Hi all,
Is there any way to activate Options on Sinumerik 840d sl control other than buying license from Siemens?
I have an old 2008 machine with HMI Advanced SW7.3 and would like to activate the Measurement in Jog option.
Can EKB be used to generate the key? Or something else?
Here are the options I want to activate:
6FC5800-0AM43-0YB0
6FC5800-0AP28-0YB0
6FC5800-0AP18-0YB0
Cheers
Sinumerik 840d sl Options activation on CNC machine
-
yurimitev
- Posts: 3
- Joined: Thu Aug 26, 2021 11:32 am
-
CoMod
- Site Admin
- Posts: 4074
- Joined: Thu Feb 16, 2006 3:25 pm
- Location: Russia
Re: Sinumerik 840d sl Options activation on CNC machine
These options do not use EKB 
-
yurimitev
- Posts: 3
- Joined: Thu Aug 26, 2021 11:32 am
Re: Sinumerik 840d sl Options activation on CNC machine
I know but decided to ask anyway.
I read in Siemens forum an approach changing the MD and some other parameters. Making a backup without restarting and then loading the backup with the changed values. Not sure if this is possible workaround to activate some options?
“check your 840D system, if it is set to "0"?
Attention --if you want to change this kind of NCMD, you need to follow the rule, otherwise you will have your system data lost.
#1--Back up your NC --NC archive.
#2--Change MD18342 to new value,! attention make sure DO NOT set NCMD activated --DO NOT make POWER On reset,!!!!
at this moment --make NC archive (with new value of MD 18342) , then reload this just backup archive, “
-
DannyBee
- Posts: 1
- Joined: Sun Jul 28, 2024 2:19 am
Re: Sinumerik 840d sl Options activation on CNC machine
Short answer - yes it's possible, but probably not worth it.
I had occasion to look at this while exploring the security of 828d and ONE, and how they verify system integrity/etc, vs other CNC controls and such.
That is actually fairly intertwined with how licensing works.
The license keys are tied to the serial numbers + option code.
On 828d (at least < 4.95) it's fairly trivial, you just need to be able to generate license strings from option codes + serial number. This is really not that hard to do. Ironically, not all options can be activated at once, there are some that are mutually exclusive and you'll crash the machine if you enable them.
On ONE, the license files are signed, the filesystems are readonly cramfs and signed, etc. The actual license key generation algorithms are not different than (the complete) 828d one, it just requires working around all of this. Doing so is possible (at least on the NCU/PPU) but very non-trivial and requires doing a bunch of stuff to the machine and a whole bunch of arcane knowledge. At least, how I hacked them (which, again, my goal was not to hack the licensing, it's just a side-effect). Knowing what I know, I think it might be possible to make a bit easier but still a huge pain in the ass, honestly, and it's easy to get yourself into situations where recovery requires being able to poke around in bootloaders and hand wire JTAG debuggers to hardware chips and such. I guess you could try poking the values into the right spots of the realtime program while it's running, but it re-reads stuff from disk and verifies this stuff at various times. It also is in an isolated memory space (it's some commercial realtime-on-linux thingy that I forget the name of) and will watchdog if it's stopped for more than a few ms, making this approach .... painful.
On 840d, it's mixed, and I'm not sure for your specific version how much is signed vs not, but if any of it is signed it's not worth it (IMHO) given the cost of these options on, say, ebay (looks like it's <1000 total for all options to get license certs that would let you generate proper keys) vs the cost of possibly bricking your CNC machine very badly by stupid up the signatures or the hardware roots.
As for workarounds - at least on ONE, system verifies things in multiple ways at multiple times, so even if you, for example, hack the license code into the right place, you pretty much can only get it to be okay until you reboot. Since a lot of options require NCK restart to work, this doesn't help you very much. 840D is much the same. That is why the workaround you mention says something about not doing PO reset.
Don't ask me for a license generator, I really was doing security research, I just ran across this post so thought I would try to be helpful.
-
CoMod
- Site Admin
- Posts: 4074
- Joined: Thu Feb 16, 2006 3:25 pm
- Location: Russia
Re: Sinumerik 840d sl Options activation on CNC machine
DannyBee
Thank you for the information
--------- About hardware hack S7-1200 ----------
Reverse Engineering Architecture And Pinout of Custom Asics
https://sec-consult.com/blog/detail/rev ... inout-plc/