# RS Logix 500 Question.



## Electrorecycler

"This program has been PROTECTED from user access!"

This is the message I receive each and every time I try to upload the program from one of our machines. It's the last program left to back-up. The manufacturer is no longer supporting the equipment and will not open communications to tell me how to bypass this issue.

I have spoken to my local AB rep and he gave me a master password which is supposed to get me around the issue. I'm sure if you know AB PLC's, you know which one I'm referring to. It didn't work. Now I'm stuck with a PLC that can't be modified in any way and no program to work with.

The PLC is a SLC5/04.

I am able to go online, I just can't view or edit the ladder logic.

Help!


----------



## MDShunk

For almost everything AB, the master password was ABUNLOCK, but you change that to numbers by looking at your telephone keypad. Some people will try to say that this is super-secret information, but it's been sprinkled through several official Allen Bradley knowledgebase articles over the years.


----------



## Electrorecycler

That was the first thing I tried. It won't accept it. I've spoken to our contractor who's a Plc guru and he's never even heard of it. Bloody German programmers! 


Sent from my iPhone using Tapatalk


----------



## Noble 32

One of the more plc savvy guys I work with knows how to get into them. I will ask him but I do know it involves opening the program as a word document. One of the lines of code has the password in it.


----------



## mikey383

IMO, companies which do that sort of thing are complete A-holes. 

We recently had an issue like that, where an Italian company installed a new production line, gave us copies of all the programs, then sent a tech out a few months later to fine tune everything. 

Shortly after he left, there was a major fault on one of the processors. The tech locked up the RSLogix5000 program to where only his computer was able to access it. We couldn't clear the fault, upload, or download the program without the computer he used. 

We reset the memory on the processor, downloaded the most recent version of the program we had, then told them they had to fix it on their dime.


----------



## Jhellwig

Make sure your liscensing is correct. That can cause odd issues to pop up.


----------



## CYoung

I am pretty sure that it can be unlocked using Excel also. Use RSLinxs to create a topic, and then create a excel spreadsheet that will write to the memory location where it is password protected (S:???).


----------



## Electrorecycler

I've found the location for the password protection. S:1/14. I'm just not sure how to change the status from 1 to 0. 


Sent from my iPhone using Tapatalk


----------



## Electrorecycler

Apparently the "future access" oem lock is on. 


Sent from my iPhone using Tapatalk


----------



## Eddie Willers

The right way to implement the OEM Lock feature in an SLC or MicroLogix is to both set the "Allow Future Access" bit to zero, and to write-protect the S:2 Status data file. 

If your OEM has done so, there is no possible way to access the logic stored in the SLC-5/04.

Many OEMs don't do the second step, so you can send a message over one of the network ports to set "Allow Future Access" = 1, which will allow you online.

I don't remember if you can do this with a PanelView terminal. I know you can do it with Excel and RSLinx, and you can do it with another PLC and a Message instruction.

What sort of tools do you have at your disposal other than the SLC-5/04 and the RSLogix 500 computer ?


----------



## Eddie Willers

I reviewed the 1747-RM001 reference manual to remind myself of a couple of things.

I'm wrong about the logic state, above. When S:1/14 = 1, then external access is DENIED.

It turns out you can still do a "transfer to memory module" feature if you have an old DTAM or software that can send those commands. 

But if it were me, I'd put the controller in PROG mode, send a MSG instruction to write S:1/14 = 0, and then try to go online.


----------



## Electrorecycler

Will try. Thanks. 


Sent from my iPhone using Tapatalk


----------



## Eddie Willers

Upon second thought, I'm not sure what command does a "read-modify-write" on a word.

Best to do a MSG to Read the value of word S2:1, then change the value of bit 14, and write the result back to S2:1.

The Status file behaves just like an Integer file; you could probably address it in a MSG instruction configuration as "N2:1".

I've done this, ages ago, by connecting a MicroLogix 1200 to the serial port of an SLC-5/03 and pressing a button wired to an input to trigger the MSG.


----------



## Electrorecycler

An update on this thread. I was able to get around the OEM lock and it was stupidly simple. This is even after AB told me that there was no work around. I will happily share this info with anyone who presently has this issue. Just send me a private message.


----------



## jorger1953

Electrorecycler, How do you solve the problem? I send you a private message, but I think it didn't arrive to you.
Best regards


----------



## psgama

Hint Hint, Hex Editor, project file and Processor name.


----------



## C_951

Why not just post it here so everyone who runs into this situation can know how to get around this.


