How to connect and use a Siemens S7 device

Jari Krützfeldt 2018-08-09


In order to follow along, it would be helpful if you know a bit about:


Example Project Repo


This lesson goes through the required steps to connect and use your Siemens SIMATIC S7 device with the Cybus Connectware. Following this tutorial will enable you to connect and use your own SIMATIC S7 device on the Connectware with ease!

The SIMATIC S7 is a product line of PLCs by Siemens that are widely used in industrial automation. The S7 is capable of connecting several sensors and actuators through digital or analog IOs, which can be extended modularly.

Read and write access to data on the PLC can be realized through the S7 Communication Services based on ISO-on-TCP (RFC1006). In this case the PLC acts as a server, allowing communication partners to access PLC data without the incoming connections having to be configured during PLC programming. We will use this feature to access the S7 from the Connectware.


To follow the lesson you need to have a computer (!), a running Cybus Connectware instance and one of the following:

a) A Siemens S7 PLC and access to STEP7 (TIA Portal). The S7 PLC needs to be configured using STEP7 in order to work correctly. The following configuration settings on your S7 device are needed:

  • To activate the S7 Communication Services you need to enable PUT/GET access in the PLC settings. Keep in mind that this also opens up access to the controller for other applications.
  • To access data from data blocks you need to disable “Optimized Block Access” in the data block attributes.

b) Conpot PLC Emulator. Conpot can be used to emulate a Siemens S7 PLC.

Writing the Device Commissioning File

The YAML-based Device Commissioning File tells the Cybus Connectware the type of device to be connected and its connection configuration, and specifies the data-points that should be accessed. Device Commissioning File details can be found in the Reference docs. For now let's focus on the three main sections in the file, which are:

  • Source protocol
  • Target protocol
  • Data-endpoint mappings

In the following chapters we will go through the three sections and create an example Device Commissioning File in which we connect to an S7 device and enable read/write access to a data endpoint.

Source protocol

The source protocol section of the Device Commissioning File describes the device we want to connect to and its connection parameters, i.e. it defines what kind of device we are using and which protocol the Connectware should use to talk to it. The configuration needs to include the Connectware driver and the connection parameters. Our source section could look like the following:

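# ----------------------------------------------------------------------------#
# Source Interface Definition - S7 Protocol
# ----------------------------------------------------------------------------#
source:
  driver: s7
  # Connection parameters of the S7 device
  connection:
    protocol: s7.tcp
    host: <S7-host-IP>
    port: 102
    rack: 0
    slot: 1
  # Default operation for all mappings unless a mapping overrides it
  defaults:
    operation: write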

We define that we want to use the s7 Connectware driver, which tells the Connectware that the device will be a Siemens S7 device. In order to be able to establish a connection to the device, we need to specify the connection settings as well. Here we want to use the s7.tcp protocol to connect to our S7 device on the given host IP, port, rack and slot number.

Furthermore, we specified that the default operation (see mappings below) for the source should be write, i.e. usually we want to write data to our S7 device.

Target protocol

We want to map the S7 protocol of our PLC onto the Connectware MQTT Broker and thus get access to the data via MQTT. Similar to the source section of the commissioning file, we define the target section:

# ----------------------------------------------------------------------------#
# Target Interface Definition - MQTT (Cybus Connectware Broker)
# ----------------------------------------------------------------------------#
target:
  driver: mqtt
  # Default operation and topic prefix for all mappings
  defaults:
    operation: subscribe
    topicPrefix: io/cybus/learn

We define that we are using MQTT as the target driver and that the default operation is subscribe (corresponding to the write operation on the source). Further, we can define an MQTT topic prefix which will be prepended to all topics defined in the mappings below. As you may have noticed, the connection parameters are missing from the target section. This is because by default the target section connects to the Connectware MQTT Broker. It is however possible to connect to any other MQTT Broker by specifying its connection parameters.


A mapping maps a data-point from S7 source to MQTT target by translating the source protocol to the target protocol. The operation defines the direction of this specific mapping. Here is an example S7 mapping:

- source:
    typeAddress: <S7-address>
  target:
    topic: <MQTT-topic>

Our example mapping transfers data from the target (MQTT, target-default-operation = subscribe) on topic <MQTT-topic> to the source (S7, source-default-operation = write) on address <S7-address>. In order to use our S7 device we need to find out which addresses we want to use and how to define those addresses in the Commissioning File.


In this lesson we want to control the S7 device by writing data to it as well as read data from it. This can be achieved by accessing the Bit registers on the PLC - of course that means we need to find out which registers to access!

By looking at the table of variables in the corresponding TIA project we can see that the registers on the S7 we want to access are "QB0" and "IB0", i.e. we are addressing the same Byte once as output and once as input.

  • QB0: Byte access (Output-Byte-0)
  • IB0: Byte access (Input-Byte-0)
  • QX0.0: (Bit access) Output-Byte-0-Bit-0

The type address is specified as:

  • Q or I: Memory Area where the value is stored
  • B: Data type of the addressed value (B:Byte / X:Bit)
  • 0: Byte offset to the address
  • .0: Bit offset of the byte

See Cybus Reference docs for a more detailed description of S7 addressing.

Mappings definition

Following the addressing described above, we can fill out the Device Commissioning File Mappings section:

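# Default direction: MQTT topic (subscribe) -> S7 address (write)
- source:
    typeAddress: QX0.0
  target:
    topic: "out/0"
- source:
    typeAddress: QX0.1
  target:
    topic: "out/1"
- source:
    typeAddress: QX0.2
  target:
    topic: "out/2"
- source:
    typeAddress: QX0.3
  target:
    topic: "out/3"
- source:
    typeAddress: QB0
  target:
    topic: "out/all"
# Reversed direction: S7 address (subscribe) -> MQTT topic (write)
- source:
    operation: subscribe
    typeAddress: IB0
  target:
    operation: write
    topic: "in/all"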

We are mapping e.g. S7 address QX0.0 to MQTT topic out/0. In other words, we are subscribing to the MQTT topic io/cybus/learn/out/0 (the target topicPrefix followed by the mapping topic; remember that we set the target default operation to subscribe) and writing this data to S7 address QX0.0 (source default operation: write). In the same manner, we can define similar source/target mappings to add functionality to the device.

As you may have noticed already, the last source/target mapping is a bit different from the previous ones: here we are reversing the data flow. To make this work, we need to specify the intended operation again, because it differs from the default settings. We are defining that we want to subscribe to an S7 address and write the data to an MQTT topic.
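An added example (not part of the original lesson or of Cybus code): a Python check that parses the type addresses described above, resolves each mapping's direction from the defaults and per-mapping overrides, and lists the MQTT topics whose messages end up written to the PLC, since any client allowed to publish to them can change PLC outputs. The function names and the dict representation of the mappings are assumptions made for this example.

```python
import re

# Address grammar limited to what this lesson describes: area Q or I,
# type B (byte) or X (bit), a byte offset, and a bit offset 0-7 for X.
ADDR = re.compile(r"^([QI])([BX])(\d+)(?:\.([0-7]))?$")

def parse_address(addr):
    """Split e.g. 'QX0.1' into (area, type, byte_offset, bit_offset)."""
    m = ADDR.match(addr)
    if not m:
        raise ValueError(f"unsupported S7 address: {addr!r}")
    area, dtype, byte, bit = m.groups()
    if (dtype == "X") != (bit is not None):
        raise ValueError(f"bit offset belongs to X addresses only: {addr!r}")
    return area, dtype, int(byte), None if bit is None else int(bit)

def resolve(mappings, source_default, target_default, prefix):
    """Return (full_topic, address, direction) for every mapping."""
    rows = []
    for m in mappings:
        src, tgt = m["source"], m["target"]
        ops = (src.get("operation", source_default),
               tgt.get("operation", target_default))
        if ops == ("write", "subscribe"):
            direction = "mqtt->plc"
        elif ops == ("subscribe", "write"):
            direction = "plc->mqtt"
        else:
            raise ValueError(f"operations do not form a data flow: {ops}")
        parse_address(src["typeAddress"])  # reject malformed addresses early
        rows.append((f"{prefix}/{tgt['topic']}", src["typeAddress"], direction))
    return rows

def plc_write_topics(rows):
    """Topics whose messages are written into PLC memory."""
    return sorted(topic for topic, _, d in rows if d == "mqtt->plc")

# Constructed input: the mappings of this lesson as Python dicts.
MAPPINGS = [
    {"source": {"typeAddress": f"QX0.{i}"}, "target": {"topic": f"out/{i}"}}
    for i in range(4)
] + [
    {"source": {"typeAddress": "QB0"}, "target": {"topic": "out/all"}},
    {"source": {"operation": "subscribe", "typeAddress": "IB0"},
     "target": {"operation": "write", "topic": "in/all"}},
]
ROWS = resolve(MAPPINGS, "write", "subscribe", "io/cybus/learn")

if __name__ == "__main__":
    print("topics that write to the PLC:", plc_write_topics(ROWS))
```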

Commission the device on the Connectware

We are finally ready to connect to our Siemens S7 PLC and use it! Go to the Devices tab in the Connectware, click on the (+) button in the lower right corner and choose the Device Commissioning File that we just created. Choose localhost as location.

Uploading the device commissioning file

In case you used variables in the file, you will be prompted now to fill those in.

Using a configurable Device Commissioning File

If you are ready, press Install and the device will be installed. The status section indicates if the connection to your device and to the MQTT Broker could be established. If everything went well, both connections should change to connected.

Connectware Device Tab

To see the incoming data, go to the Explorer tab in the Connectware and look at the MQTT topics we specified in the Device Commissioning File.

Connectware MQTT Explorer


In this Cybus Learn article we learned how to connect and use an S7 device on the Connectware. See the Example Project Repo for the complete Device Commissioning File. If you want to keep going and get started with connecting your own S7 device with custom addressing, please visit the Reference docs to get to know all the Connectware S7 protocol features.

Going further

A good point to go further from here is the Service Basics Lesson, which covers how to use the data from your S7 device.

Disclaimer: Step7, TIA Portal, S7, S7-1200, Sinamics are trademarks of Siemens AG