Siemens: Can I access a locked PLC with an unlocked program?

strantor

EDIT: Reworded after post #3. Original wording posted as a reply (#4) for reference


I have a Siemens IPC427D running WinLC RTX F, and every single FB and DB in it is password protected by the OEM. The OEM provided me an offline copy of the program with most of the FBs unlocked and I tried going online with it to view the online state but I'm still prompted for a password. Am I doing something wrong? Should I be able to view a locked FB online if I have the unlocked version of the FB in my laptop? Is there some action I need to take in order to be able for this to work?
 
You provided no info on the type of PLC, even if you did, this is really a legal question which none of us can really answer for you.
 
It's not a legal question. It's a technical question. Should I be able to view a locked FB online if I have the unlocked version of the FB in my laptop? It's an IPC327D with WinLC RTX running.

I guess I should have just left it at that and not volunteered all the other info, but I've seen how these threads go from all the googling I've done, and it seems anyone asking questions like this is automatically assumed to be trying to "crack" a program. I'm not. And I wanted it to be clear that I'm not. But apparently I made it anything but clear.
 
As OP originally worded:

I have been neck-deep in a "battle" with a foreign OEM trying to get access to the PLCs in all our equipment which they have locked down so that they are the only ones who can diagnose it. What do I mean by "locked down"? Every single FB and DB in the PLC(s) is password protected. I cannot upload, download, or view them in any way that I'm aware of. I was not even able to view the HW config IIRC.

At first I asked politely for the passwords and they flat-out said "no way" they would give them to me. So I escalated the issue on their end and then my end, and now it's with the owner of the company who is in negotiations with this OEM to purchase a few $$m worth of more machinery from them and he basically made the deal contingent upon the release of the passwords for new machinery and existing machinery. So now they are in starts and fits of being begrudgingly "cooperative," or some approximation thereof. Giving only one breadcrumb at a time, I think to stall the issue, kick the can along, and hopefully make the sale before full cooperation has been reached.

In today's episode they have sent me a bunch of PLC programs (not all of them, not even close), which I am able to open without a password, and actually see some of the logic. Keyword some. It would seem they have unlocked a handful of inconsequential DBs for me to pacify myself with while the meat of the program remains locked. So one of the coming battles will be getting those others unlocked as well, but before we get there I want to know, does this even help me?

I tried going online with one of the programs they provided and view one of the B.S. FBs they unlocked in online mode, and I'm still prompted for a password which they still refuse to hand over. Am I doing something wrong? Should I be able to view a locked FB online if I have the unlocked version of the FB in my laptop? Is there some action I need to take in order to be able for this to work? I feel like I'm being bamboozled (again) and I am preparing to launch another volley of emails as if that were fact, but I want to make sure I'm not being an idiot first.
 
1) The PLC might have a password, in addition to the code. PLC password prevents access to the PLC. Different PLCs have different numbers of password levels, but at the least could prevent reading (going online) or writing (downloading to PLC).


2) I've never tried it, but I would expect to have to download the unlocked block before you could view it online. I think with/without password would cause the online/offline to not match, and therefore you couldn't monitor.



In the older software versions, there is literally a flag set in the code that makes it so the software won't connect. In the newer software, it can be encrypted, which I'm sure provides additional hurdles.
 
With the later versions of IDEs & PLCs there seem to be more security options.
Some manufacturers have many different ways of password protection. Originally source code was very often not supplied by the OEM, however now there are ways to lock the source code, i.e. protect blocks so they cannot be viewed, or protected so that they cannot be edited. This allowed OEMs to supply source code either for monitoring (fault finding) or allow download in situations if the PLC lost the program. Also password protection on the PLC can be in various forms, i.e. totally locked (no download or monitor), or locked so that on-line monitoring is allowed but program changes or download is protected.
Password protection on PLCs to be honest is a thorn in the side of many engineers who are expected to maintain plant at their premises.
I have worked as an OEM & for a production facility so know both sides of the story.
I can sort of understand OEMs locking code (sort of), however even though I spent over 20 years doing OEM work I never locked the code or PLC unless it was requested by the user and then supplied documented code & passwords.
The excuse of "Your engineers don't know what they are doing" is a poor excuse as far as I'm concerned; if they $%^&£ it up then that's their fault, then they will call you in to sort it. The other excuse of "we spent lots of time developing this code & we don't want anyone else to pinch it" also does not wash with me. I have been called to many situations where either the supplier has gone to the wall etc. and in most cases it is just as quick to re-write the code as to try & decode what the programmer has done.
In my time working for a production facility I managed to negotiate with virtually all suppliers copies of the source code & PLC passwords, locked or unlocked. In some cases it took a bit of persuasion; others were very willing. I even signed agreements not to pass on source code to others.
If we could not get a response from a supplier we would go elsewhere and in some cases just replaced the PLC & re-wrote it.
"My rant for the day"
 
Thank you. Your point #2 is a bit unsettling and I will bring this up to the OEM. I should not have to take a leap of faith and overwrite an FB in a machine in service just to monitor when I can't even do an online/offline compare first.
 
I'm sure we could ping-pong related rants back and forth for days; there's no shortage of material. I was a freelance programmer before this and I also never source protected unless specifically requested to do so. I find this PLC code protectionism to be most rife with European OEMs. They treat ladder logic like it's the source code to Adobe Acrobat. Well the difference is, I can't copy & paste an entire bottling line from Houston to Charleston, and I don't need to view the source code of Acrobat when it fails to print via USB. When an OEM won't give me the sole key that I need to service my own machinery, even under signed contract and threat of legal action in the event I share it, that can mean only one thing to me: they intend to maintain a monopoly on the service of these machines in perpetuity. They want one of their guys flying in from Germany every time one goes down. And I as-politely-as-possible called them out on this on Friday and they in no uncertain terms confirmed it: "Well this (customers having passwords) is not something that we allow. We have to make money somehow. If we let everyone service their own machines then we would have to charge much much more for them. Providing support is a value added service and we can't survive just on machine sales."
 
