├── README.md
├── pcom2tcp.py
├── pcom_client.py
└── requirements.txt


/README.md:
--------------------------------------------------------------------------------
  1 | # Unitronics Forensic Tools / by Claroty Team82
  2 | 
  3 | ### TL;DR
  4 | Unitronics Forensic Tools, including a modular PCOM client, as well as PCOM to TCP converter (and vice versa). 
  5 | 
  6 | Using these tools, we implemented a custom PCOM client (Unitronics Vision/Samba communication protocol), allowing users to connect to their PLC using either serial/TCP, and query information from it. 
  7 | These tools main goal is to enable users to extract forensic infromation from attacked Unitronics PLCs.
  8 | 
  9 | ### Background
 10 | Due to [recent attacks](https://claroty.com/team82/blog/opportunistic-hacktivists-target-plcs-at-us-water-facility) on Unitronics Vision/Samba PLCs, we research the communication protocol implemented by these PLC/HMI devices. The goal of our research was to develop a toolset enabling users to extract forensic information from attacked PLCs.
 11 | 
 12 | At the end of our research, we developed two tools - 
 13 | - `PCOMClient`: a PCOM client, enabling users to connect to their Unitronics Vision/Samba series PLCs/HMIs. In this module, we support PCOM Serial, PCOM TCP, PCOM ASCII and PCOM Binary messages, as well as support a wide range of built-in function codes/procedures. This tool in specific allows users to extract forensic information from their PLC.
 14 | 
 15 | - `PCOM2TCP`: This tool allows users to convert PCOM messages from PCOM TCP to PCOM Serial and vice versa. This allows users with only serial connection to the PLC to connect to it using PCOM TCP, and sniff packets.
 16 | 
 17 | 
 18 | 
 19 | ### What's supported?
 20 | - `PCOM Serial`
 21 | - `PCOM\TCP`
 22 | - `PCOM ASCII`
 23 | - `PCOM Binary`
 24 | - `Supported PCOM Function Codes` - 23 opcodes
 25 | - `Supported Procedures` - read/write raw memory, upload project, read resources etc.
 26 | - `Forensic Information Extraction` - read PLC infromation (version, name, UnitID etc.), dump and parse siganture table.
 27 | 
 28 | 
 29 | ### Usage
 30 | Basic Usage: `python pcom_client.py SERVER_IP`
 31 | Main functionalities:
 32 | 1. Setup PCOM Client -
 33 | ```
 34 | ip_addr = sys.argv[1]
 35 | pcom = PCOM_CLIENT(isTcp=True, debugMode=False)
 36 | s = socket.socket()
 37 | port = 20256
 38 | s.connect((ip_addr, port))
 39 | 
 40 | # You are connected, now invoke any function you choose.
 41 | print_plc_name(s, pcom)
 42 | print_plc_firmware(s, pcom)
 43 | ```
 44 | 2. Extract Information About PLC - 
 45 | ```
 46 | print_plc_name(s, pcom)
 47 | print_plc_firmware(s, pcom)
 48 | print_plc_unitid(s, pcom)
 49 | ```
 50 | 
 51 | 3. Extract Signature Table -
 52 | ```
 53 | print_signature_table(s, pcom)
 54 | ```
 55 | 
 56 | 4. Read Project File:
 57 | ```
 58 | read_and_save_project_zip(s, pcom)
 59 | ```
 60 | 
 61 | 5. Read/Write RAM:
 62 | ```
 63 | # Read memory:
 64 | location_id = 1 	# 1/4 - identifies memory type
 65 | start_addr	= 0 	# Read from
 66 | end_addr 	= 0x100 # Read until
 67 | 
 68 | read_memory(s, pcom, location_id, start_addr, end_addr)
 69 | 
 70 | # Write memory (use with caution):
 71 | location_id = 1 				# 1/4 - identifies memory type
 72 | addr		= 0 				# Write to
 73 | data 		= b'Claroty Team82' # Data to write
 74 | 
 75 | write_memory(s, pcom, addr, data, location_id)
 76 | ```
 77 | 
 78 | 
 79 | ### Function Codes
 80 | ----------------------------------------------------
 81 | | Function Code (req/resp) | Description           |
 82 | |--------------------------|-----------------------|
 83 | | 0x01 / 0x81   		   | Read Memory           |
 84 | | 0x02 / 0x82        	   | Check Password        |
 85 | | 0x0C / 0x8C 			   | Get PLC Name 	       |
 86 | | 0x10 / 0x90			   | Find resources	       |
 87 | | 0x16 / 0x96			   | Translate Resource Index to Address*    |
 88 | | 0x1A / 0x9A			   | Flush Memory Buffer   |
 89 | | 0x41 / 0xC1			   | Write Memory 		   |
 90 | | 0x42 / 0xC2			   | Reset Upload Password ([CVE-2024-38434](https://claroty.com/team82/disclosure-dashboard/cve-2024-38434)) |
 91 | | 0x4D / 0xCD			   | Read Operand		   |
 92 | | 0xFF					   | Error				   |
 93 | | ID (ASCII) 			   | Get PLC ID 		   |
 94 | | UG (ASCII)			   | Get PLC UnitID 	   |
 95 | | GF (ASCII)			   | Get PLC Version 	   |
 96 | 
 97 | 
 98 | ### Forensic Information
 99 | 
100 | Using our PCOMClient tool, users which their PLC was attacked can extract *TONS* of forensic information from their PLC, containig details about the attack itself, as well as on the attacker's computer and setup.
101 | Our tool allows users to extract forensic information using two methods:
102 | 
103 | - Project Upload - using the `read_and_save_project_zip` function, it is possible to extract the project from the PLC (only available if the project was "burned" - downloaded using "Download & Burn"). The project is an encrypted zip file (with an hardcoded password), containing an Access DB file. In this Access DB file, there is a lot of information about the project creator PC.
104 | 
105 | - Signature Table - in the Unitronics ecosystem, the Signature Table is a structure containg data about PLC connectsions, as well as the PC of the user connecting to it. using the `print_signature_table` function, it is possible to extract the Signature Table from the PLC.
