Re: Getting into PLCs

For higher performance PLC's, you will find compiler code (native to the CPU that's executing it). For cheaper models, you'll likely find some sort of intermediate code that is interpreted/JITed by the processor.

You won't find stuff that you can read "in English"...

Re: Getting into PLCs

part number of the flash will help,
or just spend $800 on something universal with 48 active pins!!!

the flash will have a bootloader with the code for reading passwords and comparing them, together with the loader routines.
then it will have a system area for storing passwords and other "settings",
then a big area for the uploaded user-code.

Re: Getting into PLCs

I was hoping it's pretty visible in the picture (I took one of every major chip on there), but in case it isn't it's SST39SF020A which I think is THIS.
Nope - not happening It would be redundant for this purpose anyway, plus the issue at hand is not so much learning to program a new PLC entirely from scratch as it is recovering the routine the original machine performed, which is only partly known so far due to a complete lack of documentation on these machines (even "known" is a bit generous here - inferred would be more appropriate)

Also, just the issue I've been having from the very start and why it's not happening:

Re: Getting into PLCs

["Code" not visible in human-readable form]

Depending on the PLC, the programming tools may hold the "source" off-line (relying on you to maintain it's availability), or, will include tools to "decompile" the image from the controller and (effectively) recreate the original sources.

Re: Getting into PLCs

i think that part is compatable with a 256k 32pin eprom,
you could read it with an arduino running eprom/novram software.

Re: Getting into PLCs

XCP Pro (the software used with this PLC) does have a function to read back from the PLC, but it won't let you do it without the password...

On this topic, I of course shall want to protect my version of the program on the new PLC with a password as well, but there was something I came across in the manual which put me off: the manual talks about something called "secret download" which sounds like it would do just that - password-protect the PLC to prevent writing/reading, which these guys already did with theirs - but the slightly broken english made it sound like it would lock down the PLC entirely and would prevent ANY subsequent attempts at reading/writing to it, even if you purposely do it and know the password....damn chinese tech

Re: Getting into PLCs

do you want to read the flash?

i can explain in detail how to do it with just an arduino, and a chinese €1 adapter pcb.

Re: Getting into PLCs

Go ahead, just for reference. I'm not sure it would help with cracking the password, but still useful to know in the long run, why not

Obviously I have to pull off the chip first...preferably without destroying pins and traces, which is not going to be easy with all that lacquer they poured on the PCB. Then I'd need the adapter and then something to read it with...I didn't know the Arduino can do that.

Re: Getting into PLCs

https://www.jammarcade.net/programmi...-arduino-mega/

you can mod that to read any parallel memory device.

Re: Getting into PLCs

Systems implemented with PLCs are notoriously easy to "steal" -- buy the sensors and actuators that the original manufacturer used, buy an exact copy of the PLC that was used, transfer the "software" from the PLC to the new one and you've cut the original manufacturer out of the loop (sale)!

So, you want to be able to "lock up" the "source code" (ladder logic, etc.) that is embodied in that PLC so that the counterfeiter can't clone it.

At the very least, you want to ensure the counterfeiter can't blindly clone the code (without bothering to understand it: "This SEEMS to work good enough, as is!") to cut the manufacturer out of the subsequent "purchase(s)".

As many industries using PLCs in their process control applications have staff that are competent with PLCs -- though not, perhaps, capable of designing a complete system from scratch (amazing how many folks can MODIFY an existing system yet are clueless as to its basic design) -- you also would like to obfuscate the sources so the counterfeiter can't "see" how you've solved the problem. And, by extension, can't see how to make the changes they would like -- without enlisting your help ($$).

Whenever your customer (or competitor!) can freely purchase the components that you have purchased and used in your design, you are at risk for them cutting you out of the loop. You want to raise the bar so they need to invest as much effort trying to steal your work as they would have to invest to create their own ORIGINAL work.

Re: Getting into PLCs

Doesn't seem to be so much for reading chips as it is for writing to them. Not sure about one thing though: is this the same thing as the NAND in TVs ? Those always fail on Samsungs and I thought this might kill two birds with one stone and I'd be able to reprogram those as well (provided I find the correct software)

Re: Getting into PLCs

here's a better one - just increase the number of address pins.
https://github.com/frisnit/Arduino-Eprom-Writer

and no, you cant really clone high density flash with it because you cant re-map around bad sectors on the new chip
you can read any parallel memory with it though - as long as it's 5v tolerant.

Re: Getting into PLCs

Well, just for those who are curious about the display for these things as well, here's some shots of what's inside one of these OP320 displays. This is one of the newer ones we received and I successfully created a program for. I distinctly remember there were some slight differences between this one and the "original" TouchWin ones which came installed on those water filter stations.

There's three of those: one of them works but has vertical streaks across the middle of the display due to moisture, the second was completely dead but I managed to revive it (corroded trace somewhere) and the last one turns on but doesn't do anything else: just the blue backlight comes on but never boots. My idea was to take the microcontroller from that one and solder it onto this one, or even better, swap the whole board if it fits, which I believe it doesn't because of one of those slight differences I mentioned. This is of course assuming the micro is not the cause of the failure to begin with ! ! I think that one uses a flex cable to connect the two boards, whereas this one uses header pins.

Re: Getting into PLCs

looks like an off-the-shelf graphic lcd, and an obsolete 4k microcontroller.
not much to it.

Re: Getting into PLCs

I guess I should probably dig into the dead one some more, since I feel I didn't give it the required amount of attention before giving up....granted, the time constraint was rather short, so I just left it in there so there wouldn't be a hole in the panel of the station