-
- Posts: 406
- Joined: Mon Mar 31, 2008 11:29 am
I'm not sure about RSLogix 500, but for RSLogix 5 it's true!
When you apply 'abunlock' you can open your file and will find the processor's 'name' (in its properties).
You can also see this 'name' when you are connected to the PLC - "Who active?" function in RSLinx.
For reply/reset of the password you can find the 'name' in the hex dump of your program file.
The next byte after the processor's 'name' is the number of symbols in the password.
Example: 0A hex - the next 10 letters are the password.
-
- Posts: 18
- Joined: Tue Aug 10, 2010 1:01 pm
Dear All,
Please help me with a link to download the software to remove the keyword stored in a Rockwell PLC program.
Now I have the source program, but I can't open it because it has passwords.
http://www.mediafire.com/?e78bi56z06n8hgi
Please help me to open it
Thanks and best regards
-
- Posts: 406
- Joined: Mon Mar 31, 2008 11:29 am
codientt wrote: thank you very much.
Can you share with people how to crack Pro keyword in the program SLC500

Look there: viewtopic.php?f=12&t=13672, but you need to find the %O (not the %D) in your hex dump.
-
- Posts: 16
- Joined: Tue Jul 20, 2010 1:23 pm
http://plcplc.info/html/86/AB_RSLogix_5 ... ption.html
This is an example to unlock an SLC 500.
For the HMI, just reboot the PanelView and click at the bottom left many times until the HMI has booted. You will go to the configuration setup and you can see the IP address.
-
- Posts: 53
- Joined: Wed Nov 26, 2008 8:01 am
Hi everybody. When I try to connect to the AB PLC, the system wants a password entered. I use the universal password and MicroLogix connects to the PLC, but I can't monitor the block and the software shows me this program is protected. Now I have to know how I can take a safe backup and how I can modify programs.
thanks.
-
- Posts: 148
- Joined: Fri May 23, 2008 4:00 pm
phanvantuan6 wrote: Try this http://www.4shared.com/rar/NC-KCC2G/AbKey.html
but you must register or have keygen.

Hi Tuan,
Please help me, how to use this software.
Thanks.
-
- Posts: 2
- Joined: Wed Nov 28, 2012 4:59 am
Hi, I'm new here, and first want to thank you people for sharing the tools for our work. In return I want to share my private solution for this problem and for all the RSLogix 500 compatible PLCs (tested for real with MicroLogix 1100, 1200, 1400, serial and Ethernet comms).
Now it's simple: after some hours debugging RSLogix I found some interesting things inside this software.
Number 1: You can just patch some bytes and bypass the password check to upload (PLC -> PC) a program. (My patch is for RSLogix 500 Version 8.10.00 (CPR 9) Build 18 [CRC32="67AF5288"].)
Patch the file rs500.exe
Offset | Old Byte | New Byte
----------------------------------------
00313C64 | 74 | 90
00313C65 | 14 | 90
-----------------------------------------
We replace some instructions with NOPs and it's done. Save this file with a new name, like rs500_nopw.exe, and try.
If I had some more time I'd try to port this patch to other versions of RSLogix.
Number 2: I also found a master password that I use to clear the protection. Go to "Controller Properties" > "Passwords". PW 22865625 (erases any password).
If you just want to check if this method works, try to clear your own project's password with this number.
Thanks everyone again. Cheers. (Sorry for my bad English, it isn't my native language.)
-
- Posts: 5
- Joined: Fri Jul 01, 2011 10:14 pm
*******
rhddev wrote: Patch the file rs500.exe
Offset | Old Byte | New Byte
----------------------------------------
00313C64 | 74 | 90
00313C65 | 14 | 90
-----------------------------------------
Great Work!
I have RS500 version 7.30.10 and I copied the executable to a separate folder and opened it with my hex editor. In this version, the bytes at the offsets you mention above are as follows:
Offset: 00313C64 = 89
Offset: 00313C65 = 4D
I'm not sure if the password ignore parameter is at this byte address, and what the new values should be.
I am dealing with a deadbeat OEM and our only option is to build new equipment, but we really would like to start with the old code if possible. The code is in a MicroLogix 1500.
Thanks for any advice,
Mark Monitor
*******
-
- Posts: 5
- Joined: Fri Jul 01, 2011 10:14 pm
Thanks again rhddev!
I installed RSLogix 500 Version 8.10.00 and followed your instructions. This allowed me to upload the passworded code. Then I was able to use my hex editor and search for %D. This took me right to the existing password. I tested it with Micrologix 1000 and two Micrologix 1500's.
Great Job!
I'd like to do this with RSLogix Version 9 and RSLogix 5000- all versions.
MM
-
- Posts: 1
- Joined: Sun Dec 21, 2014 5:47 pm
If anyone needs help regarding cracking of a MicroLogix password in Windows 7, contact me at faiz52uet@mail.com
-
- Posts: 3
- Joined: Mon Oct 26, 2015 2:29 pm
Hello everyone, I am trying to get into a MicroLogix 1500 and yes, it is password protected. I saw some posts describing a hex editor program that allows you to see the PW using the %D command, if I am correct. I have never used this hex editor before and would like to try it in my lab with an SLC 500. After succeeding with the SLC 500 I'm hoping it will work with the MicroLogix family of processors. Can anyone provide a procedure using a hex editor to do this?
-
- Posts: 89
- Joined: Thu Aug 08, 2013 6:00 pm
NOPing is changing an assembly command from what it was to having no operation. So, that is what changing the 74 14 to 90 90 really means. 74 14 is a Jump equals short to a different address in the program after a test eax,eax is being completed.
I just gave version 9.05.00 (CPR 9) a quick once-over, but I don't have a MicroLogix or any SLC 500 processor to test anything on right now. Obviously, make yourself a backup of your rs500.exe, and test on a processor with your own project first.
I found 2 Short Jumps near the ABUNLOCK master password. In version 9.05.00 (CPR 9)
OFFSET 3566D3
74 14 Change to 90 90
Editing will skip offline file open password verification.
Last edited by psgama on Thu Oct 29, 2015 4:43 am, edited 1 time in total.
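A defensive check for the kind of tampering described in this post, as an added example that is not part of the thread: it diffs a suspect copy of an engineering-software executable against a known-good copy and reports where a two-byte short conditional jump was overwritten with NOPs. The function names and sample bytes are constructed for illustration and are not taken from any real binary.

```python
import zlib

NOP = 0x90
# x86 short conditional jumps (Jcc rel8) are two bytes: opcode 0x70-0x7F plus
# an 8-bit displacement. 0x74 is JE/JZ, the opcode named in the post above.
SHORT_JCC = range(0x70, 0x80)


def crc32_hex(data: bytes) -> str:
    """CRC32 as 8 upper-case hex digits, for comparison with a recorded baseline."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def find_nopped_jumps(good: bytes, suspect: bytes) -> list:
    """Offsets where a short Jcc in `good` has become 90 90 in `suspect`.

    Heuristic: bytes are compared without disassembly, so a data byte in the
    0x70-0x7F range that was overwritten with NOPs is reported as well.
    """
    if len(good) != len(suspect):
        raise ValueError("size mismatch: not an in-place byte patch")
    hits, i = [], 0
    while i < len(good) - 1:
        if good[i] in SHORT_JCC and suspect[i] == NOP and suspect[i + 1] == NOP:
            hits.append((i, good[i:i + 2].hex(" ")))
            i += 2
        else:
            i += 1
    return hits


def audit(good: bytes, suspect: bytes) -> dict:
    """Summarise how a suspect copy differs from the known-good copy."""
    hits = find_nopped_jumps(good, suspect)
    covered = {off + k for off, _ in hits for k in (0, 1)}
    other = [k for k, (a, b) in enumerate(zip(good, suspect))
             if a != b and k not in covered]
    return {"baseline_crc32": crc32_hex(good), "suspect_crc32": crc32_hex(suspect),
            "nopped_jumps": hits, "other_changed_offsets": other}


# Constructed sample bytes (not taken from any real executable):
# push ebp; mov ebp,esp; test eax,eax; je +0x14; xor eax,eax; pop ebp; ret
GOOD = bytes.fromhex("55 8b ec 85 c0 74 14 33 c0 5d c3")
PATCHED = GOOD[:5] + b"\x90\x90" + GOOD[7:]

if __name__ == "__main__":
    print(audit(GOOD, PATCHED))
```

A CRC32 mismatch alone only says the file changed; the offset list says whether the change has the shape of a bypassed check, which is what to look for on an engineering workstation whose binaries should match the vendor's installer.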
-
- Posts: 89
- Joined: Thu Aug 08, 2013 6:00 pm
No problem. Making that change should allow you to download the password protected code. Mind you, I haven't tested it yet; I'm just assuming it will since it allowed me to view protected code without the password. You can save the project file, and then open it in a hex editor. You will then need to search for the processor name in the project. Or you can try to search for %D or %O. Shortly after the processor name, you will find the password if it is not encrypted.
-
- Posts: 4
- Joined: Tue Feb 24, 2015 8:40 pm
Hello!
Could someone help me find out the password for this program. The password has been encrypted.
Best regards
https://drive.google.com/file/d/1UkoohA ... sp=sharing
-
- Posts: 1
- Joined: Tue Dec 21, 2010 11:42 am
rmaj4 wrote: Mon Oct 26, 2015 2:45 pm
Hello everyone, I am trying to get into a MicroLogix 1500 and yes, it is password protected. I saw some posts describing a hex editor program that allows you to see the PW using the %D command, if I am correct. I have never used this hex editor before and would like to try it in my lab with an SLC 500. After succeeding with the SLC 500 I'm hoping it will work with the MicroLogix family of processors. Can anyone provide a procedure using a hex editor to do this?

Use a USB sniffer program. The password is sent from the PLC to the PC (RSLogix Micro or 500) so it compares what you type to what is sent. The PLC sends it mixed with a lot of other data, but usually it is possible to identify the password.
-
- Posts: 4
- Joined: Mon Apr 05, 2010 10:12 pm
AB RSLogix 500 SLC500 decryption
PLC password cracking experience, summarized as follows for all to share.
1. The password for an existing program: open the file with Notepad; the password can be found in the latter part of the file as consecutive digits.
You can use RSLogix 500 to write a program, or open a program that has no password set, save it after the password is set, then use Notepad to open it and find the password you set yourself. Set the password for the program as well.
2. Recovering the PLC key: when you use RSLogix 500 to establish communication with the PLC, you are prompted for a password before you access the PLC; if the password is wrong, you will not be able to access the PLC. I use serial monitoring software, but the software cannot occupy the port to be monitored.
With the PLC in use, establish communication with RSLinx, then start the serial monitoring software, and then start RSLogix 500 to connect to the PLC.
When prompted for a password, enter 10 random digits and confirm; the PLC returns a password error prompt. Repeat this once more. Switch to the serial monitoring software, where you can see the monitored data line by line. Find the adjacent rows of consecutive 2-digit values prefixed with 3. For example: 32 36 37 39 30 34 31 33 30 36; then the PLC password is: 2679041306.