Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

B&R User Role and Access Control Recovery for CP1584

Overview

When you inherit a B&R machine from a defunct OEM, one of the first barriers you may hit is password protection. The OEM may have configured user accounts, OPC-UA authentication, VNC passwords, FTP access controls, or Automation Studio online login credentials — and none of them were documented. This guide covers every known access recovery pathway for the X20CP1584 and related B&R controllers.

Critical context: B&R controllers do not have any built-in default administrator accounts or system-integrated credentials. All user management is entirely application-defined. This was confirmed by B&R staff on the community forum. The passwords, roles, and accounts that exist on any given CP1584 were created by the OEM programmer during project development.


1. Understanding B&R Access Control Layers

B&R access control is not a single mechanism. There are multiple independent layers, each protecting different interfaces:

LayerWhat It ProtectsConfigured InDefault State
Automation Studio Online LoginDownload/upload/online monitoring from ASProject options in ASNo password by default
VNC ServerRemote HMI viewing and controlEthernet interface settings, VNC Servers sectionPassword optional; defaults to no auth
FTP ServerCF card file accessSystem configuration, System.parUsername br, password br (traditional default); can be changed
OPC-UA ServerVariable access via OPC-UAOPC-UA configuration, user role systemAnonymous access or configured roles
User Role System (mapp)Application-level login for operatorsmapp UserX, AsUserMG library in the PLC programDefined by OEM programmer
SDM Web InterfaceBrowser-based diagnostics at /sdmSystem configurationNo authentication by default
Ethernet Station Address / DIP SwitchINA2000 station numberPhysical DIP switches on the CPUSet by hardware

Key Insight: The OEM Program Controls Everything

Unlike some PLC brands (Siemens, Rockwell) that have factory-level passwords for firmware access, B&R’s security model is:

  1. No factory passwords exist. B&R confirmed there are “no standard / system integrated administrator accounts / credentials.”
  2. All credentials are application-specific. The user roles, passwords, and access levels are created by whoever programmed the PLC.
  3. Credentials are stored in the application project, compiled into the binary, and loaded from the CF card at boot.
  4. Some credentials are stored on the CF card’s secure partition in a dynamically-named file with SHA256-encrypted password values.

See also: firmware.md, cf-card-boot.md, config-file-formats.md


2. Automation Studio Online Access

2.1 What Is Protected

When you connect to a CP1584 from Automation Studio (Online > Settings > Auto Search or manual IP entry), the controller may require an online password. This is configured per-project in:

Automation Studio > Options > Settings > Online > Login

The online login can have multiple user levels:

LevelDescription
OperatorLimited access; can view but not modify
ServiceCan read/write variables, force I/O, make online changes
AdministratorFull access; can download/upload programs, change configuration
DefaultIf no login is configured, anyone with AS can connect with full access

2.2 Recovery When the AS Password Is Unknown

There are several approaches:

Approach A: Direct CF Card Access

If you can physically access the CF card:

  1. Power down the PLC
  2. Remove the CF card
  3. Image the CF card to your PC (see cf-card-boot.md for imaging procedure)
  4. The online login configuration is stored in the compiled project on the CF card
  5. You can search the CF card’s user partition files for configuration data
  6. In many cases, simply creating a new project with no login protection and downloading it will overwrite the existing password

Approach B: Boot Mode Access

The CP1584 has a physical operating mode switch on the CPU housing:

Switch PositionModeDescription
RUNNormal operationApplication runs normally
BOOTBoot modeBoot AR starts; system can be installed via online interface
DIAGDiagnostic modeCPU boots with diagnostics; programs are not initialized

In BOOT mode, the controller runs the Boot AR firmware, not the user application. This means:

  • No application-level security is active
  • You can connect from Automation Studio and install a new project
  • The user application is not running (outputs are zeroed)

Procedure:

  1. Power down the PLC
  2. Set the operating mode switch to BOOT
  3. Power up the PLC
  4. The STATUS LED will show the PLC is in BOOT mode (R/E red on, RDY/F yellow on)
  5. In Automation Studio, use Online > Settings > Auto Search to find the PLC (it will appear with its hardware address, typically via DHCP)
  6. Connect and install a new project — or if you have the original .apj file with known passwords, install it

Approach C: Reset Button

The CP1584 has a reset button located below the USB interfaces on the bottom of the housing:

Procedure:
1. Press the reset button with a small pointed object (e.g., paper clip)
2. All application programs are stopped immediately
3. All outputs are set to zero
4. The PLC starts up in SERVICE mode by default
5. The startup mode after reset can be configured in Automation Studio

In SERVICE mode, the application is not running normally, but you may still need credentials to connect via Automation Studio. The reset button alone does not clear passwords — it only stops the application.

Approach D: Network Reset (DHCP Recovery)

If you don’t know the PLC’s IP address:

  1. Connect your PC directly to the PLC’s Ethernet port
  2. Set your PC to DHCP
  3. Switch the PLC to BOOT mode
  4. If a DHCP server is available, the PLC will obtain an IP via DHCP
  5. Use Automation Studio’s auto-search to find it

Without a DHCP server, the PLC in BOOT mode may use its hardware-based INA2000 address (set by the DIP switches on the CPU).


3. FTP Access Recovery

SECURITY WARNING — CVE-2024-0323 (CVSS 9.8 Critical): The FTP server on B&R Automation Runtime supports insecure encryption mechanisms (SSLv3, TLSv1.0, TLSv1.1). An attacker on the network can perform man-in-the-middle attacks to decrypt FTP communications, including CF card backups that may contain the entire project, credentials, and configuration. Do not use FTP over untrusted networks. See ar-rtos.md Section 14.8 for details.

3.1 Default FTP Credentials

B&R FTP access traditionally defaults to:

Username: br
Password: br

However, the OEM may have changed these. FTP credentials are stored in the controller’s system configuration, not in the user application.

3.2 FTP Without Credentials (ANSL-era Behavior)

On older B&R systems, FTP would accept any username/password combination (literally any string for both fields). This was possible because FTP authentication was not rigorously enforced. On modern AR versions (4.x+), this behavior depends on the system configuration.

3.3 Testing FTP Access

## Attempt FTP connection
ftp <PLC_IP>

## Or using curl for testing
curl -v ftp://<PLC_IP>/

## Try default credentials
curl -v ftp://br:br@<PLC_IP>/

If FTP access works, you can browse the CF card partitions:

 ftp> ls
  Volume: A:
  Volume: C:
  Volume: F:       (user partition - contains user files)
  Volume: System   (system partition - contains AR firmware)
  Volume: CONFIG   (configuration)

3.4 FTP Access Controls

B&R offers password-protected FTP as of AR 4.33+. The configuration for FTP access is stored in the system configuration on the CF card. If the OEM changed the default credentials:

  1. If you can physically access the CF card, you may be able to modify the system configuration
  2. Boot mode + new project installation is the most reliable path

See also: ftp-web-interface.md, config-file-formats.md


4. VNC Access Recovery

4.1 VNC Configuration

The VNC server on B&R PLCs is configured in the Ethernet interface settings within the Automation Studio project, under the “VNC Servers” section. The OEM configures:

  • View-only password (typically a single character like v)
  • View and control password (typically a single character like c)
  • Port number (default: 5900, or offset from 5900 for multiple VNC servers)

4.2 VNC Default Passwords

Common B&R VNC defaults observed in the field:

ModeCommon Default Password
View onlyv
View and controlc

These defaults come from B&R training examples and the VC4 visualization tutorials. However, the OEM may have set custom passwords or disabled VNC entirely.

CRITICAL SECURITY WARNING — CVE-2023-1617 (CVSS 9.8 Critical): The B&R VC4 VNC server has an authentication bypass vulnerability affecting VC4 versions 3.x through 4.45.3 and 4.7.x through 4.72.9. An unauthenticated network attacker can bypass all VNC authentication entirely, gaining full view and control of the HMI without any credentials. This means even if the OEM set a custom VNC password, it provides no protection on unpatched systems.

