
Mitsubishi plc system password



Posted
Hi, I would like to know how I can unprotect a Mitsubishi PLC protected by a system password. Thanks, JJH
Posted
I have contacted Mitsubishi several times about this. They tell me it cannot be done.
Posted
You can clear the memory so there is nothing in the PLC, but there is no way to access a password protected program.
Posted
Talk about bad practice, usually the companies which put password protection on plc software code are the ones who have since gone bust and left you in the lurch.
Posted
There is the brute force method. Use snooper software like the Comm Lite 32 found in this site's download section and trap the command that sends the password. Most Japanese PLCs use one 4 digit hex register as the password. Set up a VB application to try all possibilities from 0000 to FFFF.
  • Like 1
Posted
Thanks Jay! I tried Comm Lite 32, but it didn't work when I installed it on a PC with Windows 2000. Do you know a program like Comm Lite 32 that works on Windows 2000? Thanks and Regards!!! JJH From Mexico
Posted
I assume you don't have the password. Do you have a backup copy of the original code? If yes, then use the following. Using Medoc, Select the following Start Open the Project Transfer Other Keyword- (Entry Code Settings) F2 PLC All Clear You should now be able to download your copy. If you don't have a back-up of the original, then it's hand writing out what's in the existing PLC and generating your own program from this. Regards, Gene.
Posted
I am of the opinion that without the password you cannot even read or see the program without having the original on disk. It is a total lock-out without the password. I have not password protected in a long while but I seem to remember it was an 8 No. password using hex No's 0 to F. I have found passwords written on the back of the PLC (you have to turn it around in the panel) and even tried the machine serial No. with limited success. The person that password protected the plc either uses the same password each time or writes it down somewhere so that he does not forget it.
Posted
For a nice terminal app that works on NT/2000, try Tera Term Pro. It's a nice freebie that I use all the time. http://hp.vector.co.jp/authors/VA002416/teraterm.html
  • Like 1
Posted
There is always a way, if you have patience..... This page http://freespace.virgin.net/ian.sullivan/M.../Mitsubishi.htm may give you some guidance. If anyone has some similar ideas for these or other controllers I'd be pleased to know. Ian
Posted
"There is always a way, if you have patience..... This page http://freespace.virgin.net/ian.sullivan/M.../Mitsubishi.htm may give you some guidance," Thanks for that navillusi, am very interested in that. I have downloaded the packet sniffer program and have brought some mitsi plcs home to practice on. I have a customer with an A series plc that is password protected; it has 192 I/O. We have no way of getting in without a re-write and he doesn't want to pay for that. I will keep you posted as to how I get on.
Posted
I see this topic closed some time ago and I have looked at the suggested site which covers FX and A, but..................does anyone know the protocol for Q, QnS, etc.?
Guest Albert Fanakapan
Posted
Somewhere, I have the program and documents from that site. (I shall try to find them) I did what you are proposing to do and it does work. I set up a known password and looked for it with the packet sniffer. (on both an FX and A series - as passwords are handled differently on these 2 models) Then, (and it was a little scary) I got my assistant to 1st write down, then very carefully password them with one unknown to me. I found them both (the A being much harder) and unlocked them. I actually needed to unlock a real PLC and then managed to do it. The only trouble is - the packet sniffer program only works in win 98
Posted
Trust me, my pages are still live.... For those who do not use Comlite as they haven't got a win 98 pc anymore, try sermon from HHD software, http://www.hhdsoftware.com/ it works on W2k & XP and is a much better product.
  • Like 1
Posted (edited)
I personally use a freeware called Portmon version 3.2. It's very easy to crack a Mitsu PLC .... You can find the warez at PORTMON V 3.2 for all the MS flavors. For those willing to try, here's what you do. Start your PLC programming ware. Start Portmon. Once this is done... Try to upload the PLC program to your PC. You will be asked for a password. Write 00000000 in the password field. Start the CAPTURE function of Portmon. Click to accept password. You will receive a message that it's not the good password. END the CAPTURE function of Portmon. Now check your Portmon screen and look for a series of 8 times the value of ZERO. The real password is sitting right beside it. All this is in HEX of course. Edited by Pierre
  • Like 1
Posted
I can confirm that navillusi's website is live, I just downloaded files... there is a PDF at the bottom of the page for those who want to keep the article for reference.
Posted
Hi Chris, Did you find the article? If not I could email it to you (it's 700k PDF file). Btw. what do you have in the lab? PLCs, HMIs, servos, comms, ...? Regards, Panic
Posted
Guest, Omron PLCs are discussed in a different forum section. This topic was discussed in the past and as far as I remember the approach was pretty much the same. Just go to the Omron section of the forum and use the search function to look for "password". There will be a number of hits like http://forums.mrplc.com/index.php?showtopic...st=0entry3929
