BIOS parameters TM171/TM172

otrotabi · ‎2022-10-06

I would like to have some clarification regarding the way BIOS parameters are updated when using the "Download all" tool or the "Commissioning /Parameteres/Write all default values".

I noticed that if I use the Download all tool, at least parameters UI27 and UI28 which correspond to password authetication are not updated according to the default values, while "Write all default values" does update them.

Also I get this error :

This does not correspond to either UI27 o UI28. I know there is another password but I am not familiar about what it does. Should I pay more attention to this?

LeTomas · ‎2022-10-06

Hi @otrotabi ,

I would not recommend you to freely change the value on the PASSWORD parameter because this is related to the protection of your application inside the controller.

Please take a look in the next video for further information about this "PASSWORD":

Regarding the UI27 and UI28 for accessing to the variables in the controller it should be written when you make a the download all (i guess, i do not have a m171O to check it ☹️ ) but in the commissioning it works 100%.

Saludos

Leandro

See Answer In Context

LeTomas · ‎2022-10-06

Hi @otrotabi ,

I would not recommend you to freely change the value on the PASSWORD parameter because this is related to the protection of your application inside the controller.

Please take a look in the next video for further information about this "PASSWORD":

Regarding the UI27 and UI28 for accessing to the variables in the controller it should be written when you make a the download all (i guess, i do not have a m171O to check it ☹️ ) but in the commissioning it works 100%.

Saludos

Leandro

FedericoM · ‎2022-10-06

Hi,

during the Download All process, if you decide to write the default values, ESME HVAC will write all the default values of EEprom parameters and the bios parameters that have a value written in the "New value" column of Configuration-->M171O-->Modbus Objects-->BIOS Parameters

otrotabi · ‎2022-10-06

Thank you, So actually New value is like a "Project" default while the default values are a factory default value. I understand, thnks for making it clear.

otrotabi · ‎2022-10-08

Nice video! Loved it. I have commented it on Youtube and I apologize for duplicating my question, but I would say that it should be fair to say that here is the right place to do it.

So, I finally understood the concept of application password vs level password. It´s an interesting feature to implement if needed, i.e. you could possibly ask for a password at boot time in order for the PLC to run, I guess.

What I do not understand is what you mean by stealing the code. Is it possible to connect to a PLC to upload the binary code to a computer and then write it to a new one? I mean, maybe some SE engineer might have a tool to do that but as far as I know that is advanced hacking!

I also understand that, being a little paranoic, saving the password inside the code is the best solution in terms of application protection, but I would say that for a regular use saving it in an EEPROM variable could be a better solution, this way you may change it later without needing to connect with your laptop. I admit you could connect with some modbus scanner but how would you identify which of the many registers is the right one?

Last, but not least: yours (in the video) is a very small program just to show how this feature works, but it looks like there is some timing issue regarding how fast the new program uploads vs the time you have set before the sysExecutionPassword FB runs. What happens if the program is bigger, demanding more time to load? Particularly for the TM171 line that usually means a long time.

Bastian_Schmitz · ‎2022-10-10

The time delay is to have a chance to enter the password. Whithout this time delay it would be problematic to enter the right password. In that case you will get a reboot loop. Because if the system password check failed the controller will be reboot.

otrotabi · ‎2022-10-11

Actually what the video showcases is not about entering a password on screen, though this would be a good use of the sysExecutionPassword.

@LeTomas says it is possible for someone to connect to a PLC and somehow upload the binary code and download it to another PLC, so my first question is: is it possible?

Then he says that, if that is possible, since the new PLC would have the default password FFFF FFFF then the PLC would restart, since password is hardcoded in the program, and the hacker would not have the source, only the binary code.

So, the only solution is to enter the right password in the PLC by downloading new code (in the video it is around minute 17.30). I think that in that scenario, once you start downloading the new code PLC execution stops, but in case I am mistaken, I just lost a PLC. So, the second question is: what if the program is a real one and takes longer than the demo to download?

LeTomas · ‎2022-10-11

Hi @otrotabi ,

If I am not wrong If you do not disable the FTP and change the user/pass you can use a FTP client like Filezilla and access to the binary code in the controller. Also, if you have a minu-usb you can connect to the controller and usen the "Open file browser" and access to the files inside the controller.

(Again) if i am not wrong you can copy those files and use them in another controller that's why it is important to have the PASSWORD set as in my example so even if someone copy the files and put them in a new controller they are not able to use the PLC and it show the original programmer information on the embedded display.

If someone tries to use a modbus master to read that PASSWORD register the PLC does not allow the read of this parameter so it will be secure on the original PLC.

otrotabi · ‎2022-10-11

Thank you. I will give it a try sometime. Actually, I am not particularly worried about someone else using my code but myself not being able to find the exact program for a given machine is very likely I am afraid 😕.

Since even the smallest indent change, no code touched produces a "DIFF CODE" sign, it has been hard for me to connect to an old machine and get the reassuring "SOURCE OK" sign on the right side bottom of the screen.

However, using the sysExecutionPassword FB to ask for a password is something very useful indeed.