How to hack the defense of the project Allen-Bradley PLC

Brief background

For some time using one of the control systems of those. The process necessitated the revision of the PLC project. Since the system was installed by an American company, the project was implemented on the Allen Bradley controller, namely, 1756-L61. Coincidence? I do not think.

Although the love of Americans for Allen Bradley is rather just my observation. And in no case advertising this manufacturer of controllers.

Get to the point. Sections of the project were protected from editing, due to the “wise” developer policy in the style of “Don't touch anything, without us! This will violate the safety standards of the managed unit. Etc."
')
I admit, no one set a goal to change the technological logic of the object.

It was only about creating a couple of variables for later output to the Operator Panel with the ability to change the setpoint.

But the defense did not even allow creating a new variable instead of a constant. Therefore, the desire to break the protection completely overwhelmed.

Let's get started

I used RSLogix 5000 V19.01.00 (CPR 9 SR 3) to connect to the controller.



The gray background of the project editor shows a ban on editing the section.

Go to File-> Save as ... and save the file in RSLogix 5000 .L5X XML format:



Open the saved project * .L5X in a text editor, such as Notepad ++.

Copy the contents and go to the online descriptor: skdatmonster.imtqy.com/DecryptSourceProtection/index.html . Paste the content into the left window.

Attention! Copying may take some time. Expect in anticipation. My file was 1.9 MB in size: it took about 15-20 real seconds.



Copied? Click “Decrypt->”.

We get a picture similar to this one. Where “Unpacked encoded data” is a failed decryption attempt. Scroll a little lower - Hallelujah! Here it is - the decrypted key.



Now we are ready to proceed to the second part, namely, to unprotect each section of the project.

Using Notepad ++, we create the sk.dat unlock file and paste into it the project protection key that is already known to us.

Go to Tools -> Security -> Configure Source Protection. Click "Specify" and select the path to our file sk.dat.



Further, it is still easier - select the project section and click “Unprotect”.



The attributes of Source Key and Viewable will disappear, confirming the fact of unlocking the section. Thus, we do this with every interesting for us, in terms of editing section.

Connect online to our controller - it will offer to upload the project. We agree.



And after a couple of minutes, after unloading the project, we go into any section from which we previously removed protection. Voila!



The white background of the project code editor confirms that now we can edit the section. The goal is achieved.

In the event that the file is subsequently moved or deleted with the project unprotection key, editing will be prohibited. Consequently, you will have to repeat the steps to create a new sk.dat file.

Afterword

Ironically, or perhaps even because of the “lush” fantasy of the code developer, in my case, the key was different from the password to access the Operator Panel of the control system, only one character. Namely - underscore.

Good luck to all!