Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

B&R CP1584 FTP and Web Server Interface Reference

Overview

Every B&R CP1584 (X20CP1584) running Automation Runtime ships with two built-in network services that are invaluable when maintaining machines from defunct OEMs with no documentation: an FTP server for direct file system access to the Compact Flash card, and a web server hosting the System Diagnostics Manager (SDM) and optionally custom HTML/ASP pages with live process variable access.

Neither service requires Automation Studio to use. A laptop on the same subnet with any FTP client or web browser is sufficient to pull configuration files, extract logs, download system dumps, and inspect live PLC data. This makes them critical survival tools when you have no AS project and no OEM support.

The CP1584 uses a PCMCIA Compact Flash card that holds the Automation Runtime OS and all application data. The FTP server exposes the CF card partitions directly. The web server runs on the same Ethernet interface as SDM and any custom pages the OEM may have deployed.


FTP Server

Connection Basics

ParameterValue
ProtocolFTP (plain text, no encryption)
Default Port21
FTPS SupportAvailable in AR 4.x via configuration (not SFTP)
Port ChangeAR P4.93+ via CfgSetFTPServerPort FB; AS UI from AS 4.12.9
AuthenticationConfigured in Automation Studio (CPU > FTP settings)
Anonymous AccessC: partition only (read-only); F: requires credentials
RBAC (AR 6.5+)Role-based access control for authentication and permissions (AS 6.5 / AR 6.5)

Access Levels and Partitions

The FTP server presents two root-level directories corresponding to CF card partitions:

C: – System Partition (Anonymous / Read-Only)

  • Anonymous FTP login grants access to the C: partition in read-only mode.
  • Contains the Automation Runtime OS files, system configuration, and log files.
  • Attempting CWD F: while anonymous returns 550 Guest access denied.
  • You cannot write to C: via FTP under any circumstances.

F: – User Partition (Requires Credentials)

  • The F: (user) partition stores application data, project backups, recipe files, CSV logs, and anything the PLC program writes via FileIO.
  • Access requires the username and password configured in the AS project under CPU > FTP configuration.
  • If no credentials were configured by the OEM, common defaults reported in the field include admin/admin or empty credentials.
  • On very old B&R systems, any username/password combination reportedly worked.
  • Read/write access level is also configured per-file-device in the AS project.

File System Layout

Key directories typically found via FTP:

C:\
  BrWebSvr.ini          -- Web server configuration
  BrWebSvr.cfg          -- Web server user/group definitions (legacy)
  arlogsys.log          -- System logger output
  SysDir\               -- System configuration directory
    *.cfg               -- Runtime configuration files
    *.ini               -- Initialization files
  AS\                   -- Automation Runtime module libraries
    WebServer\          -- Web server binary and support files
  Temp\                 -- Temporary files
  web\                  -- Default web server root directory
    index.htm           -- Default start page
    PV_Access.js        -- JavaScript library for process variable access
    *.asp               -- Active Server Pages (if deployed)
  mappView\             -- mappView HMI files (if mappView is used)
    *.widget            -- Widget definitions
    *.page              -- Page definitions
    *.css               -- Stylesheets

F:\
  (user files - varies by OEM project)
  *.csv                 -- Data logs, recipes, production records
  *.txt                 -- Text log files
  *.zip                 -- Project backups (if OEM stored them here)
  *.dat                 -- Parameter or recipe files
  TimLogger\            -- If mapp TimLogger is used
    *.csv               -- Time-stamped log files
  DataXfer\             -- File transfer directories
  UserDir\              -- Custom user data directory

The USER_PATH keyword in Automation Runtime automatically resolves to the F: partition root.

Practical FTP Commands

Connecting with FileZilla (recommended over WinSCP for B&R):

Host: <PLC_IP_ADDRESS>
Username: <configured_username or "anonymous" for C: only>
Password: <configured_password or blank for anonymous>
Port: 21

FileZilla works reliably across all AR versions. WinSCP has known compatibility issues with AR P4.93+ due to FTP server implementation changes.

