Password override Z2000 VFD?

Communication time… Once the brute force script is written.

The suggested program has a limitation wherein it will only do a certain number of messages in the demo version.

I’d suggest a Python script to do the brute forcing instead. Aircrack may have some tools for that but I’d suggest rolling your own is faster.

If you’ve got a usb dongle I could probably be convinced to write you a quick and dirty brute forcing script once you figure out the precise flavour of modbus it speaks and the connection parameters.

6 Likes

You, my friend, are on another level though… luckily the ABB VFDs laying around won’t need any sneaky hacking.

2 Likes

Pippo responded that many people ask this, but they did not set the password, so they cannot help.

which might amount to “no, we won’t help you around an OEM’s password” or may really mean that they designed this thing to brick on forgotten password.

as the VFD we found on site is not a good match, I need to consider my options again.

1 Like

Try telling Jenny you want to order a few more of these units as you love the way they operated before your clumsy technician scraped the password tag off the face of it… maybe she’ll be more helpful if there’s future business dependent on solving it :man_shrugging:

Long shot

It really is worth it paying for the better brands… Schneider has sat on the phone with me for hours at a time helping program all sorts of automation

6 Likes

absolutely.

Pippo is still trying, we’ll see what happens… neither of the jumpers I moved around brought me joy (nor despair :sweat_smile:)…

3 Likes

Looks like my earlier translation was correct. Lol

4 Likes

This would probably get you there.

Untested but seems like it should do the trick. You’d need to adjust the COM1, baudrate, and VFD_address to suit your system.

Requires a USB dongle, a current python installation, and the pymodbus library installed via pip install pymodbus command once python is installed and working.

```python
from pymodbus.client.sync import ModbusSerialClient as ModbusClient
from pymodbus.constants import Endian
from pymodbus.payload import BinaryPayloadDecoder

client = ModbusClient(method='rtu', port='COM1', baudrate=9600, timeout=1)
client.connect()

vfd_address = 1
reg_address = 7936 #0x1F00 == 7936 # The address of the register you want to write to

#iterates through all values from 0 to 65535 - range() doesn't use the final value
for i in range(0,65536):

    value = i # The value you want to write to the register

    result = client.write_register(reg_address, value, vfd_address)

    if not result.isError():
        print("Write successful")
        decoder = BinaryPayloadDecoder.fromRegisters(result.registers, byteorder=Endian.Big)
        decoded = decoder.decode_32bit_uint()
        print(decoded)

        if decoded == 34952: #0x8888 == 34952
            print("Password is:", decoded)
            break
    else:
        print("Error:", result)
```

11 Likes
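
From the monitoring side, a sweep like the one in the script above is easy to recognise on an RS485 bus: many distinct values written to the same register with function 06. The following is an added example, not part of the original thread; it assumes standard Modbus RTU framing and the register 0x1F00 used in the script, while the threshold of 20 and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

PASSWORD_REGISTER = 0x1F00      # register written by the script in the thread (7936)
WRITE_SINGLE_REGISTER = 0x06    # Modbus function code "write single register"

def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (reflected polynomial 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_write_single(frame: bytes):
    """Return (unit, register, value) for a valid function-06 frame, else None."""
    if len(frame) != 8:
        return None
    unit, func, register, value = struct.unpack(">BBHH", frame[:6])
    (crc,) = struct.unpack("<H", frame[6:])   # CRC travels low byte first
    if func != WRITE_SINGLE_REGISTER or crc != crc16_modbus(frame[:6]):
        return None
    return unit, register, value

def detect_password_sweep(frames, threshold=20):
    """Map unit -> count of distinct values written to the password register,
    for units at or above the (assumed) threshold."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_write_single(frame)
        if parsed and parsed[1] == PASSWORD_REGISTER:
            seen[parsed[0]].add(parsed[2])
    return {u: len(v) for u, v in seen.items() if len(v) >= threshold}

def make_frame(unit, register, value):
    """Build a constructed sample frame for the demo capture below."""
    body = struct.pack(">BBHH", unit, WRITE_SINGLE_REGISTER, register, value)
    return body + struct.pack("<H", crc16_modbus(body))

_good = make_frame(1, PASSWORD_REGISTER, 9999)
# Constructed capture: ordinary writes, a 50-value sweep, one lone unlock, one bad CRC.
CAPTURE = (
    [make_frame(1, 0x2000, v) for v in (100, 200, 300)]
    + [make_frame(1, PASSWORD_REGISTER, v) for v in range(50)]
    + [make_frame(2, PASSWORD_REGISTER, 1234)]
    + [_good[:-1] + bytes([_good[-1] ^ 0xFF])]   # corrupted CRC, must be ignored
)

if __name__ == "__main__":
    print(detect_password_sweep(CAPTURE))
```

A drive that locks out or rate-limits after a few wrong values on that register would make the same sweep impractical; the detector only tells you it happened.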

Thank you kind sir!!!

@raghanded: Jenny & Pippo were polite but not super helpful.

Manufacturer does have a master password, but getting them to hand it over is unlikely. They insist I go through my equipment OEM.

Guess my next step is dongle shopping :shushing_face:

when I stated my other option was brute force via modbus, I got this as a response…

Z2000 English Modbus.doc (807.6 KB)

2 Likes

We’ve got a handful of these dongles on hand for random modbus hacking.

And one of these for when you might also need to handle RS232 comms. Either should work for this application.

2 Likes

You can get the mfgr to reset it for you or send the OEM/MFG code. Pretty easy.

Tell them you’re an automation controls company that needs to edit the VFD parameters as it’s not working.

Let them know the vendor of the OEM machine does not know how to help.

Keep pestering every few hrs.

They will eventually help you.

I’ve had numerous VFD’s and digital drive controllers on systems from China I’ve had to unlock in the exact same circumstances.

New years holiday doesn’t start for 2-4 days depending on the company. Most start around the 12-16th for vacation until 2nd week of Feb.

WhatsApp is the best way to communicate with China.

3 Likes

And now I have 2 new dongles, just in case. <3 Could be so helpful for so many other things as well! Thank you!

2 Likes

No problem. These dongles get a pretty heavy workout in our facility… most things that are even semi-smart speak modbus/RS485, so it’s generally the fastest way to make them dance from a distance.

Add in some wifi to RS485 adapters and you can run a LOT of things from your laptop.

1 Like

Discombobulated and en-dongled.

Not yet communicating…

4 Likes

…are we there yet?

3 Likes

hackercrap

And we’re in….

13 Likes

mel-brooks-password

5 Likes

The content I didn’t know I needed

What a ride

All for 55555

7 Likes

Yeah, but now I can change top speed from 42Hz to 400Hz should I choose to be that irresponsible.

Was running the fuge at 72Hz last week on a borrowed controller…which turns out to be a quite reasonable ask.

1 Like

Congratulations @cyclopath glad you got in.

2 Likes