CRACKING THE ALLEN BRADLEY “KEYWORD”

A Technique to discover the password or “keyword” stored in Allen-Bradley SLC series PLCs


Written By Ian Sullivan

Application Software required:
RSLogix 500
RSLinx
Comlite 32 (Available free from http://www.comlite.com/ or Here (800k zip file))


NOTE:
This technique is intended as a work around when you have been left with a password protected PLC and the original installer has gone bust!


Introduction

The keywords within an Allen-Bradley processor consist of a string of up to ten characters in the range 0-9 for the main password and the same again for the master password. If a keyword has been set within the processor, it is required in order to read the program from the PLC and to monitor or modify the program. If you haven’t got the key, you can’t get in.
Rockwell’s UK technical support has been asked whether it is possible to identify or get round the keyword; their answer is no, you must clear the PLC memory and start again. Not very good if you do not have the original code to begin with! I recently found a way of finding the keyword in Mitsubishi processors, therefore the next logical step was to try the SLC processor. I thought it would be more difficult, I was wrong!
(Note that ComLite32 does not work with NT/2000 – I used W98)

Setting The Keyword

SLC Processor

I had a distinct advantage over some users, whereby I did not have a protected PLC to crack; I had an unprotected one in which I could set any keyword, so I knew what I was looking for. On the SLC processor, using Logix 500, I set the main password to "0123456789" and the master password to "5555566666", downloaded it to the processor, then closed the file. I started ComLite32 to monitor com1 in single line mode. I then did a "who active - go online" into a blank project. When the "No Matching File Found" dialog is shown, switch to ComLite and start logging. Switch back to Logix and hit the "Create New File" button. A dialog then appears asking for the password; at this point type in any keyword (e.g. 123456). The dialog will appear again (because the keywords don’t match); you can try this three times. At this point, switch back to ComLite and see what you’ve got. It will appear something like this:

The red data is what your PC is sending, Blue data is sent from the PLC.
It looks like the PC sends a command to the PLC asking for the keyword, the PLC then sends it back and Logix compares the two; if they match, it allows you to continue. The red <todo> looks like a request for data; the PLC then sends back data (blue) which includes the two passwords. The strange thing is that the PC again sends a request for data, and this time the PLC sends another packet back, of a different length, but still including the passwords. Thus even if you are not sure where to look, it makes it easier to spot two sets of passwords.
From the picture above we get this pattern twice:
30 31 32 33 34 35 36 37 38 39 35 35 35 35 35 36 36 36 36 36
Translate it into the ASCII character and you get 0123456789 5555566666

Let’s try that again, this time using different passwords



Matching pattern of data this time was:
30 36 30 32 34 35 33 34 32 33 34 34 35 35 36 36 37 37 38 38
Translated to ASCII character gives 0602453234 4455667788

OK, so which one is which? The first set is the main password, the second is the master password.
Thus the main password was 0602453234 and the master password was 4455667788

The packets that the PC sends each time appear to be different, but the start and end of each packet is quite close.

This is all fine for ten digit passwords that we tried above, but, each password can be UP TO ten digits long, how does this appear?

Same sequence, same results; the only difference this time is that if you only have five digits in your password, the remaining five "spaces" are null, given as 00h, the ASCII code for NUL.

As seen previously, when the PC sends a request, the data is not always the same, so I was looking for a pattern which might make discovering the password easier. The only pattern that I can ascertain (new ideas are welcome) is that:
After the first packet of data, starting in this instance at 10 06 10 02 01 00 0F 00, the first password's first digit starts 33 characters after the transmit ends; following that there is another send of data from the PC, and in the PLC's response the first password's first digit starts 11 characters after the transmit ends.
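To make the decoding rule above concrete, here is an added example (not part of the original page) that pulls the two NUL-padded keyword fields out of a captured response. The two 20-byte patterns are the ones quoted above; the surrounding response bytes in the sample are constructed for illustration and are not a real SLC packet.

```python
# Added example (not from the original page): decode the two 10-byte keyword
# fields that the page shows the SLC processor returning in clear text.
# Each field is up to ten ASCII digits (30h-39h), padded to ten bytes with
# NUL (00h) when the keyword is shorter, main keyword first, then master.
from typing import Optional, Tuple

FIELD_LEN = 10  # one keyword field is always ten bytes on the wire


def decode_field(field: bytes) -> Optional[str]:
    """Return the digits of a ten-byte keyword field, '' if unset, or None
    if the bytes are not a digits-then-NUL-padding field at all."""
    if len(field) != FIELD_LEN:
        return None
    digits = field.rstrip(b"\x00")
    if digits and not digits.isdigit():  # also rejects a NUL in the middle
        return None
    return digits.decode("ascii")


def find_keywords(response: bytes) -> Optional[Tuple[str, str]]:
    """Scan a captured PLC response for the (main, master) keyword pair.

    Returns the first 20-byte window made of two adjacent keyword fields
    where the main keyword is non-empty; None if no such window exists.
    """
    for offset in range(len(response) - 2 * FIELD_LEN + 1):
        window = response[offset:offset + 2 * FIELD_LEN]
        main = decode_field(window[:FIELD_LEN])
        master = decode_field(window[FIELD_LEN:])
        if main and master is not None:
            return main, master
    return None


# The two byte patterns quoted on the page.
PAGE_PATTERN_1 = bytes.fromhex("30313233343536373839 35353535353636363636")
PAGE_PATTERN_2 = bytes.fromhex("30363032343533323334 34343535363637373838")

# Constructed sample response: arbitrary filler bytes, then a five-digit main
# keyword and a five-digit master keyword, each NUL-padded to ten bytes.
SAMPLE_RESPONSE = (
    bytes.fromhex("a5 5a 00 00 06 00 7f 01")
    + b"12345" + b"\x00" * 5
    + b"98765" + b"\x00" * 5
    + bytes.fromhex("7e 03")
)

if __name__ == "__main__":
    for capture in (PAGE_PATTERN_1, PAGE_PATTERN_2, SAMPLE_RESPONSE):
        print(find_keywords(capture))
```

That this works at all is the security-relevant point: the processor discloses the keyword in clear text and the comparison happens on the PC, so the keyword protects nothing from anyone who can see the serial link.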

See the "Mitsubishi Keyword Method"     HERE
What's Next?? Siemens password protection?

Ideas & Comments are welcome at navillusi@hotmail.com

Download this page as PDF (1.4MB) HERE

As well as solving password problems, I can also offer PLC Support and Training Services in the UK
Course examples include:
Mitsubishi A, FX & Q series hardware,
GX & GX IEC Developer
Beijer HMI's & E-Designer
Allen-Bradley SLC500 & ControlLogix
RS Logix 5, 500 & 5000
Panelview Terminals & Panelbuilder software
Please e-mail for details