I had a couple of these PLCs lying around eating dust and, driven by curiosity, I decided to explore how they operate. Naturally, my first step was to remove the protective casing, revealing an unexpected surprise inside – an MegaWin microcontroller instead of the expected legacy chip. This revelation piqued my interest even more, prompting me to delve into the inner workings of this device.
I also had an Internet Serial Connect module, a vivid blue piece of hardware as seen in the picture. The module has both a LAN port for network connectivity and a Serial port that accommodates a PLC, and it bridges the two by exposing the serial line as a TCP/IP connection. The module obtains an IP address, which becomes the gateway through which the legacy ICP DAS software exchanges commands with the attached Serial port.
Reverse Engineering
Desiring complete control over the PLC without relying on the legacy software, I set out to decipher the communication protocol. Equipped with Wireshark, I probed the software's functions one by one and scrutinized the hexadecimal data it transmitted. My first challenge was to command the relays on the PLC, and as I dived into the HEX codes, patterns began to emerge.
For the relay control, I identified a consistent structure:
- Relay 1 was signified by { 0x40, 0x30, 0x30, 0x31, 0x0D }
- Relay 2 by { 0x40, 0x30, 0x30, 0x32, 0x0D }
- Relay 3 by { 0x40, 0x30, 0x30, 0x34, 0x0D }
- Relay 4 by { 0x40, 0x30, 0x30, 0x38, 0x0D }
It became apparent that 0x40 and 0x0D were the fixed starting and ending bytes, respectively.
As I delved deeper, a breakthrough emerged. The relays were encoded as a 4-bit mask, where activating Relay 1 equated to 2^0 = 1, Relay 2 to 2^1 = 2, Relay 3 to 2^2 = 4, and so forth. Armed with this knowledge, I could now set the state of all four relays in a single command.
However, my quest was far from over. The PLC had more to offer, including counters and digital inputs. Determined to unlock their secrets, I continued my exploration, ready to decode the mysteries that lay ahead.
Continuing my investigation, I applied the same method to uncover how the software read the PLC's inputs. The HEX value { 0x40, 0x30, 0x30, 0x0D } turned out to be the key to this information. The PLC featured four Digital Inputs, each in either a HIGH (1) or LOW (0) state, and the command returned the status of all input lines at once.
Obtaining the counter data, however, was harder: the legacy software polled the PLC continuously, which made the Wireshark capture sessions noisy. Despite the interference, I persisted in finding patterns within the data. The command structure revealed itself as follows:
- Counter 1: { 0x20, 0x23, 0x30, 0x30, 0x30, 0x0D }
- Counter 2: { 0x20, 0x23, 0x30, 0x30, 0x31, 0x0D }
- Counter 3: { 0x20, 0x23, 0x30, 0x30, 0x32, 0x0D }
- Counter 4: { 0x20, 0x23, 0x30, 0x30, 0x33, 0x0D }
It was evident that only the second-to-last byte changed, representing a 4-bit value; counter 4 was the exception and required significant effort to decipher.
With the counter values at my disposal, I sought to reset them as a precaution against a potential 8-bit overflow. The corresponding reset commands turned out to be:
- Counter 1 reset: { 0x20, 0x24, 0x30, 0x30, 0x43, 0x30, 0x0D }
- Counter 2 reset: { 0x20, 0x24, 0x30, 0x30, 0x43, 0x31, 0x0D }
- Counter 3 reset: { 0x20, 0x24, 0x30, 0x30, 0x43, 0x32, 0x0D }
- Counter 4 reset: { 0x20, 0x24, 0x30, 0x30, 0x43, 0x33, 0x0D }
In this case, everything remained constant except for the 0x43 value inserted just before the byte that selects the counter. Armed with this knowledge, I could now not only read but also manage the counters efficiently.
Eager to streamline the process, I set out to write a Python program that could replicate the control I had achieved through reverse engineering. I quickly crafted a simple socket program to establish a connection with the PLC. The culmination of my efforts was sending the command { 0x40, 0x30, 0x30, 0x31, 0x0D }; the PLC responded with the reassuring '<', signifying success. To my delight, the distinctive clicking noise of the PLC confirmed that the commands were taking effect.
With this initial success, I proceeded to code the remaining commands, transforming them into a cohesive library. This library, a testament to my journey of exploration and discovery, provided the means to control an ICP DAS PLC programmatically.
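A small Python encoder for the frames reverse engineered above, written here as an added illustration rather than the author's library: the relay, digital-input, counter-read and counter-reset frames are built byte for byte from the captures listed earlier, while the hex-digit encoding of relay combinations above 9 and the host/port passed to the bridge are assumptions.

```python
import socket

FRAME_END = b"\r"  # 0x0D closes every frame seen in the captures

def relay_command(mask: int) -> bytes:
    """Frame {0x40, 0x30, 0x30, X, 0x0D} that sets all four relays at once.
    Relay 1 is bit 0 (X = 0x31), relay 2 bit 1 (0x32), relay 3 bit 2 (0x34),
    relay 4 bit 3 (0x38), as captured. Masks 10..15 are assumed to encode as
    the hex digits 'A'..'F'; the captures do not show them.
    """
    if not 0 <= mask <= 0x0F:
        raise ValueError("relay mask must fit in 4 bits (0..15)")
    return b"@00" + format(mask, "X").encode("ascii") + FRAME_END

def relay_mask(*relays: int) -> int:
    """Combine relay numbers 1..4 into the 4-bit mask (2^0 .. 2^3)."""
    if any(r not in (1, 2, 3, 4) for r in relays):
        raise ValueError("relay number must be 1..4")
    return sum(1 << (r - 1) for r in set(relays))

def digital_input_command() -> bytes:
    # {0x40, 0x30, 0x30, 0x0D}: returns the state of all four digital inputs
    return b"@00" + FRAME_END

def _counter_digit(n: int) -> bytes:
    # counters 1..4 are selected by the ASCII digit 0x30..0x33
    if n not in (1, 2, 3, 4):
        raise ValueError("counter number must be 1..4")
    return bytes([0x30 + n - 1])

def counter_read_command(n: int) -> bytes:
    # {0x20, 0x23, 0x30, 0x30, 0x30+n-1, 0x0D}
    return b" #00" + _counter_digit(n) + FRAME_END

def counter_reset_command(n: int) -> bytes:
    # {0x20, 0x24, 0x30, 0x30, 0x43, 0x30+n-1, 0x0D}: 0x43 marks a reset
    return b" $00C" + _counter_digit(n) + FRAME_END

def is_ack(reply: bytes) -> bool:
    # the post reports '<' as the PLC's success reply to a relay command
    return reply.startswith(b"<")

def send_frame(host: str, port: int, frame: bytes, timeout: float = 2.0) -> bytes:
    """Send one frame through the TCP-to-serial bridge and return the raw reply.
    Nothing in a frame authenticates the sender: any host that can reach the
    bridge's port can drive the relays, so keep that port off general networks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
        return sock.recv(64)
```

A call such as `is_ack(send_frame(BRIDGE_IP, BRIDGE_PORT, relay_command(relay_mask(1, 3))))` closes relays 1 and 3 in one frame, with the bridge address and port being whatever your module was assigned.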
Now, fellow enthusiasts and engineers could harness the power of automation and extend the capabilities of their ICP DAS PLCs effortlessly, thanks to this comprehensive Python library. It was a gratifying moment, knowing that my efforts had not only unraveled the mysteries of the PLC but also empowered others to wield this newfound control.
Conclusion
Through reverse engineering, I successfully decoded the HEX values that the software transmitted to the PLC for control. This knowledge empowered me to control the PLC with ease through a Python script. I could now seamlessly operate Digital I/O, manage counters, and toggle pins on or off at will.
The feeling of wielding this newfound power was exhilarating. With a software I designed myself, I not only controlled the PLC but also unlocked the potential for automation and extended functionality. It was as if I had opened a door to a world of limitless possibilities.
This adventure was an enlightening journey, granting me deep insights into the inner workings of a PLC and shedding light on its security. As I navigated the labyrinthine code, I gained a profound understanding of how these systems operate and, in turn, of their potential vulnerabilities. Armed with this knowledge, I was not just a spectator but an active participant in the world of industrial automation, poised to make a meaningful impact.