Open Schneggo opened 1 month ago
I'm glad to hear that! I'll try to look at it but first I need to get my reversing setup up and working again. I also finally got my hands on real PLCs so I will look into getting Harpo working on real ones as well.
Amazing! Thank you, and if I can help you somehow just let me know.
So far, I've found that different algorithms get used when the PLC sends a 0x00 key type (Unspecified) instead of 0x03 (ConnectionKey - I think) used by the PLCSIMs. I need to dig deeper, and it probably will take some time.
It's not all different, though. Some of the algs are reused, like the key ID derivation obviously and the pseudorandom number generator.
@Schneggo Hi, I'm sorry it's taking so long but I had to finish a project at work. I've found some new 'obfuscated' functions and I'll probably have to develop some new tools and find patterns (just as I had to do for the challenge fingerprint function).
I think I won't bother trying to 'deobfuscate' these functions and just use them as is. They are large blocks of bitwise operations and I'm not really familiar with dealing with MBAs yet.
No worries, just take your time. And thank you for keeping me updated :D 👍
Found your project and love it! I wanted to ask if you plan on doing the encryption for physical SPS.
I'm currently trying to run HarpoS7 with a 6ES7511-1AK02-0AB0 myself and keep getting stuck at the SetMultivarsRequest. So far I have figured out almost all of the offsets which differ. I'm using the public key "S1500" and TIA V16 for my project. The blob length on my side is 180 and the public key is 40 bytes long.
I added a zip with two Wireshark dumps:
Do you maybe have an idea what else I would have to change so that it would work? I could also share my project if you're interested.