Secret counter in SLC503

Unless you can lock out the PLC and the counter all you have to do is remove the output wire to the counter and you...unless you have a hardware and software counter that have to match. :confused:
 
I still like the method I posted back at #6. The cost of a 1761-10BXB must be actually less than U$100. All that is needed is a simple point to point RS232 link from Ch0 to Ch0.

The 5/03 simply MSG's across an incremental count for the production value. The Micro program can then limit check it and go on to obscure the actual storage values to its heart's content. OR the IO on the Micro can be used directly to read production events (if a sensor or switch exists for the purpose).

The 5/03 can then read back the stored values via another MSG.

The Micro program can be protected and, best of all, if the power fails the memory in the Micro is non-volatile. This approach is simple, protected against downloads and can be made as fiddle-proof as you like.
 
Micro sounds nice, but the same things apply - unplug the RS232 link and then what happens? If you are just incrementing a counter then it will stop. I suppose you could go the whole hog and also do a read from the Micro, and if it fails for any more than 10 seconds, stop the machine, but still you don't stop anything, as all you need is access to the SLC, and interfere with the message.
Every time you have a physical link, you can cheat it -
In this case, the only way you could prevent cheating is with physical seals, unless you fancy ensuring that the customer doesn't have the as-commissioned software, passwording it, and disallowing future access; even that is a waste of time as too many people know the AB backdoor (don't they?)
 
Lots of nice ideas.

Plain view and an adaptation of Allen's code will do it.

Here my intention is not to prevent a programmer from resetting the counts. My intention is to prevent a dumb a$s programmer from showing off by resetting the counts.

Nuances is everything.

We have always "given" away the code for our system to whoever wanted it. I have installed the software on other technicians' laptops and explained to them most of what they needed to troubleshoot it.

We trust our clients very much. We trust their checking account too.

What I am more concerned about is one stupid programmer setting up a networked HMI and, just to show off, telling his co-workers "Hey guys, look, I can change their warranty counts".

I'm willing to let them mess it up. But I will play a little game with their minds before they can yell success.

I have more things up my sleeve, don't worry. The day the count decreases is the last day this machine operates under warranty.

This code is more of an easter egg than anything else.

Hasn't anybody set up easter eggs in a PLC before?

You should hear the sound my programs make ... only if you do things in a special sequence...

In hotel rooms and planes, I've been trying for a year now to accomplish a special musical code with a PLC. I still have a long way to go. PLCs are fun.

I work hard and I play hard. When I'm away from home, sometimes play is part of my work and work is part of my play.
 
The day the count decreases is the last day this machine operates under warranty.
Posted by Pierre---Bravo, by the way.

Or operates at all, perhaps, without OEM intervention! Similar to the Pay us by a certain date or else option.
 
john paley said:

Posted by Pierre---Bravo, by the way.

Or operates at all, perhaps, without OEM intervention! Similar to the Pay us by a certain date or else option.

It happened once in about 50 units. Got a call from a distressed End-user.

He said the system was working properly BUT making funny sounds.

I asked him to sing me the exact sound. :) And he did!

I told him to let me talk with his programmer (although I knew they did not have in-house programmers) and he told me that by chance they had an outside source actually in their plant at the time...

Tough luck.

That was an OMRON PLC for an unwinder with absolutely no input for speed control (from coil diameter or accumulator) and it was unwinding different thickness of to a precise length (± 0.5 inch on a 72 inches section) all through the length of the roll (3000 feet). There was so much math in there that I could easily hide my egg.

In the AB, it's back to the drawing board :)
 
Precise? That's why Challenger went pop, they machined the rocket housings to loads more tolerance than you can machine engine cylinders, then blamed it on Parker Hannifin. You imply in your post that the customer will allow protection if it takes a programmer more than 4 hours to find and frig the counter - if this guy is serious, he will frig it in 4 minutes. Give me your solution, I would like to try. As for trying to incorporate nuisance code, no, not unless they don't pay, then they DO pay. However, the customer buys the right to use my code, not to decompile it, modify it or copy it in any way. Listen to Bon Jovi by any means, but he won't actively allow you to sell his work or copy it for others, why should I?
Hide your egg by all means, anyone who isn't a muppet will find it, and disarm it.
If this is serious then treat it that way and take the necessary steps - I can decode software written by some of our cousins who didn't know what it was supposed to do when they wrote it - this is nothing more than a game.
What was the AB backdoor password again?
 
I'd think Allen Nelson's idea would work. But instead of using an XIC of whatever bit you use to increment the count, use a MEQ to hide even that somewhat. Also, after you download before shipping the machine, set an integer to some value and then add a rung that will, on the first scan, MOV a certain value to another integer if the value in the first integer is NEQ to the value you put in. Then you at least have an idea that someone possibly downloaded to it since you were online.
 
Why not build it out of bits? Something like:

   I1                   B0
---| |---|OSR|--------(toggle)--

   B0                   B1
---| |---|OSR|--------(toggle)--

   B1                   B2
---| |---|OSR|--------(toggle)--


and so on.

Of course, B0, B1, etc. are randomly selected unused bits in any data table word (except inputs and probably floats). The toggle logic is left to you to do however you please. Also, I wouldn't even gather them together in a single word - just leave them scattered. When you want to see the count, open the Windows calculator, gather up all the various bits and enter the value in raw binary form and then hit the decimal button to convert to something readable. A little harder on you, but you know which bits mean what and the other guy doesn't.
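
As an added example (not part of the original post or of anyone's actual PLC program), here is the scattered-bit scheme above modeled scan by scan in Python; the bit addresses in BIT_MAP and the XOR toggle are assumptions. Under those assumptions the gathered bits run downward from zero, so the decode negates the raw value modulo 2^n instead of reading it directly.

```python
# Added example: scan-by-scan model of the scattered-bit ripple counter.
# BIT_MAP addresses are constructed placeholders, listed LSB first.
BIT_MAP = ["B3:7/4", "N7:22/11", "B3:2/9", "N7:5/0"]


class RippleCounter:
    def __init__(self, bit_map):
        self.bit_map = list(bit_map)
        self.table = {addr: 0 for addr in self.bit_map}  # scattered data-table bits
        self.osr = [0] * len(self.bit_map)               # one OSR storage bit per rung

    def scan(self, i1):
        """One PLC scan: rungs run top to bottom; each toggles on a rising edge."""
        src = 1 if i1 else 0
        for n, addr in enumerate(self.bit_map):
            rising = src == 1 and self.osr[n] == 0
            self.osr[n] = src
            if rising:
                self.table[addr] ^= 1      # assumed toggle: XOR the bit
            src = self.table[addr]         # the next rung watches this bit

    def raw(self):
        """Bits gathered in BIT_MAP order and read as plain binary."""
        return sum(self.table[a] << n for n, a in enumerate(self.bit_map))

    def count(self):
        """Events seen: rising-edge stages ripple downward, so negate mod 2^n."""
        return (-self.raw()) % (1 << len(self.bit_map))


def run_pulses(counter, pulses, scans_high=3):
    """Hold I1 high for several scans, then low, once per production event."""
    for _ in range(pulses):
        for _ in range(scans_high):
            counter.scan(1)
        counter.scan(0)
    return counter.raw(), counter.count()


if __name__ == "__main__":
    print(run_pulses(RippleCounter(BIT_MAP), 5))   # (11, 5)
```

With four bits the count wraps at 16, so a real deployment of this idea needs enough stages for the warranty period.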
 
Product counts and many other counters are used.

Maintenance (Clean, tighten, lube, adjust, etc)
Production (Startup, long stop, operator interventions, etc)
IT (Stock used, origin and destination, etc)
This one will be in a sea of data and WILL be displayed on HMI.

This is what makes this code intellectually challenging, although I doubt very much that anyone will give it a good shot once they discover that it is not so easy to "crack".
 