----------



## Electrorecycler

It's a touchy subject with some PLC guys. It comes down to intellectual property and its protection, which I'm a believer in. The OEM lock is a good thing, as long as the manufacturer still supports their product. When you spend countless hours developing a program, the last thing you want is for someone to "steal" your ideas. It becomes a problem when they go out of business, or no longer support older equipment. Which was the situation I found myself in. 

I wouldn't even post this subject on some PlC forums. I'd probably get banned for it, or at the very least my post would be deleted. 


Sent from my iPhone using Tapatalk


----------



## psgama

Yes. I agree. Methods should not be made completely public. Code in a system sold as a package is property of the company that created it. Helping individuals with code recovery privately is fine by me if a vendor has gone out of business. However, if a client has paid to have a program developed that program should not be password protected, as it is property of the client. I've discovered workarounds for other software such as isagraf, DS800 to discover or remove the passwords on project files and until vendors start using Password hashing with a salt specific to each processor, passwords will be crackable (and probably still crackable even then to the right people) 

Cheers


----------



## Electrorecycler

Update on my update. Apparently my fix only works of some AB PLC's. I've been successful with SLC 500's, but not with MLX.


----------



## eng abdo

*plz help me i have same problem*

i have same problem and very tired to find solution i try send private message to ask ur help but i cannot due new account . hope u send me solution


----------



## psgama

What version of rslogix 500, what exactly is your issue, is it just source protection or is deny future access enabled? Do you have an existing project file? Or are you trying to do a fresh download from the processor? You can't be so vague while asking for help.


----------



## eng abdo

i need ur help too . i have the same problem at slc5/05 and micrologix 1200 AB plc . i try send message private to you but cannot due to new account .
So plz send me message for solution


----------



## eng abdo

*my problem*



psgama said:


> What version of rslogix 500, what exactly is your issue, is it just source protection or is deny future access enabled? Do you have an existing project file? Or are you trying to do a fresh download from the processor? You can't be so vague while asking for help.


version of rslogix 500 is 8.00.00 (CPR 9)
my problem i cannot upload or modify at rslogix 500 due to s:1/14 access deny bit is active . i not have original program and ask for assistant here at Egypt for AB plc and cannot find solution


----------



## psgama

Think about what tools you have at your disposal to change a bit in the PLC other than rslogix 500.


----------



## eng abdo

*still problem*



psgama said:


> Think about what tools you have at your disposal to change a bit in the PLC other than rslogix 500.


i already do to change this bit from 1 to 0 by go to this bit at rslogix 500 and convert it to 0 but when i want to save it not saved cause the program protected


----------



## psgama

PM me your email address. If you were able to change the bit, the rest is easy


----------



## eng abdo

*need help*



Electrorecycler said:


> "This program has been PROTECTED from user access!"
> 
> This is the message I receive each and every time I try to upload the program from one of our machines. It's the last program left to back-up. The manufacturer is no longer supporting the equipment and will not open communications to tell me how to bypass this issue.
> 
> I have spoken to my local AB rep and he gave me a master password which is supposed to get me around the issue. I'm sure if you know AB PLC's, you know which one I'm referring to. It didn't work. Now I'm stuck with a PLC that can't be modified in any way and no program to work with.
> 
> The PLC is a SLC5/04.
> 
> I am able to go online, I just can't view or edit the ladder logic.
> 
> Help!


i have the same at slc 5/05 and micrologix 1200 ABplc and i already do to change this bit from 1 to 0 by go to this bit at rslogix 500 and convert it to 0 but when i want to save it not saved cause the program protected so if ur problem solved please i wait message from u for helping me to upload my program.


----------



## psgama

PM me your email address. We will take this off the forum


----------



## psgama

I have a method to recover code even if the status file is write protected. You must be fully up to date with your RSLogix 500 version though. I can provide more information to those who need it via PM if they can prove that the OEM will not assist. 

I can also provide an excel sheet for the Read Modify Write Status word to Turn the Deny Future access bit off and on if anyone needs it. It has a macro, so you have to trust the sheet, and of course, write protection on the status word must not have been enabled for it to work.

All that is required to use the excel sheet is to create a new topic in RSLINX named "test" from the processor you want to enable access to.