106 | 
107 | 
108 | Here is a table showing all forensic evidence possible for extraction from the PLC:
109 | ------------------------------------------------------------------------------
110 | | Forensic Evidence     | Is Inside Siganture Table | Is Inside Project File |
111 | |-----------------------|---------------------------|------------------------|
112 | | Project Path 		    | Yes 					    | Yes 				     |
113 | | PC Username 		    | Yes 					    | No (could be in path)  |
114 | | Project Creation Date | No 						| Yes  		   			 |
115 | | PLC Connection Date 	| Yes 						| Yes 					 |
116 | | Computer Keyboards 	| Yes 						| Yes 					 |
117 | | PLC Connection String | Yes 						| Yes 					 |
118 | | Project Images 		| No 						| Yes 					 |
119 | | Project Functions 	| No 						| Yes 					 |
120 | 
121 | 
122 | 
123 | 
124 | ### How to use
125 | ```
126 | git clone https://github.com/claroty/pcom-forensic-tools.git
127 | cd pcom-forensic-tools
128 | python3 -m venv venv
129 | source ./venv/bin/activate
130 | pip install -r requirements.txt
131 | ```
132 | then for example, `python pcom_client.py 1.2.3.4`
133 | 
134 | 


--------------------------------------------------------------------------------
/pcom2tcp.py:
--------------------------------------------------------------------------------
 1 | import serial
 2 | import struct
 3 | import time
 4 | import struct
 5 | import socket
 6 | import binascii
 7 | import sys
 8 | 
 9 | # User configable - change to your setup
10 | COM_PORT = "COM1"
11 | COM_RATE = 115200 # Old series - 57600
12 | PCOM_PORT = 20256
13 | 
14 | 
15 | # Consts
16 | BINARY_PREFIX = b"/_"
17 | ASCII_REQUEST = b"/0"
18 | ASCII_RESPONSE = b"/A"
19 | ASCII_TERMINATE = ord("\r")
20 | BINARY_TERMINATE = b"\\"
21 | 
22 | 
23 | # This function reads PCOM message (Binary/ASCII) and returns the
24 | # message, or 0 if encountered an error
25 | def read_until(reader):
26 |     
27 |     # Read magic
28 |     magic = reader.read(size=2)
29 |     
30 |     # If no magic - return error
31 |     if not magic:
32 |         return 0
33 |     
34 |     # Match magic to correct packet type
35 |     if magic == BINARY_PREFIX:
36 |         rest_of_header = reader.read(size=22)
37 |         if len(rest_of_header) != 22:
38 |             return 0
39 | 
40 |         header = magic + rest_of_header
41 |         packet_length = struct.unpack("<H", header[20:22])[0]
42 |         packet_data = reader.read(size=packet_length+3)
43 |         return header + packet_data
44 |     elif magic in (ASCII_REQUEST, ASCII_RESPONSE):
45 |         data = magic
46 | 
47 |         # Read until we encounter ASCII_TERMINATE (\)
48 |         while True:
49 |             data += reader.read(size=1)
50 |             if data[-1] == ASCII_TERMINATE:
51 |                 return data
52 |     else:
53 |         return 0 # Error - got no magic
54 | def main():
55 | 
56 |     # Open serial port
57 |     forwarder = serial.Serial(COM_PORT, COM_RATE)
58 |     forwarder.timeout = 0.5
59 | 
60 |     # Open socket
61 |     s = socket.socket(2,1)
62 |     s.bind(("0.0.0.0", PCOM_PORT))
63 |     s.listen()
64 |     conn, addr = s.accept()
65 | 
66 |     # While true - forward messages
67 |     while True:
68 |         data = conn.recv(1024)
69 | 
70 |         # Reset connection if closed
71 |         if not data:
72 |             conn, addr = s.accept()
73 |             continue
74 | 
75 |         # Extract fileds from PCOM/TCP layer, to insert to response
76 |         com_data = data[6:]
77 |         transaction_id = data[:2]
78 |         protocol_type = data[2:3]
79 |         
80 |         print(f"TCP-->PCOM: {data}") 
81 |         forwarder.write(com_data)
82 |         pcom_response = read_until(forwarder)
83 | 
84 |         # If did not get data - try retransmittion
85 |         if not pcom_response:
86 |             continue
87 | 
88 |         tcp_response = transaction_id
89 |         tcp_response += protocol_type
90 |         tcp_response += b"\x00" 
91 |         tcp_response += struct.pack("<H", len(pcom_response) + 6 ) 
92 |         tcp_response += pcom_response
93 | 
94 |         print(f"PCOM-->TCP: {tcp_response}")
95 |         conn.send(tcp_response)
96 | 
97 | 
98 | if __name__ == "__main__":
99 |     main()        


--------------------------------------------------------------------------------
/pcom_client.py:
--------------------------------------------------------------------------------
   1 | import time
   2 | import zlib
   3 | import socket
   4 | import re
   5 | import binascii
   6 | import struct
   7 | import sys
   8 | import datetime
   9 | import random
  10 | from io import BytesIO
  11 | 
  12 | # Helper functions
  13 | def tx(d):
  14 |     return binascii.hexlify(d).decode()
  15 | 
  16 | def up_I(r):
  17 |     return struct.unpack("<I", r.read(4))[0]
  18 | 
  19 | def dex(d):
  20 |     return binascii.unhexlify(d)
  21 | 
  22 | def print_body_info(key, info):
  23 |     if info:
  24 |         info_data = info
  25 |         try:
  26 |             if type(info_data) == bytes:
  27 |                 info_data = info_data.decode("windows-1252")
  28 |         except Exception as e:
  29 |             info_data = info
  30 |         print(f"\t\t\t[-] {key}: {info_data}")
  31 |     else:
  32 |         print(f"\t\t\t[-] {key}")
  33 | 
  34 | 
  35 | RESOURCE_ID_PROJECT_ZIP = 6
  36 | PASSWORD_DEFAULT = "*"*8
  37 | 
  38 | 
  39 | class PCOM_CLIENT:
  40 | 
  41 |     MODELS = { 'PRBT': 'FACTORY BOOT', '13PRBT': 'V130 FACTORY BOOT', '35PRBT': 'V350 FACTORY BOOT', '43PRBT': 'V430 FACTORY BOOT', '10PRBT': 'V1040/V1210 FACTORY BOOT', 'PC15': 'EXF-RC15 FACTORY BOOT', 'SM35PB': 'SM35-J FACTORY BOOT', 'SM43PB': 'SM43-J FACTORY BOOT', 'SM70PB': 'SM70-J FACTORY BOOT', 'SM7OPB': 'SM70-OEM FACTORY BOOT', '70PR': 'V700-T20BJ FACTORY BOOT', 'ADF1': 'ADP-PB1 FACTORY BOOT', 'BOOT': 'BOOT', 'CLBT': 'CLR BOOT', '13BOOT': 'V130 BOOT', '35BOOT': 'V350 BOOT', 'SM35BT': 'SM35-J BOOT', 'SM43BT': 'SM43-J BOOT', 'SM70BT': 'SM70-J BOOT', 'SM7OBT': 'SM70-OEM BOOT', 'SMBT': 'SM35 BOOT', '10BOOT': 'V1040 BOOT', '12BOOT': 'V1210 BOOT', '43BOOT': 'V430 BOOT', '70BOOT': 'V700-T20BJ BOOT', 'ADB1': 'ADP-PB1 BOOT', 'BM90': 'BOOT', 'BNX1': 'BOOT', 'BNR1': 'BOOT', 'BRC1': 'EX-RC1 BOOT', 'BC15': 'EXF-RC15 BOOT', 'B1': 'M90-19-B1', 'B1A': 'M90-19-B1A', 'R1': 'M90-R1', 'R1C': 'M90-R1-CAN', 'R2C': 'M90-R2-CAN', 'T': 'M90-T', 'T1': 'M90-T1', 'T1C': 'M90-T1-CAN', 'TA2C': 'M90-TA2-CAN', 'TA3C': 'M90-TA3-CAN', '1TC2': 'M91-19-TC2', '1UN2': 'M91-19-UN2', '1R1': 'M91-19-R1', '1R2': 'M91-19-R2', '1R2C': 'M91-19-R2C', '1T1': 'M91-19-T1', '1UA2': 'M91-19-UA2', '1T2C': 'M91-19-T2C', '7B1': 'M90-2-B1', '7B1A': 'M90-2-B1A', '7R1': 'M90-2-R1', '7R1C': 'M90-2-R1-CAN', '7R2C': 'M90-2-R2-CAN', '7T': 'M90-2-T', '7T1': 'M90-2-T1', '7T1C': 'M90-2-T1-CAN', '7TA2': 'M90-2-TA2-CAN', '7TA3': 'M90-2-TA3-CAN', '8TC2': 'M91-2-TC2', '8UN2': 'M91-2-UN2', '8R1': 'M91-2-R1', '8R2': 'M91-2-R2', '8R2C': 'M91-2-R2C', '8T1': 'M91-2-T1', '8UA2': 'M91-2-UA2', '8T38': 'M91-2-T38', '8T2C': 'M91-2-T2C', '8R6C': 'M91-2-R6C', '8R34': 'M91-2-R34', '8A19': 'M91-2-RA19', '8A22': 'M91-2-RA22', '1T38': 'M91-19-T38', 'JR14': 'BOSCH', 'JR17': 'JZ10-11-R17', 'JR10': 'JZ10-11-R10', 'JR16': 'JZ10-11-R16', 'JT10': 'JZ10-11-T10', 'JT17': 'JZ10-11-T17', 'JEW1': 'JZB2-11-EW1', 'JE10': 'JZB1-11-SE10', 'JR31': 