[S7-300] program copy protection

kyoq · Oct 12, 2006

hi, I am wondering how to protect program code to prevent copy to another PLC. I mean the same code will not run with another PLC. I thing it have to be connect with strut register code, fore sure I have to use individual PLC features. can you help me to solve this task ?

PeterW · Oct 12, 2006

The CPU can be named, this will give a warning on downloading, but will not stop you overiding the warning and downloading if you wanted to. (EDIT: this only happens if the PLC already has a program installed, perhaps not what you are looking for).

I don't know of any way to do other checks within the code.

The only way I can think that you can physically do this is to reserve some inputs to give some binary code. For each PLC you can then hardwire links to the inputs and for each program have a section of code to test the inputs against the pattern expected for this software.

The number of inputs depends on the numberc of PLC's you want to do this for.

I am assuming here that the machines are identical with identical CPU's and I/O layout of course, where you only have software parameter differences.

SimonGoldsworthy · Oct 12, 2006

You can read the serial number of the CPU out of the SSL-List. Once you know this, your code could check for the correct serial number and halt if they don't match. Of course if the CPU ever gets replaced then you will have to change the serial number in your code.

The assumption is you are copying all the program into another plc - do you need to cater for someone copying individual blocks as well ?

PLucas · Oct 12, 2006

Simon

I know it's possible to read the CPU serial number using SFC51 from S7 400s, I don't think you can do this with 300's.

It is 300's that kyoq is refering to.

Paul

kyoq · Oct 12, 2006

Wchich command handle checking correct CPU serial number ?
Parts of my program are protected functions and it would be great to copy protect them also.

PLucas · Oct 12, 2006

kyoq said:
Wchich command handle checking correct CPU serial number ?

SFC51 is used to read out the CPU serial number, the SSL ID is W#16#011C, the SSL index is W#16#0005.

But as I stated above, I don't think this is possible with S7 300's.

Paul

RMA · Oct 12, 2006

I'm not sure you're right about that Paul. After extensive reading of the help file, I found the following:

SZL xy11 - Object name example given CPU 314 - 6ES7 314-0AE01-0AB0

SZL xy1C, Index 5 - 24 character Serial number which is quote a "worldwide unique identifier for SIMATIC products. This number is linked to the hardware itself and is not affected b firmware upgrades". Nowhere is there a qualifier that it is not supported for some products.

However, in the general description, there is a comment that the number of requests that can be made at one time is system resource dependant, which might mean that in a smaller CPU you wouldn't get at the serial number on the first attempt.

I'll leave it to you to try it out though, if you've got the time - I didn't like the look of SFC51 the first time I met it and I haven't changed my mind!

[FIN]Pete · Oct 12, 2006

Hi Kyoq and all of you

This is "a little bit" out of topic but still I cannot "keep" my mouth shut. I don't want to judge anyone but think TWICE before you "Protect" your PLC's by password or some other trick. If someone (your competitor) wants to use your code, they know how to do it. So, the only one who suffers this kind of things is the end customer maintenance team. Is it worth of it??

Pete ☯

Peace, love and unprotected plc's

PeterW · Oct 12, 2006

[FIN]Pete said:
Hi Kyoq and all of you

This is "a little bit" out of topic but still I cannot "keep" my mouth shut. I don't want to judge anyone but think TWICE before you "Protect" your PLC's by password or some other trick. If someone (your competitor) wants to use your code, they know how to do it. So, the only one who suffers this kind of things is the end customer maintenance team. Is it worth of it??

Pete ☯

Peace, love and unprotected plc's

I think you have him wrong here, I believe he's talking about the same machine type, multiple times, where he does not want to accidently download and run the code from one PLC in another the same.

The method I mentioned above (hard wired code) we used in a packaging hall with about 10 identical labelling machines.

PLucas · Oct 12, 2006

Roy,

I am certain that I read somewhere that the serial number part doesn't work with 300's only 400's.

That was a few years ago when I was 'introduced' to the wonderful SFC51. Back then I did a bit of experimenting with it on an old 315-2DP.

I have a 315-2DP (latest version) in my office and I set this up with SFC51 and the 12 word serial number string returned from SFC51 contained nothing but zeros, so I would be interested to know if anyone else has succesfully read a serial number from a 300.

By the way, I have successfully, in the past, read out the CPU part number, 6ES7 315 etc, using SFC51

Paul

SimonGoldsworthy · Oct 13, 2006

I've tried SFC51 in both a 317-2DP and a 315-2DP using SSL-ID=w#16#011C
and they both operate as follows:

Index = 1 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 2 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 3 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 4 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 5 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 6 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 7 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = 8 , RET_VALUE= 0, Returns data serial number of MMC card
Index = 9 , RET_VALUE= 8083 (Index wrong or not allowed)
Index = A , RET_VALUE= 0, Returns data OEM ID
Index = B , RET_VALUE= 8083 (Index wrong or not allowed)

Anyone got a 314 that RMA mentioned previously ?

PeterW · Oct 13, 2006

I still say using inputs is the better idea, using serial numbers hard coded, means if you change the CPU you will need to make a software change, otherwise it will not run.

SimonGoldsworthy · Oct 13, 2006

I agree with PeterW - if it's a line of several machines then coding the machine number with digital inputs is the way to go - perhaps kyog could clarify his precise requirements.

JesperMP · Oct 13, 2006

PeterW said:
I still say using inputs is the better idea, using serial numbers hard coded, means if you change the CPU you will need to make a software change, otherwise it will not run.

I once considered (and partly still consider) to use a scheme where the CPU serial number is used to generate a release code.
Without the release code, the machine will not stop, but the more advanced options are blocked.
So, if the CPU would have to be replaced the machine will operate but the HMI will display a message "Please enter correct release code". The customer will then have to contact me to get the code which he then enters on the HMI.
In this way I would effectively have blocked my know-how from being simply copied.

PeterW · Oct 13, 2006

JesperMP said:
I once considered (and partly still consider) to use a scheme where the CPU serial number is used to generate a release code.
Without the release code, the machine will not stop, but the more advanced options are blocked.
So, if the CPU would have to be replaced the machine will operate but the HMI will display a message "Please enter correct release code". The customer will then have to contact me to get the code which he then enters on the HMI.
In this way I would effectively have blocked my know-how from being simply copied.

If you slip on the ice and find yourself in a coma or worse, the customers screwed.

[S7-300] program copy protection

kyoq

Member

PeterW

Member

SimonGoldsworthy

Member

PLucas

Member

kyoq

Member

PLucas

Member

RMA

Member

[FIN]Pete

Member

PeterW

Member

PLucas

Member

SimonGoldsworthy

Member

PeterW

Member

SimonGoldsworthy

Member

JesperMP

Lifetime Supporting Member + Moderator

PeterW

Member

Similar Topics