Siemens S7 CPU Locked

John Gaunt

Member
Join Date
Nov 2004
Location
Tasmania, Australia
Posts
362
I have an S7-300 PLC that has had its CPU password protected.

Can anybody help me unlock it?

I don't have its Step7 project and want to download its
blocks, create a symbol table and be able to make some
necessary changes to its program. I am familiar with Siemens
Statement List (STL) programming.

Again, can you help unlock this CPU.
 
Password Problem

I have received some assistance via private emails.
However, to date no resolution to this problem.

Obviously many others have had this problem and I
am sure sombody has the solution.

Regards..................John Gaunt
Tasmania, Australia.
 
Thanks JRW,

That seems to be the usual answer.
Through Siemens Singapore however, I understand that Siemens
Germany can do it but will not release the information.

I am still hopeful that somebody knows how and perhaps by
email can let me know.

Regards..............John Gaunt
 
S7 CPU Password

I have been told about using ComLite32 to monitor AB PLC
serial COMS to detect password.

Has anybody had any experience doing anything similar with
Siemens S7 ?

ComLite32 seems only to run under Win95/98. Is there a version
or something similar for 2000/XP ?
 
What are you trying to unlock? The blocks of the program? ie. protected functions? Or the PLC itself?

If its the PLC itself then I've never seen a 'locked' one so I'm afraid I can't help you. But if its the blocks then I do know a way of unlocking them without the source.

:)
 
CPU is password protected

Thanks Johnny T,
It is the PLC CPU that is password protected.

I know and understand that the individual blocks can
be Know How Protected with a password but that is not
my problem.

I hope that somebody knows how to get past the password
protection in the CPU and can email me if they don't
want to broadcast it.

Regards................John Gaunt.
 
You mentioned some other emails; what did they offer for suggestions? I haven't tried it before, but I wonder if SFC51 could be used to access some CPU details, and combine this with a sniffer that could catch the whole data stream. Then, by analyzing the data packets, maybe the password could be deduced (assuming it is broadcast in the first place). Just thinking off the top of my head.
 
this is a tricky one. I found a S7 "canopener", thru here I think but that's for know how protect on blocks. does the password entry routine reside in simatic manager on the PC/laptop or does it send your entered string to the cpu for a yea/nay? if it's on the PC there is a password revealer, i think on either MrPLC or PLCMan. i haven't used it but i think it displays passwords on windows systems.
 
CPU is password protected

Thanks S7Guy,
Unfortunately other suggestions were addressing slightly different
problems.
At present I am trying to detect a known password on my development S7-400 CPU by monitoring traffic on PC adaptor RS232 line.
Regards............John Gaunt
 
CPU is password protected

Thanks kennyb,

Yes, s7canopener is for toggling ON or OFF Know How Protection on individual blocks.
Unfortunately the CPU password resides in the CPU. I am hoping it is transmitted to the PC to verify any entered password.

Regards.........John Gaunt
 
ok its a long shot but if it does "go" to the pc can you grab the password there? as i write this i think not.sorry
 
CPU is Password Protected

Thanks KennyB,

I have been trying to intercept the password using a serial line monitor. I am using my software development S7-400 PLC with a known password AAAAAAAA and monitoring the data flow between the PC and PLC at the time that I enter a password to access data in the PLC. However, so far no luck. It seems that the data is encripted, compressed or encoded in some way.

Does anybody have details regarding the format of S7 data between the PC and PLC?

By the way the serial monitor I am using is HHD SerMon Pro.
www.hhdsoftware.com/sermon.html

Regards...............John Gaunt
 
If there is a MC-card in it, you're lucky... otherwise it's not possible to do it without a wizzkid from siemens..

Pull the MC-card out, make a MRES, put the card in and reset again..

... or read the MC-card with a PG...
 
S7-300 CPU Locked

Thanks Nak,

The PLC is S7-313 (313-5BE00-0AB0) and fitted with an MMC (Micro Memory Card)

I received the following in an email from Siemens Singapore:
1) The New CPU does not have a battery and the MMC is alway necessary for the CPU to be in operation.
2) CPU will go to stop mode if the MMC is remove.
3) In any case the system configuration ( hardware configuration + program + network configuration) is stored in the MMC card.
If you insert MMC to another CPU and power up the first action is all the data is loaded from the MMC to the CPU.
Thus the CPU will also be password protected.
In future even all the comment will be save in the MMC thus all documentation will be store digitally.

They had contacted Siemens Germany to obtain this information.
Basically they are saying that the password is in the MMC as well
as the CPU.

Please respond with your comments.
Regards...............John Gaunt
 

Similar Topics

Hey when I turn on my Siemens PLC CPU 216-2 after runing 10 minute it's stop and showing SF indication after I turn off and some time later turn...
Replies
0
Views
94
I was trying to communicate between Siemens ET200S IM-151-8 PN/DP CPU to Rockwell Allen Bradley L73 through Hilscher Gateway NT100-RE-EN. Using...
Replies
0
Views
98
I'll preface this by saying this is the first time I've worked on a Siemens system and I'm fairly unfamiliar with them. I might mess up some of...
Replies
29
Views
653
Has anyone come across this kind of problem: I have 1215FC cpu with profinet and profibus devices. Because of one device, I would have to...
Replies
10
Views
867
First of all, it's a pleasure to join this community, I already have a few years of exp in this sector but never registered on a plc forum, so...
Replies
4
Views
734
Back
Top Bottom