'JZ10-11-R31', 'JT40': 'JZ10-11-T40', 'JP15': 'JZ10-11-PT15', 'JE13': 'JZ10-11-UE13', 'JA24': 'JZ10-11-UA24', 'JN20': 'JZ10-11-UN20', '8RZ': 'M91-2-R1-AZ1', '2320': 'V230-13-B20', '2620': 'V260-16-B20', '2820': 'V280-18-B20', '2920': 'V290-19-B20', 'VUN2': 'V120-12-UN2', 'VR1': 'V120-12-R1', 'VR2C': 'V120-12-R2C', 'VUA2': 'V120-12-UA2', 'VT1': 'V120-12-T1', 'VT40': 'V120-12-T40', 'VT2C': 'V120-12-T2C', 'VT38': 'V120-12-T38', 'WUN2': 'V120-22-UN2', 'WR1': 'V120-22-R1', 'WR2C': 'V120-22-R2C', 'WUA2': 'V120-22-UA2', 'WT1': 'V120-22-T1', 'WT40': 'V120-22-T40', 'WT2C': 'V120-22-T2C', 'WT38': 'V120-22-T38', 'WR6C': 'V120-22-R6C', 'WR34': 'V120-22-R34', 'WA19': 'V120-22-RA19', 'WA22': 'V120-22-RA22', 'ERC1': 'EX-RC1', '5320': 'V530-53-B20B', '49C3': 'V570-57-C30 / V290-19-C30', '57C3': 'V570-57-C30 / V290-19-C30', '49T3': 'V570-57-T34 / V290-19-T34', '57T3': 'V570-57-T34 / V290-19-T34', '49T2': 'V570-57-T20 / V290-19-T20', '57T2': 'V570-57-T20 / V290-19-T20', '49T4': 'V570-57-T40 / V290-19-T40', '57T4': 'V570-57-T40 / V290-19-T40', '56C3': 'V560-56-C30', '56T4': 'V560-56-T40', '56T3': 'V560-56-T34', '56T2': 'V560-56-T25B', '13TR22': 'V130-33-TRA22', '13XXXX': 'V130-33-XXXX', '13R2': 'V130-33-R2', '13R34': 'V130-33-R34', '13T2': 'V130-33-T2', '13T38': 'V130-33-T38', '13RA22': 'V130-33-RA22', '13TA24': 'V130-33-TA24', '13B1': 'V130-33-B1', '13T40': 'V130-33-T40', '13R6': 'V130-33-R6', '13TR34': 'V130-33-TR34', '13TR20': 'V130-33-TR20', '13TR6': 'V130-33-TR6', '13TU24': 'V130-33-TU24', '35R2': 'V350-35-R2', '35R34': 'V350-35-R34', '35T2': 'V350-35-T2', '35T38': 'V350-35-T38', '35RA22': 'V350-35-RA22', '35TA24': 'V350-35-TA24', '35B1': 'V350-35-B1', '35T40': 'V350-35-T40', '35R6': 'V350-35-R6', '35TR34': 'V350-35-TR34', '35TR22': 'V350-35-TRA22', '35TR20': 'V350-35-TR20', '35TR6': 'V350-35-TR6', '35TU24': 'V350-35-TU24', '35XXXX': 'V350-35-XXXX', 'S3T20': 'SM35-J-T20', 'S3TA2': 'SM35-J-R20', 'S3R20': 'SM35-J-R20', 'S4T20': 'SM43-J-T20', 'S4TA2': 'SM43-J-R20', 'S4R20': 'SM43-J-R20', '70T2': 'V700-T20BJ', 'EC15': 'EXF-RC15', '10T2': 'V1040', '12T2': 'V1210', 'ADP1': 'ADP-PB1'}
  42 |     FW_TYPE_TO_NAME = {'B':'O/S', 'P':'BOOT', 'F':'FactoryBoot', 'FT': 'BinLib'}
  43 |     binary_header_magic = b"/_OPLC"
  44 |     ascii_header_magic = b"/"
  45 |     binary_suffix = b"\\"
  46 |     ascii_suffix = b"\x0d"
  47 |     PCOM_TCP_HEADER_SIZE = 6
  48 |     PCOM_HEADER_SIZE = 24
  49 |     PCOM_BINARY_FOOTER_SIZE = 3
  50 |     current_tcp_id = 30412
  51 | 
  52 |     
  53 |     def __init__(self, isTcp=False, debugMode=False) -> None:
  54 |         self.isTcp = isTcp
  55 |         self.debugMode = debugMode
  56 |     
  57 | 
  58 |     def print_pcom_binary(self, data):
  59 |         opcode_table = {
  60 |             b"\x01": "Read Memory Reqeust",
  61 |             b"\x81": "Read Memory Response",
  62 |             b"\x02": "Check Password",
  63 |             b"\x82": "Password OK",
  64 |             b"\x0c": "Get PLC Name Request",
  65 |             b"\x8C": "Get PLC Name Response",
  66 |             b"\x10": "Where Resource Reqeust",
  67 |             b"\x90": "Where Resource Response",
  68 |             b"\x16": "Translate Index to Address Request",
  69 |             b"\x96": "Translate Index to Address Response",
  70 |             b"\x1A": "Flash Memory Buffer Request",
  71 |             b"\x9A": "Flash Memory Buffer Response",
  72 |             b"\x41": "Write Memory Reqeust",
  73 |             b"\xC1": "Write Memory Response",
  74 |             b"\x4D": "Read Operand Request",
  75 |             b"\xCD": "Read Operand Response",
  76 |             b"\xFF": "Error",
  77 |         }
  78 |         opcode = data[12:13]
  79 |         opcode_message = opcode_table.get(opcode, "")
  80 |         if int.from_bytes(opcode, 'little') & 0b10000000:
  81 |             direction = "Client <--- Server"
  82 |         else:
  83 |             direction = "Client ---> Server"
  84 |         
  85 |         print(f"{direction}: Binary PCOM Command {opcode_message} ({hex(int.from_bytes(opcode, 'little'))})")
  86 | 
  87 |     
  88 |     def print_pcom_ascii(self, data):
  89 |         opcode_table = {
  90 |             b"ID": "Get PLC Version ",
  91 |             b"UG": "Get UnitID Command ",
  92 |             b"GF": "Read Integers ",
  93 |             b"CCS": "Stop PLC "
  94 |         }
  95 |         if data[0:2] == b"/A":
  96 |             direction = "Client (EWS) <--- Server (PLC)"
  97 |             type_of_msg = "Response"
  98 |             opcode = data[4:6]
  99 |         else:
 100 |             direction = "Client (EWS) ---> Server (PLC)"
 101 |             type_of_message = "Request"
 102 |             opcode = data[3:5]
 103 |         
 104 |         opcode_message = opcode_table.get(opcode, "")
 105 |         print(f"{direction}: ASCII PCOM Command {opcode_message} ({opcode.decode()})")
 106 | 
 107 | 
 108 |     def extract_pcom_data(self, data):
 109 |         # Move after the PCOM/TCP header
 110 |         if self.isTcp:
 111 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 112 |         if self.debugMode:
 113 |             self.print_pcom_binary(data)
 114 |         return data[self.PCOM_HEADER_SIZE:-self.PCOM_BINARY_FOOTER_SIZE]
 115 | 
 116 |     
 117 |     def make_tcp(self,data, isAscii=False):
 118 |         tcp = struct.pack("<H", self.current_tcp_id) # Transaction ID (2 bytes)
 119 |         self.current_tcp_id += 1
 120 |         tcp += struct.pack("B", 101) if isAscii else struct.pack("B", 102) # 101 for Ascii mode or 102 for Binary mode
 121 |         tcp += b"\x00" # Reserved
 122 |         tcp += struct.pack("<H", len(data)) # PCOM length
 123 |         tcp += data
 124 |         return tcp 
 125 | 
 126 |     
 127 |     def calc_binary_hedear_crc(self,data):
 128 |         # Packet[0:22]
 129 |         return struct.pack("<H", (( ~ (sum(data[0:22]) % 0x10_000) + 1 ) % 0xffff + 1))
 130 |     
 131 |     
 132 |     def calc_binary_footer_crc(self,data):
 133 |         # Packet[24:-3]
 134 |         return struct.pack("<H", (( ~ (sum(data[self.PCOM_HEADER_SIZE:]) % 0x10_000) + 1 ) % 0xffff + 1))
 135 |     
 136 |     
 137 |     def calc_ascii_crc(self, data):
 138 |         # Packet[1:-3]
 139 |         return hex(sum((data)[1:]) % 256).upper()[2:].rjust(2,"0").encode()
 140 |     
 141 | 
 142 |     def create_binary_request(self, command_opcode, command_details = b'\x00\x00\x00\x00\x00\x00', command_data = b"", res1=b"\xfe", res2=b"\x01", res3=b"\x01\x00\x00", res4=b"\x00"):
 143 |         header = self.binary_header_magic # Magic
 144 |         header += b'\x00' # ID
 145 |         header += res1 # default: b'\xfe' # Reserved
 146 |         header += res2 # default: b'\x01' # Reserved
 147 |         header += res3 # default: b'\x01\x00\x00' # Reserved
 148 |         header += struct.pack("b", command_opcode) # Command Opcode
 149 |         header += res4 # default: b'\x00' # Reserved
 150 |         header += command_details[0:6] # Command details (6 bytes)
 151 |         header += struct.pack("<H", len(command_data)) # Command length
 152 |         header += self.calc_binary_hedear_crc(header) # CRC
 153 |         packet = header
 154 |         packet += command_data # Data
 155 | 
 156 |         if not command_data:
 157 |             footer_crc = b'\x00\x00'
 158 |         else:
