三菱 PLC FX3U解密研究 我是从2010年5月26日开始研究FX3U解密,查遍网络找不到只言半语,看来FX3U解密没人研究,或者研究的人怕人家学,竟然找不到一丁点有用的信息。看来只有靠自力更生了。 虽然目前已经研究成功了FX3U解密,免拆机的,读出正确程序和参数,包括禁止上载的问题也能读出正确程序和参数。但我还是想把当时研究解密的过程整理出来,供有兴趣的朋友参考,我这里所讲的过程也是我实践研究的过程,这当中也难免要走弯路的。但最终是要通往成功的大道的。
其实 没必要搞得这么神秘,PLC解密没那么复杂。
1、三菱 PLC FX3U 用的编程软件必须采用GX Developer8.10以上的版本,我是从网上下载个GX Developer Version8.52E就可以支持FX3U的编程。启动GX Developer,从帮助菜单就可以看到编程软件的版本号,如下图所示。
从工程菜单,创建新工程,PLC系列中选择FXCPU,PLC类型中选FX3U(C)就可以对FX3U进行编程的各种操作。
2、FX3U的加密方法是:打开GX Developer 后从菜单 "在线—》登录关键字—》新建登录,改变....."进入,显示如下界面:
FX3U可以设置两个密码,即关键字和第2关键字,每个有8个字符(字符只能是0-F共16个16进制的字符),这样说明如果两个关键字都设定的话密码总共有16个字符。这样可以组合多少种密码呢,即16^16=18446744073709551616.这是个天文数字,有人想要用穷举法解密,那是不可能的。
3、首先随便编个测试程序,不加密,两个关键字都不设定,写入FX3U,然后用FXWIN软件选取FX2N型号读出程式,竟然能读出正确的程序来。相信三菱FX PLC的FXWIN程软件大家应该很熟悉了。界面如下所示:
用自编的FX三菱解密软件连线显示,FX3U PLC竟然显示成FX2N版本号为2.41,说明FX3U是FX2N的高级版本。
4、继续测试,用 GX Developer 只设定第1关键字,第2关键字为空。
用自编的FX三菱解密软件(可解FX0N、1N、2N、1S、FX2),进行解密。竟然解出密码来。按FX2N型号进行下载也能下载程序,说明当只设一个关键字的时候,FX3U加密机制和FX2N的是一模一样的。
看看我的FX解密软件:
5、继续测试,用 GX Developer 同时设定第1关键字,第2关键字。
这时用老的解密软件解不出来了,用老的编程软件FXGP-WIN-C,企图读入程序,显示通信错误。
6、看来只有祭出法宝了,那就是PLC解密通用的法宝串口监控软件。
先启用串口监控软件,设置好开始监控,然后运行编程软件。注意顺序要搞对喔。
从菜单-》在线-》传输设置,进入传输设置界面,然后“按通信测试”键,显示CPU类型为FX3U,通信成功。
此时从串口监控到的数据是:
# Time Function Data ( Hex )
1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe
2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200
3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
4 [00000001] IRP_MJ_WRITE Length: 0001, Data: 05
5 [00000002] IRP_MJ_READ Length: 0001, Data: 06
6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
7 [00000003] IRP_MJ_READ Length: 0001, Data: 02
8 [00000003] IRP_MJ_READ Length: 0001, Data: 42
9 [00000003] IRP_MJ_READ Length: 0001, Data: 31
10 [00000003] IRP_MJ_READ Length: 0001, Data: 35
11 [00000003] IRP_MJ_READ Length: 0001, Data: 45
12 [00000003] IRP_MJ_READ Length: 0001, Data: 03
13 [00000003] IRP_MJ_READ Length: 0001, Data: 46
14 [00000003] IRP_MJ_READ Length: 0001, Data: 30
15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
16 [00000004] IRP_MJ_READ Length: 0001, Data: 02
17 [00000004] IRP_MJ_READ Length: 0001, Data: 37
18 [00000004] IRP_MJ_READ Length: 0001, Data: 31
19 [00000004] IRP_MJ_READ Length: 0001, Data: 33
20 [00000004] IRP_MJ_READ Length: 0001, Data: 46
21 [00000004] IRP_MJ_READ Length: 0001, Data: 03
22 [00000004] IRP_MJ_READ Length: 0001, Data: 45
23 [00000004] IRP_MJ_READ Length: 0001, Data: 34
24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
25 [00000006] IRP_MJ_READ Length: 0001, Data: 02
26 [00000006] IRP_MJ_READ Length: 0001, Data: 42
27 [00000006] IRP_MJ_READ Length: 0001, Data: 31
28 [00000006] IRP_MJ_READ Length: 0001, Data: 35
29 [00000006] IRP_MJ_READ Length: 0001, Data: 45
30 [00000006] IRP_MJ_READ Length: 0001, Data: 03
31 [00000006] IRP_MJ_READ Length: 0001, Data: 46
32 [00000006] IRP_MJ_READ Length: 0001, Data: 30
33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
34 [00000007] IRP_MJ_READ Length: 0001, Data: 02
35 [00000007] IRP_MJ_READ Length: 0001, Data: 37
36 [00000007] IRP_MJ_READ Length: 0001, Data: 31
37 [00000007] IRP_MJ_READ Length: 0001, Data: 33
38 [00000007] IRP_MJ_READ Length: 0001, Data: 46
39 [00000007] IRP_MJ_READ Length: 0001, Data: 03
40 [00000007] IRP_MJ_READ Length: 0001, Data: 45
41 [00000007] IRP_MJ_READ Length: 0001, Data: 34
42 [00000015] IRP_MJ_CLOSE Port Closed
开始花大量时间来分析这些数据吧。
上述 从串口监控到的数据是十六进制的数据,还真不好看,先转换成ASC码,就好看多了。
# Time Function Data ( String )
1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe
2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200
3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
4 [00000001] IRP_MJ_WRITE Length: 0001, Data:
5 [00000002] IRP_MJ_READ Length: 0001, Data:
6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 00E02026C
7 [00000003] IRP_MJ_READ Length: 0001, Data:
8 [00000003] IRP_MJ_READ Length: 0001, Data: B
9 [00000003] IRP_MJ_READ Length: 0001, Data: 1
10 [00000003] IRP_MJ_READ Length: 0001, Data: 5
11 [00000003] IRP_MJ_READ Length: 0001, Data: E
12 [00000003] IRP_MJ_READ Length: 0001, Data:
13 [00000003] IRP_MJ_READ Length: 0001, Data: F
14 [00000003] IRP_MJ_READ Length: 0001, Data: 0
15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E
16 [00000004] IRP_MJ_READ Length: 0001, Data:
17 [00000004] IRP_MJ_READ Length: 0001, Data: 7
18 [00000004] IRP_MJ_READ Length: 0001, Data: 1
19 [00000004] IRP_MJ_READ Length: 0001, Data: 3
20 [00000004] IRP_MJ_READ Length: 0001, Data: F
21 [00000004] IRP_MJ_READ Length: 0001, Data:
22 [00000004] IRP_MJ_READ Length: 0001, Data: E
23 [00000004] IRP_MJ_READ Length: 0001, Data: 4
24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 00E02026C
25 [00000006] IRP_MJ_READ Length: 0001, Data:
26 [00000006] IRP_MJ_READ Length: 0001, Data: B
27 [00000006] IRP_MJ_READ Length: 0001, Data: 1
28 [00000006] IRP_MJ_READ Length: 0001, Data: 5
29 [00000006] IRP_MJ_READ |
自动化资料下载
自动化产品
