Siemens S7 IP Concerns

(n) You lot obviously don't care about repeat business then.

BTW - I'm one of the people who has to decipher your creativity on a daily basis. :mad:
 
Very very old post about pseudoprotection o_O
unHide BLD hidden said:
To see the "hidden" part, you can do this:
1) To make sure that you are using such "protection", it is necessary to open the project in any non-Siemens program (e.g. S7-Doctor or S7 for Windows® Version 6 http://www.ibhsoftec-sps.de/english/Product_S7_V6_3.htm)
or
2) To open and work in STEP 7: in a hex editor, replace in the project file the command code BLD 7 (0x10 0x07) with the command code NOP 0 (0x00 0x00) in the file
<Project folder>\ombstx\offline\00000001\SUBBLK.DBT (instead of "00000001" there may be another folder name)
and on opening in STEP 7 you will see (FC1 of the project "PROTECT"):
 
Due to not having a test bench atm (yay for re-organizations) I can't test it. But how does it react when you don't have the source code? When all you have is the program within the PLC?
When uploading the program, can you still make it visible?
And among all the BLD7/BLD8's how do you know which ones you need? Have you tried it with a regular FC call with parameters?

Since it's digital, it can be cracked. That's a given. All you can do is make it harder for them to crack it.
 
See very old topic - you need lots of coffee and cigarettes :ROFLMAO:
http://www.automation.siemens.com/forum/guests/PostShow.aspx?PostID=19034&language=en&PageIndex=3
2006 said:
Without getting into stuffy STEP7 (dbase) database formats, the easy way to start is using OPC S7 &blockread() / &blockwrite().
Open the block with a binary editor.
The first 0x24 bytes make up the block header (attributes, time stamps, language, block type, number etc).
MC5 STL starts at offset 0x24 and ends with 0x65 00 (Block End BE).
Last part is block param. and block info (author, family, name, version etc).
In this example BLD 7 opcode is 0x10 0x07; BLD 8 is 0x10 0x08.
To unprotect the function modify BLD 7 with NOP 0 (0x00 0x00).
Write back the block with OPC S7 &writeblock() and open with STEP7.
The reduced CALL goes away and you will see the underlying MC5 STL code.
......
PS There are many companies that know how to communicate to S7-PLCs (S7-Protocol) and for example VIPA makes "Like S7-300" PLCs.
How do you think these guys know this information?
To figure out a "Proprietary protocol" like S7 you need a good bus analyzer and some helper software (S7-API) and in 2 months you are up and running.
To figure out the intimate PLC functionality (S7-300 old style not MMC) you need a good C165 Emulator and lots of coffee and cigarettes and you have all approximately 1M (~3k functions) of firmware documented.
If you want to know the guys' names (Credits) of the PLC-300 Team read SZL 0x1FE index 0x4344 and make sure you have enough room for DR (make 1k bytes char DB).
The hardest part is to figure out the legal aspects of your commercial business after you go on the market because you don't expect that Siemens will congratulate you for your work.
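
A defender-side check for the change the quoted post describes, as an added example that is not part of the thread: it compares a trusted copy of a block with one read back later and reports whether the only difference is BLD 7 replaced by NOP 0. The function name, the result fields and the sample bytes are assumptions constructed for illustration; only the 0x24 header length and the two opcodes come from the post.

```python
import hashlib

HEADER_LEN = 0x24      # from the post: the first 0x24 bytes are the block header
BLD7 = b"\x10\x07"     # from the post: BLD 7 opcode
NOP0 = b"\x00\x00"     # from the post: NOP 0 opcode

# Constructed sample block: filler header, BLD 7, placeholder bytes, BE, trailer.
SAMPLE = (bytes(range(HEADER_LEN)) + BLD7 + b"\xAA\xBB\xCC\xDD"
          + b"\x65\x00" + b"constructed-trailer")


def compare_block(baseline: bytes, current: bytes) -> dict:
    """Compare a trusted block image with one read back later (hypothetical helper)."""
    if min(len(baseline), len(current)) < HEADER_LEN:
        raise ValueError("block shorter than the 0x24-byte header")
    base_body, cur_body = baseline[HEADER_LEN:], current[HEADER_LEN:]
    result = {
        # The header holds time stamps, so it is reported separately from the code.
        "header_changed": baseline[:HEADER_LEN] != current[:HEADER_LEN],
        "body_sha256": hashlib.sha256(cur_body).hexdigest(),
        "stripped_offsets": [],   # file offsets where BLD 7 became NOP 0
        "other_offsets": [],      # file offsets of any other differing byte
    }
    if len(base_body) != len(cur_body):
        result["verdict"] = "modified (length changed)"
        return result
    i = 0
    while i < len(base_body):
        if base_body[i] == cur_body[i]:
            i += 1
        elif base_body[i:i + 2] == BLD7 and cur_body[i:i + 2] == NOP0:
            result["stripped_offsets"].append(HEADER_LEN + i)
            i += 2
        else:
            result["other_offsets"].append(HEADER_LEN + i)
            i += 1
    if result["other_offsets"]:
        result["verdict"] = "modified"
    elif result["stripped_offsets"]:
        result["verdict"] = "BLD 7 replaced by NOP 0"
    else:
        result["verdict"] = "identical"
    return result


if __name__ == "__main__":
    tampered = SAMPLE[:HEADER_LEN] + NOP0 + SAMPLE[HEADER_LEN + 2:]
    print(compare_block(SAMPLE, tampered))
```
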


 
