s7 1200 v11 block/cpu passwords

iolostan
Posts: 1
Joined: Tue Oct 30, 2012 12:45 pm

s7 1200 v11 block/cpu passwords

Post by iolostan »

I noticed you are very proficient regarding the subject, so I decided to ask.
Tip: block passwords in TIA Portal can only be set in one session: if you close the block and reopen it, the button is greyed out.
Tried using OllyDbg but got dizzy.
My other approach was using content comparison between the project/system/PEData.idx(plf) files before and after introducing/changing the password.

Passwords can be quite long, so a brute-force approach would be inconvenient.
Scenario 1: you have your designed software on your PC and you forgot the password of your OB1 function block.


Scenario 2: you access an S7-1200 PLC in a factory and need to modify the recipe parameters and add a fail-safe functionality to the existing program. The CPU is read/write protected and the function block is password protected. The whole software is saved in the PLC memory.
Here is a sample project with passwords all over it for an S7-1214 http://www.filehosting.org/file/details/390795/newp.zip
Most of the passwords are long, so a brute-force attempt would take a lot of time.

Spoiler:
The passwords are:
something like Passw0rdPr)tect or PasswordProtected for the processor
the main function: I actually forgot this one, should be a long string
Kn0wH)w for the datablock
"password" for Bleeper function
pa55w0rd for ownedscl function
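The before/after comparison of the project files that iolostan describes is easy to automate: snapshot the file, change the password, snapshot again, and report only the byte ranges that moved, with the nearest preceding text marker so the hit can be placed in its record. This is an added example, not code from the thread; the sample snapshots are constructed here and are not real PEData.plf content (the "EncryptedPassword" marker is only the string the extractor script later in this thread searches for, and the record layout around it is invented for the demo).

```python
from typing import List, Tuple

# Constructed sample, not real PEData.plf content: a fake record whose
# 20-byte field after the marker differs between two snapshots.
MARKER = b"EncryptedPassword"
HEADER = b"\x00" * 32 + MARKER + b"\x00\x01\x01\x00\x00\x00"
BEFORE = HEADER + bytes(range(20)) + b"\x00" * 16
AFTER = HEADER + bytes(range(20, 40)) + b"\x00" * 16


def changed_regions(before: bytes, after: bytes, gap: int = 8) -> List[Tuple[int, int]]:
    """Return [(start, end)] byte ranges that differ between two snapshots.
    Differences closer together than `gap` bytes are merged, so one rewritten
    record shows up as a single region instead of many single-byte hits.
    A length difference is reported as a final region covering the tail."""
    n = min(len(before), len(after))
    regions: List[Tuple[int, int]] = []
    start = last = None
    for i in range(n):
        if before[i] != after[i]:
            if start is None:
                start = i
            elif i - last > gap:
                regions.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        regions.append((start, last + 1))
    if len(before) != len(after):
        regions.append((n, max(len(before), len(after))))
    return regions


def nearest_marker(data: bytes, offset: int, marker: bytes = MARKER) -> int:
    """Offset of the last occurrence of `marker` that starts before `offset`, or -1."""
    return data.rfind(marker, 0, offset)


def hexdump(data: bytes, start: int, end: int, context: int = 16) -> str:
    """Hex + ASCII view of data[start:end] with `context` bytes on either side."""
    lo, hi = max(0, start - context), min(len(data), end + context)
    chunk = data[lo:hi]
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{lo:08x}  {chunk.hex()}  {text}"


if __name__ == "__main__":
    # In practice: BEFORE = open("PEData.plf.before", "rb").read(), etc.
    for start, end in changed_regions(BEFORE, AFTER):
        m = nearest_marker(AFTER, start)
        where = f"{m:#x}" if m >= 0 else "none"
        print(f"changed {start:#x}-{end:#x} ({end - start} bytes), "
              f"last marker before it: {where}")
        print(hexdump(AFTER, start, end))
```

Run it twice with a different password each time and compare the reported regions: a field that changes every time the password changes, and whose length stays fixed, is the one to look at for a digest; a field that changes even when the same password is re-entered is more likely a salt or a timestamp.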
AjaySahu
Posts: 9
Joined: Sun Feb 06, 2022 7:46 pm
Location: INDIA

Re: s7 1200 v11 block/cpu passwords

Post by AjaySahu »

Hi. Do you know how to find the block password?

I am trying with the PEData.plf file

2fkzsAYPLKa5vJsPWy62PwByzrU= Drive_Unscale!
8u8pTUr6Dm1jE5Zc8ydcIw== p9kx3pUXtyV+6GYGjg8zLw==
FC43-637760077236107579;FC43-637167327064292140;FC43-637132206159957385;FC43-637131967400340242;FC43-637122444241382753;FC43-637114813171354700;FC43-637114805925700273;FC43-637111441970076908;FC43-636712074190354958;FC43-636588021809845967

Something strange I have found: the protected Drive_Unscale FC43 block has
2fkzsAYPLKa5vJsPWy62PwByzrU= Drive_Unscale!
8u8pTUr6Dm1jE5Zc8ydcIw== p9kx3pUXtyV+6GYGjg8zLw==

and another FC which is unprotected directly starts with FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;
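A first check on the strings quoted in the post above, added here as an example (not code from the thread): decode the three base64 fields and report their lengths, and decode the 18-digit numbers in the `FC43-...;` list. The base64 decoding is plain fact; reading the 18-digit numbers as .NET `DateTime.Ticks` (100 ns units since 0001-01-01) is an assumption, supported only by the decoded dates landing in a plausible range for a project edited up to the time of the post and by the list being in descending order, as a change history would be. The length classification says what sizes the bytes are consistent with, not what they are.

```python
import base64
from datetime import datetime, timedelta
from typing import List, Tuple

# Strings copied from the post above (the protected Drive_Unscale FC43 entry).
POSTED_B64 = [
    "2fkzsAYPLKa5vJsPWy62PwByzrU=",
    "8u8pTUr6Dm1jE5Zc8ydcIw==",
    "p9kx3pUXtyV+6GYGjg8zLw==",
]
POSTED_HISTORY = ("FC43-637760077236107579;FC43-637167327064292140;"
                  "FC43-636588021809845967")


def b64_bytes(s: str) -> bytes:
    """Decode one base64 field, rejecting anything outside the alphabet."""
    return base64.b64decode(s, validate=True)


def describe_length(n: int) -> str:
    """Digest/salt sizes a decoded length is consistent with.
    Says nothing about what the bytes are, only what they could be."""
    sizes = {
        16: "128-bit: MD5-size digest, or a salt/IV",
        20: "160-bit: SHA-1-size digest",
        32: "256-bit: SHA-256-size digest or key",
    }
    return sizes.get(n, "no common digest size")


def ticks_to_datetime(ticks: int) -> datetime:
    """Assumption: the 18-digit numbers are .NET DateTime.Ticks,
    i.e. 100 ns units counted from 0001-01-01 00:00:00."""
    return datetime(1, 1, 1) + timedelta(microseconds=ticks // 10)


def parse_history(field: str) -> List[Tuple[str, datetime]]:
    """'FC43-637760077236107579;FC43-...' -> [(block, datetime), ...]."""
    entries = []
    for item in field.strip(";").split(";"):
        block, ticks = item.split("-", 1)
        entries.append((block, ticks_to_datetime(int(ticks))))
    return entries


if __name__ == "__main__":
    for s in POSTED_B64:
        raw = b64_bytes(s)
        print(f"{s:30} -> {len(raw):2d} bytes ({describe_length(len(raw))}): {raw.hex()}")
    for block, when in parse_history(POSTED_HISTORY):
        print(f"{block}  {when.isoformat(sep=' ', timespec='seconds')}")
```

The 28-character string decodes to 20 bytes, the two 24-character strings to 16 bytes each. That is the shape one would expect from a SHA-1 digest next to a 16-byte salt, which is consistent with the guess made later in this thread, but a size match alone does not prove the scheme; the only way to confirm it is to hash a known password with each candidate layout and compare.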
AjaySahu
Posts: 9
Joined: Sun Feb 06, 2022 7:46 pm
Location: INDIA

Re: s7 1200 v11 block/cpu passwords

Post by AjaySahu »

Code:

import sys
import os
import re
import optparse
from binascii import hexlify
from hashlib import sha1
from functools import reduce

cfg_result_hashes = 'Removal.hashes'

# Record layout this script looks for, written as the hex encoding of the raw
# bytes: the ASCII marker "EncryptedPasswor", 120..180 bytes of record body,
# the fixed bytes 00 01 01 00 00 00, then a 20-byte SHA-1 (40 hex characters).
re_pattern = re.compile('456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}')

if __name__ == '__main__':
    parser = optparse.OptionParser()
    parser.add_option('-p', dest="file", help="file.plf filepath")
    options, args = parser.parse_args()

    if not options.file:
        parser.print_help()
        sys.exit()

    with open(options.file, 'rb') as f:
        data = f.read()
    print("read file %s, size 0x%X bytes" % (options.file, os.path.getsize(options.file)))

    print("sample of hashes:")
    for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']:
        # hash the candidate itself, not the literal string "p"
        print("\t%s : %s" % (p, sha1(p.encode('utf-8')).hexdigest()))

    # Search the hex encoding of the whole file; the last 40 hex characters of
    # each match are the hash. (Do not overwrite re_pattern with a placeholder
    # here, that is what produced 0 results.)
    hex_data = hexlify(data).decode('ascii')
    possible_hashes = [s[-40:] for s in re_pattern.findall(hex_data)]

    # keep the first occurrence of each hash, preserving file order (history list)
    possible_hashes = reduce(lambda x, y: x if y in x else x + [y], possible_hashes, [])
    with open(cfg_result_hashes, 'w') as f:
        f.write('\n'.join(possible_hashes))

    total_hashes = len(possible_hashes)
    print("found %d sha1 hashes, ordered by history list:" % total_hashes)
    for pos, h in enumerate(possible_hashes, 1):
        if pos == total_hashes:
            print('\thash %d: %s\t(current)' % (pos, h))
        else:
            print('\thash %d: %s' % (pos, h))
-------------------------------------------------------------------------------
Tried this but it is not working. The code executed successfully, but with 0 results.
Bee_boo
Posts: 3
Joined: Tue Apr 30, 2024 12:51 pm

Re: s7 1200 v11 block/cpu passwords

Post by Bee_boo »

Can someone re-upload it and upload brute force?
whitewolf
Posts: 1
Joined: Sat Feb 08, 2025 6:26 pm
Location: Indian

Re: s7 1200 v11 block/cpu passwords

Post by whitewolf »

Hi, I need help. I can't remember the password I set for a function block in TIA Portal. Can anyone help me with how to unlock FB files?
osmos
Posts: 9
Joined: Fri Nov 15, 2024 1:31 pm
Location: Asia

Re: s7 1200 v11 block/cpu passwords

Post by osmos »

Could you please confirm which version of the TIA Portal you're using?
Was the password for your function block numeric only, or alphanumeric (containing both letters and numbers)?
Jonnysmith
Posts: 1
Joined: Fri Apr 11, 2025 5:06 am
Location: Ameria

Re: s7 1200 v11 block/cpu passwords

Post by Jonnysmith »

Bee_boo wrote (Thu Jan 02, 2025 8:02 am): Can someone re-upload it and upload brute force?
Hi,
I used brute force but still cannot resolve the password, although I bypass the
penalty time when putting in the password within 5 seconds.
I wrote a brute-force program in C# for it.
Does someone have another way to do it? I still try to read the 2 PEData files but still cannot understand the content of these files.
But I'm thinking the password was encrypted as SHA-1 + salt, and all saved in the two PEData files.
So maybe if we can read where that string is in these PEData files, we can replace the old one with the new password we want 😎.

I still have another way: use a software to read the Siemens source and bypass this change-password function more easily.
Another way is: use a software to read these PEData files and change the password for it.

If someone has any opinion, talk to me and we will think about how to resolve it more easily 😁.
Last edited by Jonnysmith on Fri Apr 11, 2025 5:22 am, edited 1 time in total.
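The "SHA-1 + salt" guess above can be tested offline against the two values AjaySahu quoted, instead of brute-forcing the CPU online and working around its penalty time. The following is an added example, not code from the thread or anything Siemens documents: it expands a short wordlist with the leet substitutions the thread's own passwords use (Passw0rdPr)tect, Kn0wH)w, pa55w0rd), hashes each candidate under a handful of plausible salt/encoding layouts, and compares against a target digest. The layouts are hypotheses to test, nothing more. The demo salt and digest are constructed here from a known password so the checker can be exercised; the posted values are then tried with the same code and may well produce no match.

```python
import base64
import hashlib
from itertools import product
from typing import Iterable, Iterator, Optional, Tuple

# Leet substitutions seen in the thread's example passwords; lowercase letters only.
LEET = {"o": ["o", "0", ")"], "s": ["s", "5"], "a": ["a", "4"], "e": ["e", "3"]}


def mangle(word: str) -> Iterator[str]:
    """Expand a base word into every combination of the LEET substitutions."""
    options = [LEET.get(c, [c]) for c in word]
    for combo in product(*options):
        yield "".join(combo)


def sha1_layouts(password: bytes, salt: bytes) -> Iterator[Tuple[str, bytes]]:
    """Digest layouts worth trying if the 20-byte value is a SHA-1 and the
    16-byte value is a salt. These are guesses, not a documented scheme."""
    yield "sha1(pw)", hashlib.sha1(password).digest()
    yield "sha1(salt+pw)", hashlib.sha1(salt + password).digest()
    yield "sha1(pw+salt)", hashlib.sha1(password + salt).digest()
    # TIA Portal is a Windows application, so UTF-16LE strings are worth a try.
    pw16 = password.decode("utf-8").encode("utf-16-le")
    yield "sha1(utf16le(pw))", hashlib.sha1(pw16).digest()
    yield "sha1(salt+utf16le(pw))", hashlib.sha1(salt + pw16).digest()


def check_candidates(target_b64: str, salt_b64: str,
                     candidates: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (password, layout) for the first candidate whose digest equals
    the target under any layout, or None if nothing matches."""
    target = base64.b64decode(target_b64)
    salt = base64.b64decode(salt_b64)
    for cand in candidates:
        pw = cand.encode("utf-8")
        for label, digest in sha1_layouts(pw, salt):
            if digest == target:
                return cand, label
    return None


# Constructed demo pair: salt and digest made here from a known password so the
# checker can be exercised offline. Not values from any real project file.
DEMO_SALT = bytes(range(16))
DEMO_SALT_B64 = base64.b64encode(DEMO_SALT).decode()
DEMO_TARGET_B64 = base64.b64encode(
    hashlib.sha1(DEMO_SALT + b"Kn0wH)w").digest()).decode()

# Values quoted from AjaySahu's post for the protected Drive_Unscale FC43 block.
POSTED_TARGET_B64 = "2fkzsAYPLKa5vJsPWy62PwByzrU="
POSTED_SALT_B64 = "8u8pTUr6Dm1jE5Zc8ydcIw=="


if __name__ == "__main__":
    print("demo:", check_candidates(DEMO_TARGET_B64, DEMO_SALT_B64, mangle("KnowHow")))
    words = ["password", "KnowHow", "PasswordProtected", "DriveUnscale"]
    cands = (c for w in words for c in mangle(w))
    hit = check_candidates(POSTED_TARGET_B64, POSTED_SALT_B64, cands)
    print("posted values:", hit if hit else "no candidate matched under any layout")
```

Two things this makes concrete. First, if the scheme really is an unsalted or simply salted SHA-1, the limit is purely the candidate space, since one SHA-1 per guess runs at millions per second on a laptop, so the penalty time mentioned above only matters for the online path. Second, a "no match" over a wordlist is not a negative result about the scheme: confirm the layout first by setting a password you know in a scratch project and checking that exactly one layout reproduces the stored digest, then spend the CPU time on the unknown one.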
CoMod
Site Admin
Posts: 4042
Joined: Thu Feb 16, 2006 3:25 pm
Location: Russia

Re: s7 1200 v11 block/cpu passwords

Post by CoMod »

This 2011 backdoor was closed after publication of this code (h)
https://github.com/atimorin/scada-tools/blob/master/s7_password_hashes_extractor.py?ysclid=m9ci5imoby260561818

some info about reversing S7-1200
https://sec-consult.com/blog/detail/rev ... inout-plc/