PLC encryption is, in the end, just a scheme that some developer came up with. Once you understand the idea behind the scheme, you can quickly undo it. In essence, whether it is a PLC or an elevator mainboard, wherever there is encryption there is a way to crack it. The two always go together, like spear and shield.
First, an introduction to two PLC decryption methods:
1 Direct reading method
Take the Mitsubishi FX2 as an example. First open a serial port monitoring program (there are many on Baidu) to watch the data going in and out of the serial port. Then run FXWIN (the PLC programming software) and connect it to the PLC. After selecting the model, click program read. In the serial port monitor you can now see that the computer and the PLC have exchanged several strings of characters. The last line sent by the PLC to the computer is the password, but in ASCII code. Look it up in the table and translate it into characters to get the password.

This is a flaw in the Mitsubishi PLC: its programming software first reads the password into the computer's memory and compares it there with the password entered by the user. If the password is correct, the program can be read out. I tried sending the second-to-last line of characters to the PLC with the serial port software, and the PLC returned the password as well. At this point, does everyone see how such decryption software works? All it has to do is send one string of characters to the PLC and then translate the password-bearing characters that the PLC returns into the password. Some PLCs do not have this vulnerability, such as OMRON and Fuji NB2. They transmit the password entered by the user to the PLC, and the PLC decides whether the password is correct before deciding whether the program may be read.
2 Brute force method
As before, run the serial port monitoring software, open the programming software and go online, click program read, and enter the password 1234. If the program is read out, there is nothing to crack. If it reports that the password is wrong, look at the data in the monitoring software and find the string 1234. After the line containing 1234 there will be a line returned by the PLC indicating that the password is wrong. Record this error line. Then open VB and write a small project that makes the computer send the line containing 1234 to the serial port. It needs a loop, of course: replace 1234 with every value from 0000 to FFFF and let the computer keep trying. Use an IF statement to compare the returned information with the error message just recorded. If the information is different, stop trying. The password just tried is the password of the PLC.
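The contrast between the two designs described above, as an added example that is not part of the original article: a simulated device that hands its stored password to the PC for comparison, next to one that checks the password itself and locks out after repeated failures. The command names, the lockout policy and the sample password are assumptions constructed for illustration, not any vendor's protocol.

```python
import hmac

class ClientCompareDevice:
    """Method 1's flaw: the device returns its stored password so the PC can compare."""
    def __init__(self, password):
        self._password = password

    def handle(self, request):
        # "READ_PASSWORD" is a constructed command name, not a real PLC frame.
        return self._password if request == "READ_PASSWORD" else "ERR"

class DeviceVerify:
    """The PC sends the user's entry; the device compares and locks out after failures."""
    def __init__(self, password, max_failures=5):
        self._password = password
        self._max_failures = max_failures
        self._failures = 0

    def handle(self, request):
        if self._failures >= self._max_failures:
            return "LOCKED"  # stays locked until an out-of-band reset (assumed policy)
        if not request.startswith("UNLOCK "):
            return "ERR"
        guess = request[len("UNLOCK "):]
        # Constant-time comparison so reply timing does not reveal partial matches.
        if hmac.compare_digest(guess.encode(), self._password.encode()):
            self._failures = 0
            return "OK"
        self._failures += 1
        return "BAD_PASSWORD"

def replies_leak_secret(device, requests, secret):
    """True if any device-to-host reply a serial monitor would capture contains the secret."""
    return any(secret in device.handle(r) for r in requests)

def evaluated_guesses(device, keyspace=range(0x10000)):
    """How many of the 0000..FFFF candidates the device actually checks before refusing."""
    checked = 0
    for value in keyspace:
        reply = device.handle(f"UNLOCK {value:04X}")
        if reply == "LOCKED":
            break
        checked += 1
        if reply == "OK":
            break
    return checked

SECRET = "3A7F"  # constructed sample password
```

Moving the comparison onto the device closes the leak from method 1, but a four-hex-digit password is only 65,536 values, so the device-side check still needs a failure limit to withstand method 2.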
Having read this far, do you feel that PLC encryption really comes down to no more than this, with the sense of a wide-open sea and sky? Congratulations: it means you have understood the essence of encryption and decryption. There are many specific ways to implement it, but understanding the principle is the most important part and the most difficult. As the saying goes: the great way has no method, the middle way has a form, and the small way is clever. Haha, let's leave it here for now. Some details cannot be spelled out too clearly for the time being. Try more things yourself, use your brain, think it through, and you will definitely gain something.