SiemensS7-Bootloader

Ask for help: unable to communicate with PLC via UART

Open · wuccangel opened this issue 3 years ago • 1 comment

Sending "FFFFMFGT1" via UART, the PLC does not return a message; S7-1200 1212C DC/DC/DC 6ES7212-1AE40-0XB0; FW 4.2.3; hope to get help, thanks, thanks, thanks. Here is my code:

```cpp
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string>      // the three C++ headers were lost in the original paste
#include <vector>
#include <iostream>
using namespace std;

int main() {
    HANDLE hcom = CreateFile(TEXT("COM3"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hcom == INVALID_HANDLE_VALUE) {
        printf("open error\n");
        return 1;                       // original carried on with an invalid handle
    }

    DCB dcb = {0};
    dcb.DCBlength = sizeof(dcb);
    if (!GetCommState(hcom, &dcb)) { printf("GetCommState error\n"); return 1; }
    dcb.BaudRate = 38400;
    //dcb.BaudRate = 115200;
    dcb.StopBits = ONESTOPBIT;          // original literal 1 selects ONE5STOPBITS (1.5 stop bits), not 1
    dcb.Parity = EVENPARITY;            // original literal 2 = even parity, kept
    dcb.ByteSize = 8;
    //dcb.fOutX = 1;
    //dcb.fInX = 1;
    //dcb.fBinary = 1;
    //dcb.fParity = 1;
    if (!SetCommState(hcom, &dcb)) { printf("SetCommState error\n"); return 1; }  // result was ignored before

    // Probe as originally built: four 'A' bytes followed by the magic string.
    string magic = "MFGT1";
    string pad(4, 'A');
    pad.append(magic);
    DWORD written = 0;
    do {
        COMSTAT rcs = {0};
        DWORD dwerror = 0;
        char recv_buf[100] = {0};
        DWORD rc_len = 0;
        ClearCommError(hcom, &dwerror, &rcs);
        // Bound the read to the buffer; the original passed cbInQue unbounded (stack overflow risk).
        DWORD want = rcs.cbInQue < sizeof(recv_buf) - 1 ? rcs.cbInQue : sizeof(recv_buf) - 1;
        if (want > 0 && ReadFile(hcom, recv_buf, want, &rc_len, NULL) && rc_len > 0) {
            string buf(recv_buf, rc_len);   // length-bounded: received bytes may contain NUL
            if (buf.find("CPU") != string::npos) {   // find() returns npos, not -1
                printf("buf = %s\n", buf.c_str());
                getchar();
            }
            printf("recv message len = %lu\n", (unsigned long)rc_len);
            printf("recv message:%s\n", buf.c_str());
            for (DWORD i = 0; i < rc_len; i++) {
                printf("%02x ", (unsigned char)recv_buf[i]);   // cast avoids sign extension of high bytes
            }
            printf("\n");
        }
        PurgeComm(hcom, PURGE_TXCLEAR | PURGE_RXCLEAR);
        //Sleep(300);
    } while (WriteFile(hcom, pad.c_str(), (DWORD)pad.length(), &written, NULL));

    CloseHandle(hcom);
    return 0;
}
```

wuccangel · Mar 17 '23 02:03

New attempts in 2025: attempted to inject the MFGT1 string within the 0.5-second window with several PLCs (1211C v3.0, 1212C v4.2.7) without success. 38400 baud, 8-bit. I only receive echo responses from the PLCs. Do you include two bytes 0xFF before the MFGT1 string? Can you provide details on anything not documented that would help establish the initial connection to the bootloader? Thanks

framuga · Nov 15 '25 11:11