[?]: Unlock know how protection, Tia Portal V11

Posted: Wed Apr 24, 2013 9:29 am
by tmdca
Hey...

I need your help. Got this TIA Portal V11 program with know-how protection on almost all FCs! :evil:
How do I unlock it? I know the tools for unlocking S7 projects/programs but haven't found any for TIA Portal...



Cheers,
T

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Fri Jan 31, 2014 9:54 am
by Pierre3188
Hi,

I have the same question, if anyone could help us please.

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Tue Apr 08, 2014 7:56 am
by Aliasmarcos
I have the same problem.

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Thu Dec 11, 2014 1:18 pm
by joseumh
Aliasmarcos wrote:I have the same problem.
I have the same problem. We need help with this question... :_(

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sat Mar 07, 2015 12:55 pm
by Draco Malfoy
I fear there is no help in the whole world. No one has cracked the TIAP protection at this time.

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sat Mar 07, 2015 1:23 pm
by CoMod

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Thu Aug 19, 2021 3:47 pm
by Sam N
You can find information about unlocking know-how protection in darknet (usearch)

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sun Dec 26, 2021 7:06 pm
by Sam N
I see s7-project like this

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Mon Jan 31, 2022 7:52 am
by Sam N
Someone asks me to open a protected FB.
The best idea - don't throw for money developers

sega1234321
Some users could not be added because they have disabled receiving private messages. (h)

[?]: unPassword Siemens S7-1500

Posted: Tue Feb 01, 2022 6:41 pm
by Hoot27
Hello everybody,
Do you know if there is any method to recover the password of a Siemens S7-1500 PLC,
or to reset it without losing the project on it?
thanks
regards

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sat Feb 05, 2022 7:15 pm
by Sam N

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sat Feb 05, 2022 9:22 pm
by Answers to FAQs
Reverse Engineering of S7-1200 via JTAG
https://sec-consult.com/blog/detail/reverse-engineering-architecture-pinout-plc/
Siemens PLC with hardware modification
The added port is a standard ARM JTAG port which can be used with the J-Link Plus debug adapter from SEGGER.
(c) SEC Consult Vulnerability Lab
https://github.com/atimorin/scada-tools/blob/master/s7_password_hashes_extractor.py

Code: Select all

#!/usr/bin/env python

"""
File: s7_password_hashes_extractor.py
Desc: password hashes extractor from Siemens Simatic TIA Portal project file
"""

__author__ = "Aleksandr Timorin"
__copyright__ = "Copyright 2013, Positive Technologies"
__license__ = "GNU GPL v3"
__version__ = "1.1"
__maintainer__ = "Aleksandr Timorin"
__email__ = "atimorin@gmail.com"
__status__ = "Development"

import sys
import os
import re
import optparse
from binascii import hexlify
from hashlib import sha1

cfg_result_hashes = 's7_password_hashes_extractor.hashes'

if __name__ == '__main__':
    parser = optparse.OptionParser()
    parser.add_option('-p', dest="project_file", help="PEData.plf filepath")
    options, args = parser.parse_args()
    
    if not options.project_file:
        parser.print_help()
        sys.exit()
    
    data = open(options.project_file, 'rb').read()
    print "read PEData file %s, size 0x%X bytes" % (options.project_file, os.path.getsize(options.project_file))
    
    print "sample of used passwords and hashes:"
    for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']:
        print "\t%s : %s" % (p, sha1(p).hexdigest())

    re_pattern = re.compile('456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}')
    possible_hashes = [s[-40:] for s in re_pattern.findall(hexlify(data))]
    possible_hashes = reduce(lambda x, y: x if y in x else x + [y], possible_hashes, [])
    open(cfg_result_hashes, 'w').write('\n'.join(possible_hashes))
    
    total_hashes = len(possible_hashes)
    print "found %d sha1 hashes, ordered by histrory list:" % (total_hashes)
    for h in possible_hashes:
        pos = possible_hashes.index(h) + 1
        if pos == total_hashes:
            print '\thash %d: %s\t(current)' % (pos, h)
        else:
            print '\thash %d: %s' % (pos, h)

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sun Feb 20, 2022 1:53 am
by hotmaew
So far as I know, Siemens claims that no one can hack the password in TIA Portal.

