plcforum.uz.ua

International PLC Forum
It is currently Mon May 29, 2017 8:13 pm

All times are UTC + 3 hours




PostPosted: Tue Apr 11, 2006 11:04 am 

Joined: Tue Apr 11, 2006 7:40 am
Posts: 43
Location: Russia
Unlock password for S7 200 and S7 300 MMC
Add: convert *.wld from MMC-image file
You can create an image file from the MMC with S7imgRD.exe or WINHEX
[dead] Simatic_S7-200_S7-300_MMC_Password_Unlock_2006_09_11.rar

in Russian wrote:
The program for computing the password from an image works for both the S7-200 and the S7-300. The process of obtaining an image from the 200 was described earlier. For the 300 you need an image of the MMC card (made with S7imgRD.exe, WINHEX, etc.)
An option has been added to the S7Unlock program to convert an MMC file (*.wld) from an MMC card image obtained by any available means:



You can use ONLY an EXTERNAL CardReader. An internal notebook CardReader does not work properly with Simatic MMC and shows the message "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
smsasg in Russian wrote:
The physical device for reading the MMC image must be an external CardReader only. One built into a notebook gives the read error "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
Reading and writing are possible only with an external CardReader... the MMC DiskDevice built into a laptop gives this error.
In short, the reader must be a physical device, not a logical one. This is very clearly visible when using WinHex as the read/write program.


 Post subject:
PostPosted: Wed Apr 19, 2006 10:54 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 2965
Location: Russia
http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got a program for unprotecting the S7 pwd, here is the algorithm for how the pwd is protected. http://rapidshare.de/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591

jcarlos :

Hi everybody,

the S7ImgRd and S7ImgWr are updated. You can now try to bring back an accidentally formatted MMC with other images.

Also the Password thing, earlier posted here, is built in, but please don't violate copyright.

http://personal.telefonica.terra.es/web/suwe/
Nuevo / new / neu V1.0 March 2006
S7ImgRd does try to retrieve the Password if set! Please test and report!

http://www.telefonica.net/web/suwe/s7imgrd1.zip
http://www.telefonica.net/web/suwe/s7imgwr1.zip


 Post subject: algorithm
PostPosted: Sun Apr 30, 2006 6:07 am 
smsasg wrote:
Well, if the details are that interesting, the encoding principle is much simpler: http://rapidshare.com/files/361610612/Pass_for_S7.pdf
Size: 73 KB
Quote:
Address location in the password can be arbitrary, e.g.:
Address 1E75 - protection level (01-03)
Address 1E76-1E7D - encrypted password
(1E76) = 1st char
(1E77) = 2nd char
(1E76) XOR (1E78) = char 3
(1E77) XOR (1E79) = char 4
(1E78) XOR (1E7A) = char 5
(1E79) XOR (1E7B) = char 6
(1E7A) XOR (1E7C) = char 7
(1E7B) XOR (1E7D) = char 8
Example: contents of addresses
1E75-1E7D: 03 FC EF 04 07 EF F9 0C 6F
Converted code:
FC EF F8 E8 EB FE E3 96
Password (as characters):
V E R B A T I <

Table char<>code ...



:shock:
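Wow, what a tangle they made of it; it's all much simpler!
LenFW - length in WORDs
Buff - buffer in memory with the S7-Password. It holds the encrypted S7-Password

/* Go from the last word down, so each word is XORed with the still-encoded word before it. */
for (int i = LenFW - 1; i > 0; i--)
{
    *(Buff + i) ^= *(Buff + i - 1) ^ 0xAAAA;
}
*Buff ^= 0xAAAA; /* the first word is XORed with the constant only */

That's all! Voila!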
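
The byte-wise rule in the quoted PDF and the word loop above describe the same transform. The sketch below, an added example that is not part of the original posts, checks that on the example bytes quoted in this post and shows that the stored field is inverted with a fixed public constant and no key. The function names are hypothetical, and treating the PDF's char<>code table as XOR with 0xAA is an assumption that holds for the eight example bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN 8 /* field length in bytes, per the quoted layout (1E76-1E7D) */

/* Example field quoted in the post (bytes at 1E76-1E7D). */
static const uint8_t SAMPLE[PW_LEN] = {0xFC, 0xEF, 0x04, 0x07, 0xEF, 0xF9, 0x0C, 0x6F};

/* Byte-wise rule from the quoted PDF; the final 0xAA mask is an assumption
 * standing in for its char<>code table. */
static void decode_bytes(const uint8_t *in, char *out)
{
    for (int i = 0; i < PW_LEN; i++)
        out[i] = (char)(in[i] ^ (i >= 2 ? in[i - 2] : 0) ^ 0xAA);
    out[PW_LEN] = '\0';
}

/* The word loop from the post. XOR acts per byte, so host endianness does not matter. */
static void decode_words(const uint8_t *in, char *out)
{
    uint16_t buf[PW_LEN / 2];
    memcpy(buf, in, PW_LEN);
    for (int i = PW_LEN / 2 - 1; i > 0; i--)
        buf[i] ^= buf[i - 1] ^ 0xAAAA;
    buf[0] ^= 0xAAAA;
    memcpy(out, buf, PW_LEN);
    out[PW_LEN] = '\0';
}

/* Forward direction: rebuilds the stored bytes from the text, again with no key. */
static void encode_bytes(const char *pw, uint8_t *out)
{
    for (int i = 0; i < PW_LEN; i++)
        out[i] = (uint8_t)((uint8_t)pw[i] ^ 0xAA ^ (i >= 2 ? out[i - 2] : 0));
}

/* Returns 1 when both descriptions agree on the quoted example and it round-trips. */
static int check_page_example(void)
{
    char a[PW_LEN + 1], b[PW_LEN + 1];
    uint8_t back[PW_LEN];
    decode_bytes(SAMPLE, a);
    decode_words(SAMPLE, b);
    encode_bytes(a, back);
    return strcmp(a, "VERBATI<") == 0 && strcmp(a, b) == 0 &&
           memcmp(back, SAMPLE, PW_LEN) == 0;
}

int main(void)
{
    printf("page example consistent: %s\n", check_page_example() ? "yes" : "no");
    return 0;
}
```

Because the transform has no secret input, read access to the card image or project file is equivalent to knowing the password, so the protection level only holds while the media itself is physically controlled.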


 Post subject:
PostPosted: Wed Sep 13, 2006 8:38 am 

Joined: Wed Sep 13, 2006 8:30 am
Posts: 3
Location: Russia
With an internal CardReader, s7imgrd.exe shows an error
Quote:
IOCTL_DISK_GET_DRIVE_GEOMETRY failed

With an external CardReader all is OK.
Russian wrote:
I tried to read the image with s7imgrd.exe
It gave the error IOCTL_DISK_GET_DRIVE_GEOMETRY failed
Is the utility acting up, or is there a problem with the MMC (the controller runs from it)?

Strange, why should it matter whether the card reader is external or internal? Although yes, a built-in reader was used.

And indeed, everything worked perfectly with an external card reader. Thanks for the help.


 Post subject:
PostPosted: Sat Jun 07, 2008 10:42 am 

Joined: Thu Jun 14, 2007 8:21 pm
Posts: 77
Location: Asia
CoMod wrote:
http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got a program for unprotecting the S7 pwd, here is the algorithm for how the pwd is protected. http://rapidshare.de/files/18271865/crypt_MMC.zip.html


Can anyone reupload the RS.de link?


 Post subject:
PostPosted: Sat Jun 07, 2008 11:34 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 2965
Location: Russia
See the algorithm in the message from Keygen
viewtopic.php?p=3229#3229
Keygen wrote:
It's all much easier!
LenFW - length in WORDs
Buff - buffer in memory with the S7-Password. It holds the encrypted S7-Password

for (int i = LenFW - 1; i > 0; i--)
{
    *(Buff + i) ^= *(Buff + i - 1) ^ 0xAAAA;
}
*Buff ^= 0xAAAA;

Voila!


 Post subject:
PostPosted: Thu Aug 20, 2009 10:35 pm 

Joined: Tue Apr 11, 2006 7:40 am
Posts: 43
Location: Russia
Updated version S7_Unlock
Add: you can decode password of S7-200 project file *.mwp

http://narod.ru/disk/12236322000/Unlock_and_converter_MMC_Image_S7.rar.html
or
http://rapidshare.com/files/269738783/Unlock_and_converter_MMC_Image_S7.rar
Size: 181 KB


 Post subject: Re:
PostPosted: Wed Mar 10, 2010 9:00 pm 

Joined: Fri Apr 24, 2009 8:35 pm
Posts: 6
Location: Ukraine
CoMod wrote:
http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got a program for unprotecting the S7 pwd, here is the algorithm for how the pwd is protected. http://rapidshare.de/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591


Has anyone seen this file? Does anyone have a copy? There was a lot of juicy information on how the Siemens file system is set up, passwords and how to investigate. CoMod, in his usual super hero way, saved my ass again with how to get the password for a 400 MC card. But I have another project I am working on that is programming in nature and I really need to get around inside the cards.

To put it bluntly, I am trying to improve my programming/hacking skills. If anyone has any pointers, anything. I got myself a copy of WinHex and I have had a blast replicating everything, but there must be a way to mount a Siemens MC/MMC card image and look inside at the individual files.

Appreciate any help.

H


PostPosted: Thu Oct 28, 2010 7:28 pm 

Joined: Thu Oct 28, 2010 7:25 pm
Posts: 2
Please, we have a serious problem with an S7 200 but we cannot guess the password of the PLC.
The key S7 program does not work with the PPI cable / USB.

I would appreciate the help.


PostPosted: Wed Aug 10, 2011 10:54 am 

Joined: Tue Apr 11, 2006 7:40 am
Posts: 43
Location: Russia
Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Unlock_and_converter_MMC_Image.html


PostPosted: Tue Sep 20, 2011 12:36 pm 

Joined: Tue Sep 28, 2010 10:39 am
Posts: 9
smsasg wrote:
Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Unlock_and_converter_MMC_Image.html
Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?


PostPosted: Tue Sep 20, 2011 12:57 pm 
Site Admin

Joined: Wed Sep 06, 2006 3:03 pm
Posts: 1083
Location: CIS
AndreyUA wrote:
Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?

Download is possible - I tried and there was no problem. Anyway, a mirror is here: http://ifile.it/d5y6kfg


PostPosted: Thu Aug 09, 2012 4:29 am 

Joined: Wed May 23, 2012 3:24 am
Posts: 1
Hi, I have a machine with a PLC S7 200 CPU 226 and need to do a backup, but it is protected with a password. Is there any way to unlock this password for the machine, because the manufacturer is closed?

Thank you


PostPosted: Sun Jan 27, 2013 4:50 pm 

Joined: Wed Jul 25, 2012 7:30 pm
Posts: 3
Did anybody use the S7 200CN and work with it?


PostPosted: Fri Apr 19, 2013 6:54 pm 

Joined: Tue Apr 11, 2006 7:40 am
Posts: 43
Location: Russia
Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unlock_and_converter_MMC_Image.html


PostPosted: Mon Jun 30, 2014 11:40 pm 

Joined: Fri Jun 22, 2012 6:22 pm
Posts: 6
Hello,
Is it possible for someone to unlock the attached S7 200 routines for me?

https://www.dropbox.com/s/fepvy3xt32fbqf8/Project1.mwp

thanks in advance,


PostPosted: Tue Jul 01, 2014 8:51 am 

Joined: Tue Apr 11, 2006 7:40 am
Posts: 43
Location: Russia
https://www.dropbox.com/s/xfn51mbe9wg7ca1/Project1_without_pass.mwp


PostPosted: Wed Sep 07, 2016 6:08 am 

Joined: Sat May 21, 2011 6:28 am
Posts: 78
smsasg wrote:
Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unlock_and_converter_MMC_Image.html

It is not available now, could you please reupload? Please....

I searched the Internet and found one combined with malware, so please, could some good guy here upload a good one to mega or somewhere else.
Great thanks!


PostPosted: Wed Sep 14, 2016 7:06 am 

Joined: Tue Apr 11, 2006 7:40 am
Posts: 43
Location: Russia
https://mega.nz/#!LBJCkRAA!bofmUBFm8SDAPwva-QEJQwUHsvyGY2yKfBgQk2LKOUQ


PostPosted: Wed Sep 14, 2016 8:58 am 
Site Admin

Joined: Thu Feb 16, 2006 6:25 pm
Posts: 2965
Location: Russia
smsasg wrote:

Kaspersky deletes this version
https://www.virustotal.com/ru/file/6dbb84b61f18d7a8a6427cb6a505568a173b87c53f3b6bbdfc3f30471bd7c5e7/analysis/1473833447/
Kaspersky deletes this version... can you change the packer, or distribute it in an archive with the password 1? And so that the archive contains a non-password-protected file with the text of the password,
or so that its name is ***_password_1.zip?


PostPosted: Sat Sep 17, 2016 4:10 pm 

Joined: Sat May 21, 2011 6:28 am
Posts: 78
smsasg wrote:


I believe in you and believe it is clear and virus-free.

