[?]: Unlock know how protection, Tia Portal V11

tmdca
Posts: 1
Joined: Sun Sep 19, 2010 10:37 am

[?]: Unlock know how protection, Tia Portal V11

Post by tmdca » Wed Apr 24, 2013 9:29 am

Hey...

I need your help. I got this TIA Portal V11 program with know-how protection on almost all FCs!
How do I unlock it? I know the tools for unlocking S7 projects/programs, but I haven't found any for TIA Portal...



Cheers,
T

Pierre3188
Posts: 1
Joined: Fri Jul 13, 2012 11:45 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Pierre3188 » Fri Jan 31, 2014 9:54 am

Hi,

I have the same question, if anyone could help us please.

Aliasmarcos
Posts: 1
Joined: Wed Nov 06, 2013 5:50 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Aliasmarcos » Tue Apr 08, 2014 7:56 am

I have the same problem.

joseumh
Posts: 1
Joined: Mon Nov 05, 2012 5:46 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by joseumh » Thu Dec 11, 2014 1:18 pm

Aliasmarcos wrote:
> I have the same problem.

I have the same problem. We need help with this question... :_(

Draco Malfoy
Posts: 94
Joined: Mon Sep 23, 2013 10:41 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Draco Malfoy » Sat Mar 07, 2015 12:55 pm

I fear there is no help in the whole world. No one has cracked the TIAP protection at this time.

CoMod
Site Admin
Posts: 3963
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia

Re: [?]: Unlock know how protection, Tia Portal V11

Post by CoMod » Sat Mar 07, 2015 1:23 pm


Sam N
Posts: 13
Joined: Sun Aug 08, 2021 10:00 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Sam N » Thu Aug 19, 2021 3:47 pm

You can find information about unlocking know-how protection on the darknet (usearch).

Sam N
Posts: 13
Joined: Sun Aug 08, 2021 10:00 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Sam N » Sun Dec 26, 2021 7:06 pm

I see an S7 project like this:

Sam N
Posts: 13
Joined: Sun Aug 08, 2021 10:00 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Sam N » Mon Jan 31, 2022 7:52 am

Someone asks me to open a protected FB.
The best idea: don't cheat developers out of their money.


Hoot27
Posts: 1
Joined: Tue Feb 01, 2022 6:37 pm

[?]: unPassword Siemens S7-1500

Post by Hoot27 » Tue Feb 01, 2022 6:41 pm

Hello everybody,
Do you know if there is any method to recover the password of a Siemens S7-1500 PLC,
or to reset it without losing the project on it?
Thanks,
regards


Answers to FAQs
Faq & Info
Posts: 173
Joined: Thu Oct 13, 2005 6:42 pm
Location: Frequently Asked Questions

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Answers to FAQs » Sat Feb 05, 2022 9:22 pm

Reverse Engineering of S7-1200 via JTAG
https://sec-consult.com/blog/detail/reverse-engineering-architecture-pinout-plc/

[Image: Siemens PLC with hardware modification. The added port is a standard ARM JTAG port which can be used with the J-Link Plus debug adapter from SEGGER. (c) SEC Consult Vulnerability Lab]

https://github.com/atimorin/scada-tools/blob/master/s7_password_hashes_extractor.py

#!/usr/bin/env python3

"""
File: s7_password_hashes_extractor.py
Desc: password hashes extractor from Siemens Simatic TIA Portal project file
"""

__author__ = "Aleksandr Timorin"
__copyright__ = "Copyright 2013, Positive Technologies"
__license__ = "GNU GPL v3"
__version__ = "1.1"
__maintainer__ = "Aleksandr Timorin"
__email__ = "atimorin@gmail.com"
__status__ = "Development"

import sys
import os
import re
import optparse
from binascii import hexlify
from hashlib import sha1

cfg_result_hashes = 's7_password_hashes_extractor.hashes'

if __name__ == '__main__':
    parser = optparse.OptionParser()
    parser.add_option('-p', dest="project_file", help="PEData.plf filepath")
    options, args = parser.parse_args()

    if not options.project_file:
        parser.print_help()
        sys.exit()

    with open(options.project_file, 'rb') as f:
        data = f.read()
    print("read PEData file %s, size 0x%X bytes" % (options.project_file, os.path.getsize(options.project_file)))

    print("sample of used passwords and hashes:")
    for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']:
        print("\t%s : %s" % (p, sha1(p.encode()).hexdigest()))

    # hexlify() returns bytes, so the pattern is a bytes regex: the hex of the ASCII
    # marker "EncryptedPasswor", the record body, then a 40-hex-digit SHA-1 at the end
    re_pattern = re.compile(b'456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}')
    # drop duplicates while keeping first-seen order (the password history list)
    possible_hashes = []
    for s in re_pattern.findall(hexlify(data)):
        h = s[-40:].decode('ascii')
        if h not in possible_hashes:
            possible_hashes.append(h)
    with open(cfg_result_hashes, 'w') as f:
        f.write('\n'.join(possible_hashes))

    total_hashes = len(possible_hashes)
    print("found %d sha1 hashes, ordered by history list:" % total_hashes)
    for pos, h in enumerate(possible_hashes, 1):
        if pos == total_hashes:
            print('\thash %d: %s\t(current)' % (pos, h))
        else:
            print('\thash %d: %s' % (pos, h))

hotmaew
Posts: 5
Joined: Sun May 28, 2017 3:41 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by hotmaew » Sun Feb 20, 2022 1:53 am

So far as I know, Siemens claims that no one can hack the password in TIA Portal.