Mitigation:

  1. Update VC4 to version 4.45.1+ or 4.72.9+ (requires Automation Studio with matching VC4 component)
  2. Block VNC ports (5900, 5800) at the network firewall if VNC is not needed
  3. On patched systems, change VNC passwords from defaults — single-character passwords are trivially guessable
  4. Never expose VNC ports to untrusted networks

See ar-rtos.md Section 14.10 for full CVE details and network-architecture.md for firewall configuration.

4.3 Connecting to VNC

## Using standard VNC client
vncviewer <PLC_IP>:5900

## Using B&R VNC Viewer (included with Automation Studio)
## Launch from: C:\Program Files\B&R\Automation Studio\<version>\Automation\Tools\VNC

4.4 VNC Not Configured

If the OEM did not configure a VNC server, you will not be able to connect. VNC is an application-level service — it must be explicitly configured in the Automation Studio project. Without the project or the ability to download a new configuration, VNC access is not available.

To enable VNC:

  1. You need to download a project to the PLC that includes VNC server configuration
  2. This can be done in BOOT mode from Automation Studio

See also: hmi-integration.md


5. OPC-UA Access Recovery

5.1 OPC-UA Security Model

B&R’s OPC-UA implementation supports:

  • Anonymous access (no authentication)
  • Username/password authentication (application-defined)
  • Certificate-based authentication (X.509)
  • Role-based access control (per-node permissions)

5.2 The User Role System

Starting with Automation Studio supporting OPC-UA, B&R introduced a user role system:

  • Any number of roles can be defined
  • Each role gets individual access rights per node (read, write, browse)
  • Nodes can be completely hidden from specific roles
  • Rights can be inherited from parent nodes to children
  • Users are assigned one or more roles
  • Passwords are SHA256-encrypted

5.3 Where Credentials Are Stored

OPC-UA user credentials are stored in:

  1. The compiled application on the CF card (User ROM / user partition)
  2. A dynamically-named file on the CF card’s secure partition with content like:
Property ID="Password" Value="bL3DNQOpeohgnWO6/XrO3/WjxEdDmtVI5eN8bg9oxj1gcJSr5ng=" DataType="STRING"

B&R has confirmed that:

  • The filename is dynamically created and varies based on the total number of files
  • The password value is SHA256 encrypted
  • B&R does not disclose the full encryption details for security reasons

5.4 Testing OPC-UA Access Without Credentials

If anonymous access is enabled (which is common on machines where the OEM didn’t configure strict security):

import asyncio
from asyncua import Client

async def test_opcua_access(plc_ip):
    url = f"opc.tcp://{plc_ip}:4840"
    async with Client(url=url) as client:
        root = client.get_root_node()
        print(f"Connected to {url} - anonymous access enabled")
        print(root)
        children = await root.get_children()
        for child in children:
            print(f"  {await child.get_browse_name()}")

asyncio.run(test_opcua_access("<PLC_IP>"))

5.5 Recovering When Authentication Is Required

If OPC-UA requires authentication:

  1. Try common defaults: admin, operator, service, br (empty password or br)
  2. FTP into the CF card and search for configuration files that might contain credential hints
  3. Boot mode → new project with known credentials
  4. Check the CF card user partition for configuration files that may contain user role definitions

See also: opcua.md, pvi-api.md


6. mapp UserX / Application-Level User Management

6.1 What Is mapp UserX?

mapp UserX is B&R’s pre-built user management component. If the OEM used mapp UserX, the following applies:

  • Users are created and managed through the MpUserXManager function block
  • User levels are hierarchical: administrators can create users at their level or below
  • Password rules are configurable (minimum length, complexity, expiration)
  • User data is stored in the mapp UserX configuration on the CF card

6.2 Typical mapp UserX Role Hierarchy

A common OEM configuration:

Role LevelRole NameCapabilities
10DeveloperFull access; create/edit all users
7ServiceCreate/edit operators and below
5ShiftLeaderCreate/edit operators
3OperatorBasic machine operation
1VisitorView-only

6.3 Admin Rights and User Management

Administrator rights in mapp UserX are used only for user management:

  • Create new users
  • Unlock locked users
  • Reset passwords
  • Edit user properties

Administrator rights do not affect other access like OPC-UA or other mapp components — those have their own role-based access controls.

