IA-Prof-Forum IA Professionals Forum Password protected Siemens S7-200

  • #1794
    Bouke Boumeester
    Participant

      Dear,

      I want to upload a program from a S7-200 (CPU222 DC/DC/DC), but the program is password protected.
      I also don't have the project anywhere, so using the password protected file is not an option (unless it can be uploaded from the PLC without the password?).

      Some general information: I use STEP-7 Micro/WIN for the connection.

      Does anyone know a way to obtain the program?

      I look forward to hearing from you soon!

      #1805
      jelferink
      Participant

        I’m not sure if there is a standard way of uploading the program without the password. I don’t know of one and I couldn’t really find anything about it either.
        What I did find after a quick Google search are some hacky ways of obtaining the program.
        1:
        The S7-200 contains a security vulnerability (https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-11-186-01 & https://www.wired.com/2011/08/siemens-hardcoded-password/).
        In short, if you have another S7-200 you could try to sniff the authentication packet with, for example, Wireshark. Once you have sniffed the packet, you should be able to replay it to the PLC inside the machine. This way you can send a command to disable the password protection, which should allow you to upload the program to your computer.
        I’m not 100% sure if it will work; maybe the PLC inside the machine has received a patch to protect it against this vulnerability.

        2:
        Another option would be to desolder the memory IC, I guess. After you have desoldered it, you could try reading it out with a microcontroller of some sort, perhaps. When you have dumped its memory contents, there is supposed to be a way of finding the password in there, which then allows you to read the rest of the memory.

        For both of these options I’d recommend you try it with another PLC first, because you might mess up (or even kill) the PLC in the process.

        #1875
        Bouke Boumeester
        Participant

          Update: A few months later and still no password… The short story: after thorough investigation, there is no easy and/or low-risk way to obtain the program.

          A more detailed story:
          All the “password recovery” solutions I found were resetting the memory instead, and Siemens support couldn’t do anything about it due to potential “legal claims”.
          I found one potential way to obtain the password (something with reading data directly from two pins of a chip); however, it was estimated to be too risky without a guarantee of success.
          I ended up completely reverse engineering the machine by studying its functionality, reading the wiring diagrams & following the wires in the field, and theoretical studies about the process.

          It was a fun experience 🙂

          Thanks for thinking along and till next time!