 159 |             footer_crc = self.calc_binary_footer_crc(packet) # CRC
 160 |         packet += footer_crc
 161 |         packet += self.binary_suffix # Suffix (\)
 162 | 
 163 |         if self.debugMode:
 164 |             self.print_pcom_binary(packet)
 165 |         
 166 |         if self.isTcp:
 167 |             return self.make_tcp(packet)
 168 |         
 169 |         return packet
 170 |    
 171 | 
 172 |     # Binary Request
 173 |     def create_read_plc_name(self):
 174 |         opcode = 0x0c
 175 |         return self.create_binary_request(opcode)
 176 | 
 177 |     
 178 |     # Binary Response
 179 |     def parse_read_plc_name(self,data):
 180 | 
 181 |         # Move after the PCOM/TCP header
 182 |         if self.isTcp:
 183 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 184 | 
 185 |         if self.debugMode:
 186 |             self.print_pcom_binary(data)
 187 |         
 188 |         # The header length should be 27 bytes long (including footer + suffix)
 189 |         if len(data) < 27:
 190 |             return 0
 191 | 
 192 |         name_len = struct.unpack("<H", data[20:22])[0]
 193 |         
 194 |         if not name_len:
 195 |             return 0
 196 |         
 197 |         # Check packet is long enough to contain name
 198 |         if len(data) < 27 + name_len:
 199 |             return 0
 200 |         
 201 |         name = data[self.PCOM_HEADER_SIZE:self.PCOM_HEADER_SIZE + name_len]
 202 |         
 203 |         return name
 204 | 
 205 | 
 206 |     # ASCII Request
 207 |     def create_read_system_integers(self):
 208 |         request = self.ascii_header_magic # Magic (/)
 209 |         request += b"00" # Unit ID (00 const)
 210 |         request += b"GF" # Opcode 
 211 |         request += b"00FC" # Address
 212 |         request += b"01" # Length
 213 |         request += self.calc_ascii_crc(request)
 214 |         request += self.ascii_suffix
 215 | 
 216 |         if self.debugMode:
 217 |             self.print_pcom_ascii(request)
 218 |         
 219 |         if self.isTcp:
 220 |             return self.make_tcp(request, isAscii=True)
 221 |         
 222 |         return request    
 223 | 
 224 |     
 225 |     # ASCII Requset
 226 |     def create_read_plc_versions(self):
 227 |         request = self.ascii_header_magic # Magic (/)
 228 |         request += b"00" # Unit ID (00 const)
 229 |         request += b"ID" # Opcode
 230 |         request += self.calc_ascii_crc(request) # CRC
 231 |         request += self.ascii_suffix # Suffix
 232 |         
 233 |         if self.debugMode:
 234 |             self.print_pcom_ascii(request)
 235 |         
 236 |         if self.isTcp:
 237 |             return self.make_tcp(request, isAscii=True)
 238 |         
 239 |         return request
 240 |     
 241 | 
 242 |     # ASCII Response
 243 |     def parse_version(self, data):
 244 |         
 245 |         # Move after the PCOM/TCP header
 246 |         if self.isTcp:
 247 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 248 |         
 249 |         if self.debugMode:
 250 |             self.print_pcom_ascii(data)
 251 | 
 252 |         # 49T4 C 
 253 |         # 004 010 36 B --> 4.10.36 B (OS)
 254 |         # 002 002 53 P --> 2.2.53 P (BOOT)
 255 |         # 000 000 43 F --> 0.0.43 F (BinLib / Force)
 256 |         # 11100001     --> ?????
 257 | 
 258 |         data = data.decode()
 259 |         data = data[self.PCOM_TCP_HEADER_SIZE:-self.PCOM_BINARY_FOOTER_SIZE]
 260 |         REGEX_FW_SINGLE = "(([0-9x]{3})([0-9x]{3})([0-9x]{2})([A-Z]+))"
 261 |         res = {}
 262 |         model_len = 6
 263 |         
 264 |         while self.MODELS.get(data[:model_len]) is None:
 265 |             model_len -= 1
 266 |             if model_len == 2:
 267 |                 return data
 268 |         
 269 |         res["model"] = data[:model_len]
 270 |         res["model_desc"] = self.MODELS.get(data[:model_len])
 271 |         res["hw_rev"] = data[model_len:model_len+1]
 272 |         res["fw_ver"] = []
 273 |         sub_fw = re.findall(REGEX_FW_SINGLE, data)
 274 |         
 275 |         for match in sub_fw:
 276 |             full_match, ver, ver_major, ver_minor, ver_type = match
 277 |             if ver_type == "FT":
 278 |         
 279 |                 # 03100020 --> 0-3.10 (20)
 280 |                 # 11100001 --> 1-1.10 (10)
 281 |                 version = f"{full_match[0:1]}-{full_match[1:2]}.{full_match[2:4]} ({full_match[4:8]})"
 282 |         
 283 |             else:
 284 |                 ver = int(ver) if ver.isdigit() else ver
 285 |                 ver_major = int(ver_major) if ver_major.isdigit() else ver_major
 286 |                 ver_minor = int(ver_minor) if ver_minor.isdigit() else ver_minor
 287 |                 version = f"{ver}.{str(ver_major).zfill(3)} ({str(ver_minor).zfill(2)})" # 2.011 (02)
 288 |         
 289 |             res["fw_ver"].append({"version": version, "type": ver_type})
 290 |         
 291 |         leftovers = data.split(full_match)[-1]
 292 |         res["leftover"] = leftovers
 293 |         return res
 294 | 
 295 |     
 296 |     # Binary Request
 297 |     def create_read_operand(self):
 298 |         command_opcode = 0x4d
 299 |         command_details = b"\x00\x00\x00\x00\x02\x00" # Const for read_operand
 300 |         command_data = b"\x01\x00\x02\xff\x8d\x00\x03\x00\x11\xff\x00\x00\x09\x00\x03\x00" # Const for read Operand
 301 |         return self.create_binary_request(command_opcode=command_opcode, command_details=command_details, command_data=command_data)
 302 | 
 303 | 
 304 |     # Binary Response
 305 |     def parse_read_operand(self,data):
 306 |         
 307 |         # Move after the PCOM/TCP header
 308 |         if self.isTcp:
 309 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 310 |         
 311 |         if self.debugMode:
 312 |             self.print_pcom_binary(data)
 313 | 
 314 |         # Not interesting data for us here
 315 |         pass
 316 | 
 317 |     
 318 |     # ASCII Requset
 319 |     def create_stop_command(self):
 320 |         request = self.ascii_header_magic # Magic (/)
 321 |         request += b"00" # Unit ID (00 const)
 322 |         request += b"CCS" # Opcode
 323 |         request += self.calc_ascii_crc(request)
 324 |         request += self.ascii_suffix
 325 |         
 326 |         if self.debugMode:
 327 |             self.print_pcom_ascii(request)
 328 | 
 329 |         if self.isTcp:
 330 |             return self.make_tcp(request, isAscii=True)
 331 |         
 332 |         return request
 333 | 
 334 | 
 335 |     # ASCII Requset
 336 |     def create_read_unitID(self):
 337 |         request = self.ascii_header_magic # Magic (/)
 338 |         request += b"00" # Unit ID (00 const)
 339 |         request += b"UG" # Opcode
 340 |         request += self.calc_ascii_crc(request)
 341 |         request += self.ascii_suffix
 342 |         
 343 |         if self.debugMode:
 344 |             self.print_pcom_ascii(request)
 345 | 
 346 |         if self.isTcp:
 347 |             return self.make_tcp(request, isAscii=True)
 348 |         
 349 |         return request
 350 | 
 351 | 
 352 |     # ASCII Response
 353 |     def parse_read_unitID(self,data):
 354 | 
 355 |         # Move after the PCOM/TCP header
