Track downloaded software

[jgaldon 0]

I would like to know how to track the different downloadings made to the PLC (SIMATIC S7-300). I'm going to explain why: My company(A) has made the software for other company(B), and the other company wants the software, this software controls a complete machine, and we have an agreement that the company B has not made any modifications to the software without telling us these modifications, but we want to know if there is a way to track if a modification to the software has been made without notification. Is there something like this? Do not hesitate to contact me if you need more help. Thanks in advance, Juan.

[Mike Dyble 0]

The S7 program allows you to do a comparison of the software, either 1 disk file to another, e.g. Company B sends their latest back up, you compare it off line. Alternatively you can compare online, i.e. your copy against code in the cpu. Either way you get a report which shows differences. Remember that DB's may be changed during operation, so either exclude these or ignore the differences, you should know which blocks the program writes to. Actually tracking revisions is a different matter, the s7 enviroment has a facility to impliment a version number, use this to make sure every one is working with the latest version of the software

[jgaldon 0]

Thanks Mike, But I want to prevent the following case: I give the software to the company B, and then company B makes a mistake modifying the software, that results in a broken machine part. Then company B reverts the software to the original version made by company A, and says that this broken part was a result of my implementation, which is not true, because the machine was working properly before. How can I know if the software has been modified or not? Is there a way to know how many times the software has been written to the S7? Thanks in advance,

[Mike Dyble 0]

I acheived this reasonably easily with Step 5 using the following technique: There is a last program memory location value stored in the system data area. I looked at this value each scan, and logged date and time of change in a data block. OK not fool proof but it got me out of trouble a few times. It didnt tell what the change was, just the time of the change. Trouble is I am not sure how to do it in S7, you dont have the same low level access. Is know how protect the way forward, again I know it can be defeated but it may help.

[jgaldon 0]

Thanks Mike, Will check. It is not completely what I want but it is very similar. Thanks again. Regards, Juan.

[JesperMP 2]

There is the socalled SZL (in english sometimes called SSL) System Status List which you can query with SFC51 RDSYSST. The partial SZL list with ID 13 has a record called "belegt". This should be the used volatile (RAM) memory. As this changes with any program change, it could be used to detect program changes. Look in this manual chapter 33: http://support.automation.siemens.com/WW/view/en/1214574 edit: Am interested if it works. Let us hear how it goes. Edited 17 Dec 2008 by JesperMP

[Mike Dyble 0]

Jesper, Not sure how S7 handles it's memory internally, is it similar to s5, i.e. you make a change, and the revised block is tacked onto the end of the free memory, and the old block is declared 'invalid' and the block start address list is updated. This means the memory 'fills' as you make mods, and you then compress to recover this unused memory. If S7 works differently then making a change say from M0.1 to M0.2 in the operand used in a block will not change the program length, and therefore used memory will stay the same, but function will change. I dont want to reopen all the S5/S7 arguments, but with S5 if you knew what you were doing you could acheive just about anything with S5. Even on a CPU103 I wrote some self modifying code as a learning exercise. Confused the hell out of some techs that I was training at the time! Not sure you have the same low level access on S7.

[JesperMP 2]

Mike, you are right. Changing M0.1 to M0.2, or an "A" to an "A N" will go undetected. But that was the best I could come up with. I looked for, but could not find something like a timestamp or CRC that could be checked in the user program. That does not mean someone else cannot find something like that. I once saw a really sneake "copy protection" or "edit protection" somewhere. I shall see if I can find it again.

[Mike Dyble 0]

When you try and look at an S7 program in status mode, and the block in PLC has been modified, you get a warning message, so the information is in there somewhere, just how do you get at that info in the user program?.

[JesperMP 2]

That is done by STEP7 comparing the timestamp of the offline and online blocks. So that method cannot be done by just the CPU program itself.