Or create the sheet yourself with the following macro



Code:


Sub Word_Read()
RSIchan = DDEInitiate("RSLinx", "test")
Data = DDERequest(RSIchan, "S:1")
Range("[test.XLSM]DDE_Sheet!B1").Value = Data
DDETerminate (RSIchan)
End Sub

Sub SetBit_Off()
RSIchan = DDEInitiate("RSLinx", "test")
Data = DDERequest(RSIchan, "S:1")
Range("[test.XLSM]DDE_Sheet!B1").Value = Data

If Range("[test.XLSM]DDE_Sheet!B1") >= 16384 Then
Range("[test.XLSM]DDE_Sheet!B1") = (Range("[test.XLSM]DDE_Sheet!B1") - 16384)
DDEPoke RSIchan, "S:1", Range("[test.XLSM]DDE_Sheet!B1")
RSIchan = DDEInitiate("RSLinx", "test")
Data = DDERequest(RSIchan, "S:1")
Range("[test.XLSM]DDE_Sheet!B1").Value = Data
    If Range("[test.XLSM]DDE_Sheet!B1") < 16384 Then
    MsgBox ("Success")
    End If
Else
MsgBox ("Deny Future Access Bit Already OFF")
DDETerminate (RSIchan)
End
End If
DDETerminate (RSIchan)
End Sub
Sub SetBit_ON()
RSIchan = DDEInitiate("RSLinx", "test")
Data = DDERequest(RSIchan, "S:1")
Range("[test.XLSM]DDE_Sheet!B1").Value = Data

If Range("[test.XLSM]DDE_Sheet!B1") < 16384 Then
Range("[test.XLSM]DDE_Sheet!B1") = (Range("[test.XLSM]DDE_Sheet!B1") + 16384)
DDEPoke RSIchan, "S:1", Range("[test.XLSM]DDE_Sheet!B1")
RSIchan = DDEInitiate("RSLinx", "test")
Data = DDERequest(RSIchan, "S:1")
Range("[test.XLSM]DDE_Sheet!B1").Value = Data
    If Range("[test.XLSM]DDE_Sheet!B1") >= 16384 Then
    MsgBox ("Success")
    End If
Else
MsgBox ("Deny Future Access Bit Already ON")
DDETerminate (RSIchan)
End
End If
DDETerminate (RSIchan)
End Sub

PM me for details.


----------



## eng abdo

*yes i need details*



psgama said:


> I have a method to recover code even if the status file is write protected. You must be fully up to date with your RSLogix 500 version though. I can provide more information to those who need it via PM if they can prove that the OEM will not assist.
> 
> I can also provide an excel sheet for the Read Modify Write Status word to Turn the Deny Future access bit off and on if anyone needs it. It has a macro, so you have to trust the sheet, and of course, write protection on the status word must not have been enabled for it to work.
> 
> All that is required to use the excel sheet is to create a new topic in RSLINX named "test" from the processor you want to enable access to.
> 
> Or create the sheet yourself with the following macro
> 
> 
> 
> Code:
> 
> 
> Sub Word_Read()
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> DDETerminate (RSIchan)
> End Sub
> 
> Sub SetBit_Off()
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> 
> If Range("[test.XLSM]DDE_Sheet!B1") >= 16384 Then
> Range("[test.XLSM]DDE_Sheet!B1") = (Range("[test.XLSM]DDE_Sheet!B1") - 16384)
> DDEPoke RSIchan, "S:1", Range("[test.XLSM]DDE_Sheet!B1")
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> If Range("[test.XLSM]DDE_Sheet!B1") < 16384 Then
> MsgBox ("Success")
> End If
> Else
> MsgBox ("Deny Future Access Bit Already OFF")
> DDETerminate (RSIchan)
> End
> End If
> DDETerminate (RSIchan)
> End Sub
> Sub SetBit_ON()
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> 
> If Range("[test.XLSM]DDE_Sheet!B1") < 16384 Then
> Range("[test.XLSM]DDE_Sheet!B1") = (Range("[test.XLSM]DDE_Sheet!B1") + 16384)
> DDEPoke RSIchan, "S:1", Range("[test.XLSM]DDE_Sheet!B1")
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> If Range("[test.XLSM]DDE_Sheet!B1") >= 16384 Then
> MsgBox ("Success")
> End If
> Else
> MsgBox ("Deny Future Access Bit Already ON")
> DDETerminate (RSIchan)
> End
> End If
> DDETerminate (RSIchan)
> End Sub
> 
> PM me for details.


1-this sheet with marco where write at excel sheet ?
2-i know you send to me before message because i need ur help and really i thank you . but are there new


----------



## psgama

Admins, please delete this link if not allowed.

Please see Demonstration of Removal of Deny Future Access bit when improperly implemented without write protecting the status file


----------



## psgama

Code recovery with Write Protection Enabled Video. Tested on a New MicroLogix PLC on a computer that has never opened the original source file


----------



## eng abdo

*thanks and need solve this*

this appear with me what can i do to solve it 
regards


----------



## psgama

The file must be named test. You have it named test(2)


----------



## eng abdo

hello 
i hope all fine . i do steps for removing s:1/14 bit as you show at your video but not effect to change this bit . i send record video for what i do to your email.also hope ask when you do your video you have original program for your plc or not .
i am very sorry for boring you but really need your respond 
regards


----------



## psgama

If the bit will not change, then your firmware on the micrologix has auto locked the status bit, which the new firmware does. If it is an SLC, the status file has been write protected and there is nothing else I can do to help you at this time. 

