B&R User Role and Access Control Recovery for CP1584
Overview
When you inherit a B&R machine from a defunct OEM, one of the first barriers you may hit is password protection. The OEM may have configured user accounts, OPC-UA authentication, VNC passwords, FTP access controls, or Automation Studio online login credentials — and none of them were documented. This guide covers every known access recovery pathway for the X20CP1584 and related B&R controllers.
Critical context: B&R controllers do not have any built-in default administrator accounts or system-integrated credentials. All user management is entirely application-defined. This was confirmed by B&R staff on the community forum. The passwords, roles, and accounts that exist on any given CP1584 were created by the OEM programmer during project development.
1. Understanding B&R Access Control Layers
B&R access control is not a single mechanism. There are multiple independent layers, each protecting different interfaces:
| Layer | What It Protects | Configured In | Default State |
|---|---|---|---|
| Automation Studio Online Login | Download/upload/online monitoring from AS | Project options in AS | No password by default |
| VNC Server | Remote HMI viewing and control | Ethernet interface settings, VNC Servers section | Password optional; defaults to no auth |
| FTP Server | CF card file access | System configuration, System.par | Username br, password br (traditional default); can be changed |
| OPC-UA Server | Variable access via OPC-UA | OPC-UA configuration, user role system | Anonymous access or configured roles |
| User Role System (mapp) | Application-level login for operators | mapp UserX, AsUserMG library in the PLC program | Defined by OEM programmer |
| SDM Web Interface | Browser-based diagnostics at /sdm | System configuration | No authentication by default |
| Ethernet Station Address / DIP Switch | INA2000 station number | Physical DIP switches on the CPU | Set by hardware |
Key Insight: The OEM Program Controls Everything
Unlike some PLC brands (Siemens, Rockwell) that have factory-level passwords for firmware access, B&R’s security model is:
- No factory passwords exist. B&R confirmed there are “no standard / system integrated administrator accounts / credentials.”
- All credentials are application-specific. The user roles, passwords, and access levels are created by whoever programmed the PLC.
- Credentials are stored in the application project, compiled into the binary, and loaded from the CF card at boot.
- Some credentials are stored on the CF card’s secure partition in a dynamically-named file with SHA256-encrypted password values.
See also: firmware.md, cf-card-boot.md, config-file-formats.md
2. Automation Studio Online Access
2.1 What Is Protected
When you connect to a CP1584 from Automation Studio (Online > Settings > Auto Search or manual IP entry), the controller may require an online password. This is configured per-project in:
Automation Studio > Options > Settings > Online > Login
The online login can have multiple user levels:
| Level | Description |
|---|---|
| Operator | Limited access; can view but not modify |
| Service | Can read/write variables, force I/O, make online changes |
| Administrator | Full access; can download/upload programs, change configuration |
| Default | If no login is configured, anyone with AS can connect with full access |
2.2 Recovery When the AS Password Is Unknown
There are several approaches:
Approach A: Direct CF Card Access
If you can physically access the CF card:
- Power down the PLC
- Remove the CF card
- Image the CF card to your PC (see cf-card-boot.md for imaging procedure)
- The online login configuration is stored in the compiled project on the CF card
- You can search the CF card’s user partition files for configuration data
- In many cases, simply creating a new project with no login protection and downloading it will overwrite the existing password
Approach B: Boot Mode Access
The CP1584 has a physical operating mode switch on the CPU housing:
| Switch Position | Mode | Description |
|---|---|---|
| RUN | Normal operation | Application runs normally |
| BOOT | Boot mode | Boot AR starts; system can be installed via online interface |
| DIAG | Diagnostic mode | CPU boots with diagnostics; programs are not initialized |
In BOOT mode, the controller runs the Boot AR firmware, not the user application. This means:
- No application-level security is active
- You can connect from Automation Studio and install a new project
- The user application is not running (outputs are zeroed)
Procedure:
- Power down the PLC
- Set the operating mode switch to BOOT
- Power up the PLC
- The STATUS LED will show the PLC is in BOOT mode (R/E red on, RDY/F yellow on)
- In Automation Studio, use Online > Settings > Auto Search to find the PLC (it will appear with its hardware address, typically via DHCP)
- Connect and install a new project — or if you have the original
.apjfile with known passwords, install it
Approach C: Reset Button
The CP1584 has a reset button located below the USB interfaces on the bottom of the housing:
Procedure:
1. Press the reset button with a small pointed object (e.g., paper clip)
2. All application programs are stopped immediately
3. All outputs are set to zero
4. The PLC starts up in SERVICE mode by default
5. The startup mode after reset can be configured in Automation Studio
In SERVICE mode, the application is not running normally, but you may still need credentials to connect via Automation Studio. The reset button alone does not clear passwords — it only stops the application.
