[?]: Unlock know how protection, Tia Portal V11
Hey...
I need your help. I've got this TIA Portal V11 program with know-how protection on almost all FCs!
How do I unlock it? I know the tools for unlocking S7 projects/programs but haven't found any for TIA Portal...
Cheers,
T
- Posts: 1
- Joined: Fri Jul 13, 2012 11:45 am
Re: [?]: Unlock know how protection, Tia Portal V11
Hi,
I have the same question. If anyone could help us, please.
- Posts: 1
- Joined: Wed Nov 06, 2013 5:50 pm
Re: [?]: Unlock know how protection, Tia Portal V11
I have the same problem.
Re: [?]: Unlock know how protection, Tia Portal V11
Aliasmarcos wrote: I have the same problem.
We need help with this question... :_(
- Posts: 94
- Joined: Mon Sep 23, 2013 10:41 pm
Re: [?]: Unlock know how protection, Tia Portal V11
I fear there is no help in the whole world. No one has cracked the TIA Portal protection at this time.
Re: [?]: Unlock know how protection, Tia Portal V11
Only bruteforce, CIA, NSA, KGB, MOSSAD, ...
http://www.slideshare.net/AlexanderTimo ... lideshow=1
https://code.google.com/p/scada-tools/s ... tractor.py
Re: [?]: Unlock know how protection, Tia Portal V11
You can find information about unlocking know-how protection on the darknet.
Re: [?]: Unlock know how protection, Tia Portal V11
I see the S7 project like this:
Code:
FF FF FF FF 03 24 51 11 97 F4 83 5F 01 60 24 65 FF FF FF FF FF FF FF FF 61 9B D0 02 01 30 2F 21
FF FF FF FF FF FF FF FF E5 04 64 3D 00 F0 7B 61 FF FF FF FF FF FF FF FF 5A C0 9A FD 01 D0 2B 6C
(A6 8A) 32 00
01
20 (30)
(A3 81 69 00 15) 04 (4D 61 69 6E)-Main
(A3 93 15 00 05 8B) (A9 B2) C0 C9 FD A8 97 EC
(A3 93 16 00 04) C5 77
(A3 93 11 00 14 00) 84 1E
(98 00 00 02 78 7D 58 14 B0 3B )
A3 93 13 00 04 83 2E
A3 A1 40 40 15 00
A3 BF 03 00 10 16 A5 94 0B 4A CC 60 3C
A3 93 6F 00 05 88 B8 CE 93 8F 8C 89 FF 78
A3 A1 3F 40 15 88 1A 1C 22 4D 61 69 6E 20 50 72 6F 67 72 61 6D 20 53 77 65 65 70 20 28 43 79 63 6C 65 29 22 00
A3 BE 0D 00 14 00 14 9E EF DC 71 2E 4A 90 93 DE
A3 61 4F D0 E6 7B F9 AE 79 C5 F3
A3 C0 09 00 10 00 00 00 00 00 00 00 00
A3 93 59 00 03 00 01
A3 93 5A 00 01 01
A3 93 5B 00 03 00 02
A3 93 5C 00 17 00 00 0D 77 9A 78 00 0B 00 00 9A 79 10
02 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A3 93 5F 00 01 00
A3 93 60 00 01 00
A3 93 61 00 05 8B A9 B2 C0 88 DD BB AF D0
A3 93 64 00 0C 00 00 00 00
A3 98 4F 00 17 00 00 0D A0 9B 21 00 08 00 9B 22 00 15 00 9B 23 00 08 00 00
A3 93 69 00 14 00 82 33 EF BE AD DE 7C 00 00 00 01 00 00 00 02 00 00 00 32 00 00 00 00 04 00 00 00 00 00 00 65 4E 32 CB 76 E4 9B
AC 04 01 00 00 00 00 00 00 56
ED 08 0E 93 AD F8 72 01
01 00 00 00 00 00 00
3C 00 00
Re: [?]: Unlock know how protection, Tia Portal V11
Someone asks me to open a protected FB.
The best idea - don't throw money for developers.
[?]: unPassword Siemens S7-1500
Hello everybody,
Do you know if there is any method to recover the password of a Siemens S7-1500 PLC,
or to reset it without losing the project on it?
Thanks,
regards
- Faq & Info
- Posts: 173
- Joined: Thu Oct 13, 2005 6:42 pm
- Location: Frequently Asked Questions
Re: [?]: Unlock know how protection, Tia Portal V11
Reverse Engineering of S7-1200 via JTAG
https://sec-consult.com/blog/detail/reverse-engineering-architecture-pinout-plc/
Siemens PLC with hardware modification
The added port is a standard ARM JTAG port which can be used with the J-Link Plus debug adapter from SEGGER.
(c) SEC Consult Vulnerability Lab
https://github.com/atimorin/scada-tools/blob/master/s7_password_hashes_extractor.py
Code:
#!/usr/bin/env python
"""
File: s7_password_hashes_extractor.py
Desc: password hashes extractor from Siemens Simatic TIA Portal project file
(Python 2 script: print statements, built-in reduce(), sha1() over str)
"""
__author__ = "Aleksandr Timorin"
__copyright__ = "Copyright 2013, Positive Technologies"
__license__ = "GNU GPL v3"
__version__ = "1.1"
__maintainer__ = "Aleksandr Timorin"
__email__ = "atimorin@gmail.com"
__status__ = "Development"

import sys
import os
import re
import optparse
from binascii import hexlify
from hashlib import sha1