 356 |         if self.isTcp:
 357 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 358 |         
 359 |         if self.debugMode:
 360 |             self.print_pcom_ascii(data)
 361 | 
 362 |         return data[self.PCOM_TCP_HEADER_SIZE:-self.PCOM_BINARY_FOOTER_SIZE]
 363 | 
 364 |     
 365 |     # Binary Request
 366 |     def create_where_resource(self, resource_id):
 367 |         opcode = 0x10
 368 |         res1 = b"\xfe"
 369 |         res2 = b"\x01"
 370 |         res3 = b"\x00\x00\x00"
 371 |         res4 = struct.pack("b", resource_id)
 372 |         command_details = b"\x00"*6
 373 |         return self.create_binary_request(command_opcode=opcode, res1=res1, res2=res2, res3=res3, res4=res4, command_details=command_details)
 374 | 
 375 |     
 376 |     # Binary Response
 377 |     def parse_where_resource(self, data):
 378 |         
 379 |         # Move after the PCOM/TCP header
 380 |         if self.isTcp:
 381 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 382 | 
 383 |         if self.debugMode:
 384 |             self.print_pcom_binary(data)
 385 | 
 386 |         addr, size, res_id = struct.unpack("<III", data[self.PCOM_HEADER_SIZE:-self.PCOM_BINARY_FOOTER_SIZE])
 387 |         return addr, size, res_id
 388 | 
 389 |     
 390 |     # Binary Request
 391 |     def create_read_memory(self, address, size, flag=1):
 392 |         opcode = 0x01
 393 |         res1 = b"\xfe"
 394 |         res2 = b"\x01"
 395 |         res3 = b"\x00\x00\x00"
 396 |         res4 = struct.pack("b", flag)
 397 |         command_details = address
 398 |         command_details += struct.pack("<H", size)
 399 |         return self.create_binary_request(command_opcode=opcode, res1=res1, res2=res2, res3=res3, res4=res4, command_details=command_details)
 400 | 
 401 | 
 402 |     # This function parses the resource table struct from memory read from the PLC (using read_memory)
 403 |     # Binary Response
 404 |     def parse_read_resource_table(self, data):
 405 |         # Move after the PCOM/TCP header
 406 |         if self.isTcp:
 407 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 408 |         
 409 |         if len(data) < 67:
 410 |             return 0
 411 |         
 412 |         if self.debugMode:
 413 |             self.print_pcom_binary(data)
 414 | 
 415 |         # OPLC_HEADER (size 24)
 416 |         # Resource table struct (each size 4)
 417 |         # We need the 10th resource (signature table) --> 24 + 9*4 
 418 |         index =  struct.unpack("<I", data[self.PCOM_HEADER_SIZE + 9*4: self.PCOM_HEADER_SIZE + 10*4])[0]
 419 |         return index
 420 |     
 421 | 
 422 |     # Binary Request
 423 |     def create_write_memory(self, address, size, data, flag=1):
 424 |         opcode = 0x41
 425 |         res1 = b"\xfe"
 426 |         res2 = b"\x01"
 427 |         res3 = b"\x00\x00\x00"
 428 |         res4 = struct.pack("b", flag)
 429 |         command_details = address
 430 |         command_details += struct.pack("<H", size)
 431 |         return self.create_binary_request(command_opcode=opcode, res1=res1, res2=res2, res3=res3, res4=res4, command_details=command_details, command_data=data)
 432 | 
 433 |     
 434 |     # This function creates a request translating a resource index to its address. For example, the resource table has index 0x0d
 435 |     # Binary Request
 436 |     def create_translate_resource_index_to_address(self, index):
 437 |         command_opcode = 0x16
 438 |         command_data = b"\x64\x00" # Const
 439 |         command_data += struct.pack("<H", index) # Resource Index
 440 |         res3 = b"\x00\x00\x00"
 441 |         return self.create_binary_request(command_opcode=command_opcode, command_data=command_data, res3=res3)
 442 | 
 443 | 
 444 |     # Binary Response
 445 |     def parse_translate_index(self,data):
 446 |         
 447 |         # Move after the PCOM/TCP header
 448 |         if self.isTcp:
 449 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 450 |         
 451 |         if self.debugMode:
 452 |             self.print_pcom_binary(data)
 453 | 
 454 |         if len(data) < 37:
 455 |             return 0
 456 |         
 457 |         # Message Struct:
 458 |         #   OPLC_HEADER (size 24)
 459 |         #   PCOM_DATA (should be <= size 10)
 460 |         #   OPLC_FOOTER (size 3)
 461 | 
 462 |         # PCOM_DATA Struct:
 463 |         #   ???? (size 4)
 464 |         #   Index Address (Size 4)
 465 |         #   Content Length (Size 2)
 466 |         address = data[self.PCOM_HEADER_SIZE + 2: self.PCOM_HEADER_SIZE + 6]
 467 |         size = struct.unpack("<H", data[self.PCOM_HEADER_SIZE + 6: self.PCOM_HEADER_SIZE + 8])[0]
 468 |         return (address, size)
 469 | 
 470 |     
 471 |     # Gets the address of the resource table
 472 |     # Binary Request
 473 |     def create_read_resource_table_address(self):
 474 |         return self.create_translate_resource_index_to_address(0x0d)
 475 | 
 476 | 
 477 |     # Unknown opcode
 478 |     # Binary Request
 479 |     def create_opcode_1a_request(self):
 480 |         command_opcode = 0x1a
 481 |         res3 = b"\x00\x00\x00"
 482 |         return self.create_binary_request(command_opcode=command_opcode, res3=res3)
 483 | 
 484 | 
 485 |     # Binary Response    
 486 |     def parse_opcode_1a(self,data):
 487 |         # Move after the PCOM/TCP header
 488 |         if self.isTcp:
 489 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 490 |         
 491 |         if self.debugMode:
 492 |             self.print_pcom_binary(data)
 493 | 
 494 | 
 495 |     # Parse a single signature record
 496 |     def parse_signature(self,data):
 497 |         reader = BytesIO(data)
 498 |         magic = up_I(reader)
 499 |         print(f"\t[-] Magic: {hex(magic)}")
 500 |         total_len = up_I(reader)
 501 |         print(f"\t[-] Total Len: {hex(total_len)} ({total_len == len(data)})")
 502 | 
 503 |         while reader.tell() < len(data):
 504 |             print(f"\t[-] Signature Topic")
 505 | 
 506 |             unk1 = reader.read(4)
 507 |             print(f"\t\t[-] Unk1: {tx(unk1)}")
 508 |             
 509 |             unk2 = reader.read(4)
 510 |             print(f"\t\t[-] Unk2: {tx(unk2)}")
 511 | 
 512 |             block_size = up_I(reader)
 513 |             print(f"\t\t[-] Size: {hex(block_size)}")
 514 | 
 515 |             name = reader.read(18)
 516 |             name = name.decode("utf-16")
 517 |             print(f"\t\t[-] Name: {name}")
 518 | 
 519 |             if 1000 > block_size > 200:
 520 |                 body = reader.read(block_size-4-4-4-18-4)
 521 |             else:
 522 |                 block_size = 1000 # default
 523 |                 body = reader.read(block_size-4-4-4-18-4)
 524 |             
 525 |             if not (reader.tell() < len(data)):
 526 |                 footer = int.from_bytes(body[-4:],"little")
 527 |                 body = body[:-4]
 528 |             else:
 529 |                 footer = up_I(reader)
 530 |             
 531 |             try:
 532 |                 decompressed_body = zlib.decompress(body[11:],-15)
 533 |                 print(f"\t\t[-] Decompressed Body: {len(decompressed_body)} bytes")
 534 |                 self.parse_decompressed(decompressed_body)
 535 |                 print(f"\t\t[-] Footer: {hex(footer)}")
