Record all PLC credentials in an offline password manager (such as KeePass) or a locked engineering notebook. For each entry, include the project name, date, programmer name, and password.
Due to the limitations of official methods, third-party tools and hacking techniques have emerged. These range from free open-source scripts to commercial hardware devices. Warning: Many of these violate Siemens’ EULA and may void warranties, damage the PLC, or compromise safety. Proceed at your own risk.
This is the most famous method used by freelance automation engineers.
Tools Needed:
The Process:
Why this works: The password hash is stored in a predictable memory block (typically at addresses 0x1F0 to 0x1FF). The unlocker tool reverses the Siemens obfuscation algorithm and outputs the plaintext password in seconds.
Success Rate: ~95% for CPU 22x series.
The S7-200 family (including the CPU 221, 222, 224, 224XP, and 226) has a built-in password system designed to prevent unauthorized reading, writing, or modifying of the user program. The protection operates at three hierarchical levels:
Passwords are case-sensitive, up to 8 characters long, and stored in the system block of the PLC. Crucially, the password is not stored in plaintext but as a hashed value. However, the S7-200 uses a relatively weak hashing algorithm compared to modern standards, which is why third-party unlock tools exist.
For the technically brave who own the hardware:
Real-world example: A client had a CPU 226 locked for 6 years. Using a $14 EEPROM reader, the tool returned M3l!n0t3 in 4 seconds. The line was running within an hour.
You can study the S7-200’s password mechanism (3-level password: no protection, read-only, full access) using:
This section is for educational purposes only. The author assumes no responsibility for misuse.
Using the “S7-200 PPI Unlocker” software with an RS-485 adapter (common method):
Siemens provides a dedicated password tool for the S7-200 PLC. This tool can help you reset the password: