s7 1200 v11 block/cpu passwords

SIMATIC S7-200/300/400, Step7, PCS7, CFC, SFC, PDM, PLCSIM,
SCL, Graph, SPS-VISU S5/S7, IBHsoftec, LOGO ...
iolostan
Posts: 1
Joined: Tue Oct 30, 2012 12:45 pm

s7 1200 v11 block/cpu passwords

Post by iolostan »

I noticed you are very proficient regarding the subject, so I decided to ask.
Tip: block passwords in TIA Portal can only be set in one session: if you close the block and reopen it, the button is greyed out.
I tried using OllyDbg but got dizzy.
My other approach was using content comparison between the project/system/PEData.idx (plf) files before and after introducing/changing the password.

Passwords can be quite long so a brute force approach would be inconvenient.
Scenario 1: you have your designed software on your pc and you forgot the password of your ob1 function block.


Scenario 2: you access an S7-1200 PLC in a factory and need to modify the recipe parameters and add a fail-safe functionality to the existing program. The CPU is read/write protected and the function block is password protected. The whole software is saved on the PLC memory.
Here is a sample project with passwords all over it for an S7-1214: http://www.filehosting.org/file/details/390795/newp.zip
Most of the passwords are long, so a brute force attempt would take a lot of time.

the passwords are:
something like Passw0rdPr)tect or PasswordProtected for the processor
the main function: I actually forgot this one, should be a long string
Kn0wH)w for the datablock
"password" for Bleeper function
pa55w0rd for ownedscl function
AjaySahu
Posts: 9
Joined: Sun Feb 06, 2022 7:46 pm
Location: INDIA

Re: s7 1200 v11 block/cpu passwords

Post by AjaySahu »

Hi, do you know how to find the block password?

I am trying using the PEData.plf file.

2fkzsAYPLKa5vJsPWy62PwByzrU= Drive_Unscale!
8u8pTUr6Dm1jE5Zc8ydcIw== p9kx3pUXtyV+6GYGjg8zLw==
FC43-637760077236107579;FC43-637167327064292140;FC43-637132206159957385;FC43-637131967400340242;FC43-637122444241382753;FC43-637114813171354700;FC43-637114805925700273;FC43-637111441970076908;FC43-636712074190354958;FC43-636588021809845967

Some strange thing I have found: the Drive_Unscale FC43 block, which is protected, has
2fkzsAYPLKa5vJsPWy62PwByzrU= Drive_Unscale!
8u8pTUr6Dm1jE5Zc8ydcIw== p9kx3pUXtyV+6GYGjg8zLw==

and other FCs which are unprotected directly start with FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;
AjaySahu
Posts: 9
Joined: Sun Feb 06, 2022 7:46 pm
Location: INDIA

Re: s7 1200 v11 block/cpu passwords

Post by AjaySahu »

Code:

import sys
import os
import re
import optparse
from binascii import hexlify
from hashlib import sha1
from functools import reduce

# output file that receives one candidate hash per line
cfg_result_hashes = 'Removal.hashes'

if __name__ == '__main__':
    parser = optparse.OptionParser()
    parser.add_option('-p', dest="file", help="file.plf filepath")
    options, args = parser.parse_args()

    if not options.file:
        parser.print_help()
        sys.exit()

    with open(options.file, 'rb') as f:
        data = f.read()
    print("read file %s, size 0x%X bytes" % (options.file, os.path.getsize(options.file)))

    print("sample of hashes:")
    for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']:
        # hash the variable p, not the literal string "p"
        print("\t%s : %s" % (p, sha1(p.encode('utf-8')).hexdigest()))

    # "EncryptedPasswor" as ASCII hex, then the record body, a fixed marker
    # and finally 20 bytes (40 hex characters) that hold the SHA-1 value
    re_pattern = re.compile('456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}')

    # Convert the raw bytes to a lowercase hex string so the pattern can be matched.
    # Do not overwrite re_pattern with a placeholder afterwards: that yields 0 results.
    hex_data = hexlify(data).decode('utf-8')

    matches = re_pattern.findall(hex_data)

    # The last 40 hex characters of each match are the candidate hash
    possible_hashes = [s[-40:] for s in matches]

    # Drop duplicates while keeping the order in which they appear in the file
    possible_hashes = reduce(lambda x, y: x if y in x else x + [y], possible_hashes, [])
    with open(cfg_result_hashes, 'w') as f:
        f.write('\n'.join(possible_hashes))

    total_hashes = len(possible_hashes)
    print("found %d sha1 hashes, ordered by history list:" % total_hashes)
    for pos, h in enumerate(possible_hashes, 1):
        if pos == total_hashes:
            print('\thash %d: %s\t(current)' % (pos, h))
        else:
            print('\thash %d: %s' % (pos, h))
-------------------------------------------------------------------------------
I tried this but it is not working. The code executed successfully, but with 0 results.