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sun Feb 20, 2022 12:42 pm
by Draco Malfoy
It's purblind to declare such things. First of all, there is no need to crack anything.
If I can extract the hash, the password can be found by brute force.
Second - based on my SIMOTION experience, I can tell you with confidence that the only reason why we cannot unlock TIA at this time is the shortage of capable analysts and money, which was paid to solve the problem.

I believe that the "problem" in reality does not exist.
Although, to prevent the next fixing closing and security updates, the solution, if it exists, will be kept confidential.

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Thu Mar 17, 2022 9:16 am
by Sam N
JEB Decompiler for S7 PLC
The S7 PLC Decompiler extension for JEB allows reverse engineers
and security auditors to analyze Siemens Simatic S7 code.

-----------------
link deleted by sania

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Sun Mar 20, 2022 10:42 am
by Draco Malfoy
Sir, I suggest you are from this firm and are trying to distribute these products here.

Please, stop (not_allow).

First of all - we discuss here how to recover lost encrypted SourceCodes in TIA Portal V11 (and following).
NOT STEP7 CLASSIC, STEP7 INSIDE TIA PORTAL.
It's a different type of software, not compatible with each other. Understood?

Second - and more important. I don't need any software for recompiling ANYTHING from the PLC into C code.
Because NOTHING inside the PLC was originally programmed in C.
The language which is normally used inside PLCs is SCL.
So, if you don't have the source of a STEP/CLASSIC FB anymore (not encrypted, but lost source) you can easily recompile the remaining STL code from the FB into the original SCL source by using either some accessories (for example, like in the neighbor thread) or by doing it manually.
I DON'T NEED TO RECOMPILE IT TO C with that tool. Understood?

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Tue Mar 22, 2022 10:27 am
by Sam N
Each version of TIAP has its own private key,
and I have to waste a huge amount of machine time to create a new rainbow table.
But from the SD card I can upload the whole project,
decode its structure,
and from the MC7+ bytecode get the IL program.
For example, an empty network looks like:
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Fri Mar 25, 2022 5:14 pm
by Draco Malfoy
Sam N wrote:
Tue Mar 22, 2022 10:27 am
Each version of TIAP has its own private key,
and I have to waste a huge amount of machine time to create a new rainbow table.

You mean - you have a rainbow table for different TIA versions and you are able to recover the password by extracting the hash and using this table?
Very interesting.

But from the SD card I can upload the whole project,
decode its structure,
and from the MC7+ bytecode get the IL program.
For example, an empty network looks like:
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49

So, what do I need realistically to open, for example, a decrypted Library? I need the project and a hardware CPU to upload the project, and then I can recover it from the SD card?
Will the recovered sources be complete, i.e. with comments and original tag names, or not?

Can you maybe open, for example, this library?

https://support.industry.siemens.com/cs ... 0&lc=de-WW

Thanks in advance

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Wed Apr 13, 2022 1:08 am
by Linkinx128
Can somebody help to program a brute-force tool to guess the password of KHP?

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Tue Feb 21, 2023 7:33 am
by Kubanez
Sam N wrote:
Tue Mar 22, 2022 10:27 am
Each version of TIAP has its own private key,
and I have to waste a huge amount of machine time to create a new rainbow table.
But from the SD card I can upload the whole project,
decode its structure,
and from the MC7+ bytecode get the IL program.
For example, an empty network looks like:
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49

Hello! I have a PLC with a password and a TIA V13 PLC project with a password. I can change the password in the project, but I can't see it. Can you help me to see the password?

Re: [?]: Unlock know how protection, Tia Portal V11

Posted: Tue Nov 07, 2023 10:56 am
by PierreAlex64
Hi !
I would like to open a block with know-how protection in TIA V16 or more.
Does anyone have a solution, please?

Thank you :D