 536 |             except Exception as e:
 537 |                 pass
 538 |     
 539 | 
 540 |     def parse_decompressed(self, data):
 541 |         
 542 |         try:
 543 |             
 544 |             # data[0x4:0xc] - PC Date
 545 |             pc_date_double, = struct.unpack('<d', data[0x4:0xc])
 546 |             pc_date = datetime.datetime(1899, 12, 30) + datetime.timedelta(pc_date_double)
 547 |             print_body_info("PC Date", pc_date)
 548 | 
 549 |             # data[0xc:0x1c] - GUID
 550 |             guid_tuple = struct.unpack('<IHH2s6s', data[0xc:0x1c])
 551 |             guid_first_part = '-'.join([hex(item).strip('0x').upper() for item in guid_tuple[:-2]])
 552 |             guid_second_part = f"{binascii.hexlify(guid_tuple[-2]).decode().upper()}-{binascii.hexlify(guid_tuple[-1]).decode().upper()}"
 553 |             guid = f"{{{guid_first_part}-{guid_second_part}}}"
 554 |             print_body_info('GUID', guid)
 555 | 
 556 |             # data[0x1c:0x2c] - Username
 557 |             print_body_info('User', data[0x1c:0x2c])
 558 | 
 559 |             # data[0x2c:0x40] - Description
 560 |             print_body_info('Description', data[0x2c:0x40])
 561 | 
 562 |             # data[0x40:0x68] - Path
 563 |             print_body_info('Path', data[0x40:0x68])
 564 | 
 565 |             # data[0x68:0x6a] - DB
 566 |             db, = struct.unpack('<H', data[0x68:0x6a])
 567 |             print_body_info('DB', db)
 568 | 
 569 |             # data[0x6a:0x6c] - Version Created
 570 |             created, = struct.unpack('<H', data[0x6a:0x6c])
 571 |             
 572 |             try:
 573 |                 created_str = str(created)
 574 |                 created_str = f"{created_str[0]}.{created_str[1]}.{created_str[2:]}"
 575 |             
 576 |             except Exception as e:
 577 |                 created_str = str(created)
 578 |             
 579 |             print_body_info('Created Version', created_str)
 580 |             
 581 |             # data[0x6c:0x6e] - Modified Version
 582 |             modified, = struct.unpack('<H', data[0x6c:0x6e])
 583 |             
 584 |             try:
 585 |                 modified_str = str(modified)
 586 |                 modified_str = f"{modified_str[0]}.{modified_str[1]}.{modified_str[2:]}"
 587 |             
 588 |             except Exception as e:
 589 |                 modified_str = str(modified)
 590 |             
 591 |             print_body_info('Modified Version', modified_str)
 592 | 
 593 |             # data[0x6e:0x70] - Booleans bitmask
 594 |             features_bitmask, = struct.unpack('<H', data[0x6e:0x70])
 595 |             features_bitmask_str = bin(features_bitmask)[2:].zfill(16)[::-1]
 596 | 
 597 |             info_table_bit, ladder_bit, ladder_data_bit, page_bit, misc_data_bit, eDT_Reserved1_bit, page_idx_bit, eDT_Reserved2_bit, variables_bit, eDT_Reserved3_bit, counters_bit, functionBlocks_bit, func_blocks_inst_bit, timers_bit, data_tables_bit, hw_config_bit = [bool(int(x)) for x in features_bitmask_str]
 598 | 
 599 |             # data[0x70:0x78] - Unk1/2
 600 |             unk1, unk2 = struct.unpack('<II', data[0x70:0x78])
 601 |             print_body_info('Unk1 (0)', unk1)
 602 |             print_body_info('Unk2 (0)', unk2)
 603 | 
 604 |             # data[0x78:0xb8] - All other integers
 605 | 
 606 |             info_table, ladder, ladder_data, page, misc_data, eDT_Reserved1, page_idx, eDT_Reserved2, variables, eDT_Reserved3, counters, functionBlocks, func_blocks_inst, timers, data_tables, hw_config, eDT_Reserved4 = struct.unpack('<'+'I'*17, data[0x78:0x78 + 4*17])
 607 |             
 608 |             print_body_info(f'Info Tables Downloaded: {info_table_bit} (CRC={info_table})', None)
 609 |             
 610 |             print_body_info(f'Ladder Downloaded: {ladder_bit} (CRC={ladder})', None)
 611 |             
 612 |             print_body_info(f'Ladder Data Downloaded: {ladder_data_bit} (CRC={ladder_data})', None)
 613 |             
 614 |             print_body_info(f'Page Downloaded: {page_bit} (CRC={page})', None)
 615 |             
 616 |             print_body_info(f'Misc.Data Downloaded: {misc_data_bit} (CRC={misc_data})', None)
 617 |             
 618 |             print_body_info(f'eDT_Reserved1 Downloaded: {eDT_Reserved1_bit} (CRC={eDT_Reserved1})', None)
 619 |             
 620 |             print_body_info(f'Pages->Idx Downloaded: {page_idx_bit} (CRC={page_idx})', None)
 621 |             
 622 |             print_body_info(f'eDT_Reserved2 Downloaded: {eDT_Reserved2_bit} (CRC={eDT_Reserved2})', None)
 623 |             
 624 |             print_body_info(f'Variables Downloaded: {variables_bit} (CRC={variables})', None)
 625 |             
 626 |             print_body_info(f'eDT_Reserved3 Downloaded: {eDT_Reserved3_bit} (CRC={eDT_Reserved3})', None)
 627 |             
 628 |             print_body_info(f'Counters Downloaded: {counters_bit} (CRC={counters})', None)
 629 |             
 630 |             print_body_info(f'FunctionBlocks Downloaded: {functionBlocks_bit} (CRC={functionBlocks})', None)
 631 |             
 632 |             print_body_info(f'Function Blocks Instance Downloaded: {func_blocks_inst_bit} (CRC={func_blocks_inst})', None)
 633 |             
 634 |             print_body_info(f'Timers Downloaded: {timers_bit} (CRC={timers})', None)
 635 |             
 636 |             print_body_info(f'Data Tables Downloaded: {data_tables_bit} (CRC={data_tables})', None)
 637 |             
 638 |             print_body_info(f'HW Configuration Downloaded: {hw_config_bit} (CRC={hw_config})', None)
 639 |             
 640 |             # data[0xbc:0xcc] - Connection info
 641 |             conn_info = data[0xbc:0xcc]
 642 |             conn_info_type = conn_info[0]
 643 |             
 644 |             if conn_info_type == 0:
 645 |                 conn_info_general = "Serial"
 646 |                 conn_info_details = conn_info[1:]
 647 |             
 648 |             elif conn_info_type == 3:
 649 |                 conn_info_general = "TCP/IP"
 650 |                 conn_info_ip = socket.inet_ntoa(conn_info[1:5])
 651 |                 conn_info_port, = struct.unpack("<H", conn_info[7:9])
 652 |                 conn_info_details = f"{conn_info_ip} TCP {conn_info_port}"
 653 |             else:
 654 |                 conn_info_general = f"Unknown (type {conn_info_type})"
 655 |                 conn_info_details = conn_info[1:].hex()
 656 |             
 657 |             print_body_info('Connection Info General', conn_info_general)
 658 |             
 659 |             print_body_info('Connection Info Details', conn_info_details)
 660 | 
 661 |             # data[0xcd:0xce] - PLC Reset Event
 662 |             plc_reset_event, = struct.unpack("<B", data[0xcd:0xce])
 663 |             PLC_RESET_DICT = {
 664 |                 0: "None",
 665 |                 1: "Flash",
 666 |                 2: "Password",
 667 |                 3: "Hardware Config",
 668 |                 4: "Function Block",
 669 |                 5: "Memory",
 670 |                 6: "ISC",
 671 |                 7: "Compiled STL Size",
 672 |                 8: "Build All",
 673 |                 9: "User",
 674 |             }
 675 |             plc_reset_event_desc = PLC_RESET_DICT.get(plc_reset_event, f"Unknown") + f" (type {hex(plc_reset_event)})"
