Actions
Forum Thread Details
  • Replies 8 replies
  • Subscribers 48 subscribers
  • Views 110 views
  • Users 0 members are here
Related

"Its all the same"

SensoredHacker0

Some internet jerk made a snide comment today about someone else’s light-hearted Linux install project. It shouldn’t have stuck with me, but it did. It woke me up hours later with a thought I couldn’t shake:

They’re all the same.

For the past few years I’ve been building my own PLC communication libraries — serial, USB, TCP — in Python, C/C++, JavaScript, PHP. In the last 24 hours I’ve been writing Kotlin because I want a field tech to be able to debug a PLC from their phone, even if the PLC doesn’t have Bluetooth. No PhD. No formal CS background. Just me, a hex editor, and the habit of staring at binaries until the patterns start to move.

I’ve got a small collection of PLCs to experiment with — mostly IDEC, plus a few Siemens, Keyence, Mitsubishi. When I want to understand something, I don’t wait for permission. I open the firmware, trace frames, XOR checksums by hand, and squint until the Matrix resolves. That’s how I dug into IDEC’s Maintenance Protocol. I’ve mapped most of it. I still haven’t fully cracked firmware writing or compiled bytecode translation, but I’m close.

Then something weird happened.

I was experimenting with a Keyence KV series PLC my employer provided. By accident, I ran some IDEC code against it.

The LEDs toggled.

That shouldn’t be possible.

So I ran it again.

There it was: IDEC’s Maintenance Protocol responding on a Keyence KV-1000.

That sent me digging. I looked for documentation. Nothing useful. 
Every OEM wants you locked into their bloated, feature-starved software. 
So I asked ChatGPT what PLC communication protocols are linguistically similar to “Maintenance Protocol.”

The answer?

All of them.

Mitsubishi MELSEC. IDEC Maintenance. Keyence KV. Siemens S7. Schneider Electric. And probably the rest. I haven’t tested the GE units yet — the ones I have are temperamental — but I’m not expecting surprises anymore.

The structures match. The framing matches. The checksums match. Even the command semantics echo each other.

And here’s the funniest part: there’s a typo. A small framing typo that has survived for roughly forty years. It appears in every document from every vendor. Same sentence. Same mistake. Never corrected. It’s like a fossil record of copying.

Near as I can tell, someone named Petr John, defined a protocol that was likely meant to be open. 
Over time, industrial OEMs cloned it, rebranded it, redistributed it, and quietly erased source attribution. 
Every one of them claimed it as thier own uniqe protocol. The memory mappings might differ, but the language is the same. 


What’s fascinating is that nobody fixed the typos.

Four decades. Dozens of manufacturers. Identical typologcal error.

They’re all the same.

I started this because I wanted to build tools that help techs in the field. 
I don’t want to drive out for service calls just to flip a bit. 
I want clean, simple, useful software anyone can use. 
I didn’t set out to reverse engineer the entire industrial controls ecosystem.

But once you see it, you can’t unsee it.

The protocols are the same.
The framing is the same.
The semantics are the same.
Even the typos are the same.

When I finally finish mapping byte-code to instructions and build an open instruction compiler, 
It’ll just be the same thing running everywhere else.

Find the TYPO!

dl.mitsubishielectric.com/.../sh080008ab.pdf

docs.galco.com/.../fc4a_protocol_im.pdf

### Good docs are hard to come by, but when i find the other again Ill post them.



  • Very cool.  Thumbsup  That's a lot of manual to review.  I'll just have to trust you.  Joy

  • in reply to kmikemoo

    yeah, Ive read a lot of manuals. My ""code base is a whole bunch of fragments. Im trying to organize into a usable API. 
    in all the tinkering, Ive made arduinos program PLCs, and projects in 10 languages. Some of those languages have caveates, and this is influencing my choices in making an API.   it might go: plc = API(vendor.interface)
    well then anyways, Ill make proper videos, which isnt a skill Ive developed. 

    This plc isnt programed. 
    I run the app on my phone. 
    The plc is now programed. 

    seems conceptually simple, but how to make the video is confusing. Well Ive managed to convince a few folks, and have a brand new pile of PLCs to perform confirmations and proofs on. 

