
    Simatic S7 Can Opener V1.31 33 Review

    In the world of industrial control systems (ICS), the Siemens Simatic S7 series of PLCs has long been a backbone of manufacturing, energy, and critical infrastructure. However, with ubiquity comes scrutiny—and vulnerability. Among the more controversial artifacts of early ICS hacking culture is a tool known as “Simatic S7 Can Opener V1.31.” Despite its whimsical name, this utility exposes a sobering reality: many industrial devices, even those designed for critical processes, can be unlocked with relative ease once physical or network access is achieved.

    The Simatic S7 Can Opener is a third-party software utility (not an official Siemens product) designed to unlock protected program blocks in Siemens STEP 7 projects. Version V1.31 (or V1.3) is an older release of this tool primarily used for legacy SIMATIC S7-300 and S7-400 systems.

    Key Features

    KNOW_HOW_PROTECT Removal: Its primary function is to set or remove the "KNOW_HOW_PROTECT" keyword, allowing you to view and edit the source code of protected blocks.

    File Support: It operates on standard STEP 7 project files, including S7 Programs (*.s7p) and S7 Libraries (*.s7l).

    Comment Retention: If the original block contained comments, the tool preserves them after unlocking so you can understand the logic.

    Offline Operation: The software works strictly on projects stored on a hard disk; it cannot be used to bypass PLC hardware passwords or operate online directly on a CPU.

    Important Limitations

    Block Privacy: It cannot unlock the newer "Block Privacy" protection introduced in STEP 7 V5.5 or TIA Portal.

    Compiled Languages: For blocks written in SCL, CFC, GRAPH7, or HiGraph, the tool can only reveal the compiled STL code. It cannot reverse-engineer the code back into the original SCL/CFC source files.

    The Simatic S7 Can Opener (often referred to as S7CanOpener) is a specialized third-party software utility designed to unlock protected blocks within Siemens SIMATIC STEP 7 projects.

    Overview and Purpose

    The primary function of this tool is to remove or toggle the "KNOW_HOW_PROTECT" attribute from programming blocks (FBs, FCs, OBs, and DBs). This protection is typically used by machine suppliers or system integrators to hide the source code of their logic.

    The "Can Opener" is particularly useful in industrial scenarios where:

    Lost Source Code: A company has the compiled program on their hard drive but has lost the original source code and needs to make modifications.

    Unsupported Systems: The original machinery supplier is no longer in business or no longer supports the software they developed.

    Maintenance Efficiency: Engineers want to toggle protection on-the-fly without needing to recompile blocks from source files.

    Technical Capabilities and Limits

    Offline Operation: The software operates strictly on project files stored on a computer’s hard disk (such as .s7p projects or .s7l libraries). It does not operate "online" directly within a PLC's memory.

    Compatibility: It is designed for SIMATIC S7-300 and S7-400 series blocks.

    Modern Restrictions: It cannot decrypt newer protection methods, such as the "Block Privacy" feature introduced in STEP 7 v5.5 or later security protocols in TIA Portal.

    Password Limitation: It does not bypass or remove the hardware CPU password required for online access or downloading to a controller.

    Usage Highlights

    According to documentation from sites like Runmode.com, the tool provides a straightforward interface where users select a project, view a list of blocks, and use "Protect" or "Unprotect" buttons to modify the status. If successful, it allows the user to see the internal Statement List (STL) code and any original comments, provided they were included in the compiled version.



    Version 1.31 was one of the stable releases widely used before newer cracks or tools emerged. It typically allows you to:

    The “Can Opener” tool emerged in the early 2010s, a period when industrial cybersecurity was still maturing. Its version number (1.31, sometimes appended with “33” as a build or crack release identifier) points to a specific iteration circulated on automation forums, GitHub repositories, and file-sharing networks. The tool’s primary function is to bypass know-how protection on Siemens S7-300 and S7-400 PLCs. Know-how protection is a feature intended to prevent unauthorized reading or modification of proprietary logic blocks (OBs, FBs, DBs). Using a vulnerability in the S7 communication protocol (likely a variant of the earlier “PLC-Blaster” or “S7-1200 password bypass” flaws), Can Opener sends specially crafted packets to the PLC, forcing it to disclose or disable password protection. Once unlocked, an attacker—or a legitimate engineer who has lost credentials—can upload, reverse-engineer, or alter the control logic.