Approach D: Network Reset (DHCP Recovery)
If you don’t know the PLC’s IP address:
- Connect your PC directly to the PLC’s Ethernet port
- Set your PC to DHCP
- Switch the PLC to BOOT mode
- If a DHCP server is available, the PLC will obtain an IP via DHCP
- Use Automation Studio’s auto-search to find it
Without a DHCP server, the PLC in BOOT mode may use its hardware-based INA2000 address (set by the DIP switches on the CPU).
3. FTP Access Recovery
SECURITY WARNING — CVE-2024-0323 (CVSS 9.8 Critical): The FTP server on B&R Automation Runtime supports insecure encryption mechanisms (SSLv3, TLSv1.0, TLSv1.1). An attacker on the network can perform man-in-the-middle attacks to decrypt FTP communications, including CF card backups that may contain the entire project, credentials, and configuration. Do not use FTP over untrusted networks. See ar-rtos.md Section 14.8 for details.
3.1 Default FTP Credentials
B&R FTP access traditionally defaults to:
Username: br
Password: br
However, the OEM may have changed these. FTP credentials are stored in the controller’s system configuration, not in the user application.
3.2 FTP Without Credentials (ANSL-era Behavior)
On older B&R systems, FTP would accept any username/password combination (literally any string for both fields). This was possible because FTP authentication was not rigorously enforced. On modern AR versions (4.x+), this behavior depends on the system configuration.
3.3 Testing FTP Access
## Attempt FTP connection
ftp <PLC_IP>
## Or using curl for testing
curl -v ftp://<PLC_IP>/
## Try default credentials
curl -v ftp://br:br@<PLC_IP>/
If FTP access works, you can browse the CF card partitions:
ftp> ls
Volume: A:
Volume: C:
Volume: F: (user partition - contains user files)
Volume: System (system partition - contains AR firmware)
Volume: CONFIG (configuration)
3.4 FTP Access Controls
B&R offers password-protected FTP as of AR 4.33+. The configuration for FTP access is stored in the system configuration on the CF card. If the OEM changed the default credentials:
- If you can physically access the CF card, you may be able to modify the system configuration
- Boot mode + new project installation is the most reliable path
See also: ftp-web-interface.md, config-file-formats.md
4. VNC Access Recovery
4.1 VNC Configuration
The VNC server on B&R PLCs is configured in the Ethernet interface settings within the Automation Studio project, under the “VNC Servers” section. The OEM configures:
- View-only password (typically a single character like
v) - View and control password (typically a single character like
c) - Port number (default: 5900, or offset from 5900 for multiple VNC servers)
4.2 VNC Default Passwords
Common B&R VNC defaults observed in the field:
| Mode | Common Default Password |
|---|---|
| View only | v |
| View and control | c |
These defaults come from B&R training examples and the VC4 visualization tutorials. However, the OEM may have set custom passwords or disabled VNC entirely.
CRITICAL SECURITY WARNING — CVE-2023-1617 (CVSS 9.8 Critical): The B&R VC4 VNC server has an authentication bypass vulnerability affecting VC4 versions 3.x through 4.45.3 and 4.7.x through 4.72.9. An unauthenticated network attacker can bypass all VNC authentication entirely, gaining full view and control of the HMI without any credentials. This means even if the OEM set a custom VNC password, it provides no protection on unpatched systems.
