Everyone is familiar with Mitsubishi PLCs, and everyone should already know how to crack the FX2N password: the password can be found in the returned data, because the comparison is done inside the programming software. The FX3U is different. It has two password segments, see the picture below:
The first segment is the same as on the FX2N, stored in the clear. The second segment is different: once a password is set the data all changes, and the algorithm is completely different too, although there are experts online who can read the password directly. We were attracted by the powerful features of the FX3U series; everyone is used to Mitsubishi PLCs, finds them convenient, and they hold a large share of the whole industrial control market, so I developed a strong interest in cracking this PLC. Some FX3U units can be programmed through two ports: one is the round port we normally use, the other is an expansion RS-232 port. I tried the round port first and captured the data with serial-port monitoring software; below is the data from my monitoring session.
#   time        function                       data (hex)
1   [00000000]  IRP_MJ_CREATE                  port opened - gppw.exe
2   [00000000]  IOCTL_SERIAL_SET_BAUD_RATE     baud rate: 115200
3   [00000000]  IOCTL_SERIAL_SET_LINE_CONTROL  stop bits: 1, parity: even, data bits: 7
4   [00000001]  IRP_MJ_WRITE                   length: 0001, data: 05
5   [00000002]  IRP_MJ_READ                    length: 0001, data: 06
6   [00000002]  IRP_MJ_WRITE                   length: 0011, data: 02 30 30 45 30 32 30 32 03 36 43
7   [00000003]  IRP_MJ_READ                    length: 0001, data: 02
8   [00000003]  IRP_MJ_READ                    length: 0001, data: 42
9   [00000003]  IRP_MJ_READ                    length: 0001, data: 31
10  [00000003]  IRP_MJ_READ                    length: 0001, data: 35
11  [00000003]  IRP_MJ_READ                    length: 0001, data: 45
12  [00000003]  IRP_MJ_READ                    length: 0001, data: 03
13  [00000003]  IRP_MJ_READ                    length: 0001, data: 46
14  [00000003]  IRP_MJ_READ                    length: 0001, data: 30
15  [00000004]  IRP_MJ_WRITE                   length: 0011, data: 02 30 30 45 43 41 30 32 03 38 45
16  [00000004]  IRP_MJ_READ                    length: 0001, data: 02
17  [00000004]  IRP_MJ_READ                    length: 0001, data: 37
18  [00000004]  IRP_MJ_READ                    length: 0001, data: 31
19  [00000004]  IRP_MJ_READ                    length: 0001, data: 33
20  [00000004]  IRP_MJ_READ                    length: 0001, data: 46
21  [00000004]  IRP_MJ_READ                    length: 0001, data: 03
22  [00000004]  IRP_MJ_READ                    length: 0001, data: 45
23  [00000004]  IRP_MJ_READ                    length: 0001, data: 34
24  [00000005]  IRP_MJ_WRITE                   length: 0011, data: 02 30 30 45 30 32 30 32 03 36 43
25  [00000006]  IRP_MJ_READ                    length: 0001, data: 02
26  [00000006]  IRP_MJ_READ                    length: 0001, data: 42
27  [00000006]  IRP_MJ_READ                    length: 0001, data: 31
28  [00000006]  IRP_MJ_READ                    length: 0001, data: 35
29  [00000006]  IRP_MJ_READ                    length: 0001, data: 45
30  [00000006]  IRP_MJ_READ                    length: 0001, data: 03
31  [00000006]  IRP_MJ_READ                    length: 0001, data: 46
32  [00000006]  IRP_MJ_READ                    length: 0001, data: 30
33  [00000006]  IRP_MJ_WRITE                   length: 0011, data: 02 30 30 45 43 41 30 32 03 38 45
34  [00000007]  IRP_MJ_READ                    length: 0001, data: 02
35  [00000007]  IRP_MJ_READ                    length: 0001, data: 37
36  [00000007]  IRP_MJ_READ                    length: 0001, data: 31
37  [00000007]  IRP_MJ_READ                    length: 0001, data: 33
38  [00000007]  IRP_MJ_READ                    length: 0001, data: 46
39  [00000007]  IRP_MJ_READ                    length: 0001, data: 03
40  [00000007]  IRP_MJ_READ                    length: 0001, data: 45
41  [00000007]  IRP_MJ_READ                    length: 0001, data: 34
42  [00000015]  IRP_MJ_CLOSE                   port closed
6. The data captured from the serial port above is hexadecimal, which is hard to read; converting it to ASCII first makes it much more readable (the non-printable control bytes ENQ 05, ACK 06, STX 02 and ETX 03 show up as empty data fields).
#   time        function                       data (string)
1   [00000000]  IRP_MJ_CREATE                  port opened - gppw.exe
2   [00000000]  IOCTL_SERIAL_SET_BAUD_RATE     baud rate: 115200
3   [00000000]  IOCTL_SERIAL_SET_LINE_CONTROL  stop bits: 1, parity: even, data bits: 7
4   [00000001]  IRP_MJ_WRITE                   length: 0001, data:
5   [00000002]  IRP_MJ_READ                    length: 0001, data:
6   [00000002]  IRP_MJ_WRITE                   length: 0011, data: 00E02026C
7   [00000003]  IRP_MJ_READ                    length: 0001, data:
8   [00000003]  IRP_MJ_READ                    length: 0001, data: B
9   [00000003]  IRP_MJ_READ                    length: 0001, data: 1
10  [00000003]  IRP_MJ_READ                    length: 0001, data: 5
11  [00000003]  IRP_MJ_READ                    length: 0001, data: E
12  [00000003]  IRP_MJ_READ                    length: 0001, data:
13  [00000003]  IRP_MJ_READ                    length: 0001, data: F
14  [00000003]  IRP_MJ_READ                    length: 0001, data: 0
15  [00000004]  IRP_MJ_WRITE                   length: 0011, data: 00ECA028E
16  [00000004]  IRP_MJ_READ                    length: 0001, data:
17  [00000004]  IRP_MJ_READ                    length: 0001, data: 7
18  [00000004]  IRP_MJ_READ                    length: 0001, data: 1
19  [00000004]  IRP_MJ_READ                    length: 0001, data: 3
20  [00000004]  IRP_MJ_READ                    length: 0001, data: F
21  [00000004]  IRP_MJ_READ                    length: 0001, data:
22  [00000004]  IRP_MJ_READ                    length: 0001, data: E
23  [00000004]  IRP_MJ_READ                    length: 0001, data: 4
24  [00000005]  IRP_MJ_WRITE                   length: 0011, data: 00E02026C
25  [00000006]  IRP_MJ_READ                    length: 0001, data:
26  [00000006]  IRP_MJ_READ                    length: 0001, data: B
27  [00000006]  IRP_MJ_READ                    length: 0001, data: 1
28  [00000006]  IRP_MJ_READ                    length: 0001, data: 5
29  [00000006]  IRP_MJ_READ                    length: 0001, data: E
30  [00000006]  IRP_MJ_READ                    length: 0001, data:
31  [00000006]  IRP_MJ_READ                    length: 0001, data: F
32  [00000006]  IRP_MJ_READ                    length: 0001, data: 0
33  [00000006]  IRP_MJ_WRITE                   length: 0011, data: 00ECA028E
34  [00000007]  IRP_MJ_READ                    length: 0001, data:
35  [00000007]  IRP_MJ_READ                    length: 0001, data: 7
36  [00000007]  IRP_MJ_READ                    length: 0001, data: 1
37  [00000007]  IRP_MJ_READ                    length: 0001, data: 3
38  [00000007]  IRP_MJ_READ                    length: 0001, data: F
39  [00000007]  IRP_MJ_READ                    length: 0001, data:
40  [00000007]  IRP_MJ_READ                    length: 0001, data: E
41  [00000007]  IRP_MJ_READ                    length: 0001, data: 4
42  [00000015]  IRP_MJ_CLOSE                   port closed
PC sends: 00E0202    ' query the value of D8001
PLC replies: B15E    ' the reply is 5EB1; the returned data has the high byte last and the low byte first, so the two bytes must be swapped.
5EB1 converted to decimal is 24241: 24 indicates the PLC model FX2N or FX3U, and 241 indicates the version number.
PC sends: 00ECA02    ' query the value of D8101
PLC replies: 713F    ' the reply is 3F71, which converted to decimal is 16241: 16 indicates the PLC model FX3U, and 241 indicates the version number.
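As an added illustration (my own code, not from the original post), here is a small Python decoder for the two exchanges captured above: it verifies the frame checksum (the two hex characters after ETX, which the capture shows to be the low byte of the sum of the bytes after STX up to and including ETX), extracts the address and byte count of the read request, byte-swaps the returned word and splits it into model code and version exactly as described. The mapping of the 0x0E00 address range onto the D8000-series registers is inferred from the two frames on this page and is an assumption.

```python
# Added example, not from the original post: decode the FX frames captured above.
# Frame layout as seen in the capture: STX (0x02), ASCII payload, ETX (0x03), then
# two ASCII hex digits: low byte of the sum of every byte after STX through ETX.
STX, ETX, ENQ, ACK = 0x02, 0x03, 0x05, 0x06
# Assumption inferred from the capture: D8001 -> 0x0E02, D8101 -> 0x0ECA, 2 bytes per D.
D8000_BASE = 0x0E00


def fx_checksum(payload: bytes) -> str:
    """Two-character uppercase hex checksum over payload + ETX."""
    return "%02X" % (sum(payload + bytes([ETX])) & 0xFF)


def parse_frame(raw: bytes) -> bytes:
    """Strip STX/ETX, verify the trailing checksum and return the ASCII payload."""
    if len(raw) < 4 or raw[0] != STX or raw[-3] != ETX:
        raise ValueError("frame missing STX/ETX")
    payload, csum = raw[1:-3], raw[-2:].decode("ascii")
    if fx_checksum(payload) != csum:
        raise ValueError(f"bad checksum {csum}, expected {fx_checksum(payload)}")
    return payload


def decode_request(raw: bytes) -> dict:
    """'0' + 4-hex address + 2-hex byte count: the read request seen in the capture."""
    p = parse_frame(raw).decode("ascii")
    addr, count = int(p[1:5], 16), int(p[5:7], 16)
    return {"cmd": p[0], "addr": addr, "count": count,
            "register": "D%d" % (8000 + (addr - D8000_BASE) // 2)}


def decode_type_reply(raw: bytes) -> dict:
    """The word comes back low byte first; swap it, then split into model/version."""
    p = parse_frame(raw).decode("ascii")
    word = int(p[2:4] + p[0:2], 16)  # "B15E" -> 0x5EB1 == 24241
    return {"word": word, "model_code": word // 1000, "version": word % 1000}


# The two exchanges taken from the capture above (hex bytes of lines 6/7-14 and 15/16-23)
REQ_D8001 = bytes.fromhex("0230304530323032033643")
RSP_D8001 = bytes.fromhex("0242313545034630")
REQ_D8101 = bytes.fromhex("0230304543413032033845")
RSP_D8101 = bytes.fromhex("0237313346034534")

if __name__ == "__main__":
    for req, rsp in ((REQ_D8001, RSP_D8001), (REQ_D8101, RSP_D8101)):
        print(decode_request(req), decode_type_reply(rsp))
```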
That whole block of data above is just the programming software querying the PLC's model, so that it can then communicate using the corresponding protocol. This data took a lot of time to test out.
That is all for this time; I hope friends will offer plenty of advice.