
[Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Tue Apr 11, 2006 8:04 am
by smsasg
Unlock password for S7 200 and S7 300 MMC
Add: convert *.wld from MMC-image file
You can create an image file from the MMC with S7imgRD.exe or WINHEX
[dead] Simatic_S7-200_S7-300_MMC_Password_Unlock_2006_09_11.rar
in Russian wrote:The program that computes the password from an image is universal, for both the S7-200 and the S7-300. The process of obtaining an image from the 200 was described earlier. For the 300 you need an image of the MMC card (using S7imgRD.exe, WINHEX, etc.)
An option has been added to the S7Unlock program to convert an MMC file (*.wld) from an MMC card image obtained by any available means:

You can use ONLY an EXTERNAL CardReader. An internal notebook CardReader does not work properly with Simatic MMC and shows the message "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
smsasg in Russian wrote:The physical device for reading the MMC image must be an external CardReader only. One built into a notebook gives the read error "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
Reading and writing are possible only with an external CardReader... the MMC DiskDevices built into a laptop give this error.
In general, the reader must be a physical device, not a logical one. This is very clearly visible when using WinHex as the read/write program.
https://disk.yandex.ru/d/qA3JuMSnuSSXNA/PPP
https://mega.nz/#!LBJCkRAA!bofmUBFm8SDA ... BgQk2LKOUQ

https://mega.nz/#!LBJCkRAA!bofmUBFm8SDAPwva-QEJQwUHsvyGY2yKfBgQk2LKOUQ
https://www.virustotal.com/gui/file/6db ... /detection
use in VirtualBox

Posted: Wed Apr 19, 2006 7:54 am
by CoMod
http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got program for unprotecting S7 pwd, here is algorithm how is the pwd protected. Link_is_Dead :(/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591

jcarlos :

Hi everybody,

the S7ImgRd and S7ImgWr are updated. You can now try to bring back accidentally formatted MMC with other images.

Also the Password thing, earlier posted here, is built in, but please don't violate copyright.

http://personal.telefonica.terra.es/web/suwe/
Nuevo / new / neu V1.0 March 2006
S7ImgRd does try to retrieve Password if set ! please test and report !

http://www.telefonica.net/web/suwe/s7imgrd1.zip
http://www.telefonica.net/web/suwe/s7imgwr1.zip

algorithm

Posted: Sun Apr 30, 2006 3:07 am
by Keygen
smsasg wrote:Well, if the details are that interesting, the encoding principle is much simpler: Link_is_Dead :(/Pass_for_S7.pdf
Size: 73 KB
Address location in the password can be arbitrary, e.g.:
Address 1E75 - protection level (01-03)
Address 1E76-1E7D - crypted password
(1E76) = 1st char
(1E77) = 2nd char
(1E76) XOR (1E78) = char 3
(1E77) XOR (1E79) = char 4
(1E78) XOR (1E7A) = char 5
(1E79) XOR (1E7B) = char 6
(1E7A) XOR (1E7C) = char 7
(1E7B) XOR (1E7D) = char 8
Example: contents of addresses
1E75-1E7D: 03 FC EF 04 07 EF F9 0C 6F
Converted code:
FC EF F8 E8 EB FE E3 96
Password (as characters):
V E R B A T I <

Table char<>code ...
:shock:
Wow, what a tangle you've made of it, it's all much simpler!
LenFW - Length Word / length in WORDs
Buff - buffer with S7-Password / a buffer in memory that holds the encrypted S7-Password

/* Buff is treated as an array of 16-bit words, LenFW is its length in words */
for(int i = LenFW - 1; i>0; i--)
{
    *(Buff+i) ^= *(Buff+i-1)^0xAAAA;
}
*Buff ^= 0xAAAA;

Voila!
That's all! Voila!
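
The byte table quoted from smsasg and the word loop in this post describe the same transform; the following added example (not code from either poster) checks that against the sample bytes given in the post. It shows that the stored field is a fixed-constant XOR chain with no secret, so read access to the card is equivalent to knowing the password. The function names are assumptions, and `s7_mask` is the inverse inferred from the loop, not something stated on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define S7_XOR 0xAAu /* one byte of the 0xAAAA constant in the posted loop */

/* Byte-wise form of the posted word loop: walking backwards, each stored
 * byte is XORed with the stored byte two positions earlier and with 0xAA;
 * the first two bytes are XORed with 0xAA only. */
void s7_unmask(uint8_t *buf, size_t len)
{
    for (size_t i = len; i-- > 2; )
        buf[i] ^= (uint8_t)(buf[i - 2] ^ S7_XOR);
    for (size_t i = 0; i < len && i < 2; i++)
        buf[i] ^= S7_XOR;
}

/* Inverse direction, inferred from the loop above (assumption, not from
 * the page): walking forwards so buf[i - 2] is already in stored form. */
void s7_mask(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len && i < 2; i++)
        buf[i] ^= S7_XOR;
    for (size_t i = 2; i < len; i++)
        buf[i] ^= (uint8_t)(buf[i - 2] ^ S7_XOR);
}

/* Returns 1 if the post's sample (addresses 1E76-1E7D) unmasks to the
 * password given in the post and masks back to the same stored bytes. */
int s7_sample_roundtrip(void)
{
    static const uint8_t stored[8] = {0xFC, 0xEF, 0x04, 0x07,
                                      0xEF, 0xF9, 0x0C, 0x6F};
    uint8_t buf[8];
    memcpy(buf, stored, sizeof buf);
    s7_unmask(buf, sizeof buf);
    if (memcmp(buf, "VERBATI<", 8) != 0)
        return 0;
    s7_mask(buf, sizeof buf);
    return memcmp(buf, stored, sizeof buf) == 0;
}

int main(void)
{
    printf("sample round trip: %s\n", s7_sample_roundtrip() ? "ok" : "FAIL");
    return 0;
}
```

Because XOR acts on each byte independently and both bytes of 0xAAAA are equal, the byte-wise form gives the same result as the 16-bit loop regardless of endianness.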

Posted: Wed Sep 13, 2006 5:38 am
by scorp26
With an internal CardReader s7imgrd.exe shows the error
IOCTL_DISK_GET_DRIVE_GEOMETRY failed
with an external CardReader all is OK.
Russian wrote:I tried to read an image with s7imgrd.exe
It gave the error IOCTL_DISK_GET_DRIVE_GEOMETRY failed
Is the utility acting up, or is there a problem with the MMC (the controller runs from it)?

Strange, what difference should it make to it whether the card reader is external or internal. Though indeed, the built-in reader was used.

And indeed, everything worked perfectly on an external card reader. Thanks for the help.

Posted: Sat Jun 07, 2008 7:42 am
by vaiduakhu
CoMod wrote:http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got program for unprotecting S7 pwd, here is algorithm how is the pwd protected. Link_is_Dead :(/files/18271865/crypt_MMC.zip.html
Can anyone reupload the RS.de link?

Posted: Sat Jun 07, 2008 8:34 am
by CoMod
See Algorithm in the message from Keygen
viewtopic.php?p=3229#3229
Keygen wrote:all much easier!
LenFW - Length Word
Buff - buffer with S7-Password

for(int i = LenFW - 1; i>0; i--)
{
    *(Buff+i) ^= *(Buff+i-1)^0xAAAA;
}
*Buff ^= 0xAAAA;

Voila!

Posted: Thu Aug 20, 2009 7:35 pm
by smsasg
Updated version S7_Unlock
Add: you can decode password of S7-200 project file *.mwp

http://narod.ru/disk/12236322000/Unlock ... 7.Link_is_Dead :(
or
Link_is_Dead :(/U ... age_S7.rar
Size: 181 KB

Re:

Posted: Wed Mar 10, 2010 6:00 pm
by Huzulka
CoMod wrote: http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got program for unprotecting S7 pwd, here is algorithm how is the pwd protected. Link_is_Dead :(/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591
Has anyone seen this file? Does anyone have a copy? There was a lot of juicy information on how the Siemens file system is set up, passwords and how to investigate. CoMod, in his usual super hero way, saved my ass again with how to get the password for a 400 MC card. But I have another project I am working on that is programming in nature and I really need to get around inside the cards.

To put it bluntly, I am trying to improve my programming/hacking skills. If anyone has any pointers, anything. I got myself a copy of WinHex and I have had a blast replicating everything, but there must be a way to mount a Siemens MC/MMC card image and look inside at the individual files.

Appreciate any help.

H

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Thu Oct 28, 2010 4:28 pm
by escueto
Please have a serious problem with S7 200 but we can not guess the password of the PLC.
The key S7 program does not work with the PPI cable / USB.

I would appreciate the help.

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Wed Aug 10, 2011 7:54 am
by smsasg
Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Un ... Image.html

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Tue Sep 20, 2011 9:36 am
by AndreyUA
smsasg wrote:Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Un ... Image.html
Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Tue Sep 20, 2011 9:57 am
by Schtiel
AndreyUA wrote:Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?
Download is possible - I tried and there was no problem. Anyway, a mirror is here: http://ifile.it/d5y6kfg

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Thu Aug 09, 2012 1:29 am
by Erivaldo
Hi, I have a machine with a PLC S7 200 CPU 226 and need to do the backup, but it is protected with a password. Is there any way to unlock this password for the machine, because the manufacturer is closed?

Thank you

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Sun Jan 27, 2013 1:50 pm
by romex
Did anybody use the S7 200CN and work with it?

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Fri Apr 19, 2013 3:54 pm
by smsasg
Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unl ... Image.html

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Mon Jun 30, 2014 8:40 pm
by kostawr
hello,
Is it possible someone to unlock the attached s7 200 routines for me ?

(dlink) https://www.dropbox.com/s/fepvy3xt32fbqf8/Project1.mwp

thanks in advance,

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Tue Jul 01, 2014 5:51 am
by smsasg

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Wed Sep 07, 2016 3:08 am
by xflash
smsasg wrote:Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unl ... Image.html
It is not available now, could you please reupload? Please....

I searched the Internet and found one combined with malware, so could some good guy here please upload a good one to mega or somewhere else.
Great thanks!

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Wed Sep 14, 2016 4:06 am
by smsasg

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Wed Sep 14, 2016 5:58 am
by CoMod
Kaspersky deletes this version
https://www.virustotal.com/ru/file/6dbb ... 473833447/
Kaspersky deletes this version... can you change the packer, or distribute it in an archive with the password 1? And so that the archive contains an unprotected file with the text of the password,
or has ***_password_1.zip in its name?

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Posted: Sat Sep 17, 2016 1:10 pm
by xflash
I believe in you and believe it is clear and virus-free.