Mitigation:
- Update VC4 to version 4.45.1+ or 4.72.9+ (requires Automation Studio with matching VC4 component)
- Block VNC ports (5900, 5800) at the network firewall if VNC is not needed
- On patched systems, change VNC passwords from defaults — single-character passwords are trivially guessable
- Never expose VNC ports to untrusted networks
See ar-rtos.md Section 14.10 for full CVE details and network-architecture.md for firewall configuration.
4.3 Connecting to VNC
## Using standard VNC client
vncviewer <PLC_IP>:5900
## Using B&R VNC Viewer (included with Automation Studio)
## Launch from: C:\Program Files\B&R\Automation Studio\<version>\Automation\Tools\VNC
4.4 VNC Not Configured
If the OEM did not configure a VNC server, you will not be able to connect. VNC is an application-level service — it must be explicitly configured in the Automation Studio project. Without the project or the ability to download a new configuration, VNC access is not available.
To enable VNC:
- You need to download a project to the PLC that includes VNC server configuration
- This can be done in BOOT mode from Automation Studio
See also: hmi-integration.md
5. OPC-UA Access Recovery
5.1 OPC-UA Security Model
B&R’s OPC-UA implementation supports:
- Anonymous access (no authentication)
- Username/password authentication (application-defined)
- Certificate-based authentication (X.509)
- Role-based access control (per-node permissions)
5.2 The User Role System
Starting with Automation Studio supporting OPC-UA, B&R introduced a user role system:
- Any number of roles can be defined
- Each role gets individual access rights per node (read, write, browse)
- Nodes can be completely hidden from specific roles
- Rights can be inherited from parent nodes to children
- Users are assigned one or more roles
- Passwords are SHA256-encrypted
5.3 Where Credentials Are Stored
OPC-UA user credentials are stored in:
- The compiled application on the CF card (User ROM / user partition)
- A dynamically-named file on the CF card’s secure partition with content like:
Property ID="Password" Value="bL3DNQOpeohgnWO6/XrO3/WjxEdDmtVI5eN8bg9oxj1gcJSr5ng=" DataType="STRING"
B&R has confirmed that:
- The filename is dynamically created and varies based on the total number of files
- The password value is SHA256 encrypted
- B&R does not disclose the full encryption details for security reasons
5.4 Testing OPC-UA Access Without Credentials
If anonymous access is enabled (which is common on machines where the OEM didn’t configure strict security):
import asyncio
from asyncua import Client
async def test_opcua_access(plc_ip):
url = f"opc.tcp://{plc_ip}:4840"
async with Client(url=url) as client:
root = client.get_root_node()
print(f"Connected to {url} - anonymous access enabled")
print(root)
children = await root.get_children()
for child in children:
print(f" {await child.get_browse_name()}")
asyncio.run(test_opcua_access("<PLC_IP>"))
5.5 Recovering When Authentication Is Required
If OPC-UA requires authentication:
- Try common defaults:
admin,operator,service,br(empty password orbr) - FTP into the CF card and search for configuration files that might contain credential hints
- Boot mode → new project with known credentials
- Check the CF card user partition for configuration files that may contain user role definitions
See also: opcua.md, pvi-api.md
6. mapp UserX / Application-Level User Management
6.1 What Is mapp UserX?
mapp UserX is B&R’s pre-built user management component. If the OEM used mapp UserX, the following applies:
- Users are created and managed through the
MpUserXManagerfunction block - User levels are hierarchical: administrators can create users at their level or below
- Password rules are configurable (minimum length, complexity, expiration)
- User data is stored in the mapp UserX configuration on the CF card
6.2 Typical mapp UserX Role Hierarchy
A common OEM configuration:
| Role Level | Role Name | Capabilities |
|---|---|---|
| 10 | Developer | Full access; create/edit all users |
| 7 | Service | Create/edit operators and below |
| 5 | ShiftLeader | Create/edit operators |
| 3 | Operator | Basic machine operation |
| 1 | Visitor | View-only |
6.3 Admin Rights and User Management
Administrator rights in mapp UserX are used only for user management:
- Create new users
- Unlock locked users
- Reset passwords
- Edit user properties
Administrator rights do not affect other access like OPC-UA or other mapp components — those have their own role-based access controls.
