Notes on Developing Mitsubishi FX3U PLC Decryption Software

Date: 2023-03-20 Author: Anonymous

Everyone is familiar with Mitsubishi PLCs, and by now everyone presumably knows how the FX2N password is cracked: the password can be found in the returned data, and the comparison is done in the software. The FX3U is different. It has two password segments, as the figure below shows:

[Figure: Mitsubishi FX3U PLC decryption software development notes]

The first segment works the same way as on the FX2N: it is stored in plain text. The second segment is different: once it is set the values all change and the algorithm is completely different, yet some experts online can read the password directly. We were drawn in by the FX3U's powerful features; everyone is used to Mitsubishi PLCs, finds them convenient, and they make up a large share of the whole industrial-control sector, so we took a keen interest in cracking this PLC. Some FX3U units can be programmed through two ports: the round connector we normally use, and an expansion RS-232 port. I tried the round port first and monitored the traffic with a serial-port monitoring tool; below is the data I captured while debugging.

# Time Function Data ( Hex )

1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe

2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200

3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7

4 [00000001] IRP_MJ_WRITE Length: 0001, Data: 05

5 [00000002] IRP_MJ_READ Length: 0001, Data: 06

6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43

7 [00000003] IRP_MJ_READ Length: 0001, Data: 02

8 [00000003] IRP_MJ_READ Length: 0001, Data: 42

9 [00000003] IRP_MJ_READ Length: 0001, Data: 31

10 [00000003] IRP_MJ_READ Length: 0001, Data: 35

11 [00000003] IRP_MJ_READ Length: 0001, Data: 45

12 [00000003] IRP_MJ_READ Length: 0001, Data: 03

13 [00000003] IRP_MJ_READ Length: 0001, Data: 46

14 [00000003] IRP_MJ_READ Length: 0001, Data: 30

15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45

16 [00000004] IRP_MJ_READ Length: 0001, Data: 02

17 [00000004] IRP_MJ_READ Length: 0001, Data: 37

18 [00000004] IRP_MJ_READ Length: 0001, Data: 31

19 [00000004] IRP_MJ_READ Length: 0001, Data: 33

20 [00000004] IRP_MJ_READ Length: 0001, Data: 46

21 [00000004] IRP_MJ_READ Length: 0001, Data: 03

22 [00000004] IRP_MJ_READ Length: 0001, Data: 45

23 [00000004] IRP_MJ_READ Length: 0001, Data: 34

24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 30 32 30 32 03 36 43

25 [00000006] IRP_MJ_READ Length: 0001, Data: 02

26 [00000006] IRP_MJ_READ Length: 0001, Data: 42

27 [00000006] IRP_MJ_READ Length: 0001, Data: 31

28 [00000006] IRP_MJ_READ Length: 0001, Data: 35

29 [00000006] IRP_MJ_READ Length: 0001, Data: 45

30 [00000006] IRP_MJ_READ Length: 0001, Data: 03

31 [00000006] IRP_MJ_READ Length: 0001, Data: 46

32 [00000006] IRP_MJ_READ Length: 0001, Data: 30

33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 02 30 30 45 43 41 30 32 03 38 45

34 [00000007] IRP_MJ_READ Length: 0001, Data: 02

35 [00000007] IRP_MJ_READ Length: 0001, Data: 37

36 [00000007] IRP_MJ_READ Length: 0001, Data: 31

37 [00000007] IRP_MJ_READ Length: 0001, Data: 33

38 [00000007] IRP_MJ_READ Length: 0001, Data: 46

39 [00000007] IRP_MJ_READ Length: 0001, Data: 03

40 [00000007] IRP_MJ_READ Length: 0001, Data: 45

41 [00000007] IRP_MJ_READ Length: 0001, Data: 34

42 [00000015] IRP_MJ_CLOSE Port Closed

The data captured from the serial port above is in hexadecimal, which is hard to read; converting it to ASCII first makes it much more readable.

# Time Function Data ( String )

1 [00000000] IRP_MJ_CREATE Port Opened - Gppw.exe

2 [00000000] IOCTL_SERIAL_SET_BAUD_RATE Baud Rate: 115200

3 [00000000] IOCTL_SERIAL_SET_LINE_CONTROL StopBits: 1, Parity: Even, DataBits: 7

4 [00000001] IRP_MJ_WRITE Length: 0001, Data:

5 [00000002] IRP_MJ_READ Length: 0001, Data:

6 [00000002] IRP_MJ_WRITE Length: 0011, Data: 00E02026C

7 [00000003] IRP_MJ_READ Length: 0001, Data:

8 [00000003] IRP_MJ_READ Length: 0001, Data: B

9 [00000003] IRP_MJ_READ Length: 0001, Data: 1

10 [00000003] IRP_MJ_READ Length: 0001, Data: 5

11 [00000003] IRP_MJ_READ Length: 0001, Data: E

12 [00000003] IRP_MJ_READ Length: 0001, Data:

13 [00000003] IRP_MJ_READ Length: 0001, Data: F

14 [00000003] IRP_MJ_READ Length: 0001, Data: 0

15 [00000004] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E

16 [00000004] IRP_MJ_READ Length: 0001, Data:

17 [00000004] IRP_MJ_READ Length: 0001, Data: 7

18 [00000004] IRP_MJ_READ Length: 0001, Data: 1

19 [00000004] IRP_MJ_READ Length: 0001, Data: 3

20 [00000004] IRP_MJ_READ Length: 0001, Data: F

21 [00000004] IRP_MJ_READ Length: 0001, Data:

22 [00000004] IRP_MJ_READ Length: 0001, Data: E

23 [00000004] IRP_MJ_READ Length: 0001, Data: 4

24 [00000005] IRP_MJ_WRITE Length: 0011, Data: 00E02026C

25 [00000006] IRP_MJ_READ Length: 0001, Data:

26 [00000006] IRP_MJ_READ Length: 0001, Data: B

27 [00000006] IRP_MJ_READ Length: 0001, Data: 1

28 [00000006] IRP_MJ_READ Length: 0001, Data: 5

29 [00000006] IRP_MJ_READ Length: 0001, Data: E

30 [00000006] IRP_MJ_READ Length: 0001, Data:

31 [00000006] IRP_MJ_READ Length: 0001, Data: F

32 [00000006] IRP_MJ_READ Length: 0001, Data: 0

33 [00000006] IRP_MJ_WRITE Length: 0011, Data: 00ECA028E

34 [00000007] IRP_MJ_READ Length: 0001, Data:

35 [00000007] IRP_MJ_READ Length: 0001, Data: 7

36 [00000007] IRP_MJ_READ Length: 0001, Data: 1

37 [00000007] IRP_MJ_READ Length: 0001, Data: 3

38 [00000007] IRP_MJ_READ Length: 0001, Data: F

39 [00000007] IRP_MJ_READ Length: 0001, Data:

40 [00000007] IRP_MJ_READ Length: 0001, Data: E

41 [00000007] IRP_MJ_READ Length: 0001, Data: 4

42 [00000015] IRP_MJ_CLOSE Port Closed

PC sends: 00E0202 ' read the value of D8001

PLC replies: B15E ' the reply is 5EB1: the data arrives high byte last and low byte first, so the two bytes must be swapped. 5EB1 in decimal is 24241: 24 indicates the PLC model (FX2N/3U) and 241 the version number.

PC sends: 00ECA02 ' read the value of D8101

PLC replies: 713F ' the reply is 3F71, which in decimal is 16241: 16 indicates the PLC model FX3U and 241 the version number.

All of this data is just the programming software querying the PLC's model so that it can then communicate using the matching protocol. Working these bytes out took a great deal of testing.
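The four frames in the capture follow one layout: STX, an ASCII payload, ETX, then two hex digits holding the low byte of the sum of every byte after STX up to and including ETX. The following Python decoder is an added example, not code from the article; it rebuilds the two request frames from the capture, validates the checksum of the replies, and decodes the model word the way the text describes (low byte first). The D-register address mapping D8000+n -> 0x0E00+2n is an assumption inferred only from the two requests on the page (D8001 -> 0x0E02, D8101 -> 0x0ECA); the CAPTURE table is constructed from the rows shown above.

```python
"""Validate and decode Mitsubishi FX programming-port frames from a serial capture.

Added example (not from the article). Frame layout and checksum rule are
inferred from the four frames on the page. The D-register address mapping is
an assumption based on the two request frames only.
"""

STX, ETX, ENQ, ACK = 0x02, 0x03, 0x05, 0x06


def fx_checksum(body: bytes) -> str:
    """Low byte of the plain byte sum, as two upper-case hex digits."""
    return f"{sum(body) & 0xFF:02X}"


def build_read_frame(address: int, nbytes: int) -> bytes:
    """Build a 'read nbytes at address' request: '0' + AAAA + NN, framed."""
    payload = f"0{address:04X}{nbytes:02X}".encode("ascii")
    body = payload + bytes([ETX])
    return bytes([STX]) + body + fx_checksum(body).encode("ascii")


def d_register_address(n: int) -> int:
    """Assumed mapping for the D8000 block: D8001 -> 0x0E02, D8101 -> 0x0ECA."""
    if not 8000 <= n <= 8255:
        raise ValueError("only the D8000 block is covered by this assumed mapping")
    return 0x0E00 + 2 * (n - 8000)


def parse_frame(frame: bytes) -> str:
    """Check STX, ETX and checksum; return the ASCII payload or raise ValueError."""
    if len(frame) < 4 or frame[0] != STX:
        raise ValueError("missing STX")
    etx = frame.index(ETX)  # raises ValueError if ETX is absent
    body, tail = frame[1:etx + 1], frame[etx + 1:etx + 3]
    if len(tail) != 2:
        raise ValueError("truncated checksum")
    expected = fx_checksum(body)
    if tail.decode("ascii").upper() != expected:
        raise ValueError(f"bad checksum: got {tail!r}, expected {expected}")
    return body[:-1].decode("ascii")


def decode_word(payload: str) -> int:
    """Two data bytes arrive low byte first: 'B15E' -> 0x5EB1 = 24241."""
    lo, hi = int(payload[0:2], 16), int(payload[2:4], 16)
    return (hi << 8) | lo


def split_model_version(value: int) -> tuple[int, int]:
    """The article reads 24241 as model code 24 and version 241."""
    return value // 1000, value % 1000


def from_capture(hex_row: str) -> bytes:
    """Turn the 'Data: 02 42 31 ...' hex column of the monitor output into bytes."""
    return bytes.fromhex(hex_row)


# Constructed from the capture on the page: one request and its byte-per-read reply.
CAPTURE = {
    8001: ("02 30 30 45 30 32 30 32 03 36 43", "02 42 31 35 45 03 46 30"),
    8101: ("02 30 30 45 43 41 30 32 03 38 45", "02 37 31 33 46 03 45 34"),
}


def decode_capture() -> dict[int, tuple[int, int]]:
    """Cross-check each request against the rebuilt frame and decode its reply."""
    result = {}
    for reg, (req_hex, rsp_hex) in CAPTURE.items():
        if build_read_frame(d_register_address(reg), 2) != from_capture(req_hex):
            raise ValueError(f"request for D{reg} does not match the assumed layout")
        result[reg] = split_model_version(decode_word(parse_frame(from_capture(rsp_hex))))
    return result


if __name__ == "__main__":
    for reg, (model, version) in decode_capture().items():
        print(f"D{reg}: model code {model}, version {version}")
```

The additive checksum only catches line noise; it is not an integrity or authentication mechanism, so a monitoring tool that validates frames this way can flag corrupted traffic but cannot tell a legitimate programming station from any other device on the same serial line.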

That is all for this time; I welcome pointers from fellow readers.
