Dead PLC recovery (S7-200 SMART v2.01)

SIMATIC S7-200/300/400, Step7, PCS7, CFC, SFC, PDM, PLCSIM,
SCL, Graph, SPS-VISU S5/S7, IBHsoftec, LOGO ...
Post Reply
ffstest
Posts: 2
Joined: Thu Apr 11, 2019 2:14 pm

Dead PLC recovery (S7-200 SMART v2.01)

Post by ffstest » Thu Apr 11, 2019 2:18 pm

Hello,

Unfortunately I have a S7-200 SMART (SR40 CPU) v2.01 on a machine from China that has a dead output. I cannot read nor write to the PLC because of Level 4 protection.

Is it possible to swap the EEPROM to another working PLC (without burned output) of the same model to keep the program and parameters?


The program is level 4 protected and the manufacturer of the machine is out of business.

I hope EEPROM swap could work or is there a way to downgrade to level 3 on the SMART S7-200 v2.01? I could modify the program to use another output which is fine (unused)


Image


I have some tools for the S7-200 to decrypt bin file from EEPROM but I have S7-200 SMART (SR40 CPU) v2.01 will this work on this newer unit??


Any clues will greatly help!

Thank you very much!!!

Steve

cedricliu
Posts: 5
Joined: Fri Apr 06, 2007 6:03 am
Location: China

Re: Dead PLC recovery (S7-200 SMART v2.01)

Post by cedricliu » Fri Apr 12, 2019 7:32 am

If you are in China,you can contact the cracker who can erase the Smart password and upload the program.
The fee is about 1800RMB.
http://www.jiemiplc.com/

ffstest
Posts: 2
Joined: Thu Apr 11, 2019 2:14 pm

Re: Dead PLC recovery (S7-200 SMART v2.01)

Post by ffstest » Fri Apr 12, 2019 12:35 pm

Thanks!

I guess this unit is very hard to crack.

Another question... where is the program block / parameters stored in the PLC? On the EEPROM or inside the MCU?

Post Reply