6.4 Recovering mapp UserX Access
If the OEM used mapp UserX and you don’t have any credentials:
- The CF card is your path. mapp UserX stores its configuration in files on the CF card user partition
- FTP access may allow you to browse and identify mapp UserX configuration files
- Creating a new project without mapp UserX (or with a default admin account) and downloading it will replace the existing user management
- If you need to preserve the existing program while resetting access, you must first upload the existing project from the PLC (which may require credentials), then modify the user management, then download it back
6.5 Using the User Role System Programmatically
B&R provides function blocks for managing users at runtime:
MpUserXManager - Core user management function block
MpUserXManagerUI - User management with UI confirmation dialogs
The user role system can be updated during operation — you can assign a username and password to a new system operator from within the application program using these function blocks. If you have access to modify the PLC program (via online changes or a new download), you can inject code to create a new admin account.
See also: online-changes.md, custom-diagnostic-tools.md
7. SDM (System Diagnostics Manager) Access
7.1 SDM Is Typically Unauthenticated
The SDM web interface at http://<PLC_IP>/sdm is typically accessible without authentication. This is one of your most valuable diagnostic entry points when you have no credentials.
If SDM is enabled (it is by default on most configurations):
- Open a web browser and navigate to
http://<PLC_IP>/sdm - You can view CPU status, I/O module states, error logs, alarm history, network diagnostics
- No login is required for read-only access
7.2 If SDM Is Disabled
SDM can be disabled in the project configuration to save CPU memory (about 200-400 kB of DRAM). If it’s disabled, you’ll get a 404 or connection refused on port 80.
To re-enable SDM, you need to download a new project configuration — which requires BOOT mode or existing Automation Studio access.
See also: diagnostics-sdm.md
8. Factory Reset / Full Wipe Procedures
8.1 Method 1: CF Card Format (HDD/CF Utility)
Prerequisites: Automation Studio installed on a Windows PC, PLC accessible via network or serial.
Automation Studio > Online > Settings > [select your PLC] > right-click > HDD/CF Utility
The HDD/CF utility allows you to:
- Format the CF card (destroying all user data including credentials)
- Repartition the CF card
- Initialize the CF card for a fresh installation
After formatting:
- All user programs are gone
- All user accounts and passwords are gone
- The PLC boots into BOOT mode
- You can install a new, clean project
8.2 Method 2: Runtime Utility Center
Runtime Utility Center (RUC) can execute the HDD/CF utility without requiring a full Automation Studio installation. This is useful if you don’t have AS installed.
- Install Runtime Utility Center from B&R’s website
- Connect to the PLC (requires knowing its IP address or using auto-discovery)
- Execute the HDD/CF utility
Limitation: RUC has less capability than AS for browsing/set IP address. In BOOT mode, the PLC needs DHCP to get an IP, which may be impractical.
8.3 Method 3: Physical CF Card Replacement
The most brute-force approach:
- Power down the PLC
- Remove the existing CF card
- Insert a new, blank B&R-certified CF card
- Power up — the PLC will go to BOOT mode (no system ROM on the blank card)
- Connect via Automation Studio and install a fresh system + your project
This preserves the original CF card as a backup in case you need to recover anything later.
8.4 Method 4: USB Flash Drive Installation
If you have a prepared USB installation package (a .zp2 or .zp3 file created by Automation Studio):
- Copy the installation package to a FAT32-formatted USB stick
- Set the PLC to BOOT mode
- Insert the USB stick
- The PLC will detect and install the package automatically
- This performs an initial installation that wipes the previous configuration
8.5 Hardware Reset Button Procedure
Step 1: Locate the reset button (below USB interfaces, on the bottom of the CPU housing)
Step 2: Press and hold with a pointed object
Step 3: The STATUS LED will flash orange after ~10 seconds
Step 4: Release the button
Step 5: The CPU returns to factory defaults (DHCP enabled, no application)
Note: This procedure resets network settings and clears the running application, but it does not format the CF card. Any passwords stored on the CF card persist.