Connecting with curl (command line, for scripting):

# List system partition files (anonymous)
curl -s ftp://192.168.0.1/ --user anonymous:

# Download a configuration file
curl -s ftp://192.168.0.1/SysDir/Config.cfg --user anonymous: -o Config.cfg

# Download a file from the user partition
curl -s ftp://192.168.0.1/data/recipe.csv --user admin:admin -o recipe.csv

# Upload a file to the user partition
curl -s -T local_file.csv ftp://192.168.0.1/data/ --user admin:admin

# List user partition contents
curl -s ftp://192.168.0.1/ --user admin:admin

# Download the entire web directory for offline inspection
curl -s ftp://192.168.0.1/web/ --user admin:admin --list-only

Bulk backup with lftp (mirrors the entire user partition):

lftp -e "mirror --verbose / /path/to/local_backup" -u admin,admin ftp://192.168.0.1

Python script for automated log retrieval:

import ftplib

ftp = ftplib.FTP("192.168.0.1")
ftp.login("admin", "admin")
ftp.cwd("TimLogger")
filenames = ftp.nlst()
for f in filenames:
    with open(f, "wb") as fh:
        ftp.retrbinary(f"RETR {f}", fh.write)
ftp.quit()

FTP Configuration in Automation Studio

If you have access to an AS project (or can obtain one), the FTP server is configured under:

CPU > Properties > FTP Server

Key settings:

  • FTP Server Enabled: Checkbox to enable/disable
  • Password: Sets the FTP access password
  • File Device Access: Per-device read/write permissions under the File Device configuration
  • User Partition Minimum Size: Must be > 0 for F: to exist (check CPU > Module system on target)

FTP Gotchas and Known Issues

  1. WinSCP incompatibility with AR P4.93: The FTP server implementation changed in P4.93, breaking WinSCP directory listing. Use FileZilla instead. This is a known regression.

  2. No SFTP: B&R supports FTPS (FTP over SSL/TLS) but not SFTP (SSH-based). For AR 4.x, configure FTPS in the CPU properties. For security on plant networks, consider tunneling FTP through an SSH tunnel or VPN rather than relying on FTPS.

  3. Minimum user partition size: If the “Minimum user partition size” in CPU > Module system on target is set to 0, the F: partition will not exist and FTP access to user data will fail. This must be set > 0 and the CF card must be re-initialized (offline installation).

  4. Concurrent connection limits: The FTP server supports limited concurrent connections (typically 4-8 sessions). Excessive simultaneous sessions may cause connection refused errors or intermittent timeouts.

  5. File locking: Files currently open by the PLC program (via FileIO) cannot be overwritten via FTP. This is particularly relevant for active log files. Lock duration is typically until the FileIO handle is closed or the PLC program cycle ends.

  6. Path navigation quirk: The FTP root shows a .. entry (parent directory) that returns “Permission denied” when clicked. This is normal – you are already at the partition root.

  7. Timeout behavior: Long-running transfers may timeout on slow networks. The FTP server does not support resume/partial transfers reliably on older AR versions.

  8. Case sensitivity: The B&R file system is case-insensitive on C: but this can vary on F: depending on AR version. Use exact case when in doubt.

FTP Active vs Passive Mode

FTP uses two channels: a control channel (port 21, always used for commands) and a data channel (for file transfers). The data channel can be established in two ways:

Active Mode (PORT):

Client → Server: PORT command with client IP and port number
Server → Client: Server initiates data connection TO the client
Problem: The server connects back to the client on an unpredictable port (typically 20).
         Most firewalls and NAT routers block incoming connections on arbitrary ports.

Passive Mode (PASV):

Client → Server: PASV command
Server → Client: Server responds with IP and port number
Client → Server: Client initiates data connection TO the server
Solution: The client connects to a known server port. Only outbound connections from client needed.
          Works through firewalls and NAT.

