[Link]: S7_Unlock password for S7 200 and S7 300 MMC


Post by smsasg » Tue Apr 11, 2006 8:04 am

Unlock password for S7 200 and S7 300 MMC
Add: convert *.wld from MMC-image file
You can create an image file from the MMC with S7imgRD.exe or WINHEX
[dead] Simatic_S7-200_S7-300_MMC_Password_Unlock_2006_09_11.rar
(translated from Russian) The program for computing the password from an image is universal, for both the S7-200 and the S7-300. The process of obtaining an image from the 200 was described earlier. For the 300 you need an image of the MMC card (made with S7imgRD.exe, WINHEX, etc.)
An option has been added to the S7Unlock program for converting an MMC file (*.wld) from an MMC card image obtained by any available means:

You can use ONLY an EXTERNAL CardReader. An internal notebook CardReader does not work properly with Simatic MMC and shows the message "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
smsasg wrote (translated from Russian): The physical device for reading the MMC image must be an external CardReader only. The one built into a notebook gives the read error "IOCTL_DISK_GET_DRIVE_GEOMETRY failed".
Reading and writing are possible only with an external CardReader... the MMC DiskDevice built into a laptop gives this error.
In short, the reader must be a physical device, not a logical one. This is very easy to see when using WinHex as the read/write program.
https://disk.yandex.ru/d/qA3JuMSnuSSXNA/PPP
https://mega.nz/#!LBJCkRAA!bofmUBFm8SDA ... BgQk2LKOUQ

https://mega.nz/#!LBJCkRAA!bofmUBFm8SDAPwva-QEJQwUHsvyGY2yKfBgQk2LKOUQ
https://www.virustotal.com/gui/file/6db ... /detection
use in VirtualBox


Post by CoMod » Wed Apr 19, 2006 7:54 am

http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got program for unprotecting S7 pwd, here is algorithm how is the pwd protected. Link_is_Dead :(/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591

jcarlos :

Hi everybody,

the S7ImgRd and S7ImgWr are updated. You can now try to bring back accidentally formatted MMC with other images.

Also the Password thing, earlier posted here, is built in, but please don't violate copyright.

http://personal.telefonica.terra.es/web/suwe/
Nuevo / new / neu V1.0 March 2006
S7ImgRd does try to retrieve Password if set ! please test and report !

http://www.telefonica.net/web/suwe/s7imgrd1.zip
http://www.telefonica.net/web/suwe/s7imgwr1.zip

algorithm

Post by Keygen » Sun Apr 30, 2006 3:07 am

smsasg wrote: well, if the details are of that much interest, the encoding principle is much simpler: Link_is_Dead :(/Pass_for_S7.pdf
Size: 73 KB
Address location in the password can be arbitrary, e.g.:
Address 1E75 - protection level (01-03)
Address 1E76-1E7D - encrypted password
(1E76) = 1st char
(1E77) = 2nd char
(1E76) XOR (1E78) = char 3
(1E77) XOR (1E79) = char 4
(1E78) XOR (1E7A) = char 5
(1E79) XOR (1E7B) = char 6
(1E7A) XOR (1E7C) = char 7
(1E7B) XOR (1E7D) = char 8
Example, contents of addresses 1E75-1E7D:
03 FC EF 04 07 EF F9 0C 6F
Converted code:
FC EF F8 E8 EB FE E3 96
Password (as characters):
V E R B A T I <

Table char<>code ...
:shock:
Well, wow, what a tangle, it's all much simpler!
LenFW - Length Word (length in WORDs)
Buff - buffer with the S7-Password (a buffer in memory holding the encrypted S7-Password)

/* decoded in place, last word first, so Buff[i-1] is still encrypted when it is used */
for (int i = LenFW - 1; i > 0; i--)
{
    *(Buff + i) ^= *(Buff + i - 1) ^ 0xAAAA;
}
*Buff ^= 0xAAAA;

Voila!
That's all! Voila!
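
Added example (not code from any poster in this thread): the byte-wise rules quoted from Pass_for_S7.pdf and the word-wise loop above, run on the sample bytes from the post to show that they are the same keyless transform, so the stored field is reversible masking rather than a one-way hash. The function names are hypothetical, and using XOR 0xAA in place of the "Table char<>code" lookup is an assumption that the sample bytes bear out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PW_LEN 8

/* Sample field from the post (addresses 1E76-1E7D; level byte 03 left out). */
static const uint8_t SAMPLE[PW_LEN] = {0xFC, 0xEF, 0x04, 0x07, 0xEF, 0xF9, 0x0C, 0x6F};

/* Byte-wise rule: stored[n] XOR stored[n-2] from char 3 on, then XOR 0xAA (assumed table). */
void decode_bytewise(const uint8_t *enc, char *out) {
    for (int i = 0; i < PW_LEN; i++)
        out[i] = (char)(enc[i] ^ (i >= 2 ? enc[i - 2] : 0) ^ 0xAA);
    out[PW_LEN] = '\0';
}

/* Word-wise loop from the post, run on a copy of the field. */
void decode_wordwise(const uint8_t *enc, char *out) {
    uint16_t buff[PW_LEN / 2];
    memcpy(buff, enc, PW_LEN);
    for (int i = PW_LEN / 2 - 1; i > 0; i--)
        buff[i] ^= buff[i - 1] ^ 0xAAAA;
    buff[0] ^= 0xAAAA;
    memcpy(out, buff, PW_LEN);
    out[PW_LEN] = '\0';
}

/* Inverse direction: no key or salt enters the stored value. */
void encode(const char *pw, uint8_t *enc) {
    for (int i = 0; i < PW_LEN; i++)
        enc[i] = (uint8_t)pw[i] ^ 0xAA ^ (i >= 2 ? enc[i - 2] : 0);
}

/* Returns 1 if both decoders agree on SAMPLE and encode() reproduces it. */
int sample_checks_out(char *out) {
    char b[PW_LEN + 1];
    uint8_t back[PW_LEN];
    decode_bytewise(SAMPLE, out);
    decode_wordwise(SAMPLE, b);
    encode(out, back);
    return strcmp(out, b) == 0 && memcmp(back, SAMPLE, PW_LEN) == 0;
}

int main(void) {
    char pw[PW_LEN + 1];
    int ok = sample_checks_out(pw);
    printf("%s %s\n", pw, ok ? "(both forms agree)" : "(mismatch)");
    return ok ? 0 : 1;
}
```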


Post by scorp26 » Wed Sep 13, 2006 5:38 am

With an internal CardReader s7imgrd.exe shows the error
IOCTL_DISK_GET_DRIVE_GEOMETRY failed
with an external CardReader all is OK.
(translated from Russian) I tried to read the image with s7imgrd.exe
It gave the error IOCTL_DISK_GET_DRIVE_GEOMETRY failed
Is the utility acting up, or is there a problem with the MMC (the controller runs from it)?

Strange, what difference should it make to it whether the card reader is external or internal. Though yes, it was the built-in reader that was used.

And indeed, everything worked perfectly on an external card reader. Thanks for the help.


Post by vaiduakhu » Sat Jun 07, 2008 7:42 am

CoMod wrote:http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got program for unprotecting S7 pwd, here is algorithm how is the pwd protected. Link_is_Dead :(/files/18271865/crypt_MMC.zip.html
Can anyone reupload the RS.de link?


Post by CoMod » Sat Jun 07, 2008 8:34 am

See Algorithm in message from Keygen
viewtopic.php?p=3229#3229
Keygen wrote: all much easier!
LenFW - Length Word (length in WORDs)
Buff - buffer with the S7-Password (a buffer in memory holding the encrypted S7-Password)

for (int i = LenFW - 1; i > 0; i--)
{
    *(Buff + i) ^= *(Buff + i - 1) ^ 0xAAAA;
}
*Buff ^= 0xAAAA;

Voila!


Post by smsasg » Thu Aug 20, 2009 7:35 pm

Updated version S7_Unlock
Add: you can decode password of S7-200 project file *.mwp

http://narod.ru/disk/12236322000/Unlock ... 7.Link_is_Dead :(
or
Link_is_Dead :(/U ... age_S7.rar
Size: 181 KB


Post by Huzulka » Wed Mar 10, 2010 6:00 pm

CoMod wrote: http://www.plctalk.net/qanda/showthread.php?t=21591
tischer:
As you have got program for unprotecting S7 pwd, here is algorithm how is the pwd protected. Link_is_Dead :(/files/18271865/crypt_MMC.zip.html
-------------------------------------------------------------
http://plctalk.net/qanda/showthread.php?t=21591
Has anyone seen this file? Does anyone have a copy? There was a lot of juicy information on how the Siemens file system is set up, passwords and how to investigate. CoMod, in his usual superhero way, saved my ass again with how to get the password for a 400 MC card. But I have another project I am working on that is programming in nature and I really need to get around inside the cards.

To put it bluntly, I am trying to improve my programming/hacking skills. If anyone has any pointers, anything. I got myself a copy of WinHex and I have had a blast replicating everything, but there must be a way to mount a Siemens MC/MMC card image and look inside at the individual files.

Appreciate any help.

H


Post by escueto » Thu Oct 28, 2010 4:28 pm

Please, we have a serious problem with S7 200 but we cannot guess the password of the PLC.
The key S7 program does not work with the PPI cable / USB.

I would appreciate the help.


Post by smsasg » Wed Aug 10, 2011 7:54 am

Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Un ... Image.html


Post by AndreyUA » Tue Sep 20, 2011 9:36 am

smsasg wrote:Updated Version 5.01 of the "Unlock_and_converter_MMC_Image_S7":
http://www.2shared.com/file/YQ1sgNFX/Un ... Image.html
Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?


Post by Schtiel » Tue Sep 20, 2011 9:57 am

AndreyUA wrote: Unfortunately, downloading the file is not possible. Could someone upload the file to another hosting?
Download is possible - I tried and there was no problem. Anyway, mirror is here: http://ifile.it/d5y6kfg


Post by Erivaldo » Thu Aug 09, 2012 1:29 am

Hi, I have a machine with a PLC S7 200 CPU 226 and need to do a backup, but it is protected with a password. Is there any way to unlock this password for the machine, because the manufacturer is closed?

Thank you


Post by romex » Sun Jan 27, 2013 1:50 pm

Did anybody use the S7 200CN and work with it?


Post by smsasg » Fri Apr 19, 2013 3:54 pm

Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unl ... Image.html


Post by kostawr » Mon Jun 30, 2014 8:40 pm

hello,
Is it possible for someone to unlock the attached S7 200 routines for me?

(dlink) https://www.dropbox.com/s/fepvy3xt32fbqf8/Project1.mwp

thanks in advance,



Post by xflash » Wed Sep 07, 2016 3:08 am

smsasg wrote:Updated Version 6.01 of the "Unlock_and_converter_MMC_Image_S7" (added option for S7-300F):
http://www.4shared.com/rar/8UK3Ip0d/Unl ... Image.html
(gpost) (gpost)
It is not available now, could you please reupload? Please.... (tyou) (tyou) (sos) (sos) (sos)

I searched the Internet and found one combined with malware, so please, could some good guy here upload a good one to mega or somewhere else.
Great thanks!



Post by CoMod » Wed Sep 14, 2016 5:58 am

Kaspersky deletes this version (h) (boom)
https://www.virustotal.com/ru/file/6dbb ... 473833447/
Kaspersky deletes this version... can you change the packer, or distribute it in an archive with the password 1? And with an unprotected file in the archive containing the password text,
or with ***_password_1.zip in its name?


Post by xflash » Sat Sep 17, 2016 1:10 pm

I believe in you and believe it is clear and virus-free.
