Accessing Siemens S7-1200 webserver over router

When the S7-1200 has an IP address assigned on the local network it can be accessed through that address. I don’t think people who are able to program the PLC will have difficulties with that.

When the PLC needs to be accessible over a router, making it possible to browse to the web interface from anywhere on the internet, some settings in the router and the PLC need to be correct.

On the router a NAT row needs to be added to forward ports 80 and 443 to the PLC address. Port 80 is for the HTTP pages; port 443 is needed to access secure pages over HTTPS.

In the PLC it is absolutely required to set the router IP address. When this isn’t set, the webserver of the S7-1200 PLC will be accessible over the local network but not over the router.

Don’t forget to change the password of the PLC. Allowing access to the PLC over the internet can be useful but also very dangerous when not secured.

Also, it’s not recommended to enable the webserver on an S7-1200 PLC if it’s not necessary. A DoS (Denial of Service) attack can make the PLC crash!
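A way to review the router side of this setup, as an added example that is not part of the original post: the function below audits a list of NAT forwarding rows for the risks named above. The rule field names, the sample rows and the addresses are constructed assumptions, not taken from any particular router.

```javascript
// Constructed sample: port-forward ("NAT") rows as a router might list them.
// Field names are hypothetical; addresses are private/documentation ranges.
const sampleRules = [
  { name: "plc-http",  extPort: 80,   toIp: "192.168.1.50", toPort: 80,   source: "any" },
  { name: "plc-https", extPort: 443,  toIp: "192.168.1.50", toPort: 443,  source: "203.0.113.10/32" },
  { name: "plc-extra", extPort: 8080, toIp: "192.168.1.50", toPort: 8080, source: "any" },
  { name: "nas",       extPort: 8443, toIp: "192.168.1.20", toPort: 443,  source: "any" },
];

const WEB_PORTS = new Set([80, 443]);            // the only ports the post forwards
const OPEN_SOURCES = new Set(["any", "0.0.0.0/0"]);

// Return one finding per risky property of each row that reaches the PLC.
function auditPlcForwards(rules, plcIp) {
  const findings = [];
  for (const r of rules) {
    if (r.toIp !== plcIp) continue;              // rows for other hosts are out of scope
    if (r.toPort === 80) {
      findings.push({ rule: r.name, issue: "cleartext-http",
        fix: "forward 443 only; HTTP traffic crosses the internet unencrypted" });
    }
    if (!WEB_PORTS.has(r.toPort)) {
      findings.push({ rule: r.name, issue: "not-a-web-port",
        fix: "remove; the web interface needs only 80/443" });
    }
    if (OPEN_SOURCES.has(r.source)) {
      findings.push({ rule: r.name, issue: "open-to-any-source",
        fix: "restrict to known source addresses or reach the PLC through a VPN" });
    }
  }
  return findings;
}

// Names of the PLC rows that produced no finding and can stay as they are.
function cleanRules(rules, plcIp) {
  const flagged = new Set(auditPlcForwards(rules, plcIp).map(f => f.rule));
  return rules.filter(r => r.toIp === plcIp && !flagged.has(r.name)).map(r => r.name);
}
```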

Siemens S7-1200 Firmware Update

The S7-1200 series are compact PLCs from Siemens that can be directly connected to an Ethernet network. Being compact and affordable, they are perfectly suited to home automation projects.

Big drawbacks of the original firmware (V1) are the lack of an integrated webserver and, certainly, the fact that it’s impossible to download a program in RUN and that all data blocks return to their initial values after a download.

These problems are solved when upgrading the S7-1200 PLC firmware to V2.1.2. To do this update a 24MB Siemens memory card is required. Compared to the PLC this is an expensive little piece that will only be used for updating the firmware of the S7-1200 PLC. Unfortunately there is no way around this. You absolutely need this memory card to update the firmware!

Before updating the firmware be sure you update your installation of TIA portal to the latest version and Service Pack. You can find some updates on the Siemens support website:

http://support.automation.siemens.com/WW/view/en/28919804/

Download the latest firmware for your PLC (for me it is the 1212C) from the Siemens website:

http://support.automation.siemens.com/WW/view/en/38710101/

After downloading the firmware execute the file to extract the firmware to the empty memory card. A folder “FWUPDATE.S7S” and a file “S7_JOB.S7S” are extracted to the root folder of the memory card.

Now we’re prepared for the actual firmware upgrade of the S7-1200 PLC. The following steps are required to perform this update:

  1. Insert the memory card in the PLC. The status goes to STOP and the maintenance LED blinks.
  2. Power cycle the PLC. After this the firmware is copied to the internal memory. The RUN/STOP LED alternates between green and orange.
  3. When the copying process is done the LEDs will look like this: RUN/STOP LED is orange, maintenance LED blinks.
  4. Remove the memory card from the PLC and again do a power cycle to load the new firmware.
  5. With the upgrade to version 2.0.3 my PLC didn’t go to RUN by itself; use TIA Portal to get the PLC back in RUN mode when necessary. After the upgrade to firmware version 2.1.2 the PLC went to RUN.
  6. Enjoy the new features!

This would be the ideal world; of course, some problems occurred during the upgrade:

The installation of TIA Portal V11 SP1 failed. This problem could not be solved by reinstalling TIA Portal V11 but only by reinstalling Windows! With a fresh image of Windows the installation of TIA Portal V11, SP1 and Update 2 succeeded.

After updating TIA Portal and the firmware I had some major issues with the PLC. The internal memory got corrupted, giving an error “Internal load memory is corrupt (delete in TIA Portal or with program card)”, and I got an error saying “Internal system error (error code: 0x800011210000008d) - Please contact SIMATIC customer support.” A complete factory reset solved these problems (but downgraded the firmware back to V1.0). So upgrading again… Some research told me this problem could be related to the use of PID controllers (I’m using them for the heat control of my home). This problem should not occur when ‘all blocks’ are downloaded after a software change. Another source speaks about having the PID block only in run when the PLC itself is in RUN mode. In all the other cases the PID controller should be in reset mode.

Before installing Firmware version 2.1.2 I upgraded to version 2.0.3. When I tried to create user webpages this error occurred:

Conclusion: The firmware update of the S7-1200 PLC introduces a lot of new features but also some issues. If you’re happy with your old firmware don’t upgrade. If it ain’t broke, don’t fix it!

Decrease PCS7 compilation time

Anyone who has worked with PCS7 knows that compiling a project can take a while. This is because PCS7 compilation is done in the database on the hard disk and not in the computer memory. This means a faster hard disk will decrease the compilation time of the PCS7 project.

A first possibility is to use a solid state disk in the engineering station. Read and write access to these disks is much faster than to regular hard disks.

A second and even faster possibility is a RAM disk. A RAM disk is a virtual disk in the RAM memory of the engineering station. A part of the memory is reserved and formatted as a hard drive. When a PCS7 project is stored in the RAM memory it will be compiled in the RAM memory.

From now on you’ll only be able to drink 3 cups of coffee during compilation of your PCS7 project instead of 10!

Siemens S7 PLC Hacked

Once upon a time it didn’t seem necessary to protect automation systems (PLCs) against hackers and people with bad intentions. They were connected to isolated networks and there was no link to the outer world. Nowadays engineers want to see how their machines are doing on the other side of the planet, meaning that in some way there is a link between the automation system and the internet.

Whenever a computer that is connected to the plant bus and to the internet is infected with a trojan, a hacker can gain access to the plant bus from wherever he wants. Since the security on the plant bus is poor or nonexistent, the hacker will be able to connect to the PLCs on the network.

During ‘Black Hat 2011’ Dillon Beresford revealed that he found ways to bypass the S7’s security measures and read and write data into the PLC memory, even when the system has password protection enabled. And on the S7-300 Beresford even found a command shell left in the firmware by Siemens engineers, that he can connect to and use to run commands on the system.

It’s a Unix-like shell where commands can be run. Username: basisk; password: basisk. This shell is a “back door” to the system that can be used to gain access to automation controllers.

So, what can be hacked using this security issue? Every system that has a connection to the outer world! (network, USB stick,…)

Are we in danger? Let’s hope not, as long as the engineers of nuclear plants, water purification installations and other critical installations used their common sense while designing the plants. The controller of a critical plant should always be isolated from the outer world. Monitoring the plant can be done with separate sensors and controllers whenever necessary.

Making a Lego factory

Automating a factory is fun (it’s my job) but when the factory is made of Lego bricks it’s even better. The Lego factories are mostly controlled by one or more Lego Mindstorms brains. Lego Technic offers a huge number of possibilities for the mechanical design.

DIY Home Automation systems

Brand specific systems

A lot of switch/power outlet/... manufacturers have their own home automation system. Most of them are easy to configure and are good candidates for a DIY home automation system. There is Nikobus from Niko, QBus, BTicino,… The drawback of these manufacturer-specific home automation systems is the dependency. When a component fails you need to stick to the manufacturer, buying the same component. If a manufacturer stops producing a certain system… you’re screwed.

Standard bus systems

EIB/KNX is a standard bus system supported by many manufacturers. A lot of brands make components for the KNX home automation system. This is a gigantic pro because you can be sure that in the future spare parts will still be available. It can be easily installed as a DIY home automation system but you need software (or someone with the software) to configure the components on the bus. This is a favorite for DIY home automation!

X10 is a home automation system widely used in the US and a bit less known in Europe. It can be used as a wireless bus automation system. X10 is a very easy system to install, perfect for DIY home automation.

Central systems

In a centralized system every button and every light has a wire to a central cabinet. The controller has some (or a lot of) inputs and outputs to switch lights, blinds,… A central system has the advantage that it can easily be replaced by another central system. It can be hard wired with ‘teleruptors’ or a logic controller can be used. Depending on the system it can be configured by anyone or only by a ‘system expert’.

The industrial way

Industrial systems must be reliable, more reliable than home automation systems (unfortunately). So, why not use them for home automation? A PLC (Programmable Logic Controller) can be used as a centralized home automation system but can also be configured with remote input and output islands. Most industrial controllers are guaranteed to have 10 years or more of manufacturer support, which is nice. Maybe a little bit harder to configure as a DIY home automation system but certainly worth the effort.

Home automation in Windows Media Center

Automating your home is one thing, having a good interface to control it is another. Home automation can do a lot of useful tasks for you and make your life easier but in the end you must be the one who’s in control.

As the automation system in my apartment I use a Siemens S7-1200 PLC (Programmable Logic Controller). It is a low-priced but powerful PLC, which doesn’t take too much space. The controller is connected to every light point, the door opener and the central heating system. This means it takes care of lighting, heating and access control.

Since Windows Media Center is an easy way to store and play music, movies and pictures, integrating a small touch panel in the wall seemed fun. Even more fun would be the integration of an HMI (Human Machine Interface) to control the S7-1200 PLC using the touch screen. Using different applications would be possible but it brings the hassle of having to switch every time from Media Center to the HMI application and back.

The solution is to make a Windows Media Center plugin that is able to communicate with the S7-1200 PLC over the local network. To transfer bits and bytes from the plugin to the PLC the dataflow shown in the diagram below is used.

The PLC is connected to the local network, which is ideal for communication between the PLC and the server. To read and write data from and to the PLC the open source library libnodave is used. A C# application gets and sets data in the PLC according to the points configured in a MySQL database. Creating and editing points is done through a web interface.

Whenever data needs to be sent to the PLC a row is added in a MySQL table that functions as a stack. The actual values are read cyclically and updated in the points table.

On the webserver a PHP script is running to create MCML (Media Center Markup Language) data. These MCML pages can be registered as a plugin in Windows Media Center. At this time the plugin is very basic. It is a tree containing rooms and lights. The PHP script shows one level of the tree at a time. Clicking an area will open the level of that specific area. Clicking a light will toggle the status of the light.

Using a Windows Media Center plugin to control your home is very intuitive, and incredibly cool. And maybe one time it will be open source…

Why I will not use a microcontroller for home automation

A while ago I started the home automation over ethernet project. Based on microcontrollers I was able to switch lights remotely, set dimmers to a certain value and measure temperatures.

The disadvantage of home automation with a homemade system based on a microcontroller is reliability and lack of spare parts. In addition, the value of the property in which it is installed does not increase but may even decrease.

To avoid the problems mentioned above, I decided not to use a control system based on a microcontroller, but one based on a PLC (Programmable Logic Controller). A Siemens S7-1200 is the heart of the home automation system. It is a PLC by default equipped with an ethernet port.

Programming a PLC is much easier than programming a µC and spare parts are guaranteed by Siemens for 10 years after production. The system is centralized and can be replaced by trip switches.

A user interface for a touch panel or a simple computer interface can be made with one of the many available SCADA packages like WinCC flexible runtime, InTouch, iFix,… I will probably start with WinCC flexible runtime to continue with a web based OPC client.

Related posts:
Home automation over IP
Home automation over ethernet

The home automation over IP controller

Home Automation over IP

It has been a while since I started with my home automation over IP project. There has been a lot of progress but also some changes in the original design.

Previous posts:

Home automation over ethernet
The home automation over IP controller

Software

Right now the micro controller board with the Atmega168 can read analog inputs, switch relays and dim LEDs using pulse width modulation. However no logical decisions are made by the micro controller.

To do the logics I made a client and server application with Java that’s able to run JavaScript files in a script engine. The Java application retrieves the values from the micro controllers, executes the JavaScript and sends the updated values back to the micro controllers. It acts like some kind of soft PLC, running on a simple language like JavaScript.

Because the JavaScript based soft PLC has no GUI I integrated an extra webserver in it. Now it’s possible to create fancy interfaces with Adobe Flash or any other development tool that’s able to get and send data over HTTP.

A complete cycle is as follows:

  1. retrieve IO status from micro controllers
  2. execute script
  3. retrieve modified IO status from script engine and put it in the IO buffer
  4. apply modifications received by the server in IO buffer
  5. flush the buffer to the micro controllers
  6. goto step 1…

To avoid too much load on the network a cycle is only run once every 200ms. For industrial purposes this could be too slow but for switching lights on and off in your house this is fast enough. When pushing a button in a Flash movie the delay is barely noticed.
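The cycle described above, sketched as an added example that is not the project's own code. The boards are in-memory stand-ins for the networked micro controllers, the tag names are hypothetical, and the allowlist and type check on values arriving from the webserver in step 4 are an assumption added here, since those values come from HTTP clients.

```javascript
// Constructed stand-in for one micro controller board: read() returns its IO
// values, write() accepts only the tags that board actually owns.
function makeBoard(io) {
  return {
    io: { ...io },
    read() { return { ...this.io }; },
    write(values) {
      for (const tag of Object.keys(this.io)) {
        if (tag in values) this.io[tag] = values[tag];
      }
    },
  };
}

// Logic script: what the script engine would execute each cycle (hypothetical tags).
function lightingScript(io) {
  io.hallLight = io.hallButton;          // light follows the wall button
  io.heaterRelay = io.livingTemp < 19;   // simple thermostat
  return io;
}

// One scan cycle, following the numbered steps in the post.
function runCycle(boards, script, serverQueue, writableTags) {
  const buffer = {};
  for (const b of boards) Object.assign(buffer, b.read());   // step 1
  Object.assign(buffer, script({ ...buffer }));               // steps 2 and 3
  const rejected = [];
  for (const { tag, value } of serverQueue.splice(0)) {       // step 4
    // Values from HTTP clients are untrusted: accept only allowlisted tags
    // whose type matches the IO point they would overwrite.
    const ok = writableTags.has(tag) && typeof value === typeof buffer[tag];
    if (ok) buffer[tag] = value; else rejected.push(tag);
  }
  for (const b of boards) b.write(buffer);                    // step 5
  return { buffer, rejected };
}

// Step 6: repeat every 200 ms; returns the timer so the caller can stop it.
function startSoftPlc(boards, script, serverQueue, writableTags) {
  return setInterval(() => runCycle(boards, script, serverQueue, writableTags), 200);
}
```

Because step 4 runs after the script, an accepted server write overrides the script's output for that cycle, which matches the order of the steps listed above.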

Hardware

Besides the point that the modules will not be built into a housing that can be mounted on a DIN rail, there are no changes on the hardware part.

Can I get the source and schematics from this project?

At the moment, no. It might become open source one day, it might not.

Home automation over IP: the controller

Finally some progress in the home automation over IP project. The controller is put into its housing, there is some firmware written and there’s also some progress on the computer software.

To make it possible to mount the controller in a common electric cabinet it will be housed in a DIN Rail mountable enclosure.

DIN Rail housing

To bring the micro controller outputs to the exterior I made a PCB using the toner transfer method.
