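Research on Decrypting the Weintek MT6100i Touchscreen
Published: 2011-09-27 15:10 | Source: 万胜PLC解密网 (Wansheng PLC Decryption Network)
Most of you have used the Weintek MT6100i touchscreen. The earlier Weintek MT506, 508 and 510 touchscreen series could all be decrypted, and for those models the programming software connects to the panel over a COM port. For the later 6100, the programming software connects to the panel over USB. Downloads are fast and the panel is much more convenient to use, but for anyone decrypting Weintek touchscreens this makes things considerably harder. A USB port is not like a COM port, which has a driver: anyone who works in VB knows that VB can simply call the COM control, whereas there is no comparable driver for the USB port. I searched all over the web and could not find how to write a driver for the USB port, but I did find a piece of software that can both send commands and monitor the traffic. Now that there is a tool, the first step is to try uploading the program and look at the communication protocol.
The following is the Weintek MT6100i touchscreen decryption data: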
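Now let us analyse this protocol step by step. The programming software first sends 57 65 69 6e 74 65 6b 20 48 4d 49 (Weintek HMI), and the panel then returns 31 32 33 34 35 36 37 38 39 30 (1234567890). Going through it line by line, the USB protocol is somewhat hard to follow. Everyone is used to reading COM-port protocols, so the first attempt is difficult, and every beginning is hard. After half a month of exploration I understood part of it. Now look again at the Weintek MT6100i touchscreen decryption protocol: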
Device - Device ID (followed by the endpoint for USB devices)
(19) Weintek HMI i Series
Phase - Phase Type
IN Data in transfer
OUT Data out transfer
Data - Hex dump of the data transferred
Descr - Description of the phase
Cmd... - Position in the captured data
Device Phase Data Description Cmd.Phase.Ofs(rep)
------ ----- ------------------------ ---------------- ------------------
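As an added example (not from the original article or from any Weintek tool), the following Python code parses rows in the capture layout described by the legend above and reassembles each transfer, so the handshake quoted earlier can be checked mechanically. The function names are hypothetical, and the code assumes that the sniffer prints unprintable bytes as '.' and that spaces inside the ASCII column were lost when the table was flattened.

```python
import re

# Rows in the page's capture layout. Transfers 1 and 2 carry the handshake bytes
# quoted in the text; transfer 3 is constructed to exercise non-printable data.
CAPTURE = """\
19.1 OUT 57 65 69 6e 74 65 6b 20 Weintek 1.1.0
48 4d 49 HMI 1.1.8
19.2 IN 31 32 33 34 35 36 37 38 12345678 2.1.0
39 30 90 2.1.8
19.1 OUT 00 01 ff 7f .... 3.1.0
"""

HEAD = re.compile(r"^(\d+\.\d+)\s+(IN|OUT)\s+")      # device.endpoint + phase
POS = re.compile(r"^(\d+)\.\d+\.\d+(\(\d+\))?$")     # Cmd.Phase.Ofs(rep)
HEXBYTE = re.compile(r"^[0-9a-f]{2}$")

def columns_agree(data, text):
    """True if `text` is the ASCII column for `data`. Assumes the sniffer shows
    unprintable bytes as '.' and that flattening dropped the space characters."""
    shown = [b for b in data if b != 0x20]
    return len(shown) == len(text) and all(c in (chr(b), ".") for b, c in zip(shown, text))

def split_row(tokens):
    """Return the row's bytes. The ASCII column can look like hex ('39 30 90' is
    two bytes plus the text '90'), so try the longest hex run first and back off."""
    n = 0
    while n < min(len(tokens), 8) and HEXBYTE.match(tokens[n]):
        n += 1
    for count in range(n, 0, -1):
        data = bytes(int(t, 16) for t in tokens[:count])
        if columns_agree(data, "".join(tokens[count:])):
            return data
    raise ValueError(f"hex and ASCII columns disagree: {tokens}")

def parse_capture(text):
    """Return [(cmd, endpoint, phase, payload)], merging continuation rows."""
    transfers = []
    for line in text.splitlines():
        head = HEAD.match(line)
        tokens = (line[head.end():] if head else line).split()
        pos = POS.match(tokens[-1]) if tokens else None
        if not pos:
            continue                      # legend, column header or blank line
        cmd, data = int(pos.group(1)), split_row(tokens[:-1])
        if head:
            transfers.append([cmd, head.group(1), head.group(2), data])
        elif transfers and transfers[-1][0] == cmd:
            transfers[-1][3] += data      # row without a prefix continues the transfer
    return [tuple(t) for t in transfers]
```

Calling parse_capture(CAPTURE) yields one tuple per transfer; cross-checking the hex column against the ASCII column is what keeps the trailing "90" of the reply from being read as a byte 0x90.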
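The Weintek MT6100i touchscreen was decrypted successfully. Through long analysis, 万胜PLC解密网 found the password conversion method and the password position. I am currently writing the USB driver, and a direct-read decryption version over the USB port will be out within a few days. Your valuable feedback is welcome.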