For B&R FTP on plant networks:

ScenarioRecommended ModeWhy
Direct connection (same subnet)Either mode worksNo firewall in path
Through corporate firewallPassiveFirewall blocks server-to-client data connections
Behind NAT/DSL modemPassiveNAT cannot forward server’s data connection
VPN tunnelPassive preferredSome VPNs block active mode data connections
Automation Studio “Transfer to target”Active (AS default)AS manages the connection automatically

Configuring passive mode in clients:

# curl (useful for scripted FTP operations)
curl --ftp-pasv ftp://admin:[email protected]/F:/logfile.txt -o logfile.txt

# FileZilla: Edit > Settings > Connection > FTP > Transfer Mode > Passive

# Python ftplib
from ftplib import FTP
ftp = FTP('192.168.1.10')
ftp.login('admin', 'password')
ftp.set_pasv(True)  # Force passive mode

# lftp
lftp -e "set ftp:passive-mode on; ls" admin:[email protected]

Passive port range on B&R controller: B&R’s FTP server uses a default passive port range (typically ports 49152-65535). If a firewall sits between the client and controller, open this port range for TCP traffic. The range cannot be reconfigured on AR 4.x controllers.

FTPS Configuration

B&R supports FTPS (FTP over SSL/TLS) for encrypted file transfers. This is distinct from SFTP (which B&R does not support — confirmed on B&R Community).

Configuration in Automation Studio:

  1. CPU > Properties > FTP Server

  2. Enable FTPS checkbox

  3. Select SSL/TLS mode:

    • Explicit FTPS (AUTH TLS): Client requests TLS upgrade via AUTH TLS command on port 21. Most compatible option.
    • Implicit FTPS: TLS is assumed from the start on port 990. Less compatible, deprecated by RFC.
  4. Certificate management: FTPS requires an SSL/TLS certificate on the controller.

    • For AR 4.x: Certificates are managed in CPU > Properties > SSL/TLS
    • Self-signed certificates can be generated in Automation Studio
    • Certificate is stored on the CF card and loaded at startup

FTPS gotchas:

  • FTPS requires multiple ports — the control connection on 21 AND the data connection ports must both allow TLS. Active mode adds another connection direction.
  • Minimum TLS version should be set to TLS 1.0 or higher in client settings (some B&R AR versions may have issues with TLS 1.2 negotiation — check community posts for your specific AR version).
  • Certificate validation may fail with self-signed certificates unless the client is configured to accept them.

Using FTPS with FileZilla:

Host: ftps://192.168.1.10
Username: admin
Password: [configured password]
Port: 21
Protocol: Require explicit FTPS

SFTP is NOT available:

B&R Community confirmed: “SFTP Support — B&R does not provide SFTP (SSH-based file transfer). FTPS (FTP + TLS/SSL) is the only encrypted file transfer option.” Source: https://community.br-automation.com/t/sftp-support/8247


Web Server and System Diagnostics Manager (SDM)

Web Server Overview

B&R Automation Runtime includes an integrated web server that serves multiple purposes:

  1. System Diagnostics Manager (SDM) – Built-in diagnostic web interface
  2. Custom HTML/ASP pages – OEM-deployed web pages for monitoring/control
  3. PV_Access – JavaScript-based live process variable read/write from the browser
  4. mappView – HTML5 HMI served directly from the PLC

SDM Access

ParameterValue
URL (AR 4.x default)http://<PLC_IP>/sdm
URL (AR 6.x default)https://<PLC_IP>/sdm (HTTPS by default)
Port80 (HTTP) or 443 (HTTPS)
Alternative port81 sometimes used for web app separation
AuthenticationNone by default (AS 6.x can enable auth)
AR Version RequiredV3.0+ for SDM; V3.08+ for System Dump
Enabled by defaultYes in AR 4.x; No in AS 6.0+ (must enable manually)

Accessing SDM

  1. Configure your laptop’s Ethernet adapter to the same subnet as the PLC
  2. Open a web browser (Chrome recommended)
  3. Navigate to http://<PLC_IP>/sdm
  4. If HTTP fails, try https://<PLC_IP>/sdm

SDM remains accessible even when the PLC is in SERVICE mode, as long as the network configuration is intact.

