I noticed you are very proficient regarding the subject so I decided to ask.
Tip: block passwords in TIA Portal can only be set in one session: if you close the block and reopen it, the button is greyed out.
Tried using OllyDbg but got dizzy.
My other approach was using content comparison between the project/system/PEData.idx(plf) files before and after introducing/changing the password.
Passwords can be quite long so a brute force approach would be inconvenient.
Scenario 1: you have your designed software on your PC and you forgot the password of your OB1 function block.
Scenario 2: you access an S7-1200 PLC in a factory and need to modify the recipe parameters and add a fail-safe functionality to the existing program. The CPU is read/write protected and the function block is password protected. The whole software is saved on the PLC memory.
Here is a sample project with passwords all over it for an S7-1214: http://www.filehosting.org/file/details/390795/newp.zip
Most of the passwords are long so a brute force attempt would take a lot of time.
Spoiler
the passwords are:
something like Passw0rdPr)tect or PasswordProtected for the processor
the main function: I actually forgot this one, should be a long string
Kn0wH)w for the datablock
"password" for Bleeper function
pa55w0rd for ownedscl function
Some strange thing I have found: the protected Drive Unscale FC43 block has
2fkzsAYPLKa5vJsPWy62PwByzrU= Drive_Unscale!
8u8pTUr6Dm1jE5Zc8ydcIw== p9kx3pUXtyV+6GYGjg8zLw== "
and another FC, which is unprotected, directly starts with FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;FC41-637760077236107571;
import sys
import os
import re
import optparse
from binascii import hexlify
from hashlib import sha1
from functools import reduce

# Output file for the extracted hashes
cfg_result_hashes = 'Removal.hashes'

if __name__ == '__main__':
    parser = optparse.OptionParser()
    parser.add_option('-p', dest="file", help="file.plf filepath")
    options, args = parser.parse_args()
    if not options.file:
        parser.print_help()
        sys.exit()
    with open(options.file, 'rb') as f:
        data = f.read()
    print("read file %s, size 0x%X bytes" % (options.file, os.path.getsize(options.file)))
    print("sample of hashes:")
    for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']:
        # Hash the sample password itself, not the literal string "p"
        print("\t%s : %s" % (p, sha1(p.encode('utf-8')).hexdigest()))
    # Hex of "EncryptedPasswor", 240-360 hex digits, a fixed marker, then 40 hex digits (SHA-1 length).
    # The placeholder pattern that overwrote this one has been removed.
    re_pattern = re.compile('456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}')
    # Convert the file bytes to a lowercase hex string so the str pattern can be applied
    hex_data = hexlify(data).decode('utf-8')
    # Find all matches in the hex string
    matches = re_pattern.findall(hex_data)
    # Extract the last 40 characters from each match
    possible_hashes = [s[-40:] for s in matches]
    print(possible_hashes)
    # Remove duplicates while keeping the order of first appearance
    possible_hashes = reduce(lambda x, y: x if y in x else x + [y], possible_hashes, [])
    with open(cfg_result_hashes, 'w') as out:
        out.write('\n'.join(possible_hashes))
    total_hashes = len(possible_hashes)
    print("found %d sha1 hashes, ordered by history list:" % (total_hashes))
    for h in possible_hashes:
        pos = possible_hashes.index(h) + 1
        if pos == total_hashes:
            print('\thash %d: %s\t(current)' % (pos, h))
        else:
            print('\thash %d: %s' % (pos, h))
-------------------------------------------------------------------------------
Tried this but it is not working. The code executed successfully, but 0 results.
Could you please confirm which version of the TIA Portal you're using?
Was the password for your function block numeric only, or alphanumeric (containing both letters and numbers)?