Blaukovitch / OKUMA_CNC

okumagrd response
GNU General Public License v2.0

is this code used for connecting to relocation detection unit in okuma CNCs? #1

Open MPI4sec opened 8 months ago

MPI4sec commented 8 months ago

how can I use this code?

Blaukovitch commented 8 months ago

@MPI4sec, greetings! Absolutely correct - OKUMA CNC uses its own COM library TRANSDETECTAP in the Windows environment to interrogate 11 different commands:

    typedef enum OKUMA_ID
    {
        OKUMA_UNKNOWN = 0,
        OKUMA_BYTE_1,
        OKUMA_DWORD_2,
        OKUMA_BYTE_3,
        OKUMA_PASSWORD_4,
        //not defined
        ...

        OKUMA_FILETIME_7,
        OKUMA_BYTE_8,
        OKUMA_DWORD_9,
        OKUMA_DWORD_10,
        OKUMA_DWORD_11,
        OKUMA_DWORD_12,
    }ENUM_OK_ID;

Commands imply exchange of data of various lengths (DWORD, BYTE, struct FILETIME) with the CNC hardware. The point is that the correct data for location must be returned. There are two modes of data access - read and write. Not all commands (depending on the machine) can support writing, but most of them are readable.

You must compile an executable .exe file (preferably in the Visual Studio 6.0 environment) and run it on the CNC machine to output each of the 11 commands. This is only part of the hacking solution - the implementation of the software communication of OKUMA with the hardware must be looked at individually for each CNC model.

MPI4sec commented 8 months ago

Thank you very much for your reply Reinard,

I compiled your code (let me name the compiled file TEST.exe) with MSVC++ v6.0 (the same version as the compiler that TRANSDETECTAP.DLL was compiled with) and sent all 11 commands to the SSU-RD2 unit, but two events occurred:

1. There is one DLL (TRANSDETECTKS.DLL) that is loaded by VOLUNCHER.EXE before OSPDLGRD.exe execution starts. When I run TEST.exe after VOLUNCHER.EXE, all commands sent by the TEST.exe program return an error (access error) except Okuma_DWORD_2, which returns an integer number.

2. If I run TEST.exe before Voluncher.exe execution, every command runs successfully.

By the way, to bypass the password, I reverse engineered the OSPDLGRD.EXE program and led the execution flow to another Dlgbox (there are 3 Dlgboxes in OSPDLGRD.exe, two of which did not want any password). After that all peripherals run successfully, but NC did not start and the HMI (ebisview) shows alarm 2090 (the remaining time after relocation has passed).

It would be my pleasure if you guide me bypassing the password without error and starting NC drive completely. Regards.


Blaukovitch commented 7 months ago

@MPI4sec, I updated the OKUMA_CNC.cpp. You have 10 variables in the CNC and you need to view the current values of them:

    TEST_DWORD(OKUMA_DWORD_12);
    TEST_DWORD(OKUMA_DWORD_11);
    TEST_DWORD(OKUMA_DWORD_10);
    TEST_DWORD(OKUMA_DWORD_9);
    TEST_BYTE (OKUMA_BYTE_8);
    TEST_FILETIME(OKUMA_FILETIME_7);
    TEST_STRING(OKUMA_PASSWORD_4);
    TEST_BYTE  (OKUMA_BYTE_3);
    TEST_DWORD (OKUMA_DWORD_2);
    TEST_BYTE  (OKUMA_BYTE_1);

Every TEST_ subroutine shows two states: GET/SET (Read/Write) attribute.

You end up with some SET/GET (Read/Write) variable table on your screen. The idea was to write (SET) the correct configuration of values to the CNC hardware at once. But this requires that all 10 values support the write (SET) functionality. Most likely, two of these values will not have this feature (an error will be returned, the code of which is decoded in const char* okumagrd_error_code_to_stringA(OKUMA_ERRORS Err_code)). Unfortunately, I can't say exactly in your case - you need to look at the CNC software individually, but unfortunately I don't have time. Nevertheless, if you run the compiled version of OKUMA_CNC, you should get this magic SET/GET table and you will have an understanding of what exactly the travel protection is bound to.

MPI4sec commented 6 months ago

Thanks, @Blaukovitch, these are my results after compiling and executing your code on the OKUMA machine:

Hello OKUMA! 1     v2.0
+---------------------- [ 12        DWORD ]-------------------------------------+
GET< 0          NO_ERROR
SET>            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)

+---------------------- [ 11-Time Remaining to Enter Password(in Hours)        DWORD ]-------------------------------------+
GET< 0          NO_ERROR
SET>            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)

+---------------------- [ 10-Starting CNC        DWORD ]-------------------------------------+
GET<            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)
SET> 0          NO_ERROR

+---------------------- [ 9         DWORD ]-------------------------------------+
GET< 0          NO_ERROR
SET>            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)

+---------------------- [ 8         BYTE  ]-------------------------------------+
GET< 0          NO_ERROR
SET>            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)

+---------------------- [ 7-CNC Time      FILETIME ]-------------------------------------+
GET< 0          0     (null)
SET> 0          0     (null)

+---------------------- [ 4-CNC Password       STRING ]-------------------------------------+
GET<            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)
SET> 0          NO_ERROR

+---------------------- [ 3-CNC Relocation Error Code         BYTE  ]-------------------------------------+
GET< 224        NO_ERROR
SET>            DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)

+---------------------- [ 2-CNC Password Size         DWORD ]-------------------------------------+
GET< 20         NO_ERROR
SET> 30         NO_ERROR

+---------------------- [ 1         BYTE  ]-------------------------------------+
GET< 1          NO_ERROR
SET> 1          DIALOGRD INTERNAL FATAL ERROR: Access Refuse(Read/Write)

It appears that four individuals (numbers 2, 4, 7, and 10) had permission to SET data into the CNC system, while eight individuals (numbers 1, 2, 3, 7, 8, 9, 11, and 12) were authorized to retrieve data from the system. Regarding the OSPDLGRD.exe program, if the error code for relocation (get_nc_data(3)) is equal to zero (in my case, get_nc_data(3)=224 (E0)), then only the set_nc_data(10) is executed with payload 1, and the CNC system starts operating correctly (although this did not occur in my case). I don't know what I can do anymore! :(

Blaukovitch commented 6 months ago

Access Refuse(Read/Write) - therein lies the problem. Not all values in the CNC machine can be changed from the outside in this way with a program. In the case where values could be set (written) this would immediately solve the issue by correcting the movement of the equipment. As far as I remember, CNC Password(4) had to be entered to continue the correct operation of the CNC software. There may be a last option - to patch the entire OKUMA software on the CNC machine, but this is an extremely difficult and risky job, and I also need the OKUMA CNC machine itself :/