Guest JJH

Mitsubishi plc system password

26 posts in this topic

Hi, I would like to know how I can unprotect a Mitsubishi PLC protected by a system password. Thanks, JJH

I have contacted Mitsubishi several times about this. They tell me it can not be done.

Wow really? Not even unplugging the battery and shorting out the EPROM chip huh? That's too bad. So what does Mitsu suggest when one forgets the password?

You can clear the memory so there is nothing in the PLC, but there is no way to access a password protected program.

Talk about bad practice, usually the companies which put password protection on plc software code are the ones who have since gone bust and left you in the lurch.

There is the brute force method. Use snooper software like the Comm Lite 32 found in this site's download section and trap the command that sends the password. Most Japanese PLCs use one 4-digit hex register as the password. Set up a VB application to try all possibilities from 0000 to FFFF.

Thanks Jay! I tried Comm Lite 32, but it didn't work when I installed it on a PC with Windows 2000. Do you know a program like Comm Lite 32 that works on Windows 2000? Thanks and regards! JJH, from Mexico

I assume you don't have the password. Do you have a backup copy of the original code? If yes, then use the following. Using Medoc, select the following: Start Open the Project Transfer Other Keyword- (Entry Code Settings) F2 PLC All Clear. You should now be able to download your copy. If you don't have a back-up of the original, then it's hand-writing out what's in the existing PLC and generating your own program from this. Regards, Gene.

I am of the opinion that without the password you cannot even read or see the program without having the original on disk. It is a total lock-out without the password. I have not password protected in a long while but I seem to remember it was an 8 No. password using hex No's 0 to F. I have found passwords written on the back of the PLC (you have to turn it around in the panel) and even tried the machine serial No. with limited success. The person that password protected the plc either uses the same password each time or writes it down somewhere so that he does not forget it.

For a nice terminal app that works on NT/2000, try Tera Term Pro. It's a nice freebie that I use all the time. http://hp.vector.co.jp/authors/VA002416/teraterm.html

There is always a way, if you have patience..... This page http://freespace.virgin.net/ian.sullivan/M.../Mitsubishi.htm may give you some guidance. If anyone has some similar ideas for these or other controllers, I'd be pleased to know. Ian

"There is always a way, if you have patience..... This page http://freespace.virgin.net/ian.sullivan/M.../Mitsubishi.htm may give you some guidance,"
Thanks for that, navillusi, I am very interested in that. I have downloaded the packet sniffer program and have brought some Mitsi PLCs home to practice on. I have a customer with an A series PLC that is password protected; it has 192 I/O. We have no way of getting in without a re-write and he doesn't want to pay for that. I will keep you posted as to how I get on.

Ian, Wow. Great article. Excellent research. Hats off. Way to be a go getter. Makes me want to get our article pages up on mrplc.com right away!

Share the knowledge, share the profits!

I see this topic closed some time ago and I have looked at the suggested site, which covers FX and A, but... does anyone know the protocol for Q, QnS, etc.?

Do you have a copy of this article... it's two years later and the website is not there anymore. I'd be interested in testing it on a PLC in my lab.

Somewhere, I have the program and documents from that site. (I shall try to find them) I did what you are proposing to do and it does work. I set up a known password and looked for it with the packet sniffer. (on both an FX and A series - as passwords are handled differently on these 2 models) Then, (and it was a little scary) I got my assistant to 1st write down, then very carefully password them with one unknown to me. I found them both (the A being much harder) and unlocked them. I actually needed to unlock a real PLC and then managed to do it. The only trouble is - the packet sniffer program only works in win 98

Chris, I just went to check this web site, it's still live.

Trust me, my pages are still live.... For those who do not use Comlite as they haven't got a win 98 pc anymore, try sermon from HHD software, http://www.hhdsoftware.com/ it works on W2k & XP and is a much better product.

I personally use a freeware called Portmon version 3.2. It's very easy to crack a Mitsu PLC .... You can find the warez at PORTMON V 3.2 for all the MS flavors. For those willing to try, here's what you do.
Start your PLC programming ware
Start Portmon.
Once this is done...
Try to upload the PLC program to your PC
You will be asked for a password
Write 00000000 in the password field
Start the CAPTURE function of Portmon
Click to accept password
You will receive a message that it's not the good password
END the CAPTURE function of Portmon
Now check your Portmon screen and look for a series of 8 times the value of ZERO. The real password is sitting right beside it. All this is in HEX of course.
Edited by Pierre

I can confirm that navillusi's website is live, I just downloaded files... There is a PDF at the bottom of the page for those who want to keep the article for reference.

Does this method work with Omron CQM1H, CS/CJ series?

Hi Chris, Did you find the article? If not I could email it to you (it's 700k PDF file). Btw. what do you have in the lab? PLCs, HMIs, servos, comms, ...? Regards, Panic

Guest, Omron PLCs are discussed in a different forum section. This topic was discussed in the past and as far as I remember the approach was pretty much the same. Just go to the Omron section of the forum and use the search function to look for "password". There will be a number of hits like http://forums.mrplc.com/index.php?showtopic...st=0entry3929

I've got a bit of everything in the lab... FX1S, FX1N, FX2N, FX2NC, A1S, Q02H, A985GOT, F930GOT, E615, E150, MR-J2S, a bunch of AS-I and Profibus networking, etc.
