Using HarpoS7 with 6ES7511-1AK02-0AB0 #3

Closed
Schneggo opened this issue Jun 4, 2024 · 18 comments · Fixed by #4
Comments

Schneggo commented Jun 4, 2024

Found your project and love it!
I wanted to ask if you plan on doing the encryption for physical PLCs.

I'm currently trying to run HarpoS7 with a 6ES7511-1AK02-0AB0 myself and keep getting stuck at the SetMultivarsRequest.
So far I have figured out almost all of the offsets that differ.
I'm using the public key "S1500" and TIA V16 for my project.
The blob length on my side is 180 and the public key is 40 bytes long.

I added a zip with two Wireshark dumps:

Do you maybe have an idea what else I would have to change for it to work?
I could also share my project if you're interested.

bonk-dev (Owner) commented Jun 4, 2024

I'm glad to hear that! I'll try to look at it but first I need to get my reversing setup up and working again.
I also finally got my hands on real PLCs so I will look into getting Harpo working on real ones as well.

bonk-dev added the "bug" label Jun 4, 2024
Schneggo (Author) commented Jun 4, 2024

Amazing!
Thank you, and if I can help you somehow just let me know.

bonk-dev (Owner) commented Jun 5, 2024

So far, I've found that different algorithms get used when the PLC sends a 0x00 key type (Unspecified) instead of 0x03 (ConnectionKey - I think) used by the PLCSIMs. I need to dig deeper, and it probably will take some time.

It's not all different, though. Some of the algs are reused, like the key ID derivation obviously and the pseudorandom number generator.

bonk-dev (Owner):

@Schneggo Hi, I'm sorry it's taking so long, but I had to finish a project at work. I've found some new 'obfuscated' functions and I'll probably have to develop some new tools and find patterns (just as I had to do for the challenge fingerprint function).

bonk-dev (Owner) commented Jul 4, 2024

I think I won't bother trying to 'deobfuscate' these functions and just use them as is. They are large blocks of bitwise operations and I'm not really familiar with dealing with MBAs yet.

Schneggo (Author) commented Jul 4, 2024

No worries, just take your time.
And thank you for keeping me updated :D 👍

bonk-dev added the "enhancement" label Jul 18, 2024
bonk-dev (Owner) commented Aug 6, 2024

@Schneggo I think it should work, but I might have gotten some offsets mixed up because I don't have a PLC at hand at the moment.

I've published a PoC release (it should automatically determine whether you are connecting to a PLCSIM or a real PLC and adjust offsets accordingly and you can pass the IP address and port by command line now instead of recompiling the binary).

You can find it here.

If you're interested, you can take a look at the issue-3 branch.

bonk-dev self-assigned this Aug 6, 2024
bonk-dev (Owner) commented Aug 6, 2024

I forgot to mention that there is no need for dumping public keys etc. I've added a default public key store which contains all of the keys dumped from TIA Portal V16.

bonk-dev (Owner) commented Aug 7, 2024

I've fixed the Release variant and added support for S7-1200 (family0 keys, which are used by S7-1500, are used the same way as family1 keys, which are used by S7-1200).

I've also tested the PoC on my real S7-1200 and it authenticated successfully.

Here's the improved version: https://github.com/bonk-dev/HarpoS7/releases/tag/v1.1.0-pre2

bonk-dev removed the "bug" label Aug 7, 2024
peterbelica:

Hello, I tested your patched version v1.1.0-pre2 on my real S7-1200 PLC, 6ES7214-1BG40-0XB0, and I can confirm that the library authenticated successfully. Great work.
Now, after successful auth with the PLC, I started testing password legitimation as well. I was able to send a correct S7 packet with a correct 32-byte integrity part (calculation of the integrity part seems to work properly on real PLCs too) and with a GetVarSubStreamed request. From the response I extracted the 20-byte passChallenge and called LegitimateScheme.SolveLegitimateChallenge(). But here I am receiving an unhandled exception:
Unhandled exception. System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
   at HarpoS7.Seed.HarpoSeedUtilities.OmsReverseRows in ..\HarpoS7\Seed\HarpoSeedUtilities.cs:line 76
What I found out is that this is connected with the publicKey not being 64 bytes long, but only 40 bytes long for the S7-1200. This is causing problems at data2.ReverseBytes.
Unfortunately, I was not able to move forward with this.
If you could possibly also look at this part of the code, that would be great. I can help with other testing on my real PLC setup.
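
As an added illustration of the failure mode peterbelica describes above (this is not HarpoS7's code; the row width and the row-reversal step are hypothetical stand-ins and do not reproduce the real OmsReverseRows semantics), the following contrasts a transform that hard-codes a 64-byte public key with one that derives everything from the actual key length and rejects unexpected lengths up front. The 40-byte key length is the one reported in this thread for the S7-1200 and S7-1500; the sample keys are constructed, not dumped from a PLC.

```python
# Added illustration (not HarpoS7 code): fixed-size assumption on the public key
# length versus length-driven processing. ROW_LEN and the per-row reversal are
# hypothetical stand-ins, not the real OmsReverseRows / ReverseBytes semantics.

KEY_LENGTHS_SEEN = {40, 64}   # 40 bytes reported in this thread; 64 assumed by the failing code
ROW_LEN = 8                   # hypothetical row width


def reverse_rows_fixed64(key: bytes) -> bytes:
    """Buggy variant: hard-codes eight rows of eight bytes (a 64-byte key).

    Indexing byte-by-byte reproduces the reported failure mode: on a 40-byte
    key the sixth row reads past the end and raises IndexError (the Python
    analogue of the ArgumentOutOfRangeException in the report).
    """
    out = bytearray(64)
    for row in range(8):
        for i in range(ROW_LEN):
            out[row * ROW_LEN + i] = key[row * ROW_LEN + (ROW_LEN - 1 - i)]
    return bytes(out)


def reverse_rows(key: bytes, row_len: int = ROW_LEN) -> bytes:
    """Length-driven variant: reverse every row of `row_len` bytes for any key
    whose length is a multiple of the row width, and reject anything else with
    a clear error before the transform instead of an out-of-range access inside it."""
    if len(key) not in KEY_LENGTHS_SEEN:
        raise ValueError(
            f"unsupported public key length {len(key)}; expected one of {sorted(KEY_LENGTHS_SEEN)}"
        )
    if len(key) % row_len:
        raise ValueError(f"key length {len(key)} is not a multiple of row width {row_len}")
    return b"".join(key[i:i + row_len][::-1] for i in range(0, len(key), row_len))


def demo() -> dict:
    """Run both variants on a constructed 40-byte and 64-byte key; return what happened."""
    key40 = bytes(range(40))   # constructed sample, not a real PLC key
    key64 = bytes(range(64))   # constructed sample
    results = {"fixed64_on_64": reverse_rows_fixed64(key64) == reverse_rows(key64)}
    try:
        reverse_rows_fixed64(key40)
        results["fixed64_on_40"] = "ok"
    except IndexError:
        results["fixed64_on_40"] = "IndexError"
    results["generic_on_40_len"] = len(reverse_rows(key40))
    try:
        reverse_rows(bytes(41))
        results["generic_on_41"] = "ok"
    except ValueError:
        results["generic_on_41"] = "ValueError"
    return results


if __name__ == "__main__":
    print(demo())
```

The point is the shape of the fix rather than the arithmetic: any step that reverses, permutes or splits the public key should take its bounds from the key it was handed, and a length the code has not been written for should fail at the call boundary with a message naming the length, not deep inside a seed utility.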

bonk-dev (Owner) commented Aug 8, 2024

@peterbelica That's great, thanks a lot!
When it comes to SolveLegitimateChallenge, I honestly forgot to test it, but I'll happily look into it soon.

bonk-dev (Owner):

I got it to work on my S7-1200! I'm going to add the packets for S7-1500 to the PoC and release a new version soon (probably tomorrow).

(screenshot: s7-1200-legitimation)

Schneggo (Author):

Thank you very much.
I will test it as soon as I can when the new version is ready and let you know if it works 👍

bonk-dev (Owner):

Here's the pre3 version: https://github.com/bonk-dev/HarpoS7/releases/tag/v1.1.0-pre3.
I couldn't get a hold of an S7-1500, so I tried to modify the S7-1200 packets instead.
I'd appreciate it if you could send me the Wireshark dumps - even if it worked.

Schneggo (Author):

Amazing!
I will test it in the next few days and send you the Wireshark dumps.

Thank you for your effort!

Schneggo (Author):

Tested it with a 6ES7516-3AN02-0AB0 and it worked.
The dump also looks fine to me. (Added it to a zip file since GitHub doesn't allow the upload of .pcapng.)
Great job!
(screenshot: HarpoSuccess)
(attachment: Wiresharkdump - 22.08.2024.zip)

bonk-dev (Owner):

That's great!
In that case I'll leave this issue open for a bit longer in case anyone else wants to test this on their own hardware.

peterbelica:

Hello,
I tested on my S7-1200 (6ES7214-1BG40-0XB0) and it worked successfully too.
Good job, thank you for your work!

Attached is my Wireshark dump, first with the wrong password, then with the correct one.
(screenshot: S7-1200_passOK)
(attachment: S7-1200_passNG+passOK.zip)

bonk-dev linked a pull request Aug 26, 2024 that will close this issue