See also: bootloader-recovery.md, cf-card-boot.md, firmware-version-mgmt.md
9. Serial Console Access
9.1 RS232 Interface
The CP1584 has an RS232 interface (IF1) on the 12-pin terminal block. This interface can be used as an online programming interface.
Pinout (X20TB12 terminal block):
| Pin | Signal |
|---|---|
| 1 | RX |
| 2 | TX |
| 3 | GND |
Connection parameters: 57600 baud (factory default), 8-N-1, no flow control. If the default doesn’t work, the baud rate may have been reconfigured in the original project — try 9600, 19200, 38400, or 115200.
9.2 Serial Access Limitations
The RS232 interface on the CP1584 is primarily designed for:
- Automation Studio serial connection (legacy)
- Serial communication with external devices (configured in the application)
- Boot loader serial console (for firmware recovery)
It does not provide a shell or command-line interface to the VxWorks-based operating system. You cannot log in via serial and reset passwords. However, it can be used for:
- BOOT mode communication (see bootloader-recovery.md)
- Firmware recovery via serial/TFTP
See also: serial-diagnostics.md
10. Network-Level Access When All Else Fails
10.1 What You Can Always Access (If Configured)
Even without any passwords, these interfaces are typically open by default:
| Interface | Port | Access |
|---|---|---|
| SDM web interface | 80 | No auth (read-only) |
| ANSL discovery | 30303/11169 UDP | No auth (read-only broadcast) |
| OPC-UA | 4840 | May allow anonymous |
| FTP | 21 | Default br:br |
| VNC | 5900 | May be unconfigured |
10.2 The “Nuclear Option” Workflow
When you have absolutely no credentials and need full access:
1. BACK UP THE CF CARD FIRST
- Power down, remove CF card, image it to your PC
- See cf-card-boot.md for imaging procedure
- Store the image safely
2. SET PLC TO BOOT MODE
- Switch the operating mode switch to BOOT
- Power up
- PLC is now in Boot AR, no application running
3. CONNECT VIA AUTOMATION STUDIO
- Auto-search should find the PLC (DHCP or hardware address)
- No application-level passwords are active in BOOT mode
4. CHOOSE YOUR PATH:
Option A: Create a minimal new project, download it
Option B: If you have a .apj backup with known passwords, download that
Option C: Use HDD/CF utility to completely wipe and start fresh
5. RESTORE FROM YOUR ANALYSIS
- Use the forensic data from cp1584-forensics.md to reconstruct functionality
- See project-reconstruction.md for the full reconstruction methodology
10.3 Preserving the Running Application
If you need to keep the machine running while regaining access:
- FTP into the CF card and back up all files
- OPC-UA browse (if anonymous) to document the variable namespace
- SDM to capture all diagnostic data
- Network sniff POWERLINK traffic to document I/O mapping (see io-sniffing.md)
- Schedule a planned shutdown for the CF card swap
11. Security Implications of Having Full Access
11.1 What Full Access Means
Once you have full access to the CP1584:
- You can read/write any PLC variable
- You can modify the running program
- You can change I/O mapping
- You can modify safety system parameters (if safe I/O is configured)
- You can change network configuration
- You can enable/disable any service (OPC-UA, FTP, VNC, SDM, web server)
- You can install new firmware
11.2 Safety System Considerations
If the machine has B&R Safe I/O modules (SafeLOGIC, Safe I/O):
- Safety programs are separate from standard programs
- Safety parameters have their own protection mechanism
- Modifying safety parameters without proper validation can create dangerous conditions
- Always validate safety-related changes through proper procedures
11.3 Securing the System After Recovery
After gaining access and reconstructing functionality:
- Set a new Automation Studio online login with proper user levels
- Configure OPC-UA user roles if exposing the PLC to a SCADA/MES system
- Change FTP credentials from defaults
- Set VNC passwords if VNC is enabled
- Document all credentials in your maintenance manual
- Consider disabling unused services (FTP, web server) to reduce attack surface
- Enable OPC-UA certificates for production environments
See also: safe-io-diagnostics.md, documentation-reconstruction.md
12. brwatch: External Service Tool for Variable Access Without Project
12.1 What Is brwatch?
brwatch (https://github.com/hilch/brwatch) is a free Windows service tool for B&R PLCs that provides variable watch, change, logging, IP configuration, and CPU reboot capabilities without requiring Automation Studio or the original project. This is one of the most valuable community tools for engineers working with undocumented B&R systems.
12.2 Capabilities
| Feature | Description |
|---|---|
| Watch variables | Monitor live variable values from any connected B&R PLC |
| Change variables | Write values to PLC variables (setpoints, flags, parameters) at runtime |
| Log variables | Record variable values over time to a log file for trending |
| Search variables | Browse and search the variable namespace of a connected PLC |
| Set IP addresses | Change PLC network configuration (IP, subnet, gateway) |
| Reboot CPUs | Remotely restart connected PLCs |
| List PLCs | Discover all B&R PLCs on the network |
12.3 Installation and Setup
# Download the latest release from GitHub
# https://github.com/hilch/brwatch/releases
# Run the installer (Windows)
# brwatch installs as a Windows service
# Configure the target PLC IP address in brwatch settings
12.4 Using brwatch Without Project Files
brwatch connects to the PLC via PVI and can enumerate variables that are visible in the runtime — even without the original project. This makes it valuable for:
- Checking which variables are accessible before investing in PVI/OPC-UA setup
- Making quick parameter changes on the running machine (setpoints, flags)
- Logging variable trends to diagnose intermittent issues
- Discovering the variable namespace as input for project reconstruction
12.5 Relationship to PVI
brwatch uses the B&R PVI infrastructure internally (PVI Manager). It requires either PVI 4.x or PVI 6.x installed on the workstation. On AS6, only ANSL lines are supported (INA2000 is removed). See pvi-api.md for PVI configuration details.
12.6 Comparison: brwatch vs Automation Studio vs PVI/OPC-UA
| Capability | brwatch | Automation Studio | OPC-UA Client | PVI API |
|---|---|---|---|---|
| Watch variables | Yes | Yes (with connection) | Yes (subscribe) | Yes (poll) |
| Change variables | Yes | Yes (with connection) | Yes (write) | Yes (write) |
| Log to file | Yes | Limited (Trace) | Via external | Via script |
| Set IP address | Yes | Yes | No | No |
| Reboot PLC | Yes | Yes | No | No |
| Requires project | No | Yes | No | No |
| Requires AS license | No | Yes | No | No |
| Free | Yes | No (requires license) | Yes (UaExpert) | No (PVI SDK) |
brwatch is the recommended first tool for quick assessment of an undocumented PLC. See also: pvi-api.md, python-diagnostics.md.
13. Pvi.py: Python Access Without Automation Studio
13.1 What Is Pvi.py?
Pvi.py (https://github.com/hilch/Pvi.py) is a Python wrapper for B&R PVI that enables programmatic access to PLC variables from Python scripts without Automation Studio. This is the foundation for building automated diagnostic tools.
13.2 Quick Start
## pip install pvi (or clone from GitHub)
from pvi import Pvi
plc = Pvi()
## Connect to PLC using ANSL line
plc.line_set(
line_name="ANSL",
ip="192.168.0.14",
)
plc.connect()
## Read a variable
value = plc.variable_read("MachineData.Temperature")
print(f"Temperature: {value}")
## Write a variable
plc.variable_write("MachineData.TargetRPM", 1500)
13.3 When Pvi.py Is Useful
- Automated diagnostic scripts that poll PLC variables
- Building custom monitoring dashboards without AS
- Automated setpoint changes based on external logic
- Batch variable extraction for documentation purposes
See python-diagnostics.md for comprehensive Python diagnostic script examples.