6.4 Recovering mapp UserX Access

If the OEM used mapp UserX and you don’t have any credentials:

  1. The CF card is your path. mapp UserX stores its configuration in files on the CF card user partition
  2. FTP access may allow you to browse and identify mapp UserX configuration files
  3. Creating a new project without mapp UserX (or with a default admin account) and downloading it will replace the existing user management
  4. If you need to preserve the existing program while resetting access, you must first upload the existing project from the PLC (which may require credentials), then modify the user management, then download it back

6.5 Using the User Role System Programmatically

B&R provides function blocks for managing users at runtime:

MpUserXManager    - Core user management function block
MpUserXManagerUI  - User management with UI confirmation dialogs

The user role system can be updated during operation — you can assign a username and password to a new system operator from within the application program using these function blocks. If you have access to modify the PLC program (via online changes or a new download), you can inject code to create a new admin account.

See also: online-changes.md, custom-diagnostic-tools.md


7. SDM (System Diagnostics Manager) Access

7.1 SDM Is Typically Unauthenticated

The SDM web interface at http://<PLC_IP>/sdm is typically accessible without authentication. This is one of your most valuable diagnostic entry points when you have no credentials.

If SDM is enabled (it is by default on most configurations):

  • Open a web browser and navigate to http://<PLC_IP>/sdm
  • You can view CPU status, I/O module states, error logs, alarm history, network diagnostics
  • No login is required for read-only access

7.2 If SDM Is Disabled

SDM can be disabled in the project configuration to save CPU memory (about 200-400 kB of DRAM). If it’s disabled, you’ll get a 404 or connection refused on port 80.

To re-enable SDM, you need to download a new project configuration — which requires BOOT mode or existing Automation Studio access.

See also: diagnostics-sdm.md


8. Factory Reset / Full Wipe Procedures

8.1 Method 1: CF Card Format (HDD/CF Utility)

Prerequisites: Automation Studio installed on a Windows PC, PLC accessible via network or serial.

Automation Studio > Online > Settings > [select your PLC] > right-click > HDD/CF Utility

The HDD/CF utility allows you to:

  1. Format the CF card (destroying all user data including credentials)
  2. Repartition the CF card
  3. Initialize the CF card for a fresh installation

After formatting:

  • All user programs are gone
  • All user accounts and passwords are gone
  • The PLC boots into BOOT mode
  • You can install a new, clean project

8.2 Method 2: Runtime Utility Center

Runtime Utility Center (RUC) can execute the HDD/CF utility without requiring a full Automation Studio installation. This is useful if you don’t have AS installed.

  1. Install Runtime Utility Center from B&R’s website
  2. Connect to the PLC (requires knowing its IP address or using auto-discovery)
  3. Execute the HDD/CF utility

Limitation: RUC has less capability than AS for browsing/set IP address. In BOOT mode, the PLC needs DHCP to get an IP, which may be impractical.

8.3 Method 3: Physical CF Card Replacement

The most brute-force approach:

  1. Power down the PLC
  2. Remove the existing CF card
  3. Insert a new, blank B&R-certified CF card
  4. Power up — the PLC will go to BOOT mode (no system ROM on the blank card)
  5. Connect via Automation Studio and install a fresh system + your project

This preserves the original CF card as a backup in case you need to recover anything later.

8.4 Method 4: USB Flash Drive Installation

If you have a prepared USB installation package (a .zp2 or .zp3 file created by Automation Studio):

  1. Copy the installation package to a FAT32-formatted USB stick
  2. Set the PLC to BOOT mode
  3. Insert the USB stick
  4. The PLC will detect and install the package automatically
  5. This performs an initial installation that wipes the previous configuration

8.5 Hardware Reset Button Procedure

Step 1: Locate the reset button (below USB interfaces, on the bottom of the CPU housing)
Step 2: Press and hold with a pointed object
Step 3: The STATUS LED will flash orange after ~10 seconds
Step 4: Release the button
Step 5: The CPU returns to factory defaults (DHCP enabled, no application)

Note: This procedure resets network settings and clears the running application, but it does not format the CF card. Any passwords stored on the CF card persist.

See also: bootloader-recovery.md, cf-card-boot.md, firmware-version-mgmt.md


9. Serial Console Access

9.1 RS232 Interface

The CP1584 has an RS232 interface (IF1) on the 12-pin terminal block. This interface can be used as an online programming interface.

Pinout (X20TB12 terminal block):

PinSignal
1RX
2TX
3GND

Connection parameters: 57600 baud (factory default), 8-N-1, no flow control. If the default doesn’t work, the baud rate may have been reconfigured in the original project — try 9600, 19200, 38400, or 115200.

9.2 Serial Access Limitations

The RS232 interface on the CP1584 is primarily designed for:

  • Automation Studio serial connection (legacy)
  • Serial communication with external devices (configured in the application)
  • Boot loader serial console (for firmware recovery)

It does not provide a shell or command-line interface to the VxWorks-based operating system. You cannot log in via serial and reset passwords. However, it can be used for:

See also: serial-diagnostics.md


10. Network-Level Access When All Else Fails

10.1 What You Can Always Access (If Configured)

Even without any passwords, these interfaces are typically open by default:

InterfacePortAccess
SDM web interface80No auth (read-only)
ANSL discovery30303/11169 UDPNo auth (read-only broadcast)
OPC-UA4840May allow anonymous
FTP21Default br:br
VNC5900May be unconfigured

10.2 The “Nuclear Option” Workflow

When you have absolutely no credentials and need full access:

1. BACK UP THE CF CARD FIRST
   - Power down, remove CF card, image it to your PC
   - See cf-card-boot.md for imaging procedure
   - Store the image safely

2. SET PLC TO BOOT MODE
   - Switch the operating mode switch to BOOT
   - Power up
   - PLC is now in Boot AR, no application running

3. CONNECT VIA AUTOMATION STUDIO
   - Auto-search should find the PLC (DHCP or hardware address)
   - No application-level passwords are active in BOOT mode

4. CHOOSE YOUR PATH:
   Option A: Create a minimal new project, download it
   Option B: If you have a .apj backup with known passwords, download that
   Option C: Use HDD/CF utility to completely wipe and start fresh

5. RESTORE FROM YOUR ANALYSIS
   - Use the forensic data from cp1584-forensics.md to reconstruct functionality
   - See project-reconstruction.md for the full reconstruction methodology

10.3 Preserving the Running Application

If you need to keep the machine running while regaining access:

  1. FTP into the CF card and back up all files
  2. OPC-UA browse (if anonymous) to document the variable namespace
  3. SDM to capture all diagnostic data
  4. Network sniff POWERLINK traffic to document I/O mapping (see io-sniffing.md)
  5. Schedule a planned shutdown for the CF card swap

11. Security Implications of Having Full Access

11.1 What Full Access Means

Once you have full access to the CP1584:

  • You can read/write any PLC variable
  • You can modify the running program
  • You can change I/O mapping
  • You can modify safety system parameters (if safe I/O is configured)
  • You can change network configuration
  • You can enable/disable any service (OPC-UA, FTP, VNC, SDM, web server)
  • You can install new firmware

11.2 Safety System Considerations

If the machine has B&R Safe I/O modules (SafeLOGIC, Safe I/O):

