2016-10-28 16:17:40
The first password segment is the same as on the FX2N: it is stored in plaintext. The second segment is different: once a password is set everything changes and the algorithm is completely different, yet there are experts online who can read the password back directly. We were drawn in by how powerful the FX3U is; everyone is used to Mitsubishi PLCs, finds them comfortable to work with, and they account for a large share of the industrial-control market, so I developed a strong interest in cracking this PLC.

Some FX3U units can be programmed through two ports: the round port we normally use, plus an optional RS-232 expansion port. I tried the round port first and captured the traffic with a serial-port monitoring tool. Below is the data I recorded while debugging.
# Time Function Data ( Hex )
1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe
2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200
3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
4 [00000001] IRP_MJ_WRITE Length: 0001, Data: 05
5 [00000002] IRP_MJ_READ Length: 0001, Data: 06
6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
7 [00000003] IRP_MJ_READ Length: 0001, Data: 02
8 [00000003] IRP_MJ_READ Length: 0001, Data: 42
9 [00000003] IRP_MJ_READ Length: 0001, Data: 31
10 [00000003] IRP_MJ_READ Length: 0001, Data: 35
11 [00000003] IRP_MJ_READ Length: 0001, Data: 45
12 [00000003] IRP_MJ_READ Length: 0001, Data: 03
13 [00000003] IRP_MJ_READ Length: 0001, Data: 46
14 [00000003] IRP_MJ_READ Length: 0001, Data: 30
15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
16 [00000004] IRP_MJ_READ Length: 0001, Data: 02
17 [00000004] IRP_MJ_READ Length: 0001, Data: 37
18 [00000004] IRP_MJ_READ Length: 0001, Data: 31
19 [00000004] IRP_MJ_READ Length: 0001, Data: 33
20 [00000004] IRP_MJ_READ Length: 0001, Data: 46
21 [00000004] IRP_MJ_READ Length: 0001, Data: 03
22 [00000004] IRP_MJ_READ Length: 0001, Data: 45
23 [00000004] IRP_MJ_READ Length: 0001, Data: 34
24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43
25 [00000006] IRP_MJ_READ Length: 0001, Data: 02
26 [00000006] IRP_MJ_READ Length: 0001, Data: 42
27 [00000006] IRP_MJ_READ Length: 0001, Data: 31
28 [00000006] IRP_MJ_READ Length: 0001, Data: 35
29 [00000006] IRP_MJ_READ Length: 0001, Data: 45
30 [00000006] IRP_MJ_READ Length: 0001, Data: 03
31 [00000006] IRP_MJ_READ Length: 0001, Data: 46
32 [00000006] IRP_MJ_READ Length: 0001, Data: 30
33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45
34 [00000007] IRP_MJ_READ Length: 0001, Data: 02
35 [00000007] IRP_MJ_READ Length: 0001, Data: 37
36 [00000007] IRP_MJ_READ Length: 0001, Data: 31
37 [00000007] IRP_MJ_READ Length: 0001, Data: 33
38 [00000007] IRP_MJ_READ Length: 0001, Data: 46
39 [00000007] IRP_MJ_READ Length: 0001, Data: 03
40 [00000007] IRP_MJ_READ Length: 0001, Data: 45
41 [00000007] IRP_MJ_READ Length: 0001, Data: 34
42 [00000015] IRP_MJ_CLOSE Port Closed
6. The data captured above from the serial-port monitor is in hexadecimal, which is genuinely hard to read, so first convert it to ASCII; then it is much easier to follow. (Control characters such as STX, ETX, ENQ and ACK show up as blanks in the string view, so only the printable payload and checksum characters remain.)
# Time Function Data ( String )
1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe
2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200
3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7
4 [00000001] IRP_MJ_WRITE Length: 0001, Data:
5 [00000002] IRP_MJ_READ Length: 0001, Data:
6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 00E02026C
7 [00000003] IRP_MJ_READ Length: 0001, Data:
8 [00000003] IRP_MJ_READ Length: 0001, Data: B
9 [00000003] IRP_MJ_READ Length: 0001, Data: 1
10 [00000003] IRP_MJ_READ Length: 0001, Data: 5
11 [00000003] IRP_MJ_READ Length: 0001, Data: E
12 [00000003] IRP_MJ_READ Length: 0001, Data:
13 [00000003] IRP_MJ_READ Length: 0001, Data: F
14 [00000003] IRP_MJ_READ Length: 0001, Data: 0
15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E
16 [00000004] IRP_MJ_READ Length: 0001, Data:
17 [00000004] IRP_MJ_READ Length: 0001, Data: 7
18 [00000004] IRP_MJ_READ Length: 0001, Data: 1
19 [00000004] IRP_MJ_READ Length: 0001, Data: 3
20 [00000004] IRP_MJ_READ Length: 0001, Data: F
21 [00000004] IRP_MJ_READ Length: 0001, Data:
22 [00000004] IRP_MJ_READ Length: 0001, Data: E
23 [00000004] IRP_MJ_READ Length: 0001, Data: 4
24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 00E02026C
25 [00000006] IRP_MJ_READ Length: 0001, Data:
26 [00000006] IRP_MJ_READ Length: 0001, Data: B
27 [00000006] IRP_MJ_READ Length: 0001, Data: 1
28 [00000006] IRP_MJ_READ Length: 0001, Data: 5
29 [00000006] IRP_MJ_READ Length: 0001, Data: E
30 [00000006] IRP_MJ_READ Length: 0001, Data:
31 [00000006] IRP_MJ_READ Length: 0001, Data: F
32 [00000006] IRP_MJ_READ Length: 0001, Data: 0
33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E
34 [00000007] IRP_MJ_READ Length: 0001, Data:
35 [00000007] IRP_MJ_READ Length: 0001, Data: 7
36 [00000007] IRP_MJ_READ Length: 0001, Data: 1
37 [00000007] IRP_MJ_READ Length: 0001, Data: 3
38 [00000007] IRP_MJ_READ Length: 0001, Data: F
39 [00000007] IRP_MJ_READ Length: 0001, Data:
40 [00000007] IRP_MJ_READ Length: 0001, Data: E
41 [00000007] IRP_MJ_READ Length: 0001, Data: 4
42 [00000015] IRP_MJ_CLOSE Port Closed
PC sends: 00E0202    ' reads the value of D8001
PLC replies: B15E    ' this is 5EB1: the reply carries the low byte first and the high byte second, so the two bytes have to be swapped.
5EB1 converted to decimal is 24241: 24 indicates the PLC type, FX2N or FX3U, and 241 is the version number.
PC sends: 00ECA02    ' reads the value of D8101
PLC replies: 713F    ' this is 3F71, which converted to decimal is 16241: 16 indicates the PLC type is FX3U, and 241 is the version number.
A few details the ASCII view hides: the port is opened at 115200 baud, 7 data bits, even parity, 1 stop bit; the single bytes 05 and 06 exchanged before the first frame are ENQ from the PC and ACK from the PLC; and every frame is wrapped in STX (02) ... ETX (03) followed by two hex characters (6C and 8E on the requests, F0 and E4 on the replies) that are the low byte of the sum of all bytes after STX up to and including ETX. Note also that the two request addresses, 0E02 and 0ECA, differ by 0xC8 = 200 bytes for the 100 registers between D8001 and D8101, i.e. two bytes per D register.
This whole block of data is just the programming software asking the PLC for its model so that it can carry on with the matching communication protocol. These data took a lot of time to test out.
That is all for this time; I hope friends will offer plenty of pointers.
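As an added worked example (not code from the original post and not Mitsubishi's own implementation), here is a small Python module that rebuilds the two request frames and decodes the two replies from the capture. The frame layout it uses, STX, a '0' read-command character, a 4-hex-digit byte address, a 2-hex-digit byte count, ETX and a 2-hex-digit checksum over everything after STX up to and including ETX, is verified against all four captured frames; the base address `D8000_BASE = 0x0E00` is an assumption chosen because it puts D8001 at 0x0E02 and D8101 at 0x0ECA, the two addresses seen on the wire.

```python
"""Mitsubishi FX programming-port read frames, rebuilt from the captured exchange.

Added example, not code from the original post. The four captured frames are
embedded below and every frame the module builds or parses is checked against
them. D8000_BASE is an assumption (see the lead-in), not a documented value.
"""

STX = 0x02
ETX = 0x03
ENQ = 0x05  # first byte the PC sends in the capture
ACK = 0x06  # the PLC's answer to ENQ
D8000_BASE = 0x0E00  # assumption: byte address of D8000, consistent with the capture


def checksum(body: bytes) -> str:
    """Two uppercase hex digits: low byte of the sum of `body` (bytes after STX, ETX included)."""
    return f"{sum(body) & 0xFF:02X}"


def d_register_address(d_number: int) -> int:
    """Byte address of a special register in the D8000 block; a D register is 16 bits = 2 bytes."""
    if not 8000 <= d_number <= 8255:
        raise ValueError("only the D8000 block is mapped in this example")
    return D8000_BASE + (d_number - 8000) * 2


def build_read_frame(address: int, count: int) -> bytes:
    """Read `count` bytes at `address`: '0' + 4-digit address + 2-digit count + ETX + checksum."""
    body = f"0{address:04X}{count:02X}".encode("ascii") + bytes([ETX])
    return bytes([STX]) + body + checksum(body).encode("ascii")


def parse_reply(frame: bytes) -> bytes:
    """Check STX, ETX and checksum of a data reply and return the raw data bytes."""
    if not frame or frame[0] != STX:
        raise ValueError("reply does not start with STX")
    try:
        etx = frame.index(ETX)
    except ValueError:
        raise ValueError("reply has no ETX") from None
    body = frame[1:etx + 1]                      # everything the checksum covers
    wanted = checksum(body)
    got = frame[etx + 1:etx + 3].decode("ascii", "replace")
    if got != wanted:
        raise ValueError(f"checksum mismatch: wire {got!r}, computed {wanted!r}")
    return bytes.fromhex(frame[1:etx].decode("ascii"))


def is_valid_reply(frame: bytes) -> bool:
    """True when STX, ETX and checksum all check out; a receiver should test this before trusting data."""
    try:
        parse_reply(frame)
        return True
    except ValueError:
        return False


def reply_word(frame: bytes) -> int:
    """The PLC sends the low byte first, so 'B15E' on the wire is the word 0x5EB1."""
    return int.from_bytes(parse_reply(frame)[:2], "little")


def decode_type_word(value: int):
    """Split 24241 into (24, 241): family code and version digits, read the way the post reads them."""
    return divmod(value, 1000)


# The four frames from the capture, reconstructed here from the hex dump in the post.
REQ_D8001 = bytes.fromhex("02 30 30 45 30 32 30 32 03 36 43")
REP_D8001 = bytes.fromhex("02 42 31 35 45 03 46 30")
REQ_D8101 = bytes.fromhex("02 30 30 45 43 41 30 32 03 38 45")
REP_D8101 = bytes.fromhex("02 37 31 33 46 03 45 34")


def identify(reply_d8001: bytes, reply_d8101: bytes) -> dict:
    """What the programming software does with the two replies: derive family, model and version."""
    family, version = decode_type_word(reply_word(reply_d8001))
    model, version_d8101 = decode_type_word(reply_word(reply_d8101))
    return {"d8001": family, "d8101": model, "version": version, "version_d8101": version_d8101}


if __name__ == "__main__":
    # Rebuilding the requests byte-for-byte confirms the frame layout and checksum rule.
    assert build_read_frame(d_register_address(8001), 2) == REQ_D8001
    assert build_read_frame(d_register_address(8101), 2) == REQ_D8101
    print(identify(REP_D8001, REP_D8101))
```

Running the module prints the decoded identification, 24/241 from D8001 and 16/241 from D8101, and the two asserts at the bottom are the check that matters when reversing a serial protocol: if you cannot regenerate the captured request bytes exactly, your model of the frame is wrong somewhere.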