# output file: one hex-encoded SHA-1 per line, in history order
cfg_result_hashes = 's7_password_hashes_extractor.hashes'

if __name__ == '__main__':
    parser = optparse.OptionParser()
    parser.add_option('-p', dest="project_file", help="PEData.plf filepath")
    options, args = parser.parse_args()
    if not options.project_file:
        parser.print_help()
        sys.exit()

    data = open(options.project_file, 'rb').read()
    print "read PEData file %s, size 0x%X bytes" % (options.project_file, os.path.getsize(options.project_file))
    # sample passwords hashed as plain, unsalted SHA-1 for comparison with extracted values
    print "sample of used passwords and hashes:"
    for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']:
        print "\t%s : %s" % (p, sha1(p).hexdigest())

    # search the hex-encoded file: the leading constant is the ASCII string "EncryptedPasswor",
    # the trailing 40 hex digits are the 20-byte SHA-1 of the protection password
    re_pattern = re.compile('456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}')
    possible_hashes = [s[-40:] for s in re_pattern.findall(hexlify(data))]
    # drop duplicates while keeping order of appearance (password history order)
    possible_hashes = reduce(lambda x, y: x if y in x else x + [y], possible_hashes, [])
    open(cfg_result_hashes, 'w').write('\n'.join(possible_hashes))
    total_hashes = len(possible_hashes)
    print "found %d sha1 hashes, ordered by history list:" % (total_hashes)
    for h in possible_hashes:
        pos = possible_hashes.index(h) + 1
        if pos == total_hashes:
            print '\thash %d: %s\t(current)' % (pos, h)
        else:
            print '\thash %d: %s' % (pos, h)
Re: [?]: Unlock know how protection, Tia Portal V11
So far as I know, Siemens claims that no one can hack the password in TIA Portal.
- Posts: 94
- Joined: Mon Sep 23, 2013 10:41 pm
Re: [?]: Unlock know how protection, Tia Portal V11
It's purblind to declare such things. First of all, there is no need to crack anything.
If I can extract the hash, the password can be found by brute force.
Second - based on my Simotion experience, I can tell you with confidence that the only reason why we cannot unlock TIA at this time is the shortage of capable analysts and of money which was paid to solve the problem.
I believe that the "problem" in reality does not exist.
Although, to prevent the next fixing, closing and security updates, the solution, if it exists, will be kept confidential.
Re: [?]: Unlock know how protection, Tia Portal V11
JEB Decompiler for S7 PLC
The S7 PLC Decompiler extension for JEB allows reverse engineers
and security auditors to analyze Siemens Simatic S7 code.
-----------------
link deleted by sania
- Posts: 94
- Joined: Mon Sep 23, 2013 10:41 pm
Re: [?]: Unlock know how protection, Tia Portal V11
Sir, I suggest you are from this firm and try to distribute these products here.
Please, stop.
First of all - we discuss here how to recover lost encrypted source codes in TIA Portal V11 (and following).
NOT STEP7 CLASSIC, STEP7 INSIDE TIA PORTAL.
It's a different type of software, not compatible with each other. Understood?
Second - and more important. I don't need any software for recompiling ANYTHING from the PLC into C code.
Because NOTHING inside the PLC was originally programmed in C.
The language which is normally used inside PLCs is SCL.
So, if you don't have the source of a STEP7 Classic FB anymore (not encrypted, but lost source), you can easily recompile the remaining STL code from the FB into the original SCL source by using either some accessories (for example, like in the neighbouring thread) or by doing it manually.
I DON'T NEED TO RECOMPILE IT TO C with that tool. Understood?
Re: [?]: Unlock know how protection, Tia Portal V11
Each version of TIA Portal has its own private key,
and I have to waste a huge amount of machine time to create a new rainbow table.
But,
from the SD card I can upload the whole project
and decode its structure
and from the MC7+ bytecode get the IL program.
For example:
an empty network looks like
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49
- Posts: 94
- Joined: Mon Sep 23, 2013 10:41 pm
Re: [?]: Unlock know how protection, Tia Portal V11
You mean - you have a rainbow table for different TIA versions and you are able to recover the password by extracting the hash and using this table?
Very interesting.
So, what do I need realistically to open, for example, a decrypted library? I need the project and a hardware CPU to upload the project, and then I can recover it from the SD card?
Sam N wrote:
But,
from the SD card I can upload the whole project
and decode its structure
and from the MC7+ bytecode get the IL program.
For example:
an empty network looks like
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49
Will the recovered sources be complete, i.e. with comments and original tag names, or not?
Can you maybe open for example this library?
https://support.industry.siemens.com/cs ... 0&lc=de-WW
Thanks in advance
- Posts: 12
- Joined: Fri Feb 14, 2020 1:56 am
Re: [?]: Unlock know how protection, Tia Portal V11
Can somebody help to program a brute-force tool to guess the password of KHP?
Re: [?]: Unlock know how protection, Tia Portal V11
Hello! I have a PLC with a password and a TIA V13 PLC project with a password. I can change the password in the project, but I can't see it. Can you help me to see the password?
Sam N wrote: ↑Tue Mar 22, 2022 10:27 am
Each version of TIA Portal has its own private key,
and I have to waste a huge amount of machine time to create a new rainbow table.
But,
from the SD card I can upload the whole project
and decode its structure
and from the MC7+ bytecode get the IL program.
For example:
an empty network looks like
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49
- Posts: 2
- Joined: Tue Nov 07, 2023 10:32 am
Re: [?]: Unlock know how protection, Tia Portal V11
Hi !
I would like to open a block with know-how protection in TIA V16 or later.
Does anyone have a solution, please?
Thank you