  • in reply to SensoredHacker0

    @SensoredHacker0  When it comes to the video... give yourself some grace.  I used to have to do a monthly Safety video for work and I wasted a TON of emotional energy chasing perfection - which I never achieved.  Along the way, I learned that it's okay to be human.  It makes you more relatable - and therefore trustworthy. Relaxed  We're all here for the nerdy stuff anyway. Joy

  • At least in Europe, it's generally considered to be valid to reverse-engineer a protocol at a device interface, for the purposes of interworking their own products. That was also part of EU legislation in the early 2000's, although now I believe it's changed to an extent, presumably at the pressure of manufacturers unfortunately, but I'm not sure.

    Some manufacturers didn't like the legislation because it exposed their proprietary stuff (not just the protocol, but anything else that got revealed through the process of reverse-engineering). The ones who thought about it more, simply offered the protocol for free or for a fee, since that eliminated the justification to reverse-engineer and the proprietary stuff exposure risk.

    Telecoms firms were interesting, every country wanted to protect their manufacturing base, so they all slightly tweaked the international standards. I had a job once re-tweaking things back, in a system that would attach to their equipment. Say if a telecom customer came along from any random small country or large, I'd have to look through their documentation to try to find the closest matching variant that I already had, and then tweak that one to create the new one. I wish I'd thought of drawing a tree diagram of them at the time.. would have been interesting from a history perspective, to see how they evolved. 

  • Ah-ha. You've discovered big business ! .......OEM owning multiple brands, brand label agreements, business and technology acquisition, joint ventures, buying and selling of intellectual properties.......and creative marketing. 

  • in reply to SensoredHacker0

    Hi,

    What is your intention? Thinking

    A lot of intellectual knowledge leads to a lot of headaches.

    Who are you doing all this for?

    A hobbyist has no chance of achieving anything.

    Especially in areas where everything is very sensitive, -> "protocols" for data transmission.

    Well, back in the day, people played around with this in their garages; today, you'd be charged with intellectual property theft.

    Licenses are very expensive, and some decisions are made with a hammer.

    Especially in these areas, contracts need to be watertight.

    Another problem: time.

    Technological progress will surely overtake you.

    By the time you've finished solving one problem, the major global players will have already solved many more.

    And you'll have to chase after them again, researching these new developments so you can incorporate them into your tinkering.

    Ugh... nobody can keep that up.

    Almost 50 years of experience, both employed and privately as a hobby, and with my own companies in technology, electronics, electrical engineering, and physics have taught me a lot.

    I wish you all the best!

    Gerald

    ---

  • Nice post.  I haven't used a PLC before but I've looked into them here and there... anyway I guess I have enough familiarity to get excited about what you are trying to accomplish... and I am not exaggerating when I say it's like reading the tech version of the DaVinci code.  Good luck with this endeavor.

  • in reply to shabaz

    There is so much old equipment control equipment in the world, it's crazy.  I've run into manufacturers that run the gamut.  Some simply disavow that they ever made the item.  Some admit that they have no one that knows anything about the product anymore.  A few will give you what little they have and wish you luck.  None of them are able to provide any real support - unless you run into the unicorn (the old technician that still remembers a bit OR... the person that sees the pattern).  I've worked on systems without manuals or prints but that used a similar wire numbering convention dating back to a small regional company in the 1960's.  There are still elements of this numbering system in equipment produced today.

    ANYWAY... I think a sure-fire way to get the equipment upgraded is to figure out how to fix it.  It's one of the Murphy's Laws kind of things.  Once you know how to get past that road block, you'll never need to do it again - because you can make it past the road block.  Instant obsolescence - since you know what to do.  This is especially true if you document what you did and leave a copy in the machine.  On a particular brand of controllers, I figured out how to determine the user selected unlock code from the reset code.  A disgruntled, now former employee had changed the passcode and left the company.  Now, no one could operate the equipment.  The controller manufacturer was very unhelpful.  I cracked the code.  Made a spreadsheet to do the conversion.  Put it all in a shared folder on a shared drive.  How many times after that did we need to use that decode? ... None that I know of.  Still... it kept Murphy from using that particular road block for the rest of my time at that company.

    What is impressive in all this is seeing the pattern or seeing the evolution.  THAT is cool.  As to some of the "intellectual property", many of the machines do the same thing that they did decades ago - they just do it with more modern variants of the same stuff they had when the machine was first created.  Or they have additional "features" that may help in manufacturing but are ancillary to the core function of the machine.  If you can make an old system work... that is engineering. Thumbsup