dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 3 PR 54 -- Siemens S7 Modbus TCP quirks research doc #53

Merged
dohertj2 merged 1 commits from phase-3-pr54-s7-research-doc into v2 2026-04-18 22:54:03 -04:00
Conversation 0 Commits 1 Files Changed 1 +485
dohertj2 commented 2026-04-18 22:53:58 -04:00
Owner
Copy Link

Summary

Adds docs/v2/s7.md (485 lines) covering Siemens SIMATIC S7 family Modbus TCP behavior. Mirrors the docs/v2/dl205.md template for future per-quirk implementation PRs.

Key findings for the implementation track

  • No fixed memory map — every S7 Modbus server is user-wired via MB_SERVER/MODBUSCP/MODBUSPN library blocks. Driver must accept per-site config, not assume a vendor layout.
  • MB_SERVER requires non-optimized DBs (STATUS 0x8383 if optimized). Most common field bug.
  • Word order default = ABCD (opposite of DL260). Driver's S7 profile default must be ByteOrder.BigEndian, not WordSwap.
  • One port per MB_SERVER instance — multi-client requires parallel FBs on 503/504/… Most clients assume port 502 multiplexes (wrong on S7).
  • CP 343-1 Lean is server-only, requires the 2XV9450-1MB00 license.
  • FC20/21/22/23/43 all return Illegal Function on every S7 variant — driver must not attempt FC23 bulk-read optimization for S7.
  • STOP-mode behavior non-deterministic across firmware bands — treat both read/write STOP-mode responses as unavailable.

Two items flagged as unconfirmed rumour (V2.0+ float byte-order claim, STOP-mode caching location).

No code, no tests — implementation lands in PRs 56+.

Test plan

  • Doc renders as markdown
  • 31 citations present
  • Section structure matches dl205.md template
## Summary Adds `docs/v2/s7.md` (485 lines) covering Siemens SIMATIC S7 family Modbus TCP behavior. Mirrors the `docs/v2/dl205.md` template for future per-quirk implementation PRs. ## Key findings for the implementation track - **No fixed memory map** — every S7 Modbus server is user-wired via `MB_SERVER`/`MODBUSCP`/`MODBUSPN` library blocks. Driver must accept per-site config, not assume a vendor layout. - **MB_SERVER requires non-optimized DBs** (STATUS `0x8383` if optimized). Most common field bug. - **Word order default = ABCD** (opposite of DL260). Driver's S7 profile default must be `ByteOrder.BigEndian`, not `WordSwap`. - **One port per MB_SERVER instance** — multi-client requires parallel FBs on 503/504/… Most clients assume port 502 multiplexes (wrong on S7). - **CP 343-1 Lean is server-only**, requires the `2XV9450-1MB00` license. - **FC20/21/22/23/43 all return Illegal Function** on every S7 variant — driver must not attempt FC23 bulk-read optimization for S7. - **STOP-mode behavior non-deterministic** across firmware bands — treat both read/write STOP-mode responses as unavailable. Two items flagged as unconfirmed rumour (V2.0+ float byte-order claim, STOP-mode caching location). No code, no tests — implementation lands in PRs 56+. ## Test plan - [x] Doc renders as markdown - [x] 31 citations present - [x] Section structure matches dl205.md template
dohertj2 added 1 commit 2026-04-18 22:53:59 -04:00
Phase 3 PR 54 -- Siemens S7 Modbus TCP quirks research document. 485-line doc at docs/v2/s7.md mirroring the docs/v2/dl205.md template for the Siemens SIMATIC S7 family (S7-1200 / S7-1500 / S7-300 / S7-400 / ET 200SP / CP 343-1 / CP 443-1 / CP 343-1 Lean / MODBUSPN). Siemens S7 is fundamentally different from DL260: there is no fixed Modbus memory map baked into firmware -- every deployment runs MB_SERVER (S7-1200/1500/ET 200SP), MODBUSCP (S7-300/400 + CP), or MODBUSPN (S7-300/400 PN) library blocks wired up to user DBs via the MB_HOLD_REG / ADDR parameters. The driver's job is therefore to handle per-site CONFIG rather than per-family QUIRKS, and the doc makes that explicit. Key findings worth flagging for the PR 56+ implementation track: (1) S7 has no fixed memory map -- must accept per-site DriverConfig, cannot assume vendor-standard layout. (2) MB_SERVER requires NON-optimized DBs in TIA Portal; optimized DBs cause the library to return STATUS 0x8383 on every access -- the single most common S7 Modbus deployment bug in the field. (3) Word order is ABCD by default (big-endian bytes + big-endian words) across all Siemens S7 Modbus paths, which is the OPPOSITE of DL260 CDAB -- the Modbus driver's S7 profile default must be ByteOrder.BigEndian, not WordSwap. (4) MB_SERVER listens on ONE port per FB instance; multi-client support requires running MB_SERVER on 502 / 503 / 504 / ... simultaneously -- most clients assume port 502 multiplexes, which is wrong on S7. (5) CP 343-1 Lean is SERVER-ONLY and requires the separate 2XV9450-1MB00 MODBUS TCP CP library license; client mode calls return immediate error on Lean. (6) MB_SERVER does NOT filter Unit ID, accepts any value. Means the driver can't use Unit ID to detect 'direct vs gateway' topology. (7) FC23 Read-Write Multiple, FC22 Mask Write, FC20/21 File Records, FC43 Device Identification all return exception 01 Illegal Function on every S7 variant -- the driver MUST NOT attempt bulk-read optimisation via FC23 when talking to S7. (8) STOP-mode read/write behaviour is non-deterministic across firmware bands: reads may return cached data (library internal buffer), writes may succeed-silently or return exception 04 depending on CPU firmware version -- flagged as 'driver treats both as unavailable, do not distinguish'. Unconfirmed rumours flagged separately: 'V2.0+ reverses float byte order' claim (cited but not reproduced), STOP-mode caching location (folklore, no primary source). Per-model test differentiation section names the tests as S7_<model>_<behavior> matching the DL205 template convention (e.g. S7_1200_MB_SERVER_requires_non_optimized_DB, S7_343_1_Lean_rejects_client_mode, S7_FC23_returns_IllegalFunction). 31 cited references across the Siemens Industry Online Support entry-ID system (68011496 for MB_SERVER FAQ, etc.), TIA Portal library manuals, and three third-party driver vendor release notes (Kepware, Ignition, FactoryTalk). This is a pure documentation PR -- no code, no tests, no csproj changes. Per-quirk implementation lands in PRs 56+. Research conducted 2026-04-18 against latest publicly-available Siemens documentation; STOP-mode behaviour and MB_SERVER versioning specifically cross-checked against Siemens forum answers from 2024-2025. 9e2b5b330f
dohertj2 merged commit 299bd4a932 into v2 2026-04-18 22:54:03 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dohertj2
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dohertj2/lmxopcua#53
Delete Branch "phase-3-pr54-s7-research-doc"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?