How to unlock the password of an S7-200 PLC, or read the program from an S7-200: the easy way

Many beginner automation engineers ask me how to unlock the password of an S7-200 PLC. I was prompted to write this article by the situation with the “ALBA” machine for water-jet cutting of sheet materials, bought for our pilot production facility and supplied by our Chinese colleagues, machine builders from the Sunrise company. The machine worked fine for a couple of years, and suddenly the message “Emergency Stop” appeared on the display of the CNC system and the machine refused to perform any actions.
At the same time, two red LED lamps flashed beautifully on the control panel in binary counter mode. Since there was no normal technical documentation, they called the seller’s service center. They answered – send an application, pay the money, after which we will come and see. The proposal would probably have been accepted if the company had not been sitting on the file cabinet; of course, there was no money.
Then the superiors asked me to look, although the duties of the deputy chief designer for the process control system of the design institute do not include the maintenance of the machine tool park of the pilot production.

Phase one – preparatory.

Inspection showed that the entire crap is controlled by a small S7-200 with one additional I/O module. Although we did not use the 200 series in our equipment, the PPI adapter was available. Everything is simple – you need to download the software from the controller and see what sets the error. Only one controller output was lit, and when it was taken off the controller, the error disappeared from the CNC screen, which, however, did not allow the machine to work.

Further, everything seemed very trivial. I installed STEP 7-Micro/WIN on my laptop, connected the controller, set up the interface, pressed Upload, and then came the password entry window. Attempts with ALBA, SUNRISE and SUNSHINE gave nothing.
The call to the seller's technical support was somewhat discouraging. “We do not have a password, the Chinese do not give it. If something is wrong with the controller, It was hard to believe, and the question of cracking this entire setup became a matter of professional honor.

I looked with a port sniffer at what is transmitted and received during the authorization process. The controller transmits the password in encrypted form, so the information is of little use, since the encryption algorithm is unknown and there can be an unlimited number of options.

Phase two – collecting information.

I went to the office to smoke the Internet. I dismantled the controller from the machine cabinet and took it with me. A lot of interesting things were found, mainly on. The site is very useful, I highly recommend it to everyone!

Program for un-passing the S7-200 project

Further searches led to a technique for reading a dump from a 24C64 chip – memory with sequential access. Having a dump, you can also extract the password.

There is one more link there, which is designed to read the password directly from the controller via the standard PPI interface.

The program actually addresses the controller, even reads the CPU type and firmware version, but, alas, the password does not show – the field is empty. I suspect this once worked, but on early versions of CPU firmware.
The program is really outdated and no longer relevant for new processors.

Phase three – hardware.

The next step is to build the programmer. Without thinking twice, I soldered up with surface mounting what CoMod recommended in link No. 2, based on the LPT port. Two KT315, four resistors. I soldered the wires to the ROM chip.
Dancing with a tambourine and probing signals with a multimeter did not give any results. As it turned out later, I did not feel it well with a multimeter, but more on that later.
I went to smoke the Internet further in search of a solution. As a result, I settled on the scheme of the EXTRA PIC programmer. I threw out everything that was not needed to read the 24C64, which is a lot. There are two MAX232 and 555LA3 microcircuits, four capacitors, a resistor, and a diode. When I went to the store for the MAX232, I decided to buy a 24C64 for experiments with the programmer. We took 5 V power from USB. I soldered the wires to the ROM microcircuit.

Phase four – dancing with a tambourine.

The program is very useful for configuring and testing the programmer – you can select the signals of the ports that are connected to the ROM microcircuit and switch them programmatically in statics, thus checking the passage and normalization of signals. Along the way, I looked closely at the markings of the purchased 24C64 and did not find anything similar on the case. They had slipped me the wrong thing in the store. I went to another store and bought a 24C08 there.
No response from the ROM chip! I began to probe the signals with a multimeter and found a short circuit, not entirely short, but still, between the signal wires in the cable connecting the programmer to the ROM microcircuit. This cable had been cut the day before from a dead mouse. I connected the wiring to the 24C64 microcircuit of the S7-200 controller, launched WinPic800
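
Several of the failures in this phase (no response from the chip, a doubtful chip type, a bad cable) can be told apart from the dump file itself before any time is spent interpreting it. The sketch below is an added example, not part of the original article or of WinPic800; the function names, the block sizes tested and the sample data are constructed, and the only device fact it relies on is that a 24C64 holds 8192 bytes.

```python
EEPROM_SIZE = 8 * 1024  # 24C64: 64 Kbit = 8192 bytes


def make_sample():
    """Constructed stand-in for a good read: varied, non-repeating content."""
    return bytes((i * 37 + (i >> 8) * 11) & 0xFF for i in range(EEPROM_SIZE))


def check_dump(data, second_read=None):
    """Return a list of problems; an empty list means the read looks plausible."""
    problems = []
    if len(data) != EEPROM_SIZE:
        problems.append(f"size is {len(data)} bytes, expected {EEPROM_SIZE}")
    if data and len(set(data)) == 1:
        # A bus that never answers typically reads back as one constant byte.
        problems.append(f"constant 0x{data[0]:02X}: chip did not respond")
    else:
        # The same block repeated over the whole file points to a wrong
        # device type or address width selected in the programmer software.
        for block in (256, 1024, 2048, 4096):
            if len(data) < 2 * block or len(data) % block:
                continue
            first = data[:block]
            if all(data[i:i + block] == first
                   for i in range(block, len(data), block)):
                problems.append(f"content repeats every {block} bytes")
                break
    if second_read is not None and second_read != data:
        # Marginal wiring gives reads that differ from one pass to the next.
        diff = sum(a != b for a, b in zip(data, second_read))
        problems.append(f"two reads differ in {diff} byte(s)")
    return problems


if __name__ == "__main__":
    good = make_sample()
    flaky = bytearray(good)
    flaky[100] ^= 0x01  # constructed single-bit read error
    for name, args in [("good", (good,)),
                       ("no response", (b"\xff" * EEPROM_SIZE,)),
                       ("aliased", (good[:1024] * 8,)),
                       ("unstable", (good, bytes(flaky)))]:
        print(name, check_dump(*args))
```

Reading the chip twice and passing both files to `check_dump` is the cheapest way to catch a cable like the one described here.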

The control program, in fact, does not represent anything tricky. The usual “relay” control of all sorts of things, such as hydraulics, pumps, valves, and other rubbish, but … There is a timer code for 360 work shifts of 8 hours. The timer counts only when some output is turned on, such as turning on the hydraulic pump of the pressure booster, that is, when the machine is running. When the timer counts down to the end, the flag with the address M13.0 is set, as in: that's all, guys, pay money! What is this if not extortion! It is impossible to clear the flag in any way other than connecting the debugger, which requires a password!
How ugly it is and who programmed it, either the Chinese or our mediators from Moscow, I, of course, do not know. But I want to say: Well, you guys are goats!
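
A flag like M13.0, set once and never cleared by the program itself, is something a buyer can look for when the PLC source is handed over at acceptance. The following is an added example, not the vendor's program and not code from this article: it scans an S7-200 STL export for bits that are latched with `S` but have no matching `R` anywhere. The listing, every address except M13.0 and the function names are constructed, and only `S`/`R` instructions are considered (byte-wide writes that clear a bit are not).

```python
import re

# Constructed S7-200 STL listing, not the program from the machine above.
# VW100 is an assumed counter word; only the address M13.0 comes from the article.
SAMPLE_STL = """\
Network 1 // run-time counter
LD     Q0.3
EU
INCW   VW100
Network 2 // limit reached: latch a flag
LDW>=  VW100, +2880
S      M13.0, 1
Network 3 // ordinary start/stop latch
LD     I0.0
S      M0.0, 2
LD     I0.1
R      M0.0, 2
"""

SR_RE = re.compile(r"^\s*(S|R)\s+([A-Z]+)(\d+)\.([0-7])\s*,\s*(\d+)\s*$")


def expand(area, byte, bit, count):
    """Expand an 'S M13.6, 3' style operand into its individual bit addresses."""
    for offset in range(count):
        pos = byte * 8 + bit + offset  # ranges may run into the next byte
        yield f"{area}{pos // 8}.{pos % 8}"


def latched_without_reset(stl):
    """Return {bit: network} for bits that are Set somewhere but never Reset."""
    set_bits, reset_bits, network = {}, set(), None
    for line in stl.splitlines():
        code = line.split("//", 1)[0].strip()  # drop STL comments
        m = re.match(r"(?i)network\s+(\d+)", code)
        if m:
            network = int(m.group(1))
            continue
        m = SR_RE.match(code)
        if not m:
            continue
        op, area, byte, bit, count = m.groups()
        for addr in expand(area, int(byte), int(bit), int(count)):
            if op == "S":
                set_bits.setdefault(addr, network)
            else:
                reset_bits.add(addr)
    return {a: n for a, n in set_bits.items() if a not in reset_bits}
```

On the constructed listing, `latched_without_reset(SAMPLE_STL)` reports M13.0 in network 2, while the start/stop latch on M0.0 and M0.1 is not flagged because it is reset in network 3.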

PS: Interestingly, 360D is written on the PLC case with a marker. At first, I took it for a password, then, of course, the real meaning of this inscription became clear.

By the way, the first version of the programmer was most likely a working one. This rotten stub of the mouse cable was to blame!