 676 |             print_body_info('PLC Reset', plc_reset_event_desc)
 677 | 
 678 |             # data[0xd4:0xd8] - UnitID
 679 |             unitid, = struct.unpack("<I", data[0xd4:0xd8])
 680 |             print_body_info('Unit ID', unitid)
 681 | 
 682 |             #data[0xe4:0xe8] - User OS
 683 |             pc_os_type, = struct.unpack("<f", data[0xe4:0xe8])
 684 |             pc_os_desc = "Unknown"
 685 |             
 686 |             if pc_os_type == 5.0:
 687 |                 pc_os_desc = "Windows XP"
 688 |             
 689 |             elif pc_os_type == 6.0:
 690 |                 pc_os_desc = "Windows 7 or later"
 691 |             
 692 |             else:
 693 |                 pc_os_desc = "Windows Unknown"
 694 | 
 695 |             pc_os_desc = f"{pc_os_desc} (type {pc_os_type})"
 696 |             print_body_info('PC OS', pc_os_desc)
 697 | 
 698 |             # data[0xe8:0x128] - User Computer Langauge
 699 |             language = data[0xe8:0x128]
 700 |             print_body_info('Language', language)
 701 | 
 702 |             # data[0x128:0x138] - PLC Model
 703 |             plc_model = data[0x128:0x138]
 704 |             print_body_info('PLC Model', plc_model)
 705 |             
 706 |             # data[0x138:0x148] - PLC Boot Version
 707 |             boot = data[0x138:0x148]
 708 |             print_body_info('Boot', boot)
 709 | 
 710 |             # data[0x148:0x158] - PLC Bin Lib Version
 711 |             bin_lib = data[0x148:0x158]
 712 |             print_body_info('BinLib', bin_lib)
 713 | 
 714 |             # data[0x158:0x168] - PLC Factory Boot Version
 715 |             factory_boot = data[0x158:0x168]
 716 |             print_body_info('Factory Boot', factory_boot)
 717 | 
 718 |             # data[0x168:0x16c] - User Connection Timeout
 719 |             timeout_ms, = struct.unpack("<I", data[0x168:0x16c])
 720 |             print_body_info('Timeout (ms)', timeout_ms)
 721 | 
 722 |             # data[0x16c:0x170] - User Connection Retry Count
 723 |             retry_count, = struct.unpack("<I", data[0x16c:0x170])
 724 |             print_body_info('Retry Count', retry_count)
 725 | 
 726 |             # data[0x170:] - Download Type
 727 |             download_type = data[0x170:]
 728 |             print_body_info('Download Type', download_type)
 729 | 
 730 |         except struct.error as e:
 731 |             print(f"\t\t{WARNING}[x] Warning: Struct failed to unpack a field.{ENDC}")
 732 |             return
 733 | 
 734 |         except Exception as e:
 735 |             print(f"Error: {e}")
 736 |     
 737 | 
 738 |     # Binary request
 739 |     def create_check_password_request(self, password):
 740 |         opcode = 0x02
 741 |         res3 = b"\x00\x00\x00"
 742 |         password = password[:8].ljust(8," ").encode()
 743 |         return self.create_binary_request(command_opcode=opcode, command_data=password, res3=res3)
 744 | 
 745 | 
 746 |     # Binary Response
 747 |     def parse_check_password(self, data):        
 748 |         # Move after the PCOM/TCP header
 749 |         if self.isTcp:
 750 |             data = data[self.PCOM_TCP_HEADER_SIZE:]
 751 |         
 752 |         if self.debugMode:
 753 |             self.print_pcom_binary(data)
 754 | 
 755 |         opcode = data[12]
 756 |         reserved = data[13]
 757 |         
 758 |         if opcode == 0x82 and reserved == 0x64:
 759 |             return True
 760 |         
 761 |         return False
 762 |     
 763 | 
 764 | def do_read(sock, pcom_client, addr, length, flag, read_size=976):
 765 |     pcom = pcom_client
 766 |     read_bytes = 0
 767 |     res = b""
 768 | 
 769 |     while read_bytes < length:
 770 |         print(f"\r[-] Reading from address: {hex(addr)} ({(read_bytes/length)*100:.2f}%)      ", end="")
 771 |         size = min(read_size, length-read_bytes)
 772 |         read_mem = pcom.create_read_memory(struct.pack("<I", addr), size, flag=flag)
 773 |         sock.send(read_mem)
 774 |         read_bytes += size
 775 |         addr += size
 776 |         resp = sock.recv(1024*5)
 777 |         res += pcom.extract_pcom_data(resp)
 778 |     
 779 |     print(f"\r[-] Read is completed (100%)                                                    ", end="")
 780 |     print("")
 781 |     
 782 |     return res
 783 | 
 784 | 
 785 | def do_write(sock, pcom_client, addr, data, flag):
 786 |     pcom = pcom_client
 787 |     write_size = 976
 788 |     write_bytes = 0
 789 |     length = len(data)
 790 |     res = b""
 791 |     
 792 |     while write_bytes < length:
 793 |         print(f"\r[-] Writing to address: {hex(addr)} ({(write_bytes/length)*100:.2f}%)      ", end="")
 794 |         size = min(write_size, length-write_bytes)
 795 |         current_data_chunk = data[write_bytes:write_bytes+size]
 796 |         write_mem = pcom.create_write_memory(struct.pack("<I", addr), size, current_data_chunk, flag=flag)
 797 |         sock.send(write_mem)
 798 |         write_bytes += size
 799 |         addr += size
 800 |         resp = sock.recv(1024*5)
 801 |         pcom.extract_pcom_data(resp)
 802 |     
 803 |     print(f"\r[-] Write is completed (100%)                                                    ", end="")
 804 |     
 805 |     print("")
 806 | 
 807 | 
 808 | def print_firmware_version(data):
 809 |     
 810 |     if type(data) in [bytes, str]:
 811 |         print(f"\t[-] Unknown Model (model: {data})")
 812 |     
 813 |     else:
 814 |         print("\t[-] Model: " + data.get("model_desc"))
 815 |         print("\t[-] HW Rev: " + data.get("hw_rev"))
 816 |         is_ft_exists = False
 817 |     
 818 |         for fw_ver in data["fw_ver"]:
 819 |             fw_ver_type = fw_ver.get("type")
 820 |             if fw_ver_type == "FT":
 821 |                 is_ft_exists = True
 822 |             fw_ver_version = fw_ver.get("version")
 823 |             print(f"\t[-] {PCOM_CLIENT.FW_TYPE_TO_NAME.get(fw_ver_type,fw_ver_type)}: {fw_ver_version}")
 824 |     
 825 |         if not is_ft_exists and len(data.get("leftover","")) == 8:
 826 |             binlib_ver_full = data.get("leftover")
 827 |             binlib_ver = f"{binlib_ver_full[0:1]}-{binlib_ver_full[1:2]}.{binlib_ver_full[2:4]} ({binlib_ver_full[4:8]})"
 828 |             print("\t[-] BinLib: " + binlib_ver)    
 829 | 
 830 | 
 831 | def print_plc_name(sock, pcom_client):
 832 |     s = sock
 833 |     pcom = pcom_client
 834 |     # --> (B) Get Name Req (0c)
 835 |     get_name_req = pcom.create_read_plc_name()
 836 |     s.send(get_name_req)
 837 |     # <-- (B) Get Name Res (8c)
 838 |     resp = s.recv(1024*5)
 839 |     plc_name = pcom.parse_read_plc_name(resp)
 840 |     print(f"\t[-] PLC Name: {plc_name.decode()}")
 841 | 
 842 | 
 843 | def print_plc_firmware(sock, pcom_client):
 844 |     s = sock
 845 |     pcom = pcom_client
 846 |     # --> (A) Get Versions Req (ID)
 847 |     get_versions_req = pcom.create_read_plc_versions()
 848 |     s.send(get_versions_req)
 849 |     # <-- (A) Get Versions Res (ID)
 850 |     resp = s.recv(1024*5)
 851 |     firmware_version_raw = pcom.parse_version(resp)
 852 |     print_firmware_version(firmware_version_raw)
 853 | 
 854 | 
 855 | def print_plc_unitid(sock, pcom_client):
 856 |     s = sock