  • Safety programs are separate from standard programs
  • Safety parameters have their own protection mechanism
  • Modifying safety parameters without proper validation can create dangerous conditions
  • Always validate safety-related changes through proper procedures

11.3 Securing the System After Recovery

After gaining access and reconstructing functionality:

  1. Set a new Automation Studio online login with proper user levels
  2. Configure OPC-UA user roles if exposing the PLC to a SCADA/MES system
  3. Change FTP credentials from defaults
  4. Set VNC passwords if VNC is enabled
  5. Document all credentials in your maintenance manual
  6. Consider disabling unused services (FTP, web server) to reduce attack surface
  7. Enable OPC-UA certificates for production environments

See also: safe-io-diagnostics.md, documentation-reconstruction.md


12. brwatch: External Service Tool for Variable Access Without Project

12.1 What Is brwatch?

brwatch (https://github.com/hilch/brwatch) is a free Windows service tool for B&R PLCs that provides variable watch, change, logging, IP configuration, and CPU reboot capabilities without requiring Automation Studio or the original project. This is one of the most valuable community tools for engineers working with undocumented B&R systems.

12.2 Capabilities

FeatureDescription
Watch variablesMonitor live variable values from any connected B&R PLC
Change variablesWrite values to PLC variables (setpoints, flags, parameters) at runtime
Log variablesRecord variable values over time to a log file for trending
Search variablesBrowse and search the variable namespace of a connected PLC
Set IP addressesChange PLC network configuration (IP, subnet, gateway)
Reboot CPUsRemotely restart connected PLCs
List PLCsDiscover all B&R PLCs on the network

12.3 Installation and Setup

# Download the latest release from GitHub
# https://github.com/hilch/brwatch/releases

# Run the installer (Windows)
# brwatch installs as a Windows service
# Configure the target PLC IP address in brwatch settings

12.4 Using brwatch Without Project Files

brwatch connects to the PLC via PVI and can enumerate variables that are visible in the runtime — even without the original project. This makes it valuable for:

  1. Checking which variables are accessible before investing in PVI/OPC-UA setup
  2. Making quick parameter changes on the running machine (setpoints, flags)
  3. Logging variable trends to diagnose intermittent issues
  4. Discovering the variable namespace as input for project reconstruction

12.5 Relationship to PVI

brwatch uses the B&R PVI infrastructure internally (PVI Manager). It requires either PVI 4.x or PVI 6.x installed on the workstation. On AS6, only ANSL lines are supported (INA2000 is removed). See pvi-api.md for PVI configuration details.

12.6 Comparison: brwatch vs Automation Studio vs PVI/OPC-UA

CapabilitybrwatchAutomation StudioOPC-UA ClientPVI API
Watch variablesYesYes (with connection)Yes (subscribe)Yes (poll)
Change variablesYesYes (with connection)Yes (write)Yes (write)
Log to fileYesLimited (Trace)Via externalVia script
Set IP addressYesYesNoNo
Reboot PLCYesYesNoNo
Requires projectNoYesNoNo
Requires AS licenseNoYesNoNo
FreeYesNo (requires license)Yes (UaExpert)No (PVI SDK)

brwatch is the recommended first tool for quick assessment of an undocumented PLC. See also: pvi-api.md, python-diagnostics.md.


13. Pvi.py: Python Access Without Automation Studio

13.1 What Is Pvi.py?

Pvi.py (https://github.com/hilch/Pvi.py) is a Python wrapper for B&R PVI that enables programmatic access to PLC variables from Python scripts without Automation Studio. This is the foundation for building automated diagnostic tools.

13.2 Quick Start

## pip install pvi  (or clone from GitHub)
from pvi import Pvi

plc = Pvi()
## Connect to PLC using ANSL line
plc.line_set(
    line_name="ANSL",
    ip="192.168.0.14",
)
plc.connect()

## Read a variable
value = plc.variable_read("MachineData.Temperature")
print(f"Temperature: {value}")

## Write a variable
plc.variable_write("MachineData.TargetRPM", 1500)

13.3 When Pvi.py Is Useful

  • Automated diagnostic scripts that poll PLC variables
  • Building custom monitoring dashboards without AS
  • Automated setpoint changes based on external logic
  • Batch variable extraction for documentation purposes

See python-diagnostics.md for comprehensive Python diagnostic script examples.