If you upgrade to RSLogix 500 v10 I may be able to help, but I have no workaround for version 8, and currently do not have time to develop one, as I am very busy with work as well as personal matters at this time.

Sorry friend.


----------



## eng abdo

*sorry*

i try to buy rslogix500 v 10 but really ask more and no engineer use it . so i need ur to send this program with version to me please 
regards


----------



## PFanizzi

Hello, I have the same issue on an old 5/04. The programmer give me the latest backup but it doesn't fit and he said he cant'put that protection because He doesn't know it.
You can help me to put bit S:1/14 to zero or any other way to access to the PLC without resetting it?


----------



## MDShunk

What do you mean by "it doesn't fit"? Typically you'd just toggle that bit in your backup and download it to the processor.


----------



## psgama

What version logix500 are you using?


----------



## Mangocat

Thanks psgama for this macro.

I am working with a SLC 500/02 that controls the main curtain in our theatre.
It is the only PLC in the building and I am not very familiar with them but it falls to me to maintain this system.
It is still working fine after being on 24/7 since 1992 I have only replaced one output module being replaced in that time.
Last summer we lost power for a few days after hurricane Irma. The battery held the program but I have been concerned about a possibl longer outage this season or even the possibility of the power supply failing after all these years.
We have no backup of the program, so I have managed to acquire an old laptop with a serial port and RS logix/linx and a pic adapter in an effort to back up the program.
Now I am learning about the protected access lock, because that is what we have.
I have set up a topic in Linx and an excel sheet with your macro.
I can't get data into it though.
Trying to copy a DDE link from Linx, I don't see a S:1 register as referred to in the macro
I only see 0:0, I:1, S:2, B:3, T:4, AND N:7

Am I missing something?
Should I change the macro to S:2 ?
Thanks in advance if you happen respond to such an old thread.
Russ


----------



## psgama

What version of rslogix are you using?


----------



## Mangocat

Hi,
8.10


----------



## psgama

Find upgrade to version 10 or 11 online. Many forum sites have it uploaded. PM me your email address and we can take this offline. I have another method to recover code. With the 500 series, you won’t have any descriptors if you don’t have an original program file as a starting point though.


----------



## Mangocat

Thanks.
I'll start hunting for the update.
I can't pm yet, I'm new around here. I don't intend any changes to the program, just want to have a backup in case of loss.
It's pretty simple. Just tells the motor which way to run, where to stop, and when to start deceleration.


----------



## psgama

Let me know when you find a copy. 10.0.0 would be best, as I already have a method available. Several plc forums have the installer shared


----------



## Mangocat

All the links I have found so far are dead now.

I am svmangocat at the gmail if anyone cares to comment.


----------



## mohammed_92

i have OEM lock on slc 5/03 and i already do to change S1:14 bit from 1 to 0 by go to this bit at rslogix 500 and convert it to 0 but when i want to save it not saved cause the program protected so if ur problem solved please i wait message from u for helping me to upload my program. My email is [email protected]


----------



## MDShunk

email it to me and I'll unlock it.


----------



## mohammed_92

Email what to you , what do you need??


----------



## cmdr_suds

Sometimes if the overall sequence isn’t too complex, I find it easier just to s..tcan the original program and start from scratch. But then again I write plc code for a living.


----------



## wapiti

*Need Help Removing OEM Lock*



MDShunk said:


> email it to me and I'll unlock it.


Can I send you mine please? I have a lock on mine and the OEM supplier is no longer in business.

Thanks.


----------



## psgama

Upload your program somewhere and share the link here.


----------



## Minhquanghp86

psgama said:


> What version of rslogix are you using?


Hi. I work with a micrologix 1400 plc, I use rslogix v11, and when uploading and downloading also encounter oem lock status. Your psgama tutorial video I can't watch, so can someone help me? Sorry I'm not good at English .... I'm Vietnamese. Thanks very much


----------



## Minhquanghp86

Please help me. My Email: [email protected]


----------



## Minhquanghp86

MDShunk said:


> email it to me and I'll unlock it.


Can you help me. My email: [email protected]
Thank


----------



## cuddonfd

Hi Team

First time post,joined especially for this topic, How to get past OEM lock.

