Starter with routing over S7)
0xb2 Symbolic addressing mode for S7-1200/1500
0xb0 Special DB addressing for S7-400 (subitem read/write)

Transport Data Types

Correspond to Transport Sizes

Requested type Value Transp. Unit Size
BIT 0x03 bits 1
BYTE, WORD, DWORD 0x04 bits 8, 16, 32
INT 0x05 bits 16
DINT 0x06 bytes 4
REAL 0x07 bytes 4
CHAR 0x09 bytes 1

Parameter Error Codes

Taken from Wireshark dissector and libnodave header files - might actually be “Error Class” and “Error Code”

Description Value
No error 0x0000
Invalid block type number 0x0110
Invalid parameter 0x0112
PG resource error 0x011A
PLC resource error 0x011B
Protocol error 0x011C
User buffer too short 0x011F
Request error 0x0141
Version mismatch 0x01C0
Not implemented 0x01F0
L7 invalid CPU state 0x8001
hardware fault. 0x8101
object access not allowed. 0x8103
context is not supported or PUT/GET not enabled 0x8104
invalid address. 0x8105
data type not supported. 0x8106
data type not consistent. 0x8107
object does not exist. 0x810A
insufficient CPU memory ? 0x8301
CPU already in RUN or already in STOP ? 0x8402
severe error ? 0x8404
L7 PDU size error 0x8500
address invalid. 0x8702
Step7:variant of command is illegal. 0xd002
Step7:status for this command is illegal. 0xd004
Step7:function is not allowed in the current protection level 0xd0A1
block name syntax error. 0xd201
syntax error function parameter. 0xd202
syntax error block type. 0xd203
no linked block in storage medium. 0xd204
object already exists. 0xd205
object already exists. 0xd206
block exists in EPROM. 0xd207
block does not exist/could not be found. 0xd209
no block present. 0xd20e
block number too big. 0xd210
unfinished block transfer in progress(???) 0xd240
Coordination rules were violated. 0xd240
Operation not permitted in current protection level. 0xd241
protection violation while processing F-blocks. 0xd242
L7 invalid SZL ID 0xD401
L7 invalid index 0xD402
L7 DGS Connection already announced 0xD403
L7 Max user NB 0xD404
L7 DGS function parameter syntax error 0xD405
L7 info not available 0xD406
diagnosis: DP error. 0xd409
L7 PRT function parameter syntax error 0xD601
L7 invalid variable address 0xD801
L7 unknown request 0xD802
L7 invalid request status 0xD803
invalid BCD code or Invalid time format? 0xdc01

Response Item Return Codes

Partly taken from Wireshark dissector

Description Value
Reserved 0x00
Hardware fault 0x01
Object Accessing not allowed 0x03
Address out of range 0x05
Data type not supported 0x06
Data type inconsistent (size mismatch?) 0x07
Object does not exist 0x0A
Parameter does not exist 0x20
Parameter is read-only 0x21
Parameter value out of range 0x22
Parameter index is wrong 0x23
Parameter has no index 0x24
Parameter value impermissible 0x34
Drive-ES-Any error (???) 0x39
Success 0xFF

Parameter-related return codes pertain to Drive-ES-Any communication.


