Fanuc Ladder passwords

[Petro]

Does anyone know how to figure out how to determine what the password is to open fanuc ladders?? I heard of a few people using a hexeditor of some sort to figure it out. I have one of the new Robodrills with the 30I control. The control seems to also have changed in that it now has PMC1 and PMC2. Any help or understanding of this new format is greatly appreciated.

[codyst]

I've got 30i documentation at work. I'll send you some info on the new set up when I go into work this evening.

[codyst]

The programming of PMC1, PMC2, PMC3 is as I'm sure you already know, set up by the machine tool builder. PMC1 is typically going to control the operator interface for controlling main functions. PMC2 is typically going to control peripheral equipment. PMC3 typically controls the operator interface for loaders, etc.. They are typically set up to share data such as faults, so that all of the devices on separate channels will stop if said fault is a "critical" fault. They can also be set up for different channels of I/O, so expansion is normally not a problem(adding new devices and such). Each PMC will typically have it's own Estop signal address. The execution of the PMC's can be set in the parameters. Typically it reads PMC1, then 2, then 3. The read times can also be set for each PMC to 4 or 8ms.

Each ladder has 3 ladder levels, up to (about) 64,000 steps, at least 1kb of symbol comment, 8kb of message. 14 Instructions, 69 functional instructions(option of 83).

You can use up to four I/O channels with 4,096 inputs, 4,096 outputs, but using all four requires a I/O link expansion option.

From a machine tool builder point of view this is an ideal set up. If I'm building identical machines, except one has a robot and one doesn't, I put the robot control on a secondary PMC so if a company buys one without a robot, and later decides to install one, it's basically plug cable A, into cable B, and send me a check for the PMC that all you have to do is upload and run. It would also be ideal for a large amount of controlled axis. The CNC controls the fixture in the machining area, while the second or third PMC controls all of the activity on the load/unload side of the machine.

From a user standpoint, I find them a little easier to troubleshoot. Machine functions on PMC1, fixture functions on PMC2, Robot functions on PMC3. To me this seems a little more structured. Could all of it be done on one PMC? Yes. It comes down to how the builder wants to set it all up.

[Petro]

Thanks for the reply Codyst. I am not sure what the advantage would be since I think you could just add subprograms to seperate them out couldn't you and then use some keep relays to add on options. I tried looking at the PMC2 file but nothing came up. When I open the PMC1 file which is my main ladder file it asks for a password but I do not know what it is. It seems the builder was able to lock out the main ladder with the password and leave the subprograms so that we can put a custom PMC ladder within it. The only problem is that the password also prevents you from looking or searching the main ladder at all. So when I am doing the custom interface in order to figure out what is happening in the main ladder I actually have to go out to the machine and search within it instead of using doing it easily with my laptop. Do you know of a way to at least view it on the computer without having a password for the ladder. I have heard of a way to try to figure it out with a hex editor but I have not tried it yet.

[codyst]

They could very easily do the same thing by adding sub's and putting keep relays on them to enable. I guess room to expand is going to be the biggest benefit. If you had a large amount of machines, the capability to hand of parts from machine to machine would be a little faster. You could have a machine sending a ready signal, and send parts to the first available machine. On a small scale you're not going to see much difference from a 16/18/21i series. When you get into large cell machining you start to see the benefits. The 30i reminds me of the Indramat MTCNC/MTC200. Indramat is a very good control for large scale multiple station machines, and that's where I think the 30i will serve it's purpose best. The only problem with that mindset is most high volume production shops are going away from large machines that are dedicated to one product, and going back to single cell machines that can be fixtured and tooled in a matter of days rather than weeks.

As for your password issue, there is no way that I know off the top of my head to get around it. The password has to be input before the program can decompile. I contacted a controls engineer I used to work with, and asked if he knew of any type of executive password that can be used to override builder passwords and he said there was none that he knew of. That doesn't necessarily mean that there isn't one. Fanuc might have something set up they can use, but getting them to give that up might be an issue.

I dumped identical programs into a hexeditor, one password protected, the other unprotected, and couldn't make much sense of it all. Would you mind sharing how you have heard to retrieve the password using one?

[codyst]

Just for giggles when it asks for the password try #Fanuc

It's the example in the PMC programming examples book. Maybe they got lazy. Who built the machine? Some builders I have worked with use the serial number off of the machine. At Liberty our view passwords were the acronym for the company name. Most of the time they don't get real creative. Sometimes they do.