I work for an OEM building Industrial Freeze Dryers, our cpompany just accepted a trade in on on a new machine, unfortunately the machine the customer traded, which is one of ours, is so old (25 yrs) that the company no longer has the RSS files here, and we migrated to Omron PLCs about 20 years ago.

My boss wants me to get this machine running, but it is starting up with a fault and wont run. I can force all the outputs to check the systems and they are all fine, it just wont start on auto run due to an unknown system alarm (not PLC alarm).

I really need to get past the OEM lock to save starting from scratch.

It is a AB Micrologix 1000 PLC (Bul.1761)
I am successfully connected through RSlinx, RSlogix Micro Lite and ADVHMI via RS232 serial.

In RSlogix the S:1/14 bit is greyed out and cant be changed, even in the binary view it won't save a change.

Any help here is appreciated.

Regards
Andrew


----------



## dronai

Did you try plctalk.net ?


----------



## paulengr

The old ABUNLOCK password dies not work on that PLC. You can’t do anything with it.


----------



## gpop

plctalk.net is your best bet. There is meant to be a way that you can write directly into the plc but it takes a good understanding of C or someone who's willing to show you how.


----------



## RonC1952

*Authenticate Password Issue in RSLogix 500*

I recently ran into an issue with a program developed by a company that is no longer in business and the person that wrote the code has passed away. When I open the program it asks me to authenticate the password. 

I tried the back door password that should bypass any passwords that was put into the program but it does not work.

Can someone that had the issue give me some ideas on how to figure a way to actually recover the password or go around the password?


----------



## just the cowboy

RonC1952 said:


> I recently ran into an issue with a program developed by a company that is no longer in business and the person that wrote the code has passed away. When I open the program it asks me to authenticate the password.
> 
> I tried the back door password that should bypass any passwords that was put into the program but it does not work.
> 
> Can someone that had the issue give me some ideas on how to figure a way to actually recover the password or go around the password?


www.plctalk.net as @gpop said. 
Note: there is a good chance no one will open it or tell you how due to legal issues. Depends on how they feel today!

I know for a large fee Allen Bradley used to unlock them if you could prove the OEM is no longer in business.


----------



## gpop

RonC1952 said:


> I recently ran into an issue with a program developed by a company that is no longer in business and the person that wrote the code has passed away. When I open the program it asks me to authenticate the password.
> 
> I tried the back door password that should bypass any passwords that was put into the program but it does not work.
> 
> Can someone that had the issue give me some ideas on how to figure a way to actually recover the password or go around the password?


You did convert the password to numbers using the old fashion phone keys. 

Can you save a copy of the program?


----------



## RonC1952

*RSLogix 500*

Yes I tried to convert the backdoor to the numbers on the phone and it still didn't work. and yes I do have a copy sent by the company to the plant back in 1990's.


----------



## gpop

if you can open the copy then do so and go online with the program.

If it requires a upload then your copy is not the same as the one in the plc.

There is a way to wipe the memory on the micrologix which will reset it to factory (never used it myself just quoting what i have been told)

use MLCLRMEM (65257636) as the password and it should delete the program


----------



## macmikeman

gpop said:


> if you can open the copy then do so and go online with the program.
> 
> If it requires a upload then your copy is not the same as the one in the plc.
> 
> There is a way to wipe the memory on the micrologix which will reset it to factory (never used it myself just quoting what i have been told)
> 
> use MLCLRMEM (65257636) as the password and it should delete the program



And then all the twelve yr olds went crazy with the newest fad of clearing PLC's all over the country......................


----------



## gpop

macmikeman said:


> And then all the twelve yr olds went crazy with the newest fad of clearing PLC's all over the country......................


We don't need 12 year olds we have scada tech that are capable of accidentally doing that.


----------



## just the cowboy

gpop said:


> We don't need 12 year olds we have scada tech that are capable of accidentally doing that.


Hey I resemble that remark.


----------



## paulengr

At least on SLC and PLC-5 If you send a packet it doesn't like it will wipe the memory and fault! Such as reading nonexistent memory locations. Found this out the hard way. So no need for 12 year olds or secret jumper tricks.


Sent from my SM-T350 using Tapatalk


----------



## Ing Lalochenco

psgama said:


> Upload your program somewhere and share the link here.


 Hi, i hope yo can help me with your excel file to disable the OEM Lock because I have a old with a micrologix damaged and I need replace it but the original company doesn´t exists. My email address is: [email protected]


----------



## psgama

Hi, All the information required is on the previous pages






Rename the attachment to .xlsm from .txt

If this doesn't work, please let me know what version of RSLogix500 you are using.



