Posted: 2011/11/24 7:44:54
Post #0
Research notes on cracking the U005 key of the Siemens 6RA70 DC drive
There are two cracking methods:
[Method 1] Brute-force writing U005 and testing
Method: first read U006 or some other rarely used parameter that is locked. If a value comes back, that proves the password is the current value of U005.1 and U005.2; otherwise keep brute-force writing U005.
[Method 2] Reading the EEPROM .bin image with a programmer
Method: first read out a .bin image of the unlocked unit with the programmer, then read another image after it is locked, and compare the two with a binary comparison tool. After a few tries the storage location of U006 becomes clear; then write a program that reads that location directly, converts it into the password and displays it.
I have tested both methods successfully. Below is a brief description of the process so that everyone can study and improve it together.
First, [Method 1]
I. Software needed:
1. DriveMonitor
2. Accessport
3. A serial port debugging tool
The software is shown in the picture below
II. Open all the software and connect the RS232 cable between the 6RA70 unit and the PC
1. Enter DriveMonitor, but do not press the online button yet
2. Open the monitoring software, enter its screen and configure the port first
3. Then, having confirmed the port is not open, select to monitor this port.
4. Press the DriveMonitor online button and look at the data captured by Accessport
[IMG]
5. Look for patterns
6. Other
III. Analysis of the current state
1. With DriveMonitor monitoring only U005.1=90: each time the online button (EEPROM) is clicked and then immediately closed, the capture shows "AAAAAA" written first, followed by a lot of other data, so the software we write must also send "AAAAAA" first.
2. Sending data copied from the capture with the serial debugging tool: sending "02 0C 00 60 05 80 01 00 5A 8C 7E 00 00 42" returns "02 0C 00 40 05 80 01 00 5A 43 31 00 00 E2", the same as DriveMonitor gets.
3. Monitoring r024 with value 0 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 10 18 00 00 00 00 8C 7E 00 00 F4
IRP_MJ_READ Length: 0008, Data: 02 0C 00 10 18 00 00 00
IRP_MJ_READ Length: 0006, Data: 00 43 31 00 00 74
Monitoring P052 with value 3 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 10 34 00 00 00 03 8C 7E 00 00 DB
IRP_MJ_READ Length: 0008, Data: 02 0C 00 10 34 00 00 00
IRP_MJ_READ Length: 0006, Data: 03 43 31 00 00 5B
Monitoring P051 with value 40 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 10 33 00 00 00 28 8C 7E 00 00 F7
IRP_MJ_READ Length: 0008, Data: 02 0C 00 10 33 00 00 00
IRP_MJ_READ Length: 0006, Data: 28 43 31 00 00 77
Monitoring P401 with value 5 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 61 91 00 01 01 F4 8C 7E 00 00 F8
IRP_MJ_READ Length: 0008, Data: 02 0C 00 41 91 00 01 01
IRP_MJ_READ Length: 0006, Data: F4 43 31 00 00 58
Monitoring P401 with value -5 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 61 91 00 01 FE 0C 8C 7E 00 00 FF
IRP_MJ_READ Length: 0008, Data: 02 0C 00 41 91 00 01 FE
IRP_MJ_READ Length: 0006, Data: 0C 43 31 00 00 5F
Monitoring P401 with value 102 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 61 91 00 01 27 D8 8C 7E 00 00 F2
IRP_MJ_READ Length: 0008, Data: 02 0C 00 41 91 00 01 27
IRP_MJ_READ Length: 0006, Data: D8 43 31 00 00 52
Monitoring P401 with value -102 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 61 91 00 01 D8 28 8C 7E 00 00 FD
IRP_MJ_READ Length: 0008, Data: 02 0C 00 41 91 00 01 D8
IRP_MJ_READ Length: 0006, Data: 28 43 31 00 00 5D
Monitoring P402 with value 0 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 61 92 00 01 00 00 8C 7E 00 00 0E
IRP_MJ_READ Length: 0008, Data: 02 0C 00 41 92 00 01 00
IRP_MJ_READ Length: 0006, Data: 00 43 31 00 00 AE
Monitoring P402 with value 5 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 61 92 00 01 01 F4 8C 7E 00 00 FB
IRP_MJ_READ Length: 0008, Data: 02 0C 00 41 92 00 01 01
IRP_MJ_READ Length: 0006, Data: F4 43 31 00 00 5B
Monitoring U005 with value 90 and P51=40 gives:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 5A 8C 7E 00 00 42
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 5A 43 31 00 00 E2
Monitoring U005 with value 90 and P51=0:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 5A 8C 7E 00 00 42
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 5A 43 31 00 00 E2
Monitoring U005 with value 0:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 00 8C 7E 00 00 18
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 00 43 31 00 00 B8
Monitoring U005 with value 1:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 01 8C 7E 00 00 19
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 01 43 31 00 00 B9
Monitoring U005 with value 2:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 00 00 00 00 00 02 8C 7E 00 00 FE
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 02 43 31 00 00 BA
Monitoring U005 with value 3:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 03 8C 7E 00 00 1B
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 03 43 31 00 00 BB
Monitoring U005 with value 4:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 04 8C 7E 00 00 1C
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 04 43 31 00 00 BC
Monitoring U005 with value 5:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 05 8C 7E 00 00 1D
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 05 43 31 00 00 BD
Monitoring U005 with value 6:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 00 00 00 00 00 06 8C 7E 00 00 FA
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 06 43 31 00 00 BE
Monitoring U005 with value 7:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 00 00 00 00 00 07 8C 7E 00 00 FB
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 07 43 31 00 00 BF
Monitoring U005 with value 8:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 08 8C 7E 00 00 10
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 08 43 31 00 00 B0
Monitoring U005 with value 9:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 09 8C 7E 00 00 11
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 09 43 31 00 00 B1
Monitoring U005 with value 10:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 0A 8C 7E 00 00 12
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 0A 43 31 00 00 B2
Monitoring U005 with value 16:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 10 8C 7E 00 00 08
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 10 43 31 00 00 A8
Monitoring U005 with value 99:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 63 8C 7E 00 00 7B
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 63 43 31 00 00 DB
Monitoring U005 with value 100:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 64 8C 7E 00 00 7C
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: 64 43 31 00 00 DC
Monitoring U005 with value 255:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 00 FF 8C 7E 00 00 E7
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 00
IRP_MJ_READ Length: 0006, Data: FF 43 31 00 00 47
Monitoring U005 with value 256:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 00 00 00 00 01 00 8C 7E 00 00 FD
IRP_MJ_READ Length: 0008, Data: 02 0C 00 00 00 00 00 01
IRP_MJ_READ Length: 0006, Data: 00 43 31 00 00 7D
Monitoring U005 with value 257:
IRP_MJ_WRITE Length: 0014, Data: 02 0C 00 60 05 80 01 01 01 8C 7E 00 00 18
IRP_MJ_READ Length: 0008, Data: 02 0C 00 40 05 80 01 01
IRP_MJ_READ Length: 0006, Data: 01 43 31 00 00 B8
Analysis: r024 in hexadecimal is 18, and the r024 value 0 in hexadecimal is 00
P052 in hexadecimal is 34, and the P052 value 3 in hexadecimal is 03
P051 in hexadecimal is 33, and the P051 value 40 in hexadecimal is 28
From this it can be seen:
In the "IRP_MJ_WRITE" data, counting bytes from the left, the 5th byte is the parameter number and the 9th byte is the parameter value
Correspondingly, of the two "IRP_MJ_READ" entries under each "IRP_MJ_WRITE", the first contains the parameter number and the second contains the parameter value
4. When monitoring only U005:
1) First send "AAAAAA",
2) then send the data for r063.1, "02 0C 00 60 3F 00 01 00 00 8C 7E 00 00 A2", 2 times; the returned result differs each time
3) then send the data for r060.1, "02 0C 00 60 3C 00 01 00 00 8C 7E 00 00 A1", 2 times
4) then send "02 0C 00 00 3C 00 01 00 20 8C 7E 00 00 E1" once; this seems to assign the value "20"
5) then send the data for r063.2, "02 0C 00 60 3F 00 02 00 00 8C 7E 00 00 A1", 2 times
6) then send "02 0C 00 00 3F 00 02 00 94 8C 7E 00 00 55" once; this seems to assign the value "94"
7) then send the data for r060.2, "02 0C 00 60 3C 00 02 00 00 8C 7E 00 00 A2", once
8) then send the data for r065.2, "02 0C 00 60 41 00 02 00 00 8C 7E 00 00 DF", 2 times
9) then send "02 0C 00 60 05 80 01 02 32 8C 7E 00 00 28" 2 times
10) then send the data for r063.3, "02 0C 00 60 3F 00 03 00 00 8C 7E 00 00 A0", 2 times
11) then send the data for r063.4, "02 0C 00 60 3F 00 04 00 00 8C 7E 00 00 A7", 2 times
12) then send the data for r063.5, "02 0C 00 60 3F 00 05 00 00 8C 7E 00 00 A6", 2 times
13) then send the data for r063.3, "02 0C 00 60 3F 00 03 00 00 8C 7E 00 00 A0", once
14) the U005-related information is then displayed repeatedly
When monitoring an empty parameter table:
AA AA AA
02 0C 00 00 3F 00 03 00 00 8C 7E 00 00 C0 probably r63.3
02 0C 00 60 3F 00 01 00 00 8C 7E 00 00 A2 r63.1
02 0C 00 60 3F 00 01 00 00 8C 7E 00 00 A2 r63.1
02 0C 00 60 3C 00 01 00 00 8C 7E 00 00 A1 r60.1
02 0C 00 60 3C 00 01 00 00 8C 7E 00 00 A1 r60.1
02 0C 00 60 3F 00 02 00 00 8C 7E 00 00 A1 r63.2
02 0C 00 60 3F 00 02 00 00 8C 7E 00 00 A1 r63.2
02 0C 00 60 3C 00 02 00 00 8C 7E 00 00 A2 r60.2
02 0C 00 60 3C 00 02 00 00 8C 7E 00 00 A2 r60.2
02 0C 00 60 41 00 02 00 00 8C 7E 00 00 DF probably r65.2
02 0C 00 60 3F 00 03 00 00 8C 7E 00 00 A0 r63.3
02 0C 00 60 3F 00 03 00 00 8C 7E 00 00 A0 r63.3
02 0C 00 60 3F 00 04 00 00 8C 7E 00 00 A7 r63.4
02 0C 00 60 3F 00 04 00 00 8C 7E 00 00 A7 r63.4
02 0C 00 00 3F 00 04 00 00 8C 7E 00 00 C7 r63.4
02 0C 00 60 3F 00 05 00 00 8C 7E 00 00 A6 r63.5
02 0C 00 60 3F 00 05 00 00 8C 7E 00 00 A6 r63.5
02 0C 00 00 3F 00 05 00 00 8C 7E 00 00 C6 r63.5
02 0C 00 60 3F 00 03 00 00 8C 7E 00 00 A0 r63.3
02 0C 00 60 3F 00 03 00 00 8C 7E 00 00 A0 r63.3
02 0C 00 00 3F 00 03 00 00 8C 7E 00 00 C0 probably r63.3
02 0C 00 00 3F 00 03 00 00 8C 7E 00 00 C0 probably r63.3; this parameter keeps being displayed repeatedly
When monitoring the empty parameter table a second time the result was slightly different; for example, the parameter order or the number of reads changed on the second capture.
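The captured telegrams above are Siemens USS frames, and the byte positions the post identifies by trial (5th byte = parameter number, 9th byte = value) fall out of the published USS layout: STX, LGE, ADR, then the PKW words PKE (task ID + parameter number), IND (array index, with the high bit selecting the U/n parameter page 2000..3999), PWE (the value), two PZD words, and an XOR block check (BCC). The following decoder is an added example, not the author's software; it parses the frames quoted in the post, verifies each BCC, and goes a little beyond the post's rule by decoding the full 11-bit parameter number (the P401 frames carry 61 91, which the 5th-byte rule alone does not explain) and the signed value (P401 = -5.00 travels as FE 0C). It also shows the defender's side of the same capture: a tap on the RS232 line can flag a burst of many different values aimed at U005, which is what a key-guessing run looks like on the wire, and can count tasks that store to EEPROM, which eat the write budget the post warns about. The task/response ID names follow the public USS specification; the alert threshold and the PKW = 3 words / PZD = 2 words layout (implied by the 14-byte frames) are assumptions made here.

```python
"""USS telegram decoder and key-probe monitor for the 6RA70 captures above.

Added example, not the post's own software. Assumes PKW = 3 words (PKE, IND,
PWE) and PZD = 2 words, as the 14-byte captures imply; task/response IDs and
the IND page bit follow the public USS specification; the alert threshold is
an arbitrary value chosen here.
"""

# PKW task IDs (master -> slave) and response IDs (slave -> master) from the
# USS specification. Only the IDs relevant to the captures are named.
TASK_IDS = {
    0: "no task", 1: "request value", 2: "change value (word)",
    3: "change value (dword)", 6: "request value (array)",
    7: "change value (array word)", 8: "change value (array dword)",
    11: "change value (array dword), store in EEPROM",
    12: "change value (array word), store in EEPROM",
    13: "change value (dword), store in EEPROM",
    14: "change value (word), store in EEPROM",
}
RESPONSE_IDS = {
    0: "no response", 1: "value (word)", 2: "value (dword)",
    4: "value (array word)", 5: "value (array dword)",
    7: "task cannot be executed", 8: "no parameter change rights",
}
EEPROM_TASKS = {11, 12, 13, 14}   # the writes that consume the r827 write budget
KEY_PNU = 2005                    # U005, the key parameter the post is about


def bcc(data: bytes) -> int:
    """USS block check: XOR of every byte from STX up to, not including, BCC."""
    result = 0
    for b in data:
        result ^= b
    return result


def parse_uss_frame(hex_text: str, is_response: bool = False) -> dict:
    """Decode one telegram given as a hex string like an IRP_MJ_WRITE line.

    For a response, join the two IRP_MJ_READ chunks (8 + 6 bytes) first.
    """
    raw = bytes.fromhex(hex_text)
    if len(raw) < 3 or raw[0] != 0x02:
        raise ValueError("missing STX")
    lge = raw[1]                              # byte count from ADR through BCC
    if len(raw) != lge + 2:
        raise ValueError(f"LGE {lge} does not match {len(raw)} bytes")
    pke = int.from_bytes(raw[3:5], "big")
    ind = int.from_bytes(raw[5:7], "big")
    pnu = pke & 0x07FF                        # 11-bit parameter number
    if ind & 0x8000:                          # IND page bit: U/n parameters 2000..3999
        pnu += 2000
    ak = pke >> 12                            # task ID or response ID
    names = RESPONSE_IDS if is_response else TASK_IDS
    return {
        "adr": raw[2],
        "ak": ak,
        "ak_name": names.get(ak, f"id {ak}"),
        "pnu": pnu,
        "index": ind & 0x00FF,                # array index (U005.1 -> 1)
        # PWE is a signed word: P401 = -5.00 travels as 0xFE0C = -500
        "pwe": int.from_bytes(raw[7:9], "big", signed=True),
        "pzd": (int.from_bytes(raw[9:11], "big"), int.from_bytes(raw[11:13], "big")),
        "bcc_ok": raw[-1] == bcc(raw[:-1]),
    }


def key_probe_report(master_frames, threshold: int = 5) -> dict:
    """Summarise master telegrams: how many distinct values were aimed at U005
    (many different ones in one capture is what guessing the key looks like)
    and how many tasks asked for an EEPROM store. Bad-BCC frames are dropped."""
    key_values = set()
    eeprom_writes = 0
    for frame in master_frames:
        d = parse_uss_frame(frame)
        if not d["bcc_ok"]:
            continue                          # corrupted capture line
        if d["ak"] in EEPROM_TASKS:
            eeprom_writes += 1
        if d["ak"] != 0 and d["pnu"] == KEY_PNU:
            key_values.add(d["pwe"])
    return {"distinct_key_values": len(key_values),
            "eeprom_writes": eeprom_writes,
            "alert": len(key_values) >= threshold}


# IRP_MJ_WRITE telegrams copied from the capture log above: r024, P401 = -5,
# then U005 probed with 90, 0, 1, 3, 4, 5 and 8.
CAPTURED_MASTER_FRAMES = [
    "02 0C 00 10 18 00 00 00 00 8C 7E 00 00 F4",
    "02 0C 00 61 91 00 01 FE 0C 8C 7E 00 00 FF",
    "02 0C 00 60 05 80 01 00 5A 8C 7E 00 00 42",
    "02 0C 00 60 05 80 01 00 00 8C 7E 00 00 18",
    "02 0C 00 60 05 80 01 00 01 8C 7E 00 00 19",
    "02 0C 00 60 05 80 01 00 03 8C 7E 00 00 1B",
    "02 0C 00 60 05 80 01 00 04 8C 7E 00 00 1C",
    "02 0C 00 60 05 80 01 00 05 8C 7E 00 00 1D",
    "02 0C 00 60 05 80 01 00 08 8C 7E 00 00 10",
]

if __name__ == "__main__":
    for frame in CAPTURED_MASTER_FRAMES:
        d = parse_uss_frame(frame)
        print(f"{d['ak_name']:<22} PNU {d['pnu']:>4}.{d['index']} "
              f"PWE {d['pwe']:>5} BCC ok: {d['bcc_ok']}")
    print(key_probe_report(CAPTURED_MASTER_FRAMES))
```

Running it decodes the r024 frame as task 1 on PNU 24, the P401 frame as task 6 on PNU 401 with PWE -500, and every U005 frame as task 6 on PNU 2005 index 1, with all block checks valid; the report then counts seven distinct values sent to the key parameter and raises the alert. The same decoder on a response frame such as "02 0C 00 40 05 80 01 00 5A 43 31 00 00 E2" (the two IRP_MJ_READ chunks joined) gives response ID 4, "value (array word)".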
Parameter meanings:
Writing the software:
Points to note:
1. It is best, after starting the software, to set P51=40 directly when the serial port is activated
2. The writes used for cracking should go to RAM, not to EEPROM, because the EEPROM has a limited number of write cycles
3. Parameterization enable P927 must have the G-SST1 serial port, i.e. the X300 connector, activated; the default value of P927 is 6 (4+2), which enables the PMU and the G-SST1 on X300 plus the OP1S
Note: the EEPROM endurance is typically 1 to 10 million erase/write cycles; r827.1 shows the number of EEPROM write accesses and r827.2 shows the count of EEPROM write access operations
Software screenshot:
The overall design of the software is done, the details are not yet polished; testing has shown it can crack the key successfully! It is currently being refined.
Now [Method 2]
Tools needed:
One EEPROM programmer
A set of accompanying software
I use a SOFI (硕飞) product. I opened the programmer up and the build quality is quite good, the read/write speed is quite fast, and it supports reading and writing over ISP.
The software is shown in the picture below
The programmer is shown below:
Procedure:
1. First identify which pins of the CUD1 board socket correspond to the EEPROM pins
This is my measured result, counting from bottom to top:
CUD1 socket pin 8 corresponds to EEPROM pin 1, CS#
Pins 5, 9 and 11 correspond to pin 4, VSS
Pin 12 corresponds to pin 5, DI
Pin 13 corresponds to pins 3, 7 and 8 (3-WP#, 7-HOLD, 8-VCC)
Pin 14 corresponds to pin 6
Connect these pins to the programmer, select the EEPROM type (the unit I have uses an ATMEL 25128N1), and read out the .bin file with the software
Then change the value of U006 and read the modified .bin again with the software; compare the read-out .bin files with HexCmp and keep notes; after a few tries a pattern emerges.
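The comparison step above is what the post does with HexCmp: diff two dumps of the same EEPROM and record which bytes moved, then repeat until the pattern is stable. The script below is an added example, not the author's tool. It lists every contiguous run of changed bytes with offset and old/new values, and it intersects the change sets of several consecutive dumps, because a single diff also picks up bytes that move for unrelated reasons (a stored write counter, for instance) and only the bytes that change in every trial belong to the parameter that was edited each time. The same comparison is how one confirms that a configuration image restored to a spare CUD1 board still matches the golden copy. The sample images are constructed 256-byte stand-ins (the real AT25128 holds 16 KiB) and their offsets mean nothing.

```python
"""Compare EEPROM dumps and report the byte ranges that changed.

Added example, not the author's tool. The sample images are constructed here
and do not come from a real 6RA70; the offsets carry no meaning.
"""
from typing import List, Sequence, Set, Tuple


def diff_ranges(before: bytes, after: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, old_bytes, new_bytes) for each contiguous run that differs."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size; compare images of the same part")
    runs = []
    start = None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i                                  # a changed run begins
        elif a == b and start is not None:
            runs.append((start, before[start:i], after[start:i]))
            start = None                               # the run ends
    if start is not None:                              # run reaches end of image
        runs.append((start, before[start:], after[start:]))
    return runs


def changed_offsets(before: bytes, after: bytes) -> Set[int]:
    """Set of byte offsets that differ between two equally sized dumps."""
    return {i for i, (a, b) in enumerate(zip(before, after)) if a != b}


def consistently_changed(dumps: Sequence[bytes]) -> List[int]:
    """Offsets that differ between every consecutive pair of dumps.

    Bytes that move only in some trials (counters, housekeeping) drop out;
    what remains changed on every edit.
    """
    common = None
    for a, b in zip(dumps, dumps[1:]):
        s = changed_offsets(a, b)
        common = s if common is None else common & s
    return sorted(common or [])


def format_runs(runs: List[Tuple[int, bytes, bytes]]) -> List[str]:
    """Human-readable lines in the style of a hex comparison tool."""
    return [f"0x{off:04X}: {old.hex(' ')} -> {new.hex(' ')}" for off, old, new in runs]


def sample_dumps() -> Tuple[bytes, bytes, bytes]:
    """Constructed images: a 2-byte field at 0x10 is edited in both trials, while
    a byte at 0x80 moves only in the first and a byte at 0xC0 only in the second."""
    d0 = bytes(range(256))
    d1 = bytearray(d0)
    d1[0x10:0x12] = b"\x12\x34"
    d1[0x80] ^= 0xFF
    d2 = bytearray(d1)
    d2[0x10:0x12] = b"\x56\x78"
    d2[0xC0] ^= 0xFF
    return d0, bytes(d1), bytes(d2)


if __name__ == "__main__":
    d0, d1, d2 = sample_dumps()
    print("\n".join(format_runs(diff_ranges(d0, d1))))
    print("changed in every trial:", [hex(o) for o in consistently_changed([d0, d1, d2])])
```

On the constructed images the first diff reports two runs (0x0010: 10 11 -> 12 34 and 0x0080: 80 -> 7f), and the intersection over both trials keeps only offsets 0x10 and 0x11, exactly the "pattern after a few tries" the post describes.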
I have finished writing the software that cracks the Siemens DC drive key with the second method; I don't know whether it suits other programmer models,
as shown below:
[This post was edited by the author on 2011/11/24 8:00:26]
Siemens expert