14. BOOT Mode: Service State Recovery

14.1 The Problem

A CP1584 can become stuck in “BOOT mode: Service” — a state where the Boot AR firmware is running but the controller cannot proceed to RUN or SERVICE mode. This typically indicates corrupted firmware or missing system files on the CF card.

14.2 Recovery Procedure

Based on B&R community discussions (https://community.br-automation.com/t/plc-module-stuck-in-boot-mode-service/8634):

  1. Verify the operating mode switch is set to BOOT (not RUN or DIAG)
  2. Check if Automation Studio can find the PLC via Auto Search (it should appear if Boot AR is running)
  3. Connect and check the error in Automation Studio’s connection dialog — the error message indicates what’s corrupted
  4. Try installing a fresh system runtime via Automation Studio transfer (Application > Transfer to Target)
  5. If transfer fails, try formatting the CF card via HDD/CF Utility and performing a fresh installation
  6. If the CF card itself is corrupted, image the card and restore from backup or use a new CF card

14.3 Serial Recovery

If network access is impossible:

  1. Connect RS232 serial cable to IF1 (12-pin terminal block, pins 1=RX, 2=TX, 3=GND)
  2. Set baud to 57600 (or try 9600, 19200, 38400, 115200)
  3. Some B&R controllers accept TFTP boot commands via serial — see bootloader-recovery.md

See also: bootloader-recovery.md, cf-card-boot.md


15. BrSecurity Library: Password/Encrypt/Decrypt

The BrSecurity library (https://github.com/br-automation-community/awesome-B-R) is a community library providing security functions for B&R Automation Studio projects:

  • Password hashing and verification
  • String encryption/decryption
  • Secure data storage

If the original project used BrSecurity for credential management, the password verification algorithm is embedded in the compiled code. Understanding this library may help when:

  • You can extract the compiled binary and identify BrSecurity usage
  • You need to replicate the same password scheme in a new project
  • You’re trying to verify if a guessed password matches

Note: This library is community-developed, not an official B&R product.


Key Findings

  1. B&R has no factory default administrator accounts. All credentials are OEM-defined and application-specific.
  2. BOOT mode bypasses all application security. Setting the physical switch to BOOT and downloading a new project is the most reliable recovery path.
  3. The CF card holds all secrets. User credentials are stored in compiled application data and/or the CF card’s secure partition with SHA256 encryption.
  4. SDM is typically unauthenticated. The web diagnostic interface is your primary entry point for assessing an unknown PLC.
  5. FTP defaults are br:br. This is the most commonly unchanged credential on B&R systems.
  6. VNC defaults are typically v (view) and c (control). But VNC must be configured in the project — it may not be enabled at all.
  7. The nuclear option (CF card format + fresh install) is always available but requires Automation Studio and results in complete loss of the existing application.
  8. Always image the CF card before making changes. The original application and configuration are your only reference for reconstruction.
  9. brwatch is the fastest way to gain access to an undocumented PLC’s variables — it requires no AS project, no AS license, and can enumerate, watch, and change variables from a Windows PC.
  10. Pvi.py enables automated Python access for building diagnostic scripts, monitoring dashboards, and batch documentation tools without Automation Studio.

Sources

B&R Documentation

  • B&R Automation Studio Online Help — CPU Properties > User Administration
  • B&R Automation Runtime Manual — Service Mode and Diagnostic Mode specifications
  • B&R X20 System User’s Manual — operating mode switch, LED indicators, and recovery procedures
  • B&R CF Card Handling Guide — backup and restore procedures

B&R Community Forum

  • community.br-automation.com — discussions on password recovery, BOOT mode, FTP defaults, and VNC configuration