[codyst]

I just got off the phone with Fanuc, and no executive password exists. The rep I deal with suggested trying an editor, but had no clue where to start looking, and his other suggestion was if access to view is capable on the control itself, rewrite it in FAPT on my laptop without a password. This is going to be very time consuming considering the available 64,000 lines of logic available in PMC1.

[Petro]

I have heard it from two different people one customer and an automation house. Form what little information I had gotten from them they basically changed the password many times and looked for changes within a file and the numbers or data had to be decifered to determine what the code actually ment. They had done it on the regular 16/18i controls but not on the 30i. The older robo drills use to be #cunaf but they changed it on the newer machines. I tried serial numbers, ladder numbers and various combinations, but no luck. I have tried calling many people myself but the control and machine is so new and the builder will not give up the password. With the new control and PMC file may be more complicated to. It may be easier to try figuring it out with a 16 or 18 control. Thanks for all your help and info Codyst. If I come up with anything I will let you know as well.

If you email the ladder to me I may be able to remove the password for you.

Regards,

Paul Sevin
Ovation Engineering, Inc.

[codyst]

Petro,

Having any luck?

[Petro]

No not yet. I played with it for about 4 hours one night but have not had any more time yet. I had thought I figured it out at one point, but I could not repeat it. I think I may have gotten lucky once, but I could't figure out exactly what I had done since I had tried so many things before. I did realize however that if attempt to unzip it this will seperate multiple files and one of them has $ before the file names that are protected. I tried changing multiple configurations and removing this. It then will display the ladder programs in the left bar but the ladder logic is not there. So I have made some minor progress but I do not understand this programming language or hex code much yet. Hopefully within the next couple of weeks I will get some more time to make another attempt.

[codyst]

Petro,

Did your Robodrill come from Methods Machine?

[Petro]

Yes it was through methods. About 9 months ago I had one of their distributers contact them. I tried some more to try and figure it out but no luck. I think maybe I need to find a better hex editor.

the password for reading global pmc is #5555

[Petro]

#5555 works only for reading it on the machine. When you download the ladder program and open it on your laptop it is different, but thanks for posting it.

If you would like to email the ladder to me, we can probably remove the password and email it back.

I would like to know how to make the ladder visible on a bridgeport with fanuc O-M

the passwords are set by the OEM............. just ask them, you will try forever to guess !!

[codyst]

At the time this whole discussion was taking place, I was working for a machine tool distributor that had a partnership with Methods Machine supplying the Robodrills. I made several phone calls (sometimes getting very heated)and I know Petro did as well, and neither Methods, or Fanuc Japan would give up the passwords.

I couldn't help but laugh at the "just ask them".

I know my remark was amusing, but it was also "obvious".

I am a CNC electronics service engineer with many years experience on Meldas, Siemens, Fanuc and other controls. I know from my own company who are a large european machining center builder, that the PLC writers all password protect these files and unless you ask for the password you will NEVER open the file. As the machine owner, you have a right to ask for and receive a response to be able to open the PLC file, or at least get a hard copy. You may have to pay for this service, but that is normal these days.

If I need to, I ask for and get the information....... But then I do work directly for the OEM.

[codyst]

Feel free to call and ask them for the passwords. I couldn't even get them when I was doing an integration and found errors that needed corrected in their system PMC for controlling an Auto Door add on option. (It's built in to the system and activated by a keep relay.)

Instead of giving up the password, or even offering to correct the errors, their suggestion was that I correct the errors in my custom PMC and not use their control.

Asking is good in theory, and so is offering to pay, but it doesn't always work.

Memory card file ladder password protection is very weak. It took me less than 30 mins to crack it. I'll try to make a small tool, that will display passwords of locked files. Does this forum support attachments, and is it acceptable if such tool is attached here?

Ok, here it is.
http://rapidshare.com/files/87740177/GetPass.exe.html
This is a command line program. Usage:
GETPASS [memory card format file]
The program reads memory card format file and outputs display & edit permission and display permission passwords. If no password is set, gibberish will be displayed.
It should work for 16i/18i/...
Please test it and post your replies. Source code requests accepted via email.
Have fun!

