BIOS parameters TM171/TM172

Hi,

during the Download All process, if you decide to write the default values, ESME HVAC will write all the default values of EEprom parameters and the bios parameters that have a value written in the "New value" column of Configuration-->M171O-->Modbus Objects-->BIOS Parameters 

Thank you, So actually New value is like a "Project" default while the default values are a factory default value. I understand, thnks for making it clear.

Nice video! Loved it. I have commented it on Youtube and I apologize for duplicating my question, but I would say that it should be fair to say that here is the right place to do it.

So, I finally understood the concept of application password vs level password. It´s an interesting feature to implement if needed, i.e. you could possibly ask for a password at boot time in order for the PLC to run, I guess.

What I do not understand is what you mean by stealing the code. Is it possible to connect to a PLC to upload the binary code to a computer and then write it to a new one? I mean, maybe some SE engineer might have a tool to do that but as far as I know that is advanced hacking!

I also understand that, being a little paranoic, saving the password inside the code is the best solution in terms of application protection, but I would say that for a regular use saving it in an EEPROM variable could be a better solution, this way you may change it later without needing to connect with your laptop. I admit you could connect with some modbus scanner but how would you identify which of the many registers is the right one?

Last, but not least: yours (in the video) is a very small program just to show how this feature works, but it looks like there is some timing issue regarding how fast the new program uploads vs the time you have set before the sysExecutionPassword FB runs. What happens if the program is bigger, demanding more time to load? Particularly for the TM171 line that usually means a long time.

The time delay is to have a chance to enter the password. Whithout this time delay it would be problematic to enter the right password. In that case you will get a reboot loop. Because if the system password check failed the controller will be reboot.

Actually what the video showcases is not about entering a password on screen, though this would be a good use of the sysExecutionPassword. 

@LeTomas says it is possible for someone to connect to a PLC and somehow upload the binary code and download it to another PLC, so my first question is: is it possible?

Then he says that, if that is possible, since the new PLC would have the default password FFFF FFFF then the PLC would restart, since password is hardcoded in the program, and the hacker would not have the source, only the binary code. 

So, the only solution is to enter the right password in the PLC by downloading new code (in the video it is around minute 17.30). I think that in that scenario, once you start downloading the new code PLC execution stops, but in case I am mistaken, I just lost a PLC. So, the second question is: what if the program is a real one and takes longer than the demo to download? 

Hi @otrotabi ,

If I am not wrong If you do not disable the FTP and change the user/pass you can use a FTP client like Filezilla and access to the binary code in the controller. Also, if you have a minu-usb you can connect to the controller and usen the "Open file browser" and access to the files inside the controller.

(Again) if i am not wrong you can copy those files and use them in another controller that's why it is important to have the PASSWORD set as in my example so even if someone copy the files and put them in a new controller they are not able to use the PLC and it show the original programmer information on the embedded display.

If someone tries to use a modbus master to read that PASSWORD register the PLC does not allow the read of this parameter so it will be secure on the original PLC.

Thank you. I will give it a try sometime. Actually, I am not particularly worried about someone else using my code but myself not being able to find the exact program for a given machine is very likely I am afraid 😕.

Since even the smallest indent change, no code touched produces a "DIFF CODE" sign, it has been hard for me to connect to an old machine and get the reassuring "SOURCE OK" sign on the right side bottom of the screen. 

However, using the sysExecutionPassword FB to ask for a password is something very useful indeed.