    Tools like this exist in a grey area.

    Note: This post is for educational and maintenance troubleshooting purposes. Ensure you have the legal right to modify the PLC program before doing so.


    Discussion: Has anyone had success using this on Windows 10/11 machines running Step 7 v5.6? Compatibility can sometimes be tricky with legacy tools.

    Simatic S7 Can Opener (often referred to as S7CanOpener) is a specialized software tool developed by Runmode.com to unlock and manage protection settings for Siemens SIMATIC S7-300 and S7-400 programmable logic controller (PLC) blocks.

    Primary Function

    The tool’s core purpose is to set or remove the KNOW_HOW_PROTECT keyword. This keyword is a standard Siemens security feature that prevents users from viewing or modifying the source code of specific program blocks.

    Key Capabilities:

    Unlocks Blocks: It can remove protection from various block types, including Function Blocks (FBs), Functions (FCs), Organization Blocks (OBs), and Data Blocks (DBs).

    Offline Operation: The software operates on project files (.s7p) and libraries (.s7l) stored on a hard disk; it cannot operate online directly on a live PLC memory.

    On-the-Fly Toggling: It allows users to quickly enable or disable protection without needing to recompile the entire block in the Siemens STEP 7 editor.

    Use Cases and Limitations

    The tool is typically used in industrial maintenance and legacy software recovery.

    When to Use It:

    When an automation supplier is no longer in business and support for protected code is unavailable.

    If the original source code has been lost, making compiled blocks inaccessible for maintenance.

    To simplify project management by keeping only one copy of blocks rather than separate protected and source versions.

    What It Cannot Do:

    Newer Protections: It does not support the newer "Block Privacy" encryption introduced in Step7 v5.5 or TIA Portal.

    System Blocks: It cannot unlock system functions (SFCs) or system function blocks (SFBs), as these are stored in the PLC's internal system memory.

    CPU Passwords: It does not bypass or remove passwords set at the hardware configuration level of a CPU.

    Decompilation: For blocks originally written in SCL or CFC, unlocking will only reveal the compiled Statement List (STL) code, not the original high-level source files.

    Version & Developer Info

    Developer: The tool was created by Luca Gallina of Runmode.com.

    Version History: Version 1.31 is an older release; the tool has since been updated to version 2.0. Early versions like 1.10 were the initial commercial releases, while later iterations added features like support for User Data Types (UDTs).

    Simatic S7 Can Opener is a third-party software utility designed to bypass the "KNOW_HOW_PROTECT" attribute on Siemens SIMATIC S7-300 and S7-400 PLC blocks. While the current official version from is v2.0, version (and the similar v1.3) remains widely discussed in legacy automation circles for its ability to toggle block protection without needing the original source code or a compiler.

    Core Functionality & Purpose

    Unlocking Protected Blocks: Its primary use is to remove the "KNOW_HOW_PROTECT" keyword from Function Blocks (FBs), Functions (FCs), and Data Blocks (DBs).

    Legacy Hardware Support: It is specifically built for the series using STEP 7 v5.x.

    Off-line Operation: The tool works directly on project files or libraries stored on your hard drive; it does not operate online in the PLC’s memory.

    Key Review Points for V1.31

    Capability: It can successfully unlock blocks to reveal the underlying code, including comments, provided the original block contained them.

    Limitations

    No Hardware Passwords: It cannot bypass the CPU's hardware-level password (access protection).

    No Modern Protection: It is incapable of unlocking "Block Privacy" introduced in newer versions like STEP 7 v5.5 or the TIA Portal (S7-1200/1500).

    No Reverse Engineering: It does not "reconstruct" SCL or CFC source files from compiled code; it simply makes the compiled block viewable in the LAD/FBD/STL editor.

    Because it modifies the project database (often the subblk.dbf file), there is a risk of project corruption. It is highly recommended to create a backup before use.

    Quick Comparison: V1.31 vs. V2.0

    Registration. Version 1.31 (Legacy): Basic registration scheme. Version 2.0 (Current): Newer scheme; includes free updates for registered users.

    Version 1.31 (Legacy): Basic file picker with recent file history. Version 2.0 (Current): Refined UI and better Windows compatibility.

    Compatibility. Version 1.31 (Legacy): Focused on S7-300/400. Version 2.0 (Current): Remains focused on S7-300/400; still no S7-1500 support.

    Title: Unlocking Legacy Automation: An Analysis of the Simatic S7 Can Opener V1.31

    Introduction

    In the realm of industrial automation, Siemens SIMATIC S7 controllers represent a gold standard for reliability and ubiquity. However, this widespread adoption has historically presented a significant challenge for maintenance engineers and system integrators: the protection of intellectual property via "Know-How Protection." In locked PLCs, the source code is often encrypted, rendering the code invisible and uneditable. This creates a "black box" scenario where maintaining or migrating legacy systems becomes fraught with risk. Into this gap steps third-party utility software, specifically tools like the "Simatic S7 Can Opener." This essay explores the functionality, significance, and implications of version 1.31 of this tool, examining its role in bridging the divide between proprietary security and operational necessity.

    The Problem of "Know-How Protection"

    To understand the utility of the S7 Can Opener, one must first understand the mechanism it is designed to bypass. Siemens provides a feature known as "Know-How Protection" (and often "Copy Protection") within its STEP 7 programming environment. This allows the original programmer or Original Equipment Manufacturer (OEM) to lock the source code of function blocks (FCs) and organization blocks (OBs). Once locked, the binary code is uploaded to the PLC, but the source code remains encrypted.

    While this is a legitimate business tool for protecting intellectual property, it creates a severe dependency. If the OEM goes out of business, loses the source code, or refuses to support the end user, the end user is left with a machine they cannot fully debug, modify, or migrate to newer hardware. In critical infrastructure or manufacturing, this is not merely an inconvenience; it is an operational hazard.

    Functionality of Simatic S7 Can Opener V1.31

    The "Simatic S7 Can Opener" is a third-party software utility designed to interface with Siemens S7-300 and S7-400 PLCs (and typically S7-200 via separate utilities). The "V1.31 33" designation refers to a specific build of the software, refined for stability and compatibility with various firmware versions of the S7 architecture.

    The software operates by exploiting the implementation of the protection mechanism. It allows the user to upload the block from the PLC to the programming device (PG/PC) and attempt to remove the protection flag. Unlike a "crack" that steals code, the Can Opener is often used to unlock blocks where the password is lost, effectively stripping the "Know-How" lock to restore the block to an editable state (STL source).

    Version 1.31 specifically addressed several nuances in how Siemens implemented the block header structures in later firmware revisions. By deciphering the specific byte structures that dictate the lock status, the tool resets the block properties, allowing the engineer to view the code—typically in Statement List (STL) format—even if the original source (LAD/FBD) is unrecoverable.

    Operational Scenarios and Justification

    The primary user base for the Simatic S7 Can Opener is not malicious hackers, but rather maintenance engineers facing legacy system decay. The justification for using such a tool generally falls into three categories:

    Ethical and Legal Considerations

    While functionally impressive, the use of the Simatic S7 Can Opener V

    The dual-use nature of Can Opener makes it a litmus test for industrial cybersecurity ethics. On the one hand, plant engineers have used it to recover locked projects after a programmer left without handing over passwords—saving weeks of downtime. On the other, attackers (including state actors targeting critical infrastructure) have used the same tool to reconnoiter and sabotage systems. In 2016, the infamous CrashOverride/Industroyer malware used a similar technique to manipulate circuit breakers in Ukraine. While CrashOverride was more sophisticated, it relied on the same core insight: S7 PLCs trust commands from anyone who can speak the protocol.