[Link]: S7_Unlock password for S7 200 and S7 300 MMC

smsasg
Posts: 44
Joined: Tue Apr 11, 2006 4:40 am
Location: Russia

[Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by smsasg »

Unlock password for S7 200 and S7 300 MMC
Add: convert *.wld from MMC-image file
You can create an image file from the MMC with S7imgRD.exe or WINHEX
[dead] Simatic_S7-200_S7-300_MMC_Password_Unlock_2006_09_11.rar
in Russian wrote:The program that computes the password from an image is universal, for both the S7-200 and the S7-300. The process of obtaining an image from a 200 was described earlier. For the 300 you need an image of the MMC card (made with S7imgRD.exe, WINHEX, etc.)
An option has been added to the S7Unlock program to convert an MMC file (*.wld) from an MMC card image obtained by any available means:

You can use ONLY an EXTERNAL CardReader. An internal notebook CardReader does not work properly with Simatic MMC and shows the message "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
smsasg in Russian wrote:The physical device for reading the MMC image must be an external CardReader only. One built into a notebook gives the read error "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
Reading and writing are possible only with an external CardReader... the MMC DiskDevices built into a laptop give this error.
In general, the reader must be a physical device, not a logical one. This is very clearly visible when using WinHex as the program for reading and writing.
https://disk.yandex.ru/d/qA3JuMSnuSSXNA/PPP
https://mega.nz/#!LBJCkRAA!bofmUBFm8SDA ... BgQk2LKOUQ

https://mega.nz/#!LBJCkRAA!bofmUBFm8SDAPwva-QEJQwUHsvyGY2yKfBgQk2LKOUQ
https://www.virustotal.com/gui/file/6db ... /detection
use in VirtualBox
CoMod
Site Admin
Posts: 4016
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Post by CoMod »

http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got the program for unprotecting the S7 pwd, here is the algorithm for how the pwd is protected. http://rapidshare.de/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591

jcarlos :

Hi everybody,

the S7ImgRd and S7ImgWr are updated. You can now try to bring back accidentally formatted MMC with other images.

Also the Password thing, earlier posted here, is built in, but please don't violate copyright.

http://personal.telefonica.terra.es/web/suwe/
Nuevo / new / neu V1.0 March 2006
S7ImgRd does try to retrieve Password if set ! please test and report !

http://www.telefonica.net/web/suwe/s7imgrd1.zip
http://www.telefonica.net/web/suwe/s7imgwr1.zip
Keygen

algorithm

Post by Keygen »

smsasg wrote:Well, if the details are that interesting, the encoding principle is much simpler: http://plcforum.uz.ua//Pass_for_S7.pdf
Size: 73 KB
Address location in the password can be arbitrary, e.g.:
Address 1E75 - protection level (01-03)
Address 1E76-1E7D - crypted password
(1E76) = 1st char
(1E77) = 2nd char
(1E76) XOR (1E78) = char 3
(1E77) XOR (1E79) = char 4
(1E78) XOR (1E7A) = char 5
(1E79) XOR (1E7B) = char 6
(1E7A) XOR (1E7C) = char 7
(1E7B) XOR (1E7D) = char 8
Example: contents of addresses
1E75-1E7D: 03 FC EF 04 07 EF F9 0C 6F
Converted code:
FC EF F8 E8 EB FE E3 96
Password (characters):
V E R B A T I <

Table char<>code ...
:shock:
Wow, what a mess you have made of it, it's all much simpler!
LenFW - Length Word / length in WORDs
Buff - buffer with S7-Password / buffer in memory; it holds the encrypted S7-Password

/* Buff points to the 16-bit words of the stored S7-Password, LenFW is their count */
for (int i = LenFW - 1; i > 0; i--)
{
    /* walk from the last word down so that Buff[i-1] is still the stored value */
    *(Buff + i) ^= *(Buff + i - 1) ^ 0xAAAA;
}
*Buff ^= 0xAAAA;   /* the first word is only XORed with the mask */

Voila !
That's all! Voila!
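Added example, not part of Keygen's post or of the S7_Unlock tool: the byte table from the quoted post and the word loop above, both run on the sample bytes from that post to check that they describe the same transform. The function names are assumptions, and the char<>code table is taken to be XOR with 0xAA, which is what the loop's 0xAAAA mask implies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sample from the quoted post: bytes at 1E76-1E7D (1E75 holds the level, 03). */
static const uint8_t SAMPLE[8] = {0xFC, 0xEF, 0x04, 0x07, 0xEF, 0xF9, 0x0C, 0x6F};

/* Byte table from the post: chars 1-2 are stored as-is, every later char is
   the stored byte XOR the stored byte two addresses below it. */
static void converted_code(const uint8_t *stored, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(i < 2 ? stored[i] : stored[i - 2] ^ stored[i]);
}

/* Keygen's loop on 16-bit words; runs downward so buf[i-1] is still stored data. */
static void keygen_words(uint16_t *buf, int len_words)
{
    for (int i = len_words - 1; i > 0; i--)
        buf[i] ^= buf[i - 1] ^ 0xAAAA;
    buf[0] ^= 0xAAAA;
}

/* Decodes SAMPLE both ways; returns 1 if the results match. Assumption: the
   char<>code table is XOR 0xAA, as the 0xAAAA mask in the loop implies. */
static int decode_sample(char text[9])
{
    uint8_t conv[8];
    uint16_t words[4];

    converted_code(SAMPLE, conv, sizeof conv);
    for (size_t i = 0; i < 8; i++)
        text[i] = (char)(conv[i] ^ 0xAA);
    text[8] = '\0';

    memcpy(words, SAMPLE, sizeof words);   /* XOR is per byte, so endianness is irrelevant */
    keygen_words(words, 4);
    return memcmp(words, text, 8) == 0;
}

int main(void)
{
    char text[9];
    int same = decode_sample(text);
    printf("%s (byte table and word loop agree: %s)\n", text, same ? "yes" : "no");
    return same ? 0 : 1;
}
```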
scorp26
Posts: 3
Joined: Wed Sep 13, 2006 5:30 am
Location: Russia

Post by scorp26 »

With an internal CardReader s7imgrd.exe shows the error
IOCTL_DISK_GET_DRIVE_GEOMETRY failed
with an external CardReader all is OK.
Russian wrote:I tried to read the image with s7imgrd.exe
It gave the error IOCTL_DISK_GET_DRIVE_GEOMETRY failed
Is the utility acting up, or is there a problem with the MMC (the controller runs from it)?

Strange, what difference should it make whether the card reader is external or internal. Though yes, the built-in reader was the one used.

And indeed, everything worked perfectly on an external card reader. Thanks for the help.
vaiduakhu
Posts: 77
Joined: Thu Jun 14, 2007 5:21 pm
Location: Asia

Post by vaiduakhu »

CoMod wrote:http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got the program for unprotecting the S7 pwd, here is the algorithm for how the pwd is protected. http://rapidshare.de/files/18271865/crypt_MMC.zip.html
Can anyone reupload the RS.de link?
CoMod
Site Admin
Posts: 4016
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Post by CoMod »

See the algorithm in the message from Keygen
viewtopic.php?p=3229#3229
Keygen wrote:all much easier!
LenFW - Length Word // length in WORDs
Buff - buffer with S7-Password // buffer in memory; it holds the encrypted S7-Password

for (int i = LenFW - 1; i > 0; i--)
{
    *(Buff + i) ^= *(Buff + i - 1) ^ 0xAAAA;
}
*Buff ^= 0xAAAA;

Voila !
smsasg
Posts: 44
Joined: Tue Apr 11, 2006 4:40 am
Location: Russia

Post by smsasg »

Updated version S7_Unlock
Add: you can decode password of S7-200 project file *.mwp

http://narod.ru/disk/12236322000/Unlock ... 7.rar.html
or
http://plcforum.uz.ua//U ... age_S7.rar
Size: 181 KB
Huzulka
Posts: 6
Joined: Fri Apr 24, 2009 5:35 pm
Location: Ukraine

Re:

Post by Huzulka »

CoMod wrote: http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got the program for unprotecting the S7 pwd, here is the algorithm for how the pwd is protected. http://rapidshare.de/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591
Has anyone seen this file? Does anyone have a copy? There was a lot of juicy information on how the Siemens file system is set up, passwords and how to investigate. CoMod, in his usual super hero way, saved my ass again with how to get the password for a 400 MC card. But I have another project I am working on that is programming in nature and I really need to get around inside the cards.

To put it bluntly, I am trying to improve my programming/hacking skills. If anyone has any pointers, anything. I got myself a copy of win hex and I have had a blast replicating everything, but there must be a way to mount a Siemens mc/mmc card image and look inside at the individual files.

Appreciate any help.

H
escueto
Posts: 2
Joined: Thu Oct 28, 2010 4:25 pm

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by escueto »

Please, we have a serious problem with an S7 200 and we cannot guess the password of the PLC.
The key S7 program does not work with the PPI cable / USB.

I would appreciate the help.
smsasg
Posts: 44
Joined: Tue Apr 11, 2006 4:40 am
Location: Russia

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by smsasg »

Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Un ... Image.html
AndreyUA
Posts: 11
Joined: Tue Sep 28, 2010 7:39 am

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by AndreyUA »

smsasg wrote:Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Un ... Image.html
Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?
Schtiel
Site Admin
Posts: 1122
Joined: Wed Sep 06, 2006 12:03 pm
Location: CIS

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by Schtiel »

AndreyUA wrote:Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?
Download is possible - I tried and there was no problem. Anyway, a mirror is here: http://ifile.it/d5y6kfg
Erivaldo
Posts: 1
Joined: Wed May 23, 2012 12:24 am

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by Erivaldo »

Hi, I have a machine with a PLC S7 200 CPU 226 and need to do a backup, but it is protected with a password. Is there any way to unlock this password, because the manufacturer of the machine has closed?

Thank you
romex
Posts: 3
Joined: Wed Jul 25, 2012 4:30 pm

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by romex »

Did anybody use the S7 200CN and work with it?
smsasg
Posts: 44
Joined: Tue Apr 11, 2006 4:40 am
Location: Russia

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by smsasg »

Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unl ... Image.html
kostawr
Posts: 6
Joined: Fri Jun 22, 2012 3:22 pm

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by kostawr »

hello,
Is it possible someone to unlock the attached s7 200 routines for me ?

(dlink) https://www.dropbox.com/s/fepvy3xt32fbqf8/Project1.mwp

thanks in advance,
xflash
Posts: 199
Joined: Sat May 21, 2011 3:28 am

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by xflash »

smsasg wrote:Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unl ... Image.html
It is not available now, could you please reupload? Please....

I searched the Internet and found one combined with malware, so please, could some good guy here upload a good one to mega or somewhere else.
Great thanks!
CoMod
Site Admin
Posts: 4016
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia
Contact:

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by CoMod »

Kaspersky deletes this version
https://www.virustotal.com/ru/file/6dbb ... 473833447/
Kaspersky deletes this version... can you change the packer, or distribute it in an archive with the password 1? And so that the archive contains a file without a password holding the password text,
or so that its name is ***_password_1.zip?
xflash
Posts: 199
Joined: Sat May 21, 2011 3:28 am

Re: [Link]: S7_Unlock password for S7 200 and S7 300 MMC

Post by xflash »

I believe in you and believe it is clear and virus-free.