
instructables

ARDUINO™ "HACK" PLC SIEMENS™ THROUGH LAN/WIFI INDUSTRIAL ETHERNET NETWORK

by tuenhidiy

Today, I’d like to share how to connect an Arduino to a PLC S7-300 via Ethernet. On the Internet, I also studied some
libraries that can handle this communication, such as:

MQTT-Siemens-S7-300

Settimino Library

I selected the “settimino” library to test communication between Arduino & PLC because it is professional & easy to understand.
To run this test, you need some knowledge of Siemens PLCs and, of course, have to spend quite a lot of money....

Cautions:

Do not connect Arduino with Ethernet shield to factory industrial Ethernet network & apply this test. It can cause serious consequences.

In the project's VIDEO below, NODEMCU + MPU6050 communicates with the PLC via WIFI to control the Speed/Direction of a DC motor.

https://www.youtube.com/embed/KBwQQGBpTXE

Step 1: ARDUINO LIBRARY & PLC SIEMENS

Dave Nardella (Italian) is the author of two great interface libraries between ARM Linux / MIPS microprocessors
and PLC Siemens S7™:

Snap7: Snap7 is a cross-platform, open source Ethernet communication library for Siemens PLC
(LOGO 0BA7 / 0BA8, S7-200 / 300/400 & CPUs 1200/1500) and Raspberry PI (1 and 2), BeagleBone
Black.... Link:

http://snap7.sourceforge.net/

Settimino: It was rewritten from Snap7 to be compatible with the Arduino platform.

http://settimino.sourceforge.net/

About PLC, you can refer to the Siemens official website:

Siemens Global Website

SIMATIC S7-300 CPU 31xC Technological Functions

Using the integrated function "Pulse-width Modulation" of the S7 CPU 31xC

Step 2: B.O.M

Bill Of Material is as below:

Important note about Ethernet Shield: The resistor value in the red rectangle should be 49R9 or 510 (about 50 ~ 51
ohm); with some Ethernet Shields, this value is 511 (510 ohm). I had a problem with the 511 resistor so I could not
connect to the PLC & finally had to buy another one with R510; then the connection was successful.

I tested PLC & Arduino communications with 2 options:

ARDUINO UNO R3 equipped with ARDUINO Ethernet Shield R3.

NodeMCU ESP 12-E V1.0 standalone, connected via wifi router.

Step 3: HARDWARE CONFIGURATION - ETHERNET SHIELD

Hardware configuration - ARDUINO UNO R3 equipped with ARDUINO Ethernet Shield R3

Hardware configuration explanation:

With this configuration you have the freedom to modify both the PLC program/data and the Arduino
sketch. The Snap7 ClientDemo is optional.

In the Arduino IDE, we used ConnectTo() to define the IP_Address, Rack and Slot for the first connection,
which sets up the internal parameters and connects to the PLC.

In the STEP 7 program, the IP_Address of the PLC (CP343-1) must be the address declared in the
Arduino program: 192.168.0.71. See details in the image.

Hardware config in SIMATIC MANAGER

Actual hardware demo kit:

With the above configuration, the two controllers can exchange data with each other easily, for example:

PLC side can get the MPU-6050 data, read distance of HC-SR05 or control RC-SERVO.

Arduino side can read temperature from PT100 / thermocouples, get status of 24V proximity
switches, or turn on / off 220VAC lamps.

Step 4: PROGRAM - ETHERNET SHIELD

1. SETTIMINO LIBRARY

You can download it at: Settimino Library, which includes the library, detailed instructions for using the settimino
library, and sample programs.

In the manual, please note the terms "Big-Endian" and "Little-Endian", which describe differences in reading and writing
data between ARDUINO™ (Little-Endian) and PLC Siemens S7™ (Big-Endian).

Big-Endian: MSB (left-most bit) --> LSB (right-most bit), for example, DWORD 0x4C21112F is
stored in PLC Siemens S7™ as follows:

Little-Endian: LSB (left-most bit) --> MSB (right-most bit); the same DWORD above is stored in ARDUINO™
in the opposite way to the PLC.
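
The byte-order difference described above, as an added example that is not part of the original instructable or of the Settimino library: bounds-checked helpers that decode big-endian S7 values from a data-block buffer on any host. The helper names and the sample buffer (apart from the DWORD 0x4C21112F taken from the text) are made up for this illustration.

```cpp
// Added example (not from the original sketch): portable decoding of
// big-endian S7 values out of a data-block byte buffer.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Constructed sample: DWORD 0x4C21112F as the PLC stores it, then WORD 500.
const uint8_t kSampleDb[] = {0x4C, 0x21, 0x11, 0x2F, 0x01, 0xF4};

// True when [off, off+n) lies inside a buffer of len bytes (no overflow).
static bool inRange(size_t len, size_t off, size_t n) {
    return off <= len && len - off >= n;
}

// Big-endian WORD at byte offset off (e.g. DBW2 -> off = 2).
bool s7GetWord(const uint8_t* buf, size_t len, size_t off, uint16_t& out) {
    if (!inRange(len, off, 2)) return false;
    out = static_cast<uint16_t>((buf[off] << 8) | buf[off + 1]);
    return true;
}

// Big-endian DWORD at byte offset off (e.g. DBD0 -> off = 0).
bool s7GetDWord(const uint8_t* buf, size_t len, size_t off, uint32_t& out) {
    if (!inRange(len, off, 4)) return false;
    out = (uint32_t(buf[off]) << 24) | (uint32_t(buf[off + 1]) << 16) |
          (uint32_t(buf[off + 2]) << 8) | uint32_t(buf[off + 3]);
    return true;
}

// Store a host WORD in S7 byte order before the buffer goes to the PLC.
bool s7SetWord(uint8_t* buf, size_t len, size_t off, uint16_t v) {
    if (!inRange(len, off, 2)) return false;
    buf[off] = static_cast<uint8_t>(v >> 8);
    buf[off + 1] = static_cast<uint8_t>(v & 0xFF);
    return true;
}

// What a plain memcpy yields: correct only on a big-endian host.
uint32_t naiveDWord(const uint8_t* buf) {
    uint32_t v;
    memcpy(&v, buf, sizeof v);
    return v;
}

// Host byte order, detected at run time.
bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}
```

On a little-endian host such as the Arduino or ESP8266, `naiveDWord` returns the bytes reversed, which is the mismatch the manual warns about.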

2. PLC PROGRAM

I used STEP 7 Professional 2010 V5.5 to configure the hardware & write the program for the PLC. If you are an automation
engineer, you will be very familiar with it...

You can also use the SIMATIC WinCC as an HMI / SCADA system to control Siemens S7 ™ PLCs or ARDUINO ™.

Settimino can directly access Siemens PLCs with a built-in Ethernet module (such as CPU 315-2PN/DP, CPU412-
2PN/DP, CPU414-3PN/DP ...) or via a separate Ethernet card (like CP343 for CPU S7-300, or CP443 for CPU S7-400). I
tested the case of S7-300 CPU + CP343.

3. ARDUINO PROGRAM

3.1. Arduino read DB values from PLC - “DBGetDemo”

In the PLC program, I created DB2 containing 100 bytes with initial values assigned in order from 0 ~ 99.

The “DBGetDemo” reads 100 bytes from DB2 and displays them on the Serial Monitor of the
Arduino IDE.

While the Arduino was reading DB2 from the PLC, I used the "FORCE" function to change the value of two bytes,
DB2.DBB0 & DB2.DBB1, to check whether the Arduino was reading correctly or not.

Details can be seen at:

https://www.youtube.com/embed/OgDz6RdKRwg

3.2. Write to PLC’s Data Block at Security Level 3

Program Overview:

Enable Security Level 3 (Read / Write Protection) in the CPU300 configuration, then Compile &
Download to Module.

In the PLC, we created DB1 (Data Block) containing 1,090 bytes with KNOW_HOW_PROTECT
(generally speaking, this DB is locked in Siemens terminology).

The “WriteDemo” program writes the desired value from the Arduino to DB1.DBB0 & DB1.DBB1
stored in the PLC.

Change DB1 values from the Arduino program and check the PLC's DB1 online monitoring.

Details can be checked at:

https://www.youtube.com/embed/ViyL77UK2yo

Step 5: HARDWARE CONFIGURATION - NODEMCU ESP 12-E V1.0

Hardware diagram:

Actual system picture:

The wireless router is located inside my home at a distance of about 15m and is not shown in the picture.

NodeMCU integrated with MPU6050 as pictured:

Hardware configuration explanation:

As in the picture above, the 24VDC PLC outputs are connected to the "24V to 5V Converter Board" to change the
voltage level and then control the DC motor through the L298N with the integrated PWM function inside PLC
314C-2DP. I had to do it like that because I didn't have a DC motor drive to connect to the PLC.

NodeMCU + MPU6050 are connected to the PLC system by wifi router, and the roll value from the
MPU6050 is used to adjust the direction & speed of the DC motor.

This demo is based on integrated PWM function in CPU314C-2DP. To control pulse width modulation
via the user program, we use SFB 49 "PULSE". The following operations are available:
* Starting/stopping via software gate SW_EN.
* Enabling/controlling the output DO.
* Retrieving the status bits STS_EN, STS_STRT and STS_DO.
* Input of the output value.
* Jobs for reading/writing the registers.

From the beginning of this project, my purpose has been to make a vibration sensor that can be integrated into an
industrial network, something like: https://www.dytran.com/Series-7556A-Analog-6D-Sen... It will be
very cheap & useful for vibration protection or vibration analysis. For example, with a high-power motor, it
can be attached to the gearbox and take 6DOF vibration data for analysis or raise an alarm in the PLC system
when vibration is higher than the limit. Or we can use it as a portable analysis device for preventive
maintenance. This demo is just a starting point & it can come true with an acceptable sampling
time.

Step 6: ARDUINO PROGRAM - NODEMCU ESP 12-E V1.0

https://gist.github.com/tuenhidiy/fb2bec2b09bbd5104f5c2f2cfaace35e

/*----------------------------------------------------------------------
Thanks to Davide Nardella
----------------------------------------------------------------------*/
// Wifi -> #define S7WIFI
// Cable -> #define S7WIRED
#define S7WIFI
#include <SPI.h>
#include <Ethernet.h>
#ifdef S7WIFI
#include <ESP8266WiFi.h>
#endif
#include "Settimino.h"
#include <Wire.h>
// MPU6050 Slave Device Address
const uint8_t MPU6050SlaveAddress = 0x68;
// Select SDA and SCL pins for I2C communication
const uint8_t scl = D1;
const uint8_t sda = D2;
// sensitivity scale factor respective to full scale setting provided in datasheet
const uint16_t AccelScaleFactor = 16384;
const uint16_t GyroScaleFactor = 131;
// MPU6050 few configuration register addresses
const uint8_t MPU6050_REGISTER_SMPLRT_DIV = 0x19;
const uint8_t MPU6050_REGISTER_USER_CTRL = 0x6A;
const uint8_t MPU6050_REGISTER_PWR_MGMT_1 = 0x6B;
const uint8_t MPU6050_REGISTER_PWR_MGMT_2 = 0x6C;
const uint8_t MPU6050_REGISTER_CONFIG = 0x1A;
const uint8_t MPU6050_REGISTER_GYRO_CONFIG = 0x1B;
const uint8_t MPU6050_REGISTER_ACCEL_CONFIG = 0x1C;
const uint8_t MPU6050_REGISTER_FIFO_EN = 0x23;
const uint8_t MPU6050_REGISTER_INT_ENABLE = 0x38;
const uint8_t MPU6050_REGISTER_ACCEL_XOUT_H = 0x3B;
const uint8_t MPU6050_REGISTER_SIGNAL_PATH_RESET = 0x68;
int16_t AccelX, AccelY, AccelZ, Temperature, GyroX, GyroY, GyroZ;
#define DO_IT_SMALL
// Enter a MAC address and IP address for your controller below.
// The IP address will be dependent on your local network:
byte mac[] = { 0x90, 0xA2, 0xDA, 0x0F, 0x08, 0xE1 };
IPAddress Local(192,168,0,70); // Local Address
IPAddress PLC(192,168,0,71); // PLC Address
// Following constants are needed if you are connecting via WIFI
// The ssid is the name of my WIFI network (the password obviously is wrong)
char ssid[] = "FPT-Telecom"; // Your network SSID (name)
char pass[] = "12345689"; // Your network password (if any)
IPAddress Gateway(192, 168, 0, 1);
IPAddress Subnet(255, 255, 255, 0);

Step 7: PLC PROGRAM - NODEMCU ESP 12-E V1.0

PLC program control DC motor:

Motor direction (CW or CCW) follows the MPU6050 ROLL VALUE (Positive or Negative). Q124.4 &
Q124.5 are connected to the "Converter board" and the L298N at pins IN1, IN2 to set the motor direction.

And motor speed - DB1.DBW2 - is ABS(ROLL VALUE). PLC PWM output Q124.0 is connected to the
"Converter board" & the L298N at pin ENA to control the PWM of the DC motor.

SFB49 was used in the ladder program below to generate PWM at output channel 0 - Q124.0.

Step 8: 24V TO 5V CONVERTER BOARD

I used a ULN2803 to convert the voltage level. Each ULN2803 contains eight Darlington transistors, which means we can
convert 8 signals by using one ULN2803.

Circuit diagram as follows:

Picture of Converter Board
Step 9: MORE PICTURES & VIDEOS

About this project, you can check at my channel address:

https://www.youtube.com/embed/KBwQQGBpTXE

And more videos for PLC project at:

https://www.youtube.com/embed/lqBw-ZnK4Ec

Step 10: SUMMARY

With the S7-300 PLC in this test, Settimino can almost read / write to the PLC regardless of the CPU
Protection Level. This security issue certainly causes a great deal of difficulty for automation
engineers who work with Siemens™ CPUs.
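
Since the CPU protection level did not stop these reads and writes in the test above, a defender has to watch the network side. The following added example (not code from the page or from Settimino) classifies a captured ISO-on-TCP (TCP port 102) payload and flags S7 write requests from hosts other than an allowed engineering station; the function names, the allowed address and the sample packet are constructed for illustration, and the field offsets follow the commonly documented S7comm job layout.

```cpp
// Added example (not from the page or from Settimino): classify an
// ISO-on-TCP (port 102) payload and flag S7 writes from unexpected hosts.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum S7Kind { NOT_S7, S7_OTHER, S7_READ_VAR, S7_WRITE_VAR };

// Walks TPKT -> COTP DT -> S7 job header -> function code, checking bounds.
S7Kind classifyS7(const uint8_t* p, size_t n) {
    if (n < 7 || p[0] != 0x03) return NOT_S7;            // TPKT version 3
    size_t tpktLen = (size_t(p[2]) << 8) | p[3];
    if (tpktLen != n) return NOT_S7;                     // declared vs. actual size
    size_t cotpLen = p[4];                               // COTP length indicator
    if (p[5] != 0xF0) return NOT_S7;                     // only DT TPDUs carry S7
    size_t s7 = 5 + cotpLen;                             // start of S7 header
    if (s7 + 10 > n || p[s7] != 0x32) return NOT_S7;     // protocol id 0x32
    if (p[s7 + 1] != 0x01) return S7_OTHER;              // ROSCTR 1 = job request
    uint16_t paramLen = uint16_t((p[s7 + 6] << 8) | p[s7 + 7]);
    if (paramLen == 0 || s7 + 10 + paramLen > n) return NOT_S7;
    switch (p[s7 + 10]) {                                // first parameter byte
        case 0x04: return S7_READ_VAR;
        case 0x05: return S7_WRITE_VAR;
        default:   return S7_OTHER;
    }
}

// Constructed policy: only this (hypothetical) engineering station may write.
const uint8_t kAllowedWriter[4] = {192, 168, 0, 10};

// True when a packet from srcIp should raise an alert.
bool shouldAlert(const uint8_t srcIp[4], const uint8_t* payload, size_t n) {
    return classifyS7(payload, n) == S7_WRITE_VAR &&
           memcmp(srcIp, kAllowedWriter, 4) != 0;
}

// Constructed sample: write job header and function code; the 12 item
// bytes after the item count are zero-filled placeholders.
const uint8_t kWriteJob[] = {0x03, 0x00, 0x00, 0x1F, 0x02, 0xF0, 0x80,
    0x32, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0E, 0x00, 0x00,
    0x05, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
```

Feeding it payloads from a span port or an inline sensor in front of the CP343 gives an alert source that does not depend on the CPU's own protection setting.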

Arduino is not suited to industrial environments (dust, humidity, temperature) and
cannot meet the reliability requirements of a PLC. But more or less, this is not a bad way for us to make IoT /
Smart Home projects using new-generation Siemens CPUs with a built-in Ethernet port, affordable, in
conjunction with the Arduino.

Special thanks to Dave Nardella for the "settimino" library....

PLEASE VOTE FOR ME ... so that I have more motivation to do more useful projects!!!

Can you show me with code arduino uno shield? I need it

Hi Kio. You can see arduino code at STEP 6 or check at my GitHub:


https://gist.github.com/tuenhidiy/fb2bec2b09bbd510...
In the code, there are 2 options for WIFI (NODEMCU standalone) or CABLE/WIRED (ARDUINO
UNO R3 + ARDUINO Ethernet Shield):
// Wifi -> #define S7WIFI
// Cable -> #define S7WIRED

Thanks a lot. I am working on a project about getting data from plc s7-1200 via arduino uno r3 +
ethernet shield then use nodeMCU to upload to MQTT. Can you give me any advice or research
materials?

Thank you for this great job I have plc- LSIS(XEC-28DRUA/DC) let try make common project to
upgrade your program to my PLC.

Hi Ali. I don't have this type of PLC so I can't test on it. Thanks for being interested in my project.

Hi Sir, thanks for your instruction. I still have error 0x300 and don't know how to fix it. Could you help
me?

Hi there, thanks for this. It would be great if you could do a video about the SFB 49 on its own, or if
you could show how you got a pulse out at Q124.0. I have read every manual on this function
block and every parameter setting but I am unsure of how to achieve a pulsing output. That would
help me greatly. Any other help would be great. Thank you in advance.

hey sir nice project 10/10
can you help me sir i have a sensor ultrason i want to send the value to plc s7-1200, I use the
library of settimino, please help me for the code of arduino how I can send this value

You can follow instructions on settimino manual. I'm only familiar with S7-300/400. And I don't
have S7-1200 for testing. Sorry for that...

i want to ask you how can I write 2 value in one data block 1 DB1 help me please

You've got our vote!

Thanks!