I was told that some files have different password offsets. I am not sure whether the coding scheme is the same. Anyway, this code did the trick for my files:

#include <stdio.h>
#include <stdlib.h>
FILE* file;
unsigned char tab[] = {0x8c, 0x82, 0x9c, 0xaa, 0x86, 0xa0, 0x96, 0x86};

int main(int argc, char* argv[]){
if(argc != 2){
printf("\nGETPASS <memory card format file> \nFANUC ladder password cracker by Sculptor 2008.");
exit(1);
}
if(!(file = fopen (argv[1], "rb"))){
printf("\nCannot find file %s. Exiting.", argv[1]);
exit(1);
}
char c;
printf("\nDisplay and edit permission password: ");
fseek(file, 0x31e, SEEK_SET);
for(int i = 0; i < 8; i++){
if((c = fgetc(file)) == EOF){
printf("\nWrong file format. Exiting.");
exit(1);
}
printf("%c", c ^ tab[i]);
}
printf("\nDisplay permission password: ");
fseek(file, 0x340, SEEK_SET);
for(int i = 0; i < 8; i++){
if((c = fgetc(file)) == EOF){
printf("\nWrong file format. Exiting.");
exit(1);
}
printf("%c", c ^ tab[i]);
}
fclose(file);
}

Good luck with experimenting!

[f-bu]

Some additions
On PMC-SA, PMC-SB if offset 1F0=0c, no password protection, there is garbage in 31e, 340
if 1f0=0, password exists

Ok, here it is: http://rapidshare.com/files/88384765/GetPass.exe.html.
New version supports 30i/31i/32i... as well. It is not pretty, but it works.
If someone with better knowledge about PMC types is willing to join me, we could make small, less annoying, Win GUI app, with optional command line interface.
More feedback, please.

It is easy. Since GetPass is a command line app, you need to use it in command line.
Suppose you have a memory card format file, say PMC.200 in folder C:\backup\emag\vl5\100459\ and that the GetPass utility is in folder C:\utils\ .
First you need to open a command line prompt: Start -> Run: cmd
A command line window will pop out.
Then you browse to the getpass utility by typing: CD c:\utils
If you want to examine folder content, use command: DIR.
Then you start getpass and pass path to memory card format file: GETPASS c:\backup\emag\vl5\100459\pmc.200
Program will output results and quit.
You can close command line window by typing: EXIT

Please send me memory card format files that cannot be unlocked by current version of GetPass.

[codyst]

I see now, thank you. Somehow I managed to delete my previous post.

[f-bu]

I checked with SA1, RA3, SB7 and 31i-A, it is OK
Have no actual files with other plc models, so not tested. Will try to compile some old/exotic plc and check
Best regards,

Source code:

#include <stdio.h>
#include <stdlib.h>

FILE* file;
unsigned char tab[] = {0x8c, 0x82, 0x9c, 0xaa, 0x86, 0xa0, 0x9a, 0x86};
unsigned char tab2[] = {0x8c, 0x82, 0x9c, 0xaa, 0x86, 0xa0, 0x96, 0x86};
int main(int argc, char* argv[]){
if(argc != 2){
printf("\nGETPASS <memory card format file> \nFANUC ladder password cracker by Sculptor 2008.");
exit(1);
}
if(!(file = fopen (argv[1], "rb"))){
printf("\nCannot find file %s. Exiting.", argv[1]);
exit(1);
}
char c, p = 0;
printf("\nDisplay and edit permission password");
printf("\n[0x22c, 16] : ");
fseek(file, 0x22c, SEEK_SET);
for(int i = 0; i < 16; i++){
c = fgetc(file);
p = p ^ c ^ tab[i & 7];
if(p < 32)
p = '*';
printf("%c", p);
p = c;
}
printf("\n[0x31e, 08] : ");
fseek(file, 0x31e, SEEK_SET);
for(int i = 0; i < 8; i++){
c = fgetc(file);
p = c ^ tab2[i];
if(p < 32)
p = '*';
printf("%c", p);
}
p = 0;
printf("\nDisplay permission password");
printf("\n[0x24c, 16] : ");
fseek(file, 0x24c, SEEK_SET);
for(int i = 0; i < 16; i++){
c = fgetc(file);
p = p ^ c ^ tab[i & 7];
if(p < 32)
p = '*';
printf("%c", p);
p = c;
}
printf("\n[0x340, 08] : ");
fseek(file, 0x340, SEEK_SET);
for(int i = 0; i < 8; i++){
c = fgetc(file);
p = c ^ tab2[i];
if(p < 32)
p = '*';
printf("%c", p);
}
fclose(file);
}