三菱FX3U PLC解密软件开发叙述

时间：2023-03-20来源：佚名

对于三菱plc大家都很熟悉了，而FX2N的密码破解应该大家都会了，在返回的数据中都能找到密码，密码是在软件里比较的，而FX3U就不同了，FX3U有两段密码，看下图：

三菱FX3U PLC解密软件开发叙述

第1段密就和FX2N的一样，加的是明码，第2段就不一样了，密码加上后都变了，算法也完全变了，但在网上有高手能做到直读密码，我们被FX3U这种PLC的强大功能所吸引，对三菱PLC大家都用习惯了，觉的用起来顺手，在整个工控行业中用的比例很大，所以对破解这款PLC产生的浓厚的性趣， FX3U有的可以2个口编程，一个是我们通常用的圆口，还有个可以扩展个232接口，我先试圆口，通过串口软件监控的数椐，以下是我调试监控的数据。

# Time Function Data ( Hex )

1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe

2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200

3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7

4 [00000001] IRP_MJ_WRITE Length: 0001, Data: 05

5 [00000002] IRP_MJ_READ Length: 0001, Data: 06

6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43

7 [00000003] IRP_MJ_READ Length: 0001, Data: 02

8 [00000003] IRP_MJ_READ Length: 0001, Data: 42

9 [00000003] IRP_MJ_READ Length: 0001, Data: 31

10 [00000003] IRP_MJ_READ Length: 0001, Data: 35

11 [00000003] IRP_MJ_READ Length: 0001, Data: 45

12 [00000003] IRP_MJ_READ Length: 0001, Data: 03

13 [00000003] IRP_MJ_READ Length: 0001, Data: 46

14 [00000003] IRP_MJ_READ Length: 0001, Data: 30

15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45

16 [00000004] IRP_MJ_READ Length: 0001, Data: 02

17 [00000004] IRP_MJ_READ Length: 0001, Data: 37

18 [00000004] IRP_MJ_READ Length: 0001, Data: 31

19 [00000004] IRP_MJ_READ Length: 0001, Data: 33

20 [00000004] IRP_MJ_READ Length: 0001, Data: 46

21 [00000004] IRP_MJ_READ Length: 0001, Data: 03

22 [00000004] IRP_MJ_READ Length: 0001, Data: 45

23 [00000004] IRP_MJ_READ Length: 0001, Data: 34

24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43

25 [00000006] IRP_MJ_READ Length: 0001, Data: 02

26 [00000006] IRP_MJ_READ Length: 0001, Data: 42

27 [00000006] IRP_MJ_READ Length: 0001, Data: 31

28 [00000006] IRP_MJ_READ Length: 0001, Data: 35

29 [00000006] IRP_MJ_READ Length: 0001, Data: 45

30 [00000006] IRP_MJ_READ Length: 0001, Data: 03

31 [00000006] IRP_MJ_READ Length: 0001, Data: 46

32 [00000006] IRP_MJ_READ Length: 0001, Data: 30

33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45

34 [00000007] IRP_MJ_READ Length: 0001, Data: 02

35 [00000007] IRP_MJ_READ Length: 0001, Data: 37

36 [00000007] IRP_MJ_READ Length: 0001, Data: 31

37 [00000007] IRP_MJ_READ Length: 0001, Data: 33

38 [00000007] IRP_MJ_READ Length: 0001, Data: 46

39 [00000007] IRP_MJ_READ Length: 0001, Data: 03

40 [00000007] IRP_MJ_READ Length: 0001, Data: 45

41 [00000007] IRP_MJ_READ Length: 0001, Data: 34

42 [00000015] IRP_MJ_CLOSE Port Closed

6、上述从串口监控到的数据是十六进制的数据，还真不好看，先转换成ASC码，就好看多了。

# Time Function Data ( String )

1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe

2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200

3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7

4 [00000001] IRP_MJ_WRITE Length: 0001, Data:

5 [00000002] IRP_MJ_READ Length: 0001, Data:

6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 00E02026C

7 [00000003] IRP_MJ_READ Length: 0001, Data:

8 [00000003] IRP_MJ_READ Length: 0001, Data: B

9 [00000003] IRP_MJ_READ Length: 0001, Data: 1

10 [00000003] IRP_MJ_READ Length: 0001, Data: 5

11 [00000003] IRP_MJ_READ Length: 0001, Data: E

12 [00000003] IRP_MJ_READ Length: 0001, Data:

13 [00000003] IRP_MJ_READ Length: 0001, Data: F

14 [00000003] IRP_MJ_READ Length: 0001, Data: 0

15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E

16 [00000004] IRP_MJ_READ Length: 0001, Data:

17 [00000004] IRP_MJ_READ Length: 0001, Data: 7

18 [00000004] IRP_MJ_READ Length: 0001, Data: 1

19 [00000004] IRP_MJ_READ Length: 0001, Data: 3

20 [00000004] IRP_MJ_READ Length: 0001, Data: F

21 [00000004] IRP_MJ_READ Length: 0001, Data:

22 [00000004] IRP_MJ_READ Length: 0001, Data: E

23 [00000004] IRP_MJ_READ Length: 0001, Data: 4

24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 00E02026C

25 [00000006] IRP_MJ_READ Length: 0001, Data:

26 [00000006] IRP_MJ_READ Length: 0001, Data: B

27 [00000006] IRP_MJ_READ Length: 0001, Data: 1

28 [00000006] IRP_MJ_READ Length: 0001, Data: 5

29 [00000006] IRP_MJ_READ Length: 0001, Data: E

30 [00000006] IRP_MJ_READ Length: 0001, Data:

31 [00000006] IRP_MJ_READ Length: 0001, Data: F

32 [00000006] IRP_MJ_READ Length: 0001, Data: 0

33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E

34 [00000007] IRP_MJ_READ Length: 0001, Data:

35 [00000007] IRP_MJ_READ Length: 0001, Data: 7

36 [00000007] IRP_MJ_READ Length: 0001, Data: 1

37 [00000007] IRP_MJ_READ Length: 0001, Data: 3

38 [00000007] IRP_MJ_READ Length: 0001, Data: F

39 [00000007] IRP_MJ_READ Length: 0001, Data:

40 [00000007] IRP_MJ_READ Length: 0001, Data: E

41 [00000007] IRP_MJ_READ Length: 0001, Data: 4

42 [00000015] IRP_MJ_CLOSE Port Closed

电脑发：00E0202 ’查询D8001的值

PLC回：B15E ‘回复为5EB1，回复的数据高位在后、低位在前，所以要对调个位，

5EB1转为10进数据值为：24241，24表示PLC型号FX2N或3U，241表示版本号，

电脑发：00ECA02码 ’查询D8101的值

PLC回：713F ‘回复为3F71转为10进数据值为：16241，16表示PLC型号为FX3U，241表示版本号

以上这一大段数据也就是编程软件查询一下PLC的型号，以便接下来按相应的通迅协议进行通迅。这些数据是花了大量时间测试出来的，

这次就讲到这里，望朋友多多指点。

三菱FX3U PLC解密软件开发叙述

相关阅读

触电急救方法，这是我见过最详细的

运放电路设计

收藏啦！电工配线必背口诀

普通二极管能代替快恢复二极管吗

变频器过电压的防止措施

热销商品

EPDM配电箱机柜密封条三元乙丙橡胶半圆海绵自粘发泡胶条20*10mm

防静电塑料镊子93301-08硬质碳纤维合成镊子尖头镊子纤维镊子

耐高温发泡硅胶密封垫片背胶定制聚氨酯丁晴氟橡胶EPDM矩形软四氟

硅胶发泡圆条硅胶发泡条耐高温密封条海绵条 1mm/2/3/4/5/8/10/12

轻便型防撞鸭舌安全帽车间防撞安全鸭舌帽防砸帽劳保帽子定制印字

网站栏目

三菱FX3U PLC解密软件开发叙述

相关阅读

触电急救方法，这是我见过最详细的

运放电路设计

收藏啦！电工配线必背口诀

普通二极管能代替快恢复二极管吗

变频器过电压的防止措施

热销商品

EPDM配电箱机柜密封条三元乙丙橡胶半圆海绵自粘发泡胶条20*10mm

防静电塑料镊子93301-08硬质碳纤维合成镊子 尖头镊子 纤维镊子

耐高温发泡硅胶密封垫片背胶定制聚氨酯丁晴氟橡胶EPDM矩形软四氟

硅胶发泡圆条硅胶发泡条耐高温密封条海绵条 1mm/2/3/4/5/8/10/12

轻便型防撞鸭舌安全帽车间防撞安全鸭舌帽防砸帽劳保帽子定制印字

网站栏目

防静电塑料镊子93301-08硬质碳纤维合成镊子尖头镊子纤维镊子