We got a response with value 0x411fc143 (0b1000001000111111100000101000011), meaning that it is an ARM Cortex-R4 Revision 3, ARMv7-R, Thumb-2 Real-Time profile SoC with Protected Memory System Architecture (PMSA), based on a Memory Protection Unit (MPU). The S7-1200 DC/DC/DC v2018 is using a Micron Technologies NQ281 (FBGA code) 1Gbit (128MB) flash. Using the Micron FBGA decoder we could get the part number of the flash: MT29F1G16ABBDAHC-IT:D. Note that in mid 2019, Siemens updated the NAND flash to NW812 (MT29F1G08ABBFAH4-ITE:F). The Siemens S7-1212C v4 is using a 1GB Winbond W94AD2KB or a 256MB W948D2FBJX6E high-speed LPDDR1 SDRAM, or a Micron Technologies MT46H32M32LFB5-5 IT (FBGA code D9LRB) in a 90-ball VFBGA package.

Bootloader UART Protocol Overview

An interesting observation we made when looking at the firmware more deeply to investigate non-invasive access techniques is a protocol over UART during the very early boot stage, implemented by the bootloader (v4.2.1). During startup, the bootloader waits for half a second, listening on the serial input for a magic sequence of bytes. Upon receiving those bytes within that timeframe, the bootloader enters a special protocol offering a large variety of functionality over serial. A client for the UART protocol, containing functionality to execute payloads on the PLC from within early boot, is implemented in this utility.

In the bootloader, the function at address 0x0368 is called to wait for the magic string "MFGT1" within half a second. If the string is received, it answers with the string "-CPU" and returns 1 to indicate that the protocol handler should be executed. The return value of this function is checked at 0x0EDF0, and the protocol handler at 0xF3D0 is entered if the initial handshake has been performed.

The UART protocol handler exposes a list of low-level functions. There are multiple layers of handlers present in the system:

Primary Handlers: A primary list of handlers that can be invoked directly from the first protocol stage. They are stored in a table inside the bootloader starting at address 0x014D98 with 128 entries.
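The CPU identification above comes from the ARM Main ID Register (MIDR). The following decoder is an added example, not code from the original write-up; it splits a MIDR value into the fields documented in the ARM Architecture Reference Manual (implementer, variant, architecture, primary part number, revision) and shows how 0x411fc143 yields ARM Ltd., part 0xC14 (Cortex-R4), variant 1, revision 3, i.e. r1p3 in ARM's naming. The lookup tables are deliberately small and are the author's own, not an exhaustive list.

```python
"""Decode an ARMv7 MIDR (Main ID Register) value into its fields.

Added example, not code from the original write-up. The field layout
(implementer [31:24], variant [23:20], architecture [19:16],
primary part number [15:4], revision [3:0]) is the one documented in the
ARM Architecture Reference Manual; the lookup tables are intentionally
small and cover only the values needed to interpret 0x411fc143.
"""
from dataclasses import dataclass

IMPLEMENTERS = {0x41: "ARM Ltd."}
# An architecture field of 0xF means "CPUID scheme": the profile (A/R/M)
# is then read from the ID_PFR registers, so this field alone does not
# say "ARMv7-R"; the part number identifies the core.
ARCHITECTURES = {0x7: "ARMv6", 0xF: "CPUID scheme (ARMv7 or later)"}
ARM_PART_NUMBERS = {
    0xC07: "Cortex-A7",
    0xC09: "Cortex-A9",
    0xC14: "Cortex-R4",
    0xC15: "Cortex-R5",
}


@dataclass(frozen=True)
class Midr:
    implementer: int
    variant: int
    architecture: int
    part: int
    revision: int

    @property
    def implementer_name(self) -> str:
        return IMPLEMENTERS.get(self.implementer, f"unknown (0x{self.implementer:02x})")

    @property
    def part_name(self) -> str:
        # Part numbers are only meaningful relative to the implementer.
        if self.implementer != 0x41:
            return f"part 0x{self.part:03x}"
        return ARM_PART_NUMBERS.get(self.part, f"unknown ARM part 0x{self.part:03x}")

    @property
    def rev_string(self) -> str:
        # ARM's rNpM naming: major revision from the variant field,
        # minor revision (patch) from the revision field.
        return f"r{self.variant}p{self.revision}"


def decode_midr(value: int) -> Midr:
    """Split a 32-bit MIDR value into its bit fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"MIDR must be a 32-bit value, got {value!r}")
    return Midr(
        implementer=(value >> 24) & 0xFF,
        variant=(value >> 20) & 0xF,
        architecture=(value >> 16) & 0xF,
        part=(value >> 4) & 0xFFF,
        revision=value & 0xF,
    )


def describe_midr(value: int) -> str:
    """Human-readable one-liner, e.g. for a hardware inventory note."""
    m = decode_midr(value)
    return (f"0x{value:08x}: {m.implementer_name} {m.part_name} {m.rev_string} "
            f"(architecture field: {ARCHITECTURES.get(m.architecture, 'unknown')})")


if __name__ == "__main__":
    print(describe_midr(0x411FC143))
```

The revision field (3) is what the text calls "Revision 3"; combined with the variant field (1) it gives the r1p3 designation that ARM uses in its errata notices, which is the form you need when checking whether a documented core erratum applies to a given device.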
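To make the early-boot handshake described in the UART protocol overview concrete, here is a model of the bootloader side of the exchange. It is an added example, not code from the original write-up or from Siemens, and it reproduces only what the text states: a half-second listening window, the magic string "MFGT1", the "-CPU" reply, and the 1/0 return value that selects the protocol handler or normal boot. The serial port and the clock are simulated (the SimulatedUart class and the byte arrival times are constructed), so the model runs offline and deterministically; the matcher logic is an assumption, since the text does not describe how the real function compares bytes.

```python
"""Model of the bootloader-side magic-string handshake (added example).

Not code from the original write-up or from Siemens. Only the behaviour the
text describes is modelled: wait up to WINDOW_S seconds for MAGIC on the
serial input, reply with REPLY and return 1 on success, return 0 otherwise.
The matching strategy and the simulated UART are assumptions of this model.
"""

MAGIC = b"MFGT1"   # magic string named in the write-up
REPLY = b"-CPU"    # reply named in the write-up
WINDOW_S = 0.5     # listening window named in the write-up


class SimulatedUart:
    """Constructed stand-in for the serial port.

    Each RX byte carries the simulated time (seconds since reset) at which
    it arrives; everything the bootloader transmits is collected in `tx`.
    """

    def __init__(self, rx):
        # rx: iterable of (arrival_time_s, byte_value)
        self._rx = sorted(rx)
        self.tx = bytearray()

    def read_byte(self, deadline):
        """Return (time, byte) for the next byte arriving by `deadline`,
        or (deadline, None) if the window expires first."""
        if self._rx and self._rx[0][0] <= deadline:
            return self._rx.pop(0)
        return deadline, None

    def write(self, data: bytes) -> None:
        self.tx += data


def rx_bytes(data: bytes, t0: float = 0.1, step: float = 0.01):
    """Construct an RX schedule: `data` arriving byte by byte from t0."""
    return [(t0 + i * step, b) for i, b in enumerate(data)]


def wait_for_magic(uart: SimulatedUart, start: float = 0.0) -> int:
    """Bootloader-side wait: 1 if MAGIC arrives within WINDOW_S of `start`
    (and REPLY has been sent), else 0."""
    deadline = start + WINDOW_S
    matched = 0
    while True:
        _, b = uart.read_byte(deadline)
        if b is None:
            return 0  # window expired without the full magic string
        # Sequential matcher (assumed): a mismatch restarts the match,
        # treating the offending byte as a possible new first byte.
        if b == MAGIC[matched]:
            matched += 1
        else:
            matched = 1 if b == MAGIC[0] else 0
        if matched == len(MAGIC):
            uart.write(REPLY)
            return 1


def boot(uart: SimulatedUart) -> str:
    """Which path the bootloader takes after the handshake check."""
    return "uart-protocol-handler" if wait_for_magic(uart) else "normal-boot"


if __name__ == "__main__":
    port = SimulatedUart(rx_bytes(MAGIC))
    print(boot(port), bytes(port.tx))
```

From a defender's point of view the model makes two things visible: the only observable on the wire is a short burst at power-on followed by the fixed "-CPU" reply, and the decision is made before any later firmware integrity logic runs. Anyone monitoring a PLC's service serial line can therefore log that reply string as a high-signal indicator that the early-boot protocol was entered.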