 857 |     pcom = pcom_client
 858 |     # --> (A) Get UnitID (UG) Req  (UG)
 859 |     get_unitid_req = pcom.create_read_unitID()
 860 |     s.send(get_unitid_req)
 861 |     # <-- (A) Get UnitID (UG) Res  (UG)
 862 |     resp = s.recv(1024*5)
 863 |     unitId = pcom.parse_read_unitID(resp)
 864 |     print(f"\t[-] UnitID: {unitId.decode()}")
 865 | 
 866 | 
 867 | def print_signature_table(sock, pcom_client):
 868 |     # Directions:
 869 |     # Client (EWS) <--> Server (PLC)
 870 |     # Type of Connection:
 871 |     # (B)inary (A)scii
 872 |     # --> (B) Get Name Req (0c)                     
 873 |     # <-- (B) Get Name Res (8c)                     
 874 |     # --> (A) Get Versions Req (ID)                 
 875 |     # <-- (A) Get Versions Res (ID)                 
 876 |     # --> (B) Read Operands Req (4D)                
 877 |     # <-- (B) Read Operands Res (CD)                
 878 |     # --> (A) Get UnitID (UG) Req  (UG)             
 879 |     # <-- (A) Get UnitID (UG) Res  (UG)             
 880 |     # --> (B) Get Resource Table Address Req (16)   
 881 |     # <-- (B) Get Resource Table Address Res (96)   
 882 |     # --> (B) Opcode 0x1a Req  (1A)                 
 883 |     # <-- (B) Opcode 0x1a Res  (9A)                 
 884 |     # --> (B) Read Resource Table Memory Req  (01)  
 885 |     # <-- (B) Read Resource Table Memory Res  (81)  
 886 |     # --> (B) Get Signature Address Req (16)        
 887 |     # <-- (B) Get Signature Address Res (96)        
 888 |     # --> (B) Opcode 0x1a Req  (1A)                 
 889 |     # <-- (B) Opcode 0x1a Res  (9A)                 
 890 |     # --> (B) Read Signature Table Memory Req  (01) 
 891 |     # <-- (B) Read Signature Table Memory Res  (81) 
 892 | 
 893 |     s = sock
 894 |     pcom = pcom_client
 895 | 
 896 |     # --> (B) Read Operands Req (4D) 
 897 |     read_operand_req = pcom.create_read_operand()
 898 |     s.send(read_operand_req)
 899 |     # <-- (B) Read Operands Res (CD)
 900 |     resp = s.recv(1024*5)
 901 | 
 902 |     # --> (B) Get Resource Table Address Req (16)
 903 |     get_resource_table_address_req = pcom.create_read_resource_table_address()
 904 |     s.send(get_resource_table_address_req)
 905 |     # <-- (B) Get Resource Table Address Res (96)
 906 |     resp = s.recv(1024*5)
 907 |     rTable_addr, rTable_size = pcom.parse_translate_index(resp)
 908 |     rTable_addr_hex = hex(struct.unpack("<I", rTable_addr)[0])
 909 |     print(f"\t[-] Resource Table Address: {rTable_addr_hex} Size: {hex(rTable_size)}")
 910 | 
 911 |     # --> (B) Opcode 0x1a Req  (1A)
 912 |     flush_req = pcom.create_opcode_1a_request()
 913 |     s.send(flush_req)
 914 |     # <-- (B) Opcode 0x1a Res  (9A)
 915 |     resp = s.recv(1024*5)
 916 |     pcom.parse_opcode_1a(resp)
 917 | 
 918 |     # --> (B) Read Resource Table Memory Req  (01)
 919 |     read_rTable_memory = pcom.create_read_memory(rTable_addr, rTable_size, flag=4)
 920 |     s.send(read_rTable_memory)
 921 |     # <-- (B) Read Resource Table Memory Res  (81)
 922 |     resp = s.recv(1024*5)
 923 |     sigTable_index = pcom.parse_read_resource_table(resp)
 924 |     print(f"\t[-] Signature Table Index: {sigTable_index}")
 925 | 
 926 |     # --> (B) Get Signature Address Req (16)
 927 |     get_signature_table_address_req = pcom.create_translate_resource_index_to_address(sigTable_index)
 928 |     s.send(get_signature_table_address_req)
 929 |     # <-- (B) Get Signature Address Res (96)
 930 |     resp = s.recv(1024*5)
 931 |     sigTable_address, sigTable_size = pcom.parse_translate_index(resp)
 932 |     sigTable_address_hex = hex(struct.unpack("<I", sigTable_address)[0])
 933 |     print(f"\t[-] Signature Table Address: {sigTable_address_hex} Size: {hex(sigTable_size)}")
 934 | 
 935 |     # --> (B) Opcode 0x1a Req  (1A)
 936 |     flush_req = pcom.create_opcode_1a_request()
 937 |     s.send(flush_req)
 938 |     # <-- (B) Opcode 0x1a Res  (9A)
 939 |     resp = s.recv(1024*5)
 940 |     pcom.parse_opcode_1a(resp)
 941 | 
 942 |     # --> (B) Read Signature Table Memory Req  (01)
 943 |     # <-- (B) Read Signature Table Memory Res  (81) - Check
 944 |     addr = struct.unpack("<I", sigTable_address)[0]
 945 |     sig_table_data = do_read(sock=s, pcom_client=pcom, addr=addr, length=sigTable_size, flag=4)
 946 |     sigTable = pcom.parse_signature(sig_table_data)
 947 | 
 948 | 
 949 | def read_project_zip(sock, pcom_client):
 950 |     s = sock
 951 |     pcom = pcom_client
 952 |     where_resource_id_req = pcom.create_where_resource(resource_id=RESOURCE_ID_PROJECT_ZIP)
 953 |     s.send(where_resource_id_req)
 954 |     resp = s.recv(1024*5)
 955 |     addr, size, res_id = pcom.parse_where_resource(resp)
 956 |     print(f"[-] Reading project file from {hex(addr)} with size {hex(size)}")
 957 |     project_zip_data = do_read(sock=s, pcom_client=pcom, addr=addr, length=size, flag=res_id) # flag should be 1
 958 |     return project_zip_data
 959 | 
 960 | 
 961 | def read_and_save_project_zip(sock, pcom_client):
 962 |     name = f"project_{int(time.time())}.zip"
 963 |     project_zip = read_project_zip(s, pcom)
 964 |     project_zip = project_zip[0x2a:]
 965 |     with open(name, "wb") as f:
 966 |         f.write(project_zip)
 967 | 
 968 | 
 969 | def read_memory(sock, pcom_client, loc_type=1, start=0, end=0x100000):
 970 |     s = sock
 971 |     pcom = pcom_client
 972 |     print(f"[-] Dumping RAM from from address {hex(start)} to address {hex(end)} (flag={loc_type})")
 973 |     data = do_read(sock=s, pcom_client=pcom, addr=start, length=end-start, flag=loc_type)
 974 |     with open(f"ram_{hex(start)}_{hex(end)}_flag_{loc_type}_{time.time()}.bin", "wb") as f:
 975 |         f.write(data)
 976 | 
 977 | 
 978 | def write_memory(sock, pcom_client, addr, data, loc_type=1):
 979 |     s = sock
 980 |     pcom = pcom_client
 981 |     print(f"[-] Writing memory from from address {hex(addr)} with size {hex(len(data))} (flag={loc_type})")
 982 |     do_write(sock, pcom_client, addr, data, loc_type)
 983 | 
 984 | 
 985 | def upload_auth(sock, pcom_client, password=PASSWORD_DEFAULT):
 986 |     s = sock
 987 |     pcom = pcom_client
 988 |     print(f"[-] Trying to check upload_auth with password: '{password}'")
 989 |     # --> (B) Opcode 0x02 Req
 990 |     req_pass = pcom.create_check_password_request(password)
 991 |     s.send(req_pass)
 992 |     # <-- (B) Opcode 0x82 Res
 993 |     resp = s.recv(1024*5)
 994 |     is_ok = pcom.parse_check_password(resp)
 995 |     if is_ok:
 996 |         print(f"\t[-] Password: OK")
 997 |         return True
 998 |     else:
 999 |         print(f"\t[-] Password: Bad")
1000 |         return False
1001 | 
1002 | 
1003 | def main():
1004 |     ip_addr = sys.argv[1]
1005 |     pcom = PCOM_CLIENT(isTcp=True, debugMode=False)
1006 |     s = socket.socket()
1007 |     port = 20256
1008 |     s.connect((ip_addr, port))
1009 | 
1010 |     print_plc_name(s, pcom)
1011 |     print_plc_firmware(s, pcom)
1012 |     print_plc_unitid(s, pcom)
1013 |     print_signature_table(s, pcom)
1014 |     read_and_save_project_zip(s, pcom)
1015 |     
1016 |     
1017 | if __name__ == "__main__":
1018 |     main()
1019 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pyserial


--------------------------------------------------------------------------------