Ing Lalochenco said:


> Hi, i hope yo can help me with your excel file to disable the OEM Lock because I have a old with a micrologix damaged and I need replace it but the original company doesn´t exists. My email address is: [email protected]


----------



## Lex1975

Hi, using the excel, RS500 v11. with MLX1200. but get error 400. can you enlighten me.


----------



## psgama

Did you create a “topic” in RSLinx named “test”?


----------



## Lex1975

Thanks for the reply. Yes, I create a new topic "test" and link to the processor. by using the excel any of the 3 buttons pop up window error 400.


----------



## psgama

Try renaming the excel to test.xlsm


----------



## Lex1975

after downloading, the file is renamed as mentioned. 
new topic in rslinx - test 

i there any other steps. 

thanks for the support


----------



## psgama

My apologies. The previously attached file had some issues.
Name the attached as test.xlsm
Create a new System enviromental variable for RSlinx and point it to the right path
Rather than opening the excel file directly, create a shortcut to open excel as an administrator and then load the excel file from there to ensure Excel has administrator rights.


----------



## Jackofalltrades70

Thanks
Matt


----------



## wiz1997

I ran into a similar problem on a drop packing machine.
I could not access the program because of the security bit being set.
If the program on the laptop did not match the program on the PLC, the PLC would not let you in.
I contacted the machine manufacturer and discussed getting access so I could add some conveyor controls to the PLC.
They would not give me access but would gladly come to the plant and make the changes for me, for some crazy money, air fare, car rental, hotel, food ect….
Told them I would have to get up with the Maintenance Manager when he got back from vacation (little white lie) so in the mean time could they send me a paper copy of the program.
Sure no problem, they emailed the program in a pdf. form.
I took the paper program and manually duplicated it into my laptop.
When I attempted to communicate with the PLC it recognized the program and opened up.
First thing I did was go in and change the security bit to 0.


----------



## paulengr

Why not backup/save the code in the ASCII (human readable) format then edit with a text editor?

As an example I do this all the time with Logix 5000. That’s where you can easily edit the file if say you need to downgrade versions if a firmware upgrade turns into a previously unknown compatibility issue. Just change the revision number then fix anything it complains about until it loads.

Fixing the protection bit should work the same way.


----------



## Jackofalltrades70

I get this error when trying to use the excel macro. Am I doing something wrong or do I need to upgrade my logix?


----------



## GrayHair

Very familiar with that type of message (but not your software). Most likely they're telling you that if you want to use the "good stuff", you have to pay.

Sometimes the free version is the same as the paid version but with the free version, all but the most basic features are neutered without a license key. They can also sell license keys that active only some of the features. I can see the logic in that; those using more features, bear more cost. Doing it this way they don't have to update and test multiple software packages. Particularly one that is given away.


----------



## msmayilsamyrn

I have a problem uploading Logic it’s not even allowing to upload. I don’t have back up it’s saying password protected. Could you some one help me on this one . Who ever worked before they put password for logic. I tried with OEM they are out of business . How to upload file are how to find the password.


----------



## msmayilsamyrn




----------



## paulengr

Jackofalltrades70 said:


> View attachment 155960
> 
> I get this error when trying to use the excel macro. Am I doing something wrong or do I need to upgrade my logix?


RS-Linz must be a licensed version.

ANY paid license works.


----------



## gpop

msmayilsamyrn said:


> I have a problem uploading Logic it’s not even allowing to upload. I don’t have back up it’s saying password protected. Could you some one help me on this one . Who ever worked before they put password for logic. I tried with OEM they are out of business . How to upload file are how to find the password.


This post explains how to do it but and this is a big BUT you have no back up plan.

You need to reverse engineer what the plc is doing so if you crap out the plc and it dumps its memory you will have to write the code from scratch. If you lack the experience to reverse engineer the program then you probably lack the experience to remove the password.


----------



## msmayilsamyrn

I stared doing all my machine backup after that only I found particular machine is not allowing do upload. I was searching backup they didn’t stored . I joined recently.


----------



## paulengr

msmayilsamyrn said:


> I stared doing all my machine backup after that only I found particular machine is not allowing do upload. I was searching backup they didn’t stored . I joined recently.


There are four AB protection schemes.

One is to password/hide the code.

One is to use a modified RS-Linx Gateway version but easily bypassed:

One is load the program into a flash card with the write protect on. Pull our card and read it.

The final scheme is you can set read/write privileges on different ports. Plug into another port


----------



## angel_z

[QUOTE = "Eddie Willers, publicación: 1986498, miembro: 9501"]

in spanish 

Pensándolo bien, no estoy seguro de qué comando hace "leer-modificar-escribir" en una palabra.

Es mejor hacer un MSG para leer el valor de la palabra S2: 1, luego cambiar el valor del bit 14 y volver a escribir el resultado en S2: 1.