14. BOOT Mode: Service State Recovery
14.1 The Problem
A CP1584 can become stuck in “BOOT mode: Service” — a state where the Boot AR firmware is running but the controller cannot proceed to RUN or SERVICE mode. This typically indicates corrupted firmware or missing system files on the CF card.
14.2 Recovery Procedure
Based on B&R community discussions (https://community.br-automation.com/t/plc-module-stuck-in-boot-mode-service/8634):
- Verify the operating mode switch is set to BOOT (not RUN or DIAG)
- Check if Automation Studio can find the PLC via Auto Search (it should appear if Boot AR is running)
- Connect and check the error in Automation Studio’s connection dialog — the error message indicates what’s corrupted
- Try installing a fresh system runtime via Automation Studio transfer (Application > Transfer to Target)
- If transfer fails, try formatting the CF card via HDD/CF Utility and performing a fresh installation
- If the CF card itself is corrupted, image the card and restore from backup or use a new CF card
14.3 Serial Recovery
If network access is impossible:
- Connect RS232 serial cable to IF1 (12-pin terminal block, pins 1=RX, 2=TX, 3=GND)
- Set baud to 57600 (or try 9600, 19200, 38400, 115200)
- Some B&R controllers accept TFTP boot commands via serial — see bootloader-recovery.md
See also: bootloader-recovery.md, cf-card-boot.md
15. BrSecurity Library: Password/Encrypt/Decrypt
The BrSecurity library (https://github.com/br-automation-community/awesome-B-R) is a community library providing security functions for B&R Automation Studio projects:
- Password hashing and verification
- String encryption/decryption
- Secure data storage
If the original project used BrSecurity for credential management, the password verification algorithm is embedded in the compiled code. Understanding this library may help when:
- You can extract the compiled binary and identify BrSecurity usage
- You need to replicate the same password scheme in a new project
- You’re trying to verify if a guessed password matches
Note: This library is community-developed, not an official B&R product.
Key Findings
- B&R has no factory default administrator accounts. All credentials are OEM-defined and application-specific.
- BOOT mode bypasses all application security. Setting the physical switch to BOOT and downloading a new project is the most reliable recovery path.
- The CF card holds all secrets. User credentials are stored in compiled application data and/or the CF card’s secure partition with SHA256 encryption.
- SDM is typically unauthenticated. The web diagnostic interface is your primary entry point for assessing an unknown PLC.
- FTP defaults are
br:br. This is the most commonly unchanged credential on B&R systems. - VNC defaults are typically
v(view) andc(control). But VNC must be configured in the project — it may not be enabled at all. - The nuclear option (CF card format + fresh install) is always available but requires Automation Studio and results in complete loss of the existing application.
- Always image the CF card before making changes. The original application and configuration are your only reference for reconstruction.
- brwatch is the fastest way to gain access to an undocumented PLC’s variables — it requires no AS project, no AS license, and can enumerate, watch, and change variables from a Windows PC.
- Pvi.py enables automated Python access for building diagnostic scripts, monitoring dashboards, and batch documentation tools without Automation Studio.
Sources
B&R Documentation
- B&R Automation Studio Online Help — CPU Properties > User Administration
- B&R Automation Runtime Manual — Service Mode and Diagnostic Mode specifications
- B&R X20 System User’s Manual — operating mode switch, LED indicators, and recovery procedures
- B&R CF Card Handling Guide — backup and restore procedures
B&R Community Forum
- community.br-automation.com — discussions on password recovery, BOOT mode, FTP defaults, and VNC configuration
Related Documents
- cp1584-forensics.md — Forensic information extraction from a CP1584 without project files
- ftp-web-interface.md — FTP server access for remote recovery
- diagnostics-sdm.md — SDM web interface for initial assessment
- cf-card-boot.md — CF card structure and backup procedures
- safe-io-diagnostics.md — Safety system access considerations
- documentation-reconstruction.md — Documenting the system after access recovery