SDM Capabilities

The SDM provides:

  • Hardware Overview: All connected modules, firmware versions, serial numbers
  • Task Monitor: Real-time cycle time monitoring for all task classes (Cyc0-Cyc3)
  • Logger: View system log entries (arlogsys) without needing Automation Studio
  • System Dump: Download a complete diagnostic archive (.tar.gz) over HTTP
  • Network Configuration: View IP, subnet, gateway, DNS settings
  • CF Card Status: Partition sizes, free space, file system health
  • User Partition Status: Monitor F: partition usage

Downloading a System Dump via SDM

This is the single most valuable diagnostic procedure available without Automation Studio:

  1. Open http://<PLC_IP>/sdm in Chrome
  2. Click the System Dump icon (center of the SDM interface)
  3. Select Parameters + Data-Files
  4. Click OK on the confirmation dialog
  5. Click Upload from target
  6. Wait for the download to complete (Chrome may show a “Keep” warning – click Keep)
  7. The file will be named BuR_SDM_Sysdump_<timestamp>.tar.gz

The system dump contains:

  • arlogsys.log – System logger output
  • Configuration files from SysDir
  • Hardware topology information
  • Task and module status data
  • Memory usage snapshots

To analyze the dump, open it in Automation Studio Logger (File > Load Data) or use the third-party SystemDumpViewer tool. The AS version must match the AR major version on the PLC.

Custom Web Pages (Legacy ASP/HTML)

Older B&R systems (AR 2.x/3.x era) used the legacy BrWebSvr web server with ASP-like pages. The configuration file is C:\BrWebSvr.ini:

BaseDir = C:           ; Base directory on the CF card
WebDir = web            ; Subdirectory containing web pages
StartPage = index.htm   ; Default start page

The web server binary is located at C:\AS\WebServer\i386\webserv.br.

Complete Legacy ASP Function Reference

These functions are available in .asp files on the legacy web server. The web server binary is located at C:\AS\WebServer\i386\webserv.br (or C:\AS\WebServer\Y0200\i386\webserv.br on newer AR versions).

FunctionSyntaxPurpose
ReadPLC<% ReadPLC("varname"); %>Insert the current value of a global PLC variable. Only global variables are accessible. If the variable does not exist, “Unknown variable” is displayed. Supports array indexing: <% ReadPLC("Program:array[0]"); %>
WebPrint<% WebPrint("param"); %>Insert the value of an HTTP GET/POST parameter into the page output. Used with form submissions and the ReadWrite action.
UserGroup<% UserGroup(rights); %>Conditional display — HTML after this tag only renders if the logged-in user has the required rights bitmask. Rights are checked as bitwise AND. Call with UserGroup(0) to re-enable display for all users.
ErrorMsg<% ErrorMsg(); %>Display the authorization error message from the last UserGroup() check. Shows why access was denied.
ReadALARM<% ReadALARM("Errorstr", index); %>Display alarm history from Visual Components. Index: 1=date/time, 2=group number, 3=alarm number, 4=alarm text, 5=alarm status. The errorstring comes from VA_GetAlarmList or VA_GetExAlarmList VISAPI calls.
UserLogin/goform/UserLogin?username=X&password=Y&redirect=page.asp&error_redirect=err.aspAuthenticate a user. Credentials are defined in BrWebSvr.cfg. Only one user per IP address can be logged in simultaneously. Login persists until logout or web server restart.
UserLogout/goform/UserLogout?redirect=page.aspLog out the current user. Must be from the same IP as login.
UserGroup Rights Bitmask System

The UserGroup function uses a bitmask to check authorization. Rights values are summed from individual permission bits:

BitDecimalMeaning
Bit 01Permission level 1
Bit 12Permission level 2
Bit 24Permission level 3
Bit 38Permission level 4
Bit 416Permission level 5

Example: UserGroup(20) checks if the user has bits 3 and 4 set (8 + 16 = 24, or 4 + 16 = 20). The user’s rights bitmask in BrWebSvr.cfg is ANDed with the parameter.