El archivo de estado se comporta como un archivo Integer; probablemente podría abordarlo en una configuración de instrucción MSG como "N2: 1".

Hice esto, hace años, conectando un MicroLogix 1200 al puerto serie de un SLC-5/03 y presionando un botón conectado a una entrada para activar el MSG.


-----------

in english

On second thought, I'm not sure what command does "read-modify-write" in a word.

Better to do a MSG to read the value of word S2: 1, then change the value of bit 14 and write the result back to S2: 1.

The state file behaves like an Integer file; you could probably address it in a MSG instruction setting like "N2: 1".

I did this, years ago, by connecting a MicroLogix 1200 to the serial port of an SLC-5/03 and pressing a button connected to an input to activate the MSG.

[/quote]

-------------
in spanish
Estoy usando el cliente de prueba opc y lo configuro en 0 S2: 1/14
LISTO DESBLOQUEO

in english
I am using the opc test client and I set it to 0 S2: 1/14
READY UNLOCK

--------------------

BEST REGARDS


----------



## MikeFL

@angel_z 

¿Tienes una pregunta? 

in english: do you have a question?


----------



## psgama

msmayilsamyrn said:


> I have a problem uploading Logic it’s not even allowing to upload. I don’t have back up it’s saying password protected. Could you some one help me on this one . Who ever worked before they put password for logic. I tried with OEM they are out of business . How to upload file are how to find the password.


Did you solve your issue and upload the program from your micrologix? I have not frequented the forum lately.


----------



## vmam99

Electrorecycler said:


> An update on this thread. I was able to get around the OEM lock and it was stupidly simple. This is even after AB told me that there was no work around. I will happily share this info with anyone who presently has this issue. Just send me a private message.


I'm new here. I cannot send PM to anyone. But i have problem with OEM lock. It's lock in ML1000 and high risk machine. And i cannot contact machine owner. Please help in PM or [email protected].
Thank you in advance.


----------



## Almost Retired

@micromind @paulengr and several others i wish i could think of


----------



## Almost Retired

Electrorecycler said:


> An update on this thread. I was able to get around the OEM lock and it was stupidly simple. This is even after AB told me that there was no work around. I will happily share this info with anyone who presently has this issue. Just send me a private message.


@Electrorecycler there is a person on this thread who needs your help


----------



## vmam99

psgama said:


> I have a method to recover code even if the status file is write protected. You must be fully up to date with your RSLogix 500 version though. I can provide more information to those who need it via PM if they can prove that the OEM will not assist.
> 
> I can also provide an excel sheet for the Read Modify Write Status word to Turn the Deny Future access bit off and on if anyone needs it. It has a macro, so you have to trust the sheet, and of course, write protection on the status word must not have been enabled for it to work.
> 
> All that is required to use the excel sheet is to create a new topic in RSLINX named "test" from the processor you want to enable access to.
> 
> Or create the sheet yourself with the following macro
> 
> 
> 
> Code:
> 
> 
> Sub Word_Read()
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> DDETerminate (RSIchan)
> End Sub
> 
> Sub SetBit_Off()
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> 
> If Range("[test.XLSM]DDE_Sheet!B1") >= 16384 Then
> Range("[test.XLSM]DDE_Sheet!B1") = (Range("[test.XLSM]DDE_Sheet!B1") - 16384)
> DDEPoke RSIchan, "S:1", Range("[test.XLSM]DDE_Sheet!B1")
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> If Range("[test.XLSM]DDE_Sheet!B1") < 16384 Then
> MsgBox ("Success")
> End If
> Else
> MsgBox ("Deny Future Access Bit Already OFF")
> DDETerminate (RSIchan)
> End
> End If
> DDETerminate (RSIchan)
> End Sub
> Sub SetBit_ON()
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> 
> If Range("[test.XLSM]DDE_Sheet!B1") < 16384 Then
> Range("[test.XLSM]DDE_Sheet!B1") = (Range("[test.XLSM]DDE_Sheet!B1") + 16384)
> DDEPoke RSIchan, "S:1", Range("[test.XLSM]DDE_Sheet!B1")
> RSIchan = DDEInitiate("RSLinx", "test")
> Data = DDERequest(RSIchan, "S:1")
> Range("[test.XLSM]DDE_Sheet!B1").Value = Data
> If Range("[test.XLSM]DDE_Sheet!B1") >= 16384 Then
> MsgBox ("Success")
> End If
> Else
> MsgBox ("Deny Future Access Bit Already ON")
> DDETerminate (RSIchan)
> End
> End If
> DDETerminate (RSIchan)
> End Sub
> 
> PM me for details.


