use TIA Portal EXPLORE format for V1-initial PLCs

V1-initial PLCs expect a 4-byte big-endian InObjectId in the EXPLORE
payload instead of a VLQ-encoded explore_id. Match the format observed
in TIA Portal v19 pcaps: InObjectId + fixed params + sequence byte.

Default explore target is 0x38 (system object for PLC program tree),
matching what TIA Portal sends.

Author: gijzelaerr

s7/_s7commplus_client.py

@@ -261,7 +261,10 @@ def explore(self, explore_id: int = 0) -> bytes:
         if self._connection is None:
             raise RuntimeError("Not connected")
 
-        payload = _build_explore_payload(explore_id)
+        if self._connection._session_key is not None:
+            payload = _build_explore_payload_v3(explore_id if explore_id else 0x38)
+        else:
+            payload = _build_explore_payload(explore_id)
         response = self._connection.send_request(FunctionCode.EXPLORE, payload)
         return response
 
@@ -720,6 +723,19 @@ def _build_explore_payload(explore_id: int = 0) -> bytes:
     return bytes(payload)
 
 
+def _build_explore_payload_v3(explore_id: int, sequence: int = 10) -> bytes:
+    """Build a V3-style EXPLORE request payload matching TIA Portal format.
+
+    V1-initial PLCs use a 4-byte big-endian InObjectId followed by
+    fixed parameters, rather than the VLQ-based format.
+    """
+    payload = struct.pack(">I", explore_id)
+    payload += bytes([0x00, 0x01, 0x00, 0x01, 0x00, 0x00])
+    payload += bytes([sequence & 0xFF])
+    payload += bytes([0x00, 0x00, 0x00, 0x00, 0x00])
+    return payload
+
+
 def _build_invoke_payload(state: int) -> bytes:
     """Build an INVOKE request payload for SetPlcOperatingState.