Draco Malfoy
Posts: 94
Joined: Mon Sep 23, 2013 10:41 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Draco Malfoy » Sun Feb 20, 2022 12:42 pm

It's purblind to declare such things. First of all, there is no need to crack anything.
If I can extract the hash, the password can be found by brute force.
Second, based on my SIMOTION experience, I can tell you with confidence that the only reason we cannot unlock TIA at this time is the shortage of capable analysts and of money paid to solve the problem.

I believe that the "problem" in reality does not exist.
Although, to prevent the next fixing, closing and security updates, the solution, if it exists, will be kept confidential.

Sam N
Posts: 13
Joined: Sun Aug 08, 2021 10:00 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Sam N » Thu Mar 17, 2022 9:16 am

JEB Decompiler for S7 PLC
The S7 PLC Decompiler extension for JEB allows reverse engineers
and security auditors to analyze Siemens Simatic S7 code.

-----------------
link deleted by sania

Draco Malfoy
Posts: 94
Joined: Mon Sep 23, 2013 10:41 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Draco Malfoy » Sun Mar 20, 2022 10:42 am

Sir, I suggest you are from this firm and are trying to distribute these products here.

Please, stop.

First of all, we discuss here how to recover lost encrypted source codes in TIA Portal V11 (and later).
NOT STEP7 CLASSIC, STEP7 INSIDE TIA PORTAL.
It's a different type of software, not compatible with each other. Understood?

Second, and more important: I don't need any software for recompiling ANYTHING from the PLC into C code,
because NOTHING inside the PLC was originally programmed in C.
The language which is normally used inside PLCs is SCL.
So, if you don't have the source of a STEP7 Classic FB anymore (not encrypted, but lost source) you can easily recompile the remaining STL code from the FB into the original SCL source either by using some accessories (for example, like in the neighbouring thread) or by doing it manually.
I DON'T NEED TO RECOMPILE IT TO C with that tool. Understood?

Sam N
Posts: 13
Joined: Sun Aug 08, 2021 10:00 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Sam N » Tue Mar 22, 2022 10:27 am

Each version of TIA Portal has its own private key,
and I have to waste a huge amount of machine time to create a new rainbow table.
But
from the SD card I can upload the whole project,
decode its structure,
and from the MC7+ bytecode get the IL program.
For example,
an empty network looks like:
a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49

Draco Malfoy
Posts: 94
Joined: Mon Sep 23, 2013 10:41 pm

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Draco Malfoy » Fri Mar 25, 2022 5:14 pm

Sam N wrote:
> Tue Mar 22, 2022 10:27 am
> Each version of TIA Portal has its own private key,
> and I have to waste a huge amount of machine time to create a new rainbow table.

You mean you have a rainbow table for different TIA versions and you are able to recover the password by extracting the hash and using this table?
Very interesting.

> But
> from the SD card I can upload the whole project,
> decode its structure,
> and from the MC7+ bytecode get the IL program.
> For example,
> an empty network looks like:
> a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49

So, what do I realistically need to open, for example, a decrypted library? I need the project, and a hardware CPU to upload the project to, and then I can recover it from the SD card?
Will the recovered sources be complete, i.e. with comments and original tag names, or not?

Can you maybe open, for example, this library?

https://support.industry.siemens.com/cs ... 0&lc=de-WW

Thanks in advance

Linkinx128
Posts: 12
Joined: Fri Feb 14, 2020 1:56 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Linkinx128 » Wed Apr 13, 2022 1:08 am

Can somebody help to program a brute-force tool to guess the KHP password?

Kubanez
Posts: 5
Joined: Tue Aug 23, 2022 11:45 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by Kubanez » Tue Feb 21, 2023 7:33 am

Sam N wrote:
> Tue Mar 22, 2022 10:27 am
> Each version of TIA Portal has its own private key,
> and I have to waste a huge amount of machine time to create a new rainbow table.
> But
> from the SD card I can upload the whole project,
> decode its structure,
> and from the MC7+ bytecode get the IL program.
> For example,
> an empty network looks like:
> a3 d8 11c0c6646 a515e22 a84997980377 0b2840802607e41783d948ee020083 e6258415002d 98000002787 defaeae49

Hello! I have a PLC with a password and a TIA V13 PLC project with a password. I can change the password in the project, but I can't see it. Can you help me to see the password?

PierreAlex64
Posts: 2
Joined: Tue Nov 07, 2023 10:32 am

Re: [?]: Unlock know how protection, Tia Portal V11

Post by PierreAlex64 » Tue Nov 07, 2023 10:56 am

Hi!
I would like to open a block with know-how protection in TIA V16 or later.
Does anyone have a solution, please?

Thank you
