CPU Protection

Nathan@ISL

Hi all!!

I'm currently working on a Siemens S7 system of German origin that I have found to be read/write protected (CPU not the blocks) when trying to download a modified block.

The customer doesn't have the password and it appears that they may be held to ransom over the issue. If this is the case, does anyone know of a backdoor? I have the project and just need to download a small mod!!!

Nathan
 
If you have the STEP7 project, but don't know the password as set in the CPU properties, simply install a new MMC card.

Before downloading the program, remove the password, or set it to something new and remember it (!).
 
Thanks Jesper,

If we could be sure that what we have is totally up to date this would be a good fix, unfortunately the system involves numerous recipes and although there shouldn't be any issues we're a little nervous about taking this action (we only want to download 1 FC)

Nathan
 
Cheers

You can compare blocks but if they aren't consistent they can't be accessed to specify the variation, we've compared and found nothing unexpected but without full access to the CPU we're not totally confident about further action, "measure twice, cut once"

Nathan
 
If there are only timestamp differences, then you should not worry.

I would do an upload (to a separate "upload" project).
Then, after downloading the new program, the one without password, you can download the recipes from the uploaded program.
 
Yeah, I've tried to upload to a new project and it won't allow it, I know Siemens had the best intentions but when protection functions are misused purely to generate money I think something should be in place, we're all customers after all!!
 
How much time/effort are you willing to put into implementing this mod ?

e.g. a few hours/days/weeks/months ?
 
You are sure you have a valid STEP7 project backup. Only, the password is unknown.
So the problem is that you need to backup all the recipes before you perform a download with a new password-less program.

Retrieving the contents of existing DBs does not require specifying the password.
There are numerous ways to do it.
Any HMI program that can store values as backups, logs, recipes, whatever can be used.

I have seen someone using a slightly risky way of using the HMI panel as the backup buffer.
One button reads all the DBs and stores the values in internal tags (=RAM).
Another button reads the internal tags and writes them back to the PLC.

NB. Use the existing MMC card as the means to get back to the old program in case it turns out your backup is less than up to date.
 
The modified block has to be downloaded, if need be we'll acquire a replacement module and squirt the code/config into that, at least then we have the original to fall back on in case anything is missing, it may be that the original programmer will release the password to the customer but I doubt it!!
 
If necessary, you can modify the FC by changing the memory card contents using a hex editor. Here's an example of a simple change:

[Attached image: mem1.JPG]
 
The recipes are executed in a very convoluted way (on purpose I believe) and I'm not comfortable enough to take any risks as the recipes are extremely valuable. I can neither read from nor write to the PLC without the password and so can't download the modified code without an element of risk; this is the problem. I think that unless we can get the password or bypass it, we'll just have to buy another unit to play with; this is not a bad thing for development's sake anyway I suppose.

Thanks for all your inputs, they're much appreciated guys!!

Nathan
 