BrWebSvr.cfg Configuration File Format

The BrWebSvr.cfg file defines web server users, passwords, and rights:

[User1]
Name=admin
Password=mypassword
Rights=31

[User2]
Name=operator
Password=operator
Rights=1
  • One user per IP address can be logged in simultaneously
  • If no BrWebSvr.cfg exists or it contains no users, no login is required
  • Passwords are stored in plaintext in the configuration file (not hashed)
Read/Write Variables via HTTP Forms (goform/ReadWrite)

The /goform/ReadWrite endpoint is the primary mechanism for bidirectional variable access from web pages:

/goform/ReadWrite?variable=VarName&value=NewValue&write=1&redirect=result.asp

Parameters:

ParameterDescription
variablePLC variable name to read/write (indexed arrays supported: myArray[5])
valueValue to write (for write operations)
writeSet to 1 to write, or omit/0 for read-only
readSet to 1 to read the variable
redirectPage to redirect to after the operation
varName of the variable in the redirect (echoes back the variable name)
valValue of the variable in the redirect (echoes back the value)

Batching multiple variables in a single call: The goform/ReadWrite endpoint supports up to 10 variables per call. Additional variables use suffixed parameter names:

/goform/ReadWrite?redirect=target.html
  &variable=myVar[0]&value=none&read=1
  &variable__1__=myVar[1]&value__1__=none&read=1
  &variable__2__=myVar[2]&value__2__=none&read=1
  ...
  &variable__9__=myVar[9]&value__9__=none&read=1

This is critical for performance — reading 10 variables in one request is roughly 10x faster than 10 individual requests.

Read result page example (result.asp):

<%-- Display the variable name and value from the redirect parameters --%>
Variable: <% WebPrint("var"); %> = <% WebPrint("val"); %>

PV_Access (Modern JavaScript API)

For AR 4.x systems, the modern approach uses PV_Access.js located in the web server root (C:\web\PV_Access.js). This JavaScript library provides real-time read/write access to PLC process variables directly from the browser using HTTP or WebSocket connections.

How PV_Access.js Works Internally

PV_Access.js wraps the legacy goform/ReadWrite ASP endpoint. Under the hood, every readVariable() or writeVariable() call from PV_Access.js generates an HTTP request to /goform/ReadWrite with the appropriate parameters. This means:

  • PV_Access is not a WebSocket or binary protocol — it is HTTP-based
  • Each variable read/write is a separate HTTP request by default
  • The 10-variable batching limit of goform/ReadWrite applies to PV_Access as well
  • Port 80 is used by default; port 81 is recommended to separate web application traffic from SDM

Basic PV_Access Usage

<html>
<head>
    <script src="PV_Access.js"></script>
</head>
<body>
    <script>
        var pv = new PVAccess("192.168.0.1");
        pv.readVariable("gMachineStatus", function(value) {
            document.getElementById("status").innerText = value;
        });
        pv.writeVariable("gCmd_Start", 1);
    </script>
    <div>Machine Status: <span id="status">--</span></div>
</body>
</html>

Reading variables one-by-one via PV_Access is slow for large datasets (100 variables via PV_Access can take 15+ seconds). A much faster approach uses ASP pages that output JSON data, loaded via fetch():

Step 1: Create an ASP page with all variables as a JSON array (C:\web\data.asp):

[
    "<%ReadPLC("Program:array[0]");%>",
    "<%ReadPLC("Program:array[1]");%>",
    "<%ReadPLC("Program:array[2]");%>",
    "<%ReadPLC("Program:temperature");%>",
    "<%ReadPLC("Program:pressure");%>",
    "<%ReadPLC("Program:status_word");%>"
]

Step 2: Fetch with JavaScript:

function cyclicFetch(url, interval) {
    function fetchData() {
        fetch(url)
            .then(response => response.json())
            .then(data => {
                // Process array data
                document.getElementById("temp").innerText = data[3];
                document.getElementById("pressure").innerText = data[4];
                document.getElementById("status").innerText = data[5];
                setTimeout(fetchData, interval);
            })
            .catch(error => console.error('Error:', error));
    }
    fetchData();
}

// Refresh every 200ms
cyclicFetch("/data.asp", 200);

Performance comparison (measured on B&R 4PPC30, local network):

Method100 INT variables10 INT variables
PV_Access.js (one-by-one)>15 seconds~2 seconds
JSON ASP + fetch()<80 ms<20 ms

