fix: parse session challenge as USINT array at attribute 303

gijzelaerr · claude · gijzelaerr · commit f80dab3311d5 · 2026-05-11T18:47:17.000+02:00
The PLC sends the 20-byte challenge as a USINT array (flags=0x10,
type=0x02) at attribute 303, not as a BLOB. Confirmed from xBiggs's
S7-1200 FW v4.2.2 debug logs. The previous heuristic looking for
a BLOB never matched.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/s7/connection.py b/s7/connection.py
@@ -867,28 +867,31 @@ def _parse_create_object_response(self, payload: bytes) -> None:
                         offset += 2
                         offset = self._skip_typed_value(payload, offset, datatype, _flags)
 
-                else:
+                elif attr_id == 303 and self._session_challenge is None:
+                    # ServerSessionChallenge: 20-byte USINT array
                     if offset + 2 > len(payload):
                         break
                     _flags = payload[offset]
                     datatype = payload[offset + 1]
                     offset += 2
-                    # Capture 20-byte BLOB/array as the session challenge
-                    if datatype == DataType.BLOB and self._session_challenge is None:
-                        value_start = offset
-                        offset = self._skip_typed_value(payload, value_start, datatype, _flags)
-                        blob_length = offset - value_start
-                        if blob_length > 0:
-                            length, consumed = decode_uint32_vlq(payload, value_start)
-                            blob_data = bytes(payload[value_start + consumed : value_start + consumed + length])
-                            if len(blob_data) == 20:
-                                self._session_challenge = blob_data
-                                logger.info(
-                                    f"Session challenge captured (attr {attr_id}, {len(blob_data)} bytes): {blob_data.hex()}"
-                                )
+                    is_array = bool(_flags & 0x10)
+                    if is_array and datatype == DataType.USINT:
+                        count, consumed = decode_uint32_vlq(payload, offset)
+                        offset += consumed
+                        self._session_challenge = bytes(payload[offset : offset + count])
+                        offset += count
+                        logger.info(f"Session challenge captured ({count} bytes): {self._session_challenge.hex()}")
                     else:
                         offset = self._skip_typed_value(payload, offset, datatype, _flags)
 
+                else:
+                    if offset + 2 > len(payload):
+                        break
+                    _flags = payload[offset]
+                    datatype = payload[offset + 1]
+                    offset += 2
+                    offset = self._skip_typed_value(payload, offset, datatype, _flags)
+
             elif tag == ElementID.START_OF_OBJECT:
                 offset += 1
                 # Skip RelationId (4 bytes fixed) + ClassId (VLQ) + ClassFlags (VLQ) + AttributeId (VLQ)
