Ripping a password from a s7-300

Dryhops

We have a piece of used equipment we are recommissioning that I need to find a password for. The defaults that the OEM sent us are not working.

I only have experience with AB controllers, so this is my first attempt at working with a Siemens controller. After a lot of jumping through hoops, I finally got S7 professional installed and stumbled my way through the archaic connection process to access the project files on the S7-300.

My understanding of the program organization on Siemens controllers is limited, so I'm actively reading the docs, but hopefully someone here can steer me in the right direction.

There is both a username and a password. My first thought would be that the credentials are stored in one of the data blocks (DBXX). I only found one string reference. I tried it both for the user name and password, as well as permutations with the credentials that the OEM gave me - no dice.

I've seen some references to SFC blocks, as built-in functions of the OS. I cannot view these blocks online. Is authentication a protected function that the OS provides? Or is the password likely stored in the user program somewhere? Could the password instead be located in a byte array, or different data type?

Any other ideas where I should try looking?
 
Didn't mention in my OP, sorry. We need to configure alarm settings for the system. The username and password are entered via the HMI. A Siemens DESIGN TP177A
 
No, I don't have any of the original project. Is this something I can pull from the HMI?

Basically all I have is the software and a Programming cable.
 
Maybe. IF they transferred the project to the HMI as part of their download. It requires a memory card to be installed in the HMI so it has somewhere to store the project. You can surely try to upload, worst case it just doesn't work. If you can upload, just change the user passwords and redownload. Other than that, this forum frowns upon any kind of password hacking or bypassing.
 
> Maybe. IF they transferred the project to the HMI as part of their download. It requires a memory card to be installed in the HMI so it has somewhere to store the project. You can surely try to upload, worst case it just doesn't work. If you can upload, just change the user passwords and redownload. Other than that, this forum frowns upon any kind of password hacking or bypassing.

Thanks for your help. There does not appear to be an SD card on the HMI, only on the controller.

Pretty much, it'll come down to either figuring out this password, or writing the controls from scratch. It seems like a basic requirement to configure anything on the machine, including operator level parameters. So I wouldn't consider it bypassing or hacking, we just need it to be able to use the machine as intended. Obviously I could just change the parameters for the system when I'm online with the controller, but I'd rather do it with the HMI as it was designed (along with input sanitizing and such).

But whatever help you're comfortable providing, would be greatly appreciated.
 
I'm an SI, so when I put a password in something, it's for a reason. Making passwords easy to bypass kind of defeats the purpose of having them. I wouldn't try to bypass a password, I'd just charge the end user to rewrite the project. Luckily, I don't have to maintain equipment long-term, where this issue usually pops up.
Good luck, hope you get it going.
 
Is it possible your OEM speaks a foreign language and copied "ton mot de passe est rouge" into Google translate and then emailed you to say "your password is red"?
 
> I'm an SI, so when I put a password in something, it's for a reason. Making passwords easy to bypass kind of defeats the purpose of having them. I wouldn't try to bypass a password, I'd just charge the end user to rewrite the project. Luckily, I don't have to maintain equipment long-term, where this issue usually pops up.
> Good luck, hope you get it going.

I can definitely understand that. All of the projects that I've created have some sections that are password protected, since operators have an uncanny ability to figure out the best way to cause the most damage when 'troubleshooting'.

Unfortunately, I am the end user in this situation o_O. In this case, the password is applied to all sections of the HMI, so any modifications require it. This includes even basic stuff, like the name of the machine or the current date. More specifically, I need to install a new O2 monitor with different scaling, and need to adjust the range via a menu. Again, I don't think this is in the realm of 'bypassing'. If someone took the time to make a menu to modify parameters, then they thought it was important that it was possible to change them.

Can you go to the equipment manufacturer and ask them for the required files / information?

As already stated, there may be a legitimate reason for the password.
For example, punch presses.

regards,
james

We are in touch with the equipment manufacturer. They have suggested the passwords that they have on file, as well as the defaults their engineers use. I have tried all permutations from the set they offered. I assume if they didn't want us to change setpoints and other parameters, they would have made that clear. That said, I'm sure they want to sell us the newest version of their system and our failure is their gain.

> Is it possible your OEM speaks a foreign language and copied "ton mot de passe est rouge" into Google translate and then emailed you to say "your password is red"?

Funny enough, the HMI is in German, the machine is from Singapore, and the block headers are in Swedish. Truly an international endeavor. The passwords the company suggested are in English though - I think ADMIN/ADMIN and ENG/ENG transcend the language barrier.
 
> Didn't mention in my OP, sorry. We need to configure alarm settings for the system. The username and password are entered via the HMI. A Siemens DESIGN TP177A

The default setting in WinCC for OP panels is to block users if there have been more than 3 failed logon attempts.
So my guess is that the user is blocked because of too many failed logon attempts, and to fix it you either have to have some user administration enabled on the OP (and to be able to log in with administrator rights) or just download the project to the panel again.
 