The JSON approach is roughly 200x faster than individual PV_Access reads because:

  1. A single HTTP request retrieves all variables
  2. The web server processes all <%ReadPLC()%> tags server-side in one pass
  3. No per-variable HTTP overhead
  4. The fetch() API is non-blocking and efficient

Important considerations:

  • This technique works on AR 4.x with the legacy web server (not mappView)
  • The ASP page must be served from the B&R web server (not a local file)
  • Array variables use the syntax Program:array[index] where Program is the task/library name
  • Global variables (no program prefix) are also accessible: <%ReadPLC("gVarName");%>

Custom Web Services via AsHTTP Library

For maximum control over web server responses, B&R provides the AsHTTP library for creating custom HTTP endpoints in IEC/C code running on the PLC:

  • Build custom REST/JSON APIs entirely within PLC tasks
  • Define URL routes, request parsing, and response formatting
  • No dependency on goform/ReadWrite limitations
  • Full control over data formatting, caching, and access control
  • Requires more development effort but provides the best performance and flexibility

This approach is preferred when:

  • You need to expose structured data (JSON/XML) to external systems
  • You need authentication beyond what BrWebSvr.cfg provides
  • You need to serve large datasets efficiently
  • You are building custom dashboards or IIoT integrations

mappView (HTML5 HMI)

Modern B&R systems use mappView, an HTML5-based HMI framework built on OPC UA FX. If the CP1584 is running a mappView application, the HMI will be accessible via:

http://<PLC_IP>/mappView/       (AR 4.x)
https://<PLC_IP>/mappView/      (AR 6.x)

mappView requires the OPC UA server to be running on the PLC. The HMI loads in any modern browser and provides the full visualization that was deployed by the OEM.

The mappView files are typically stored in C:\mappView\ on the CF card and can be inspected via FTP for understanding the HMI structure without AS.


Using FTP and Web Server for Diagnostics and Data Extraction

Procedure: Full Remote Backup Without Automation Studio

This procedure captures everything available without AS:

PLC_IP="192.168.0.1"
BACKUP_DIR="./cp1584_backup_$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR/system" "$BACKUP_DIR/user" "$BACKUP_DIR/web" "$BACKUP_DIR/sdm"

# 1. Download SDM system dump (via browser or curl)
curl -k -o "$BACKUP_DIR/sdm/sysdump.tar.gz" \
  "https://$PLC_IP/sdm/systemdump" 2>/dev/null || \
curl -o "$BACKUP_DIR/sdm/sysdump.tar.gz" \
  "http://$PLC_IP/sdm/systemdump" 2>/dev/null

# 2. Mirror system partition (C:) via anonymous FTP
lftp -e "mirror --verbose / '$BACKUP_DIR/system'" \
  -u anonymous, "ftp://$PLC_IP"

# 3. Mirror user partition (F:) via authenticated FTP
#    Replace credentials with those from the AS project or try common defaults
lftp -e "mirror --verbose / '$BACKUP_DIR/user'" \
  -u admin,admin "ftp://$PLC_IP/F:"

# 4. Mirror web directory
lftp -e "mirror --verbose /web '$BACKUP_DIR/web'" \
  -u admin,admin "ftp://$PLC_IP"

Procedure: Extracting Configuration Files

Key configuration files to retrieve for understanding a PLC setup:

# Network configuration
curl "ftp://$PLC_IP/SysDir/Config.cfg" --user anonymous: -o Config.cfg
curl "ftp://$PLC_IP/SysDir/ARConfig.ini" --user anonymous: -o ARConfig.ini

# Web server configuration (if custom pages exist)
curl "ftp://$PLC_IP/BrWebSvr.ini" --user anonymous: -o BrWebSvr.ini
curl "ftp://$PLC_IP/BrWebSvr.cfg" --user anonymous: -o BrWebSvr.cfg

# Runtime parameters
curl "ftp://$PLC_IP/SysDir/Param.cfg" --user anonymous: -o Param.cfg

# System log
curl "ftp://$PLC_IP/arlogsys.log" --user anonymous: -o