Hello 0x00sec! I hope you’re all doing great. Today, I will (finally) teach you a thing or two about PLCs, more specifically the LOGO! micro-PLC from Siemens. This micro-PLC is very simple and relatively cheap, while being incredibly versatile: it can switch pretty much anything and take input from almost anything. The newer versions also have various functions that make it even more versatile:
- Communication over IP
- Communication over mobile networks and over KNX for home-automation appliances
- A web server
- Extensive debugging options
- The list goes on
But most of all: the LOGO! is very easy to program, and the software used for programming, LOGO! Soft, comes with a free demo version that has no limitations compared to the full version, except that you can’t transfer your program to your LOGO! and the other way around. As you can see, there is nothing you can’t do with a LOGO! It goes from automating exercises for fire departments to automating your coffee machine; the possibilities are endless.
In this article I will show you the basic wiring of a LOGO! and how to use the software, so that you can go solve the exercises I have created for you guys, which I will post in a moment. Siemens already has a great manual, so I don’t think it is necessary to go in depth on the material. I will make a list of useful links for you guys to learn from.
Why should you learn PLC’s as a hacker? Stuxnet.
PLC vs microcontroller
Alright, first I need to get this straight because there seems to be so much confusion around it.
A microcontroller is a piece of electronics that can be programmed to do a specific function. Often, microcontrollers are used for very specific applications where the software placed on them doesn’t need to change often (firmware), and the program is usually written in assembly or C. Microcontrollers are soldered onto PCBs.
A Programmable Logic Controller, or PLC for short, differs from a microcontroller in that it is larger and is wired rather than soldered onto a PCB. PLCs are commonly mounted on a DIN rail inside an electric switchbox, and the program on a PLC can be easily modified. In most cases PLCs can also be changed by hand without software, unlike microcontrollers. Also unlike microcontrollers, PLCs often run an entire OS, like WinCC. This is not the case for the LOGO!, but the LOGO! has its own firmware in it that we don’t touch.
The LOGO! basic module has 8 digital inputs and 4 relay-outputs available.
The digital inputs are either 0 (meaning 0V) or 1 (the same voltage as the supplied power to the LOGO). It is extremely important that the voltage on an input is never higher than the voltage on the supply screws!
The relay-outputs are called that because they basically act like the contacts of a relay. Each output has two screws, one for each end of the internal contact. To wire such an output, connect the positive terminal of the power supply (+) to one side of the contact, connect the thing you want to switch (like a lamp) to the other side of the contact, and connect the other end of that thing to the negative terminal (-). When the output (like Q1) in your program is active, the contact closes and the lamp turns on. The relay-outputs are not dependent on the supply voltage of the LOGO!, but they still have a maximum voltage they can handle. See the datasheet of the LOGO! you are using to make sure you don’t overvolt anything.
Furthermore, there are also two screws dedicated to the power supply of the basic module.
Below you can find a few schematic drawings of how to wire the basic module. The inputs and outputs in this case are contacts and lamps, but know that it can be just about anything.
- The screws L1 and N are the power supply.
- The screws I1-I8 are the inputs.
- The contacts starting with “Q” (Q1-Q4) are the outputs.
There are expansion modules available to give you more digital inputs & outputs, to give you analogue inputs and outputs, to let you communicate over KNX bus, and so on.
Now that we have learned about the hardware, it’s time to investigate how we can program the LOGO!. Unlike microcontrollers, most PLCs are not programmed in languages like C or assembly. The LOGO! uses function blocks: you drag & drop blocks that each have a function and then connect the pins of those blocks to do what you want. The reason why electrical engineers like us choose to do this is that it gives a better picture of the total product than a text-based language ever could, and since PLCs often control critical infrastructure, bugs are simply not acceptable.
Note: so now you’re asking yourself “then why did Stuxnet happen?”. First of all, no bugs does not equal top-notch security. The reason why so many SCADA systems are so easily hacked is that they are poorly secured (like leaving passwords at their default), allowing an attacker to change the program freely. The PLCs involved in Stuxnet were never programmed in a wrong way. It was the Iranians’ fault for connecting an infected computer to a network made solely for PLCs.
There are two main ways to program a LOGO!: you either do it by hand on the basic module, which is ideal for small programs or small changes to an already existing program, or you “draw” the program in a piece of software and then upload it to the LOGO!.
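To make the function-block idea concrete, here is an added example (my own illustration, not code from the original post and not Siemens’ software) of a tiny scan-cycle simulator: the 8 inputs I1-I8 and 4 outputs Q1-Q4 of a basic module, a handful of block types (AND, OR, NOT, a set/reset latch and an on-delay timer), and a demo program that latches lamp Q1 on with pushbutton I1 and off with I2. The block names (B001, ...), the reset-priority of the latch, and a timer that counts scans instead of seconds are assumptions made for this example.

```python
"""Minimal scan-cycle simulator for a LOGO!-style function block diagram.

Added example, not part of the original post or of LOGO! Soft Comfort.
A real PLC repeats the same three steps forever: read inputs, evaluate
the blocks in program order, write outputs. Block names, the reset
priority of the latch and the scan-based timer are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Signals = Dict[str, bool]


@dataclass
class Block:
    """One function block: a named output computed from named input signals."""
    name: str                                   # output signal, e.g. "B001"
    fn: Callable[["Block", List[bool]], bool]   # the block's logic
    inputs: List[str]                           # pins wired to this block
    state: dict = field(default_factory=dict)   # memory for latches/timers

    def evaluate(self, signals: Signals) -> bool:
        # Unconnected or not-yet-computed pins read as 0, like an open input.
        return self.fn(self, [signals.get(i, False) for i in self.inputs])


def block_and(_b: Block, ins: List[bool]) -> bool:
    return all(ins)


def block_or(_b: Block, ins: List[bool]) -> bool:
    return any(ins)


def block_not(_b: Block, ins: List[bool]) -> bool:
    return not ins[0]


def block_rs(b: Block, ins: List[bool]) -> bool:
    """Latching relay: S sets, R resets; R wins if both are 1 (assumed)."""
    s, r = ins
    if r:
        b.state["q"] = False
    elif s:
        b.state["q"] = True
    return b.state.get("q", False)


def block_on_delay(b: Block, ins: List[bool]) -> bool:
    """On-delay: output is 1 once the trigger has been 1 for `delay` scans."""
    trg = ins[0]
    b.state["count"] = b.state.get("count", 0) + 1 if trg else 0
    return b.state["count"] >= b.state["delay"]


class LogoSim:
    INPUTS = [f"I{i}" for i in range(1, 9)]
    OUTPUTS = [f"Q{i}" for i in range(1, 5)]

    def __init__(self, blocks: List[Block], wiring: Dict[str, str]):
        self.blocks = blocks          # evaluated in this order each scan
        self.wiring = wiring          # output -> signal that drives it
        self.signals: Signals = {n: False for n in self.INPUTS + self.OUTPUTS}

    def scan(self, inputs: Dict[str, bool]) -> Dict[str, bool]:
        for name in self.INPUTS:                      # 1. read inputs
            self.signals[name] = bool(inputs.get(name, False))
        for b in self.blocks:                         # 2. evaluate blocks
            self.signals[b.name] = b.evaluate(self.signals)
        for q, src in self.wiring.items():            # 3. write outputs
            self.signals[q] = self.signals.get(src, False)
        return {q: self.signals[q] for q in self.OUTPUTS}


def build_demo() -> LogoSim:
    """Q1: latched lamp (I1 on, I2 off). Q2: I3 held for 3 scans. Q3: I4 AND NOT I5."""
    blocks = [
        Block("B001", block_rs, ["I1", "I2"]),
        Block("B002", block_on_delay, ["I3"], state={"delay": 3}),
        Block("B003", block_not, ["I5"]),
        Block("B004", block_and, ["I4", "B003"]),
    ]
    return LogoSim(blocks, {"Q1": "B001", "Q2": "B002", "Q3": "B004"})


def run_demo() -> List[Dict[str, bool]]:
    """Run a constructed sequence of input states and return the outputs per scan."""
    sim = build_demo()
    return [
        sim.scan({"I1": True}),                               # press start: Q1 latches
        sim.scan({}),                                         # release: Q1 stays on
        sim.scan({"I3": True, "I4": True, "I5": False}),      # timer 1/3, Q3 on
        sim.scan({"I3": True, "I4": True, "I5": True}),       # timer 2/3, I5 blocks Q3
        sim.scan({"I3": True}),                               # timer 3/3 -> Q2 on
        sim.scan({"I2": True}),                               # stop: Q1 off, timer reset
    ]


if __name__ == "__main__":
    for n, outs in enumerate(run_demo(), 1):
        print(f"scan {n}:", {q: int(v) for q, v in outs.items()})
```

The point worth noticing is the third loop in `scan`: an output only changes at the end of a cycle, and a block that reads another block’s output sees the value computed earlier in the same cycle (B004 reads B003), which is why block order matters in a real PLC program just as it does here.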
LOGO Soft Comfort
For the LOGO!, this piece of software is called “LOGO Soft Comfort”, and you can download it from here. If you want to participate in the challenges for the LOGO! that I will post later, you will need to install LOGO Soft Comfort V8. Just follow the instructions for your specific OS.
This is the demo version. The only limit the demo version has is that you can’t interact with hardware. Since most of you probably don’t own a LOGO!, this is not a problem. However, if you wish to get into it, you could buy one of the starter kits offered by Siemens; they come with a full version of the software.
Once you have installed & opened the software, you will see this screen (gimme a like for my excellent paint skills <3)
The bar encircled in red allows you to make new diagrams (programs), save your program, etc.: all the basic functions.
The bar encircled in black is where a big part of your interaction goes. It allows you to put the program in select mode (select & move blocks, connections, etc.), in connection mode (connect pins), put comments, etc.
The part encircled in gray gives you an overview of all your active diagrams and lets you switch between them.
The part encircled in blue is where you select the function blocks you want to place.
Note: If you have drawn a program and want to test it, press F3 to simulate it. At the bottom you can view the state of your outputs and switch the state of your inputs.
And I will end this article here, because we will learn how to program through challenges I have made, the first set of which I will post later today. They range from ridiculously easy to automating entire plants. Let the fun begin!
But I don’t know enough!
No problem, I got you covered!
In LOGO Soft, go to “Help > Contents”. There you can view a description of each function block and what it does, and access sample programs so you can learn from real examples.
Go to File > Open, and then go to your installation directory. There you should find a folder called “Samples”. In there is another folder called “Program”. Open those up! There you can see real-world examples of LOGO! programs, and you can simulate them after opening to see how they work. Play around with them!
Read the detailed user manual, which can be found here. It contains a detailed description of all the function blocks, wiring, etc.
Browse their website
That’s it, fellow nullers. I was planning to write an in-depth article on LOGO at first, but there is already plenty of good documentation out there. And following 0x00sec’s principles, I decided to link these sources instead.
I will post the first set of basic challenges soon, so be sure to try and get LOGO Soft to work if you want to solve them!
I hope the read was good and you learned something new, or your interest in PLCs has been sparked. Until next time.