Research on a Decryption Method for the Mitsubishi FX3U PLC
Published: 2011-11-21 13:46 | Source: 万胜PLC解密网
Although FX3U PLC decryption has by now been worked out successfully, without opening the unit, reading out the correct program and parameters, including in the case where upload is prohibited, I am still writing up the research process from that time for the reference of anyone interested.
1. The programming software used for the Mitsubishi FX3U PLC must be GX Developer version 8.10 or later. Start GX Developer; the version number can be seen from the Help menu. From the Project menu, create a new project, choose FXCPU as the PLC series and FX3U(C) as the PLC type, and all programming operations on the FX3U become available.
2. The FX3U password-protection method is: after opening GX Developer, enter from the menu "Online -> Register keyword -> New registration, change ....",
3. First write any test program, without protection, with neither keyword set, and write it to the FX3U. Then use the FXWIN software, select the FX2N model and read out the program: surprisingly, the correct program can be read out. Everyone should already be familiar with FXWIN, the programming software for Mitsubishi FX PLCs.
4. Use my own FX Mitsubishi decryption software (which handles FX0N, 1N, 2N, 1S and FX2) to decrypt it. Surprisingly, it recovered the password. Downloading as an FX2N model also succeeds, which shows that when only one keyword is set, the FX3U protection mechanism is exactly the same as the FX2N's.
5. Use GX Developer to set both the 1st keyword and the 2nd keyword.
6. Use the universal tool of PLC decryption: serial-port monitoring software. First start the serial monitor, configure it and start monitoring, then run the programming software. From the menu -> Online -> Transfer setup, enter the transfer setup screen, then press the "Communication test" button; it reports the CPU type as FX3U and communication successful.
The data captured on the serial port at this point is:
# Time Function Data ( Hex )
1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe
2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200
3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
4 [00000001] IRP_MJ_WRITE Length: 0001, Data: 05
5 [00000002] IRP_MJ_READ Length: 0001, Data: 06
6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
7 [00000003] IRP_MJ_READ Length: 0001, Data: 02
8 [00000003] IRP_MJ_READ Length: 0001, Data: 42
9 [00000003] IRP_MJ_READ Length: 0001, Data: 31
10 [00000003] IRP_MJ_READ Length: 0001, Data: 35
11 [00000003] IRP_MJ_READ Length: 0001, Data: 45
12 [00000003] IRP_MJ_READ Length: 0001, Data: 03
13 [00000003] IRP_MJ_READ Length: 0001, Data: 46
14 [00000003] IRP_MJ_READ Length: 0001, Data: 30
15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
16 [00000004] IRP_MJ_READ Length: 0001, Data: 02
17 [00000004] IRP_MJ_READ Length: 0001, Data: 37
18 [00000004] IRP_MJ_READ Length: 0001, Data: 31
19 [00000004] IRP_MJ_READ Length: 0001, Data: 33
20 [00000004] IRP_MJ_READ Length: 0001, Data: 46
21 [00000004] IRP_MJ_READ Length: 0001, Data: 03
22 [00000004] IRP_MJ_READ Length: 0001, Data: 45
23 [00000004] IRP_MJ_READ Length: 0001, Data: 34
24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
25 [00000006] IRP_MJ_READ Length: 0001, Data: 02
26 [00000006] IRP_MJ_READ Length: 0001, Data: 42
27 [00000006] IRP_MJ_READ Length: 0001, Data: 31
28 [00000006] IRP_MJ_READ Length: 0001, Data: 35
29 [00000006] IRP_MJ_READ Length: 0001, Data: 45
30 [00000006] IRP_MJ_READ Length: 0001, Data: 03
31 [00000006] IRP_MJ_READ Length: 0001, Data: 46
32 [00000006] IRP_MJ_READ Length: 0001, Data: 30
33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
34 [00000007] IRP_MJ_READ Length: 0001, Data: 02
35 [00000007] IRP_MJ_READ Length: 0001, Data: 37
36 [00000007] IRP_MJ_READ Length: 0001, Data: 31
37 [00000007] IRP_MJ_READ Length: 0001, Data: 33
38 [00000007] IRP_MJ_READ Length: 0001, Data: 46
39 [00000007] IRP_MJ_READ Length: 0001, Data: 03
40 [00000007] IRP_MJ_READ Length: 0001, Data: 45
41 [00000007] IRP_MJ_READ Length: 0001, Data: 34
42 [00000015] IRP_MJ_CLOSE Port Closed
Then it was a matter of spending a lot of time analysing this data.
The data captured from the serial port above is in hexadecimal; converting it to ASCII first makes it much easier to read.
# Time Function Data ( String )
1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe
2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200
3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
4 [00000001] IRP_MJ_WRITE Length: 0001, Data:
5 [00000002] IRP_MJ_READ Length: 0001, Data:
6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 00E02026C
7 [00000003] IRP_MJ_READ Length: 0001, Data:
8 [00000003] IRP_MJ_READ Length: 0001, Data: B
9 [00000003] IRP_MJ_READ Length: 0001, Data: 1
10 [00000003] IRP_MJ_READ Length: 0001, Data: 5
11 [00000003] IRP_MJ_READ Length: 0001, Data: E
12 [00000003] IRP_MJ_READ Length: 0001, Data:
13 [00000003] IRP_MJ_READ Length: 0001, Data: F
14 [00000003] IRP_MJ_READ Length: 0001, Data: 0
15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E
16 [00000004] IRP_MJ_READ Length: 0001, Data:
17 [00000004] IRP_MJ_READ Length: 0001, Data: 7
18 [00000004] IRP_MJ_READ Length: 0001, Data: 1
19 [00000004] IRP_MJ_READ Length: 0001, Data: 3
20 [00000004] IRP_MJ_READ Length: 0001, Data: F
21 [00000004] IRP_MJ_READ Length: 0001, Data:
22 [00000004] IRP_MJ_READ Length: 0001, Data: E
23 [00000004] IRP_MJ_READ Length: 0001, Data: 4
24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 00E02026C
25 [00000006] IRP_MJ_READ Length: 0001, Data:
26 [00000006] IRP_MJ_READ Length: 0001, Data: B
27 [00000006] IRP_MJ_READ Length: 0001, Data: 1
28 [00000006] IRP_MJ_READ Length: 0001, Data: 5
29 [00000006] IRP_MJ_READ Length: 0001, Data: E
30 [00000006] IRP_MJ_READ Length: 0001, Data:
31 [00000006] IRP_MJ_READ Length: 0001, Data: F
32 [00000006] IRP_MJ_READ Length: 0001, Data: 0
33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E
34 [00000007] IRP_MJ_READ Length: 0001, Data:
35 [00000007] IRP_MJ_READ Length: 0001, Data: 7
36 [00000007] IRP_MJ_READ Length: 0001, Data: 1
37 [00000007] IRP_MJ_READ Length: 0001, Data: 3
38 [00000007] IRP_MJ_READ Length: 0001, Data: F
39 [00000007] IRP_MJ_READ Length: 0001, Data:
40 [00000007] IRP_MJ_READ Length: 0001, Data: E
41 [00000007] IRP_MJ_READ Length: 0001, Data: 4
42 [00000015] IRP_MJ_CLOSE Port Closed
From the data above, there are really only four rounds of communication, and two of those rounds are exactly the same data repeated.
7. Next, write a simple program, upload the program from the PLC, and monitor the data exchange during the upload process.
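As an added example (not code from the original post), here is a small Python decoder for the four frames captured above. It reassembles each message from the raw hex bytes of the trace, decodes it to ASCII, and checks the two characters that close every frame. It assumes that those two characters are a checksum formed as the low byte of the sum of every byte after STX up to and including ETX; that assumed rule reproduces the checksum of all four captured frames (6C, F0, 8E, E4). The 05/06 exchange that opens the session is the ASCII ENQ/ACK pair. A decoder like this is the starting point for passively logging what programming traffic a serial link carries to a PLC, which is the defender's side of the same capture.

```python
# Added example, not from the original post: decode the serial frames captured
# above and verify their checksum field.
#
# Assumption (labelled): the trailing two ASCII hex digits of a frame are the
# low byte of the sum of every byte after STX up to and including ETX. This
# rule reproduces the checksum of all four frames in the capture.

STX, ETX, ENQ, ACK = 0x02, 0x03, 0x05, 0x06

# Constructed input: the WRITE/READ lines of the capture above, with the
# single-byte READs of each response concatenated into one hex string.
CAPTURE = [
    ("WRITE", "05"),
    ("READ",  "06"),
    ("WRITE", "02 30 30 45 30 32 30 32 03 36 43"),
    ("READ",  "02 42 31 35 45 03 46 30"),
    ("WRITE", "02 30 30 45 43 41 30 32 03 38 45"),
    ("READ",  "02 37 31 33 46 03 45 34"),
]


def frame_checksum(body: bytes) -> str:
    """Low byte of the sum of the bytes after STX through ETX, as two uppercase hex digits."""
    return f"{sum(body) & 0xFF:02X}"


def parse_frame(raw: bytes) -> dict:
    """Classify one message and, for a framed one, extract its text and verify the checksum."""
    if raw == bytes([ENQ]):
        return {"kind": "ENQ", "valid": True}
    if raw == bytes([ACK]):
        return {"kind": "ACK", "valid": True}
    if len(raw) < 4 or raw[0] != STX:
        return {"kind": "unframed", "text": raw.hex(), "valid": False}
    etx = raw.find(bytes([ETX]))
    # A well-formed frame is STX, payload, ETX, then exactly two checksum characters.
    if etx == -1 or len(raw) != etx + 3:
        return {"kind": "frame", "text": raw[1:].decode("ascii", "replace"), "valid": False}
    body = raw[1:etx + 1]              # bytes after STX through ETX (what the checksum covers)
    text = raw[1:etx].decode("ascii")  # the printable payload between STX and ETX
    claimed = raw[etx + 1:].decode("ascii")
    return {"kind": "frame", "text": text, "checksum": claimed,
            "valid": claimed == frame_checksum(body)}


def decode_capture(capture):
    """Decode each (direction, hex string) pair of a capture into a parsed frame."""
    return [(direction, parse_frame(bytes.fromhex(hexstr))) for direction, hexstr in capture]


if __name__ == "__main__":
    for direction, frame in decode_capture(CAPTURE):
        print(direction, frame)
```

Run as-is it prints the six messages with their decoded text and a validity flag; a frame whose checksum characters have been altered, or one cut short before the checksum, is reported with valid set to False, which is the condition a monitoring script should log as a damaged or truncated capture rather than silently accept.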