plcforum.uz.ua

International PLC Forum
Posted: Tue Mar 08, 2011 9:47 am

Joined: Sun May 23, 2010 3:44 pm
Posts: 9
The Q-Series PLC password is a little more difficult to find than on the previous serial-interfaced units, as now you have to trace the USB data packets.
The password is read back to the PC and you can find it.
What happens is the numbers are encapsulated by a 9 before it.
Where to find these nines is easy.
Look for a whole lot of fffffff's after, and then look just before and you will find the answer.
90 91 93 95 04 07 00 06 ff ff ff ff ff ff ff ff.
Here you can see the answer is 0135 for the password.
Use any USB data sniffer and search through the up data streams.
It took us a while to figure this out, so hopefully your life is made that much easier.
Lada cuzzies. Keep it clean or take pictures.


Posted: Sat Apr 02, 2011 12:07 am

Joined: Fri Jun 26, 2009 2:29 am
Posts: 54
Location: Turkey
There is something I do not understand. With the old Mitsubishi ACPU series PLCs, cracking with COM-LITE32 gives the passwords as hexadecimal numbers.
But on these QCPU series PLCs, A-a, Z-z, 0 to 9 can be assigned, as small or large letters. But USB sniffing programs, as in the example you have posted, only allow for passwords that are hexadecimal. With characters other than letters and numbers in the password, this program cannot break the given QCPU...

Have you broken a QCPU password with this method?


Posted: Tue Apr 12, 2011 12:25 pm

Joined: Fri Jun 26, 2009 2:29 am
Posts: 54
Location: Turkey
If you would like to help in this regard!!! Thank you.... (oo)


Posted: Sun Jun 19, 2011 9:10 pm

Joined: Sun Jun 19, 2011 8:05 pm
Posts: 3
Thanks.
Does anybody have interest?


Posted: Sun Jun 19, 2011 11:49 pm

Joined: Sat Dec 10, 2005 11:21 pm
Posts: 34
Location: Europe
Yes, of course.


Posted: Wed Oct 10, 2012 8:48 am

Joined: Wed Aug 05, 2009 8:26 am
Posts: 24
Location: Pakistan
We are using a Q series CPU. I want to upload the project but it is password protected. Can anybody help me?


Posted: Wed Oct 10, 2012 10:41 pm

Joined: Sat Dec 10, 2005 11:21 pm
Posts: 34
Location: Europe
I did not understand. Is your PLC protected, or is the software protected?
GX IEC Developer or GX Developer?
Library or Function Blocks?

For GX IEC Developer (Library and Function Blocks) I can help you, but not with the PLC.

Henk


Posted: Fri Oct 12, 2012 12:57 am

Joined: Sat Dec 10, 2005 11:21 pm
Posts: 34
Location: Europe
Of course,

I will translate my document into english and post it here next week.

Henk


Posted: Sun Oct 14, 2012 4:36 pm

Joined: Fri Jun 26, 2009 2:29 am
Posts: 54
Location: Turkey
Not USB cracking. Use the serial port. A port analyzer is good.


Posted: Sun Oct 14, 2012 5:22 pm

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
Not all models have RS232.


Posted: Tue Nov 13, 2012 6:24 pm

Joined: Tue Nov 13, 2012 6:12 pm
Posts: 6
What about password breaking for Q-series Mitsubishi PLCs?
I have password-protected projects for a Q-series Mitsubishi PLC. I need to change something in those projects, but I can't. All Function Blocks are blocked and invisible for me, but POU - read only.
Maybe somebody knows how to break the password or bypass it?
For POU security level - 3
For FB - 7


Posted: Tue Nov 13, 2012 7:02 pm

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
http://forums.mrplc.com/index.php?showforum=15 ask here as well. And did they not help you on the specialized forum? http://www.melsec.ru/forum/index.php?showtopic=4744


Posted: Tue Nov 20, 2012 5:57 pm

Joined: Tue Nov 13, 2012 6:12 pm
Posts: 6
Unfortunately, I could not find anything out on the specialized forum. For now I am trying to dig into it myself. I tried comparing identical projects (one with a password, the other without) using TextPad. So far I have not managed to work out where exactly the password is written. But the projects did start to differ after a password was set in one of them.


Posted: Tue Nov 20, 2012 6:36 pm

Joined: Tue Aug 21, 2007 10:05 am
Posts: 797
If a multi-level password is set (different levels on the FB and on the project itself), then it will not be possible to open the project. However, if you get any results, do share them; we will learn from you.


Posted: Wed Apr 25, 2018 4:56 pm

Joined: Fri Feb 26, 2016 9:18 pm
Posts: 1
Thanks to the author for the post.
I repeated the described procedure and unlocked 1 block on the controller.
The sequence of actions is as follows:
1. Open the window for reading program blocks from the CPU and select the required password-protected block.
2. Start the sniffer.
3. Press "Execute" (perform the read) and see the window asking for the password.
4. In the sniffer log, look for many ff ff ff ff ff ff ff ff. The 4 bytes before them are of no interest to us; the next 4 bytes are the password. For example: if our password is 1234, then we look for 91 92 93 94 04 07 00 00 ff ff ff ff ff ff ff ff ff.
5. Enter the password, read the block, remove the password.


Sniffer screenshot at the link
_https://yadi.sk/i/HR_GMf7L3UmP3F