I'm new for this solution! Please teach me about your solution. [email protected]


----------



## Almost Retired

vmam99 said:


> I'm new for this solution! Please teach me about your solution. [email protected]


@psgama some one needs your help please


----------



## vmam99

I'm open as administrator but resualt is "#REF!" all bottom. How to solve?


----------



## Almost Retired

vmam99 said:


> I'm open as administrator but resualt is "#REF!" all bottom. How to solve?


im sorry i couldnt get anyone on here currently to respond to your question
however the ppl you are asking havent been on this thread for at least a month and longer
but if you will start your own post about this question you will get a much better response


----------



## paulengr

Look the default password trick (ABUNLOCK) was removed from most Micrologix firmware. At best you can factory reset and reprogram but that’s not your goal,


----------



## vmam99

Now i can read S:1 data via EXCEL sheet but cannot change S:1/14 to 0? Other way i'm open Data file S2 and direct to toggle S:1/14 but bad luck. How can i set S:1/14 to 0 please help!!!


----------



## HT Lee

psgama said:


> My apologies. The previously attached file had some issues.
> Name the attached as test.xlsm
> Create a new System enviromental variable for RSlinx and point it to the right path
> Rather than opening the excel file directly, create a shortcut to open excel as an administrator and then load the excel file from there to ensure Excel has administrator rights.


HI Dear psgama 
I'm new here and I have a micrologix1400 has OEM lock but OEM not on business now .I just wanna backup program to prevent accidental damage about PLC
I use the excel tool that you provided . In that tool I can read system word but when I deny access bit off ,the system word change quick as flash and return as original . I can't watch the video you sent so I have no clue now
The origin program was edited in RS500 V8.1 and I see you told others to upgrade to RSLogix 500 v10 , and I don't know how to do it . I'm eager to seek your help in PM or [email protected]
Thank you in advance.


----------



## adk_mech_E_Tech

psgama said:


> My apologies. The previously attached file had some issues.
> Name the attached as test.xlsm
> Create a new System enviromental variable for RSlinx and point it to the right path
> Rather than opening the excel file directly, create a shortcut to open excel as an administrator and then load the excel file from there to ensure Excel has administrator rights.


Big thanks for this, it worked like a charm. I have a very good customer that was left with a machine and no documentation or backups. The original programmer passed away, but left the system with the OEM lock enabled along with a password. I was able to get around the password with a V9 Hex edit, and with your nifty excel sheet, the OEM lock went poof as well. 

You made me and my google-fu look like a god. Another very useful tool to add to my bag of tricks!


----------



## psgama

Glad that this method is still working for some. Unfortunately the newer firmware doesn’t allow the excel worksheet to write these bits anymore, but there are still methods of code recovery / removal of OEM lock as a paid service if the com port of the PLC can be shared across the internet.


----------



## cuongvcs01

psgama said:


> Glad that this method is still working for some. Unfortunately the newer firmware doesn’t allow the excel worksheet to write these bits anymore, but there are still methods of code recovery / removal of OEM lock as a paid service if the com port of the PLC can be shared across the internet.


Dear Friend.
I'm new member in this 4rum.
I tried with your advise and read the value S:1 ok, push the set bit off. it show the box confirm OK. but set bit on not action.
can you please advise me more.
Thank you so much.
BR


----------



## crx7877

Working a project to modify the hardcoded password... can anyone tell me where the hardcoded AB...K lives ? Is it in the Firmware image ?


----------



## paulengr

crx7877 said:


> Working a project to modify the hardcoded password... can anyone tell me where the hardcoded AB...K lives ? Is it in the Firmware image ?


Logix 50 is written in 68000 code: I’ve never even tried to flash one:. Not sure that’s even possible. Why would you change it from ABUNLOCK?

In the program files save the .RSS in the text format and it’s clear as day in the text string. That should giv you a hint about the binary version.

What bother anyway? SLCs are getting ancient and unreliable. You can buy a Click for less than the price of an IO card from AB and Ethernet cards aren’t $10,000.


----------



## crx7877

If you are in an industry that requires password rotation and the ABUNLOCK password cannot change you are not compliant. In addition to being vulnerable to anyone that gains network access. Does the ABUNLOCK live in the RSS file or is it in the RSLogix.exe?


----------



## psgama

crx7877 said:


> Working a project to modify the hardcoded password... can anyone tell me where the hardcoded AB...K lives ? Is it in the Firmware image ?


RSLogix executable.
If you are in an industry that requires password rotation get rid of your SLC500 and Microligix PLCs. PLC password and OEM lock can be easily circumvented.


----------

