browse() returns empty on V1-initial S7-1200 (V254 EXPLORE response format)

[gijzelaerr]

Problem

After the SessionKey handshake succeeds (PR #724), browse() returns an empty list on V1-initial S7-1200 PLCs (FW v4.2.2). The session setup completes successfully, but the EXPLORE response from the PLC uses frame version 0xFE (V254/SYSTEM_EVENT) instead of 0x01.

What we see

The PLC responds to EXPLORE with:

72 fe 00 c6 [198 bytes of data]

The 198-byte payload does NOT use the standard 14-byte response header or the PObject tree format (0xA1/0xA2/0xA3 tags). Instead it contains what appears to be a flat sequence of 16-bit attribute IDs (0x9D6C, 0x9D6D, ...) with 32-bit values. The session ID (923 = 0x039B) is visible at the expected position, confirming the data is valid.

What we need

1. A Wireshark pcap of TIA Portal successfully browsing symbols on the same PLC — to see how TIA Portal parses this format
2. Reverse-engineer the V254 EXPLORE response serialization format
3. Update _parse_explore_datablocks() and _parse_explore_fields() to handle this format

Current state

PR #724 fixes the connection (SessionKey handshake works). The fix-v1-explore-response branch handles V254 frames without crashing, but can't parse the data yet.

Related

• PR SessionKey handshake for V1-initial S7-1200 PLCs #724 — SessionKey handshake (session setup works)
• S7-1200 Session Setup Incomplete #710 — original bug report from @xBiggs

[xBiggs]

Adding some relevant TIAPortal V19 captures. You probably want to look at ProgramBlocks.pcapng and DB7_Integers.pcapng.

TIAPortal.zip

[xBiggs]

I tried to browse() on S7-1515 FW 2.5 from the research/harpo-port-incomplete branch. It errored out sometimes or returned an empty list. Attaching captures and logs of both scenarios

S7-1515_FW2_5.zip

[gijzelaerr]

Root cause found (from TIA Portal pcaps)

The V254 response is a red herring. The real issue: after the SessionKey handshake, all data operations must use V3 framing with a 32-byte HMAC integrity prefix.

TIA Portal flow on xBiggs's S7-1200 FW v4.2.2:

1. InitSSL → V1
2. CreateObject → V1
3. SetMultiVars (SessionKey + version) → V2
4. All subsequent data ops → V3 with 32-byte HMAC

We're sending EXPLORE as V1 (no integrity), so the PLC either rejects it or responds with a non-standard frame.

The 32-byte prefix in V3 frames is an HMAC computed from the session key (which we already derive correctly). The V3 frame format is:
```
72 03 [data_length] [0x20] [32-byte HMAC] [standard V1/V2 payload] 72 03 00 00
```

What's needed

1. After SessionKey handshake, switch `_protocol_version` to V3
2. Compute HMAC over each outgoing frame using the session key
3. Prepend the HMAC to outgoing frames, verify on incoming
4. TIA Portal uses `SetVariable` / `GetVarSubstreamed` for browsing on this PLC, not `EXPLORE` — may need to adjust `browse()` accordingly

This is a substantial piece of work but the path is clear now.

Thanks @xBiggs for the TIA Portal pcaps — they made the diagnosis possible.

[gijzelaerr]

Updated findings: post-auth legitimation required

All data operations (EXPLORE, GET_MULTI_VARIABLES, etc.) get V254 responses. The PLC requires a post-auth legitimation handshake after the SessionKey setup before it unlocks data access. TIA Portal does this in frames 18-30 of the ProgramBlocks pcap.

The legitimation sequence (from TIA pcap)

1. SET_VARIABLE (0x04F2) to session object, address 323 (0x143) — writes USINT value 5
   • 00 00 03 9b 01 82 43 00 02 05 ... + ObjectQualifier
2. GET_VAR_SUBSTREAMED (0x0586) from object 50 (0x32), address 7920 (0x1EF0) — reads 248-byte legitimation blob (starts with efbeadde = DEADBEEF LE)
3. GET_VAR_SUBSTREAMED from session object (0x039B), address 1842 (0x732) — reads 6 bytes
4. GET_VAR_SUBSTREAMED from object 50, address 7920 again — reads another legitimation blob

Only after this exchange completes does TIA send EXPLORE and data reads.

What's working

• SessionKey handshake (FEE1DEAD blob)
• V3 HMAC integrity framing (PLC accepts signed packets)
• EXPLORE to object 0x38 returns program tree (V3 response with PObject data)

What's needed

Implement the pre-TLS legitimation sequence (above) as an automatic post-auth step for V1-initial PLCs.

Note: the HarpoS7 GitHub repo appears to be down/deleted, so we can't reference the C# LegitimateScheme implementation anymore. The TIA Portal pcap is the primary reference.