Taken from

# Most of this is extracted from s7comm 
# wireshark dissector plugin sources 
# created by Thomas Wiens <th.wiens[AT]>
# Date: 2016-15-03
# Author: Gyorgy Miru
# Version: 0.2
#Protocol ID:
0x32 - Protocol ID
#Message Types:
0x01 - Job Request
0x02 - Ack
0x03 - Ack-Data
0x07 - Userdata
#Header Error Class:
0x00 - No error
0x81 - Application relationship error
0x82 - Object definition error
0x83 - No resources available error
0x84 - Error on service processing
0x85 - Error on supplies
0x87 - Access error
#Header Error Codes: (Further refines error)
#Parameter Error Codes:
0x0000 - No error
0x0110 - Invalid block type number
0x0112 - Invalid parameter
0x011A - PG resource error
0x011B - PLC resource error
0x011C - Protocol error
0x011F - User buffer too short
0x0141 - Request error
0x01C0 - Version mismatch
0x01F0 - Not implemented
0x8001 - L7 invalid CPU state
0x8500 - L7 PDU size error
0xD401 - L7 invalid SZL ID
0xD402 - L7 invalid index
0xD403 - L7 DGS Connection already announced
0xD404 - L7 Max user NB
0xD405 - L7 DGS function parameter syntax error
0xD406 - L7 no info
0xD601 - L7 PRT function parameter syntax error
0xD801 - L7 invalid variable address
0xD802 - L7 unknown request
0xD803 - L7 invalid request status
#Return value of item response
0x00 - Reserved
0x01 - Hardware fault
0x03 - Accessing the object not allowed
0x05 - Address out of range
0x06 - Data type not supported
0x07 - Data type inconsistent
0x0a - Object does not exist
0xff - Success
#Job Request/Ack-Data function codes
0x00 - CPU services
0xF0 - Setup communication
0x04 - Read Variable
0x05 - Write Variable
0x1A - Request download
0x1B - Download block
0x1C - Download ended
0x1D - Start upload
0x1E - Upload
0x1F - End upload
0x28 - PLC Control
0x29 - PLC Stop
#Memory Areas
0x03 - System info of S200 family
0x05 - System flags of S200 family
0x06 - Analog inputs of S200 family
0x07 - Analog outputs of S200 family
0x1C - S7 counters (C)
0x1D - S7 timers (T)
0x1E - IEC counters (200 family)
0x1F - IEC timers (200 family)
0x80 - Direct peripheral access (P)
0x81 - Inputs (I)
0x82 - Outputs (Q)
0x83 - Flags (M) (Merker)
0x84 - Data blocks (DB)
0x85 - Instance data blocks (DI)
0x86 - Local data (L)
0x87 - Unknown yet (V)
#Transport size (variable Type) in Item data
0x01 - BIT
0x02 - BYTE
0x03 - CHAR
0x04 - WORD
0x05 - INT
0x06 - DWORD
0x07 - DINT
0x08 - REAL
0x09 - DATE
0x0A - TOD
0x0B - TIME
0x0C - S5TIME
0x1D - TIMER
#Variable Addressing Mode
0x10 - S7-Any pointer (regular addressing: memory + variable_length + offset)
0xa2 - Drive-ES-Any (seen on Drive ES Starter with routing over S7)
0xb2 - S1200/S1500? Symbolic addressing mode
0xb0 - Special DB addressing for S400 (subitem read/write)
#Transport size in data
0x00 - NULL
0x03 - BIT
0x05 - INTEGER
0x07 - REAL
#Block type constants
'08' - OB
'0A' - DB
'0B' - SDB
'0C' - FC
'0D' - SFC
'0E' - FB
'0F' - SFB
#Sub block types
0x08 - OB
0x0a - DB
0x0b - SDB
0x0c - FC
0x0d - SFC
0x0e - FB
0x0f - SFB
#Block security mode
0 - None
3 - Know How Protect
#Block Language
0x00 - Not defined
0x01 - AWL
0x02 - KOP
0x03 - FUP
0x04 - SCL
0x05 - DB
0x06 - GRAPH
0x07 - SDB
0x08 - CPU-DB DB was created from PLC program (CREAT_DB)
0x11 - SDB (after overall reset) another SDB, don't know what it means, in SDB 1 and SDB 2, uncertain
0x12 - SDB (Routing) another SDB, in SDB 999 and SDB 1000 (routing information), uncertain
0x29 - ENCRYPT  block is encrypted (encoded?) with S7-Block-Privacy
#Userdata transmission type
0x0 - Push cyclic data push by the PLC
0x4 - Request by the master
0x8 - Response by the slave
#Userdata last PDU
0x00 - Yes
0x01 - No
#Userdata Functions
0x1 - Programmer commands
0x2 - Cyclic data
0x3 - Block functions
0x4 - CPU functions
0x5 - Security
0x7 - Time functions
#Variable table type of data
0x14 - Request
0x04 - Response
#VAT area and length type
0x01 - MB
0x02 - MW
0x03 - MD
0x11 - IB
0x12 - IW
0x13 - ID
0x21 - QB
0x22 - QW
0x23 - QD
0x31 - PIB
0x32 - PIW
0x33 - PID
0x71 - DBB
0x72 - DBW
0x73 - DBD
0x54 - TIMER
0x64 - COUNTER
#Userdata programmer subfunctions
0x01 - Request diag data (Type 1)
0x02 - VarTab
0x0c - Erase
0x0e - Read diag data
0x0f - Remove diag data
0x10 - Forces
0x13 - Request diag data (Type2)
#Userdata cyclic data subfunctions
0x01 - Memory
0x04 - Unsubscribe
#Userdata block subfunctions
0x01 - List blocks
0x02 - List blocks of type
0x03 - Get block info
#Userdata CPU subfunctions
0x01 - Read SZL
0x02 - Message service
0x03 - Transition to stop
0x0b - Alarm was acknowledged in HMI/SCADA 1
0x0c - Alarm was acknowledged in HMI/SCADA 2
0x11 - PLC is indicating an ALARM message
0x13 - HMI/SCADA initiating ALARM subscription
#Userdata security subfunctions
0x01 - PLC password
#Userdata time subfunctions
0x01 - Read clock
0x02 - Set clock
0x03 - Read clock (following)
0x04 - Set clock
#Flags for LID access
0x2 - Encapsulated LID
0x3 - Encapsulated Index
0x4 - Obtain by LID
0x5 - Obtain by Index
0x6 - Part Start Address
0x7 - Part Length
#TIA 1200 area names
0x8a0e - DB
0x0000 - IQMCT
0x50 - Inputs (I)
0x51 - Outputs (Q)
0x52 - Flags (M)
0x53 - Counter (C)
0x54 - Timer (T)
kb/production/s7-communication/constants.txt · Last modified: 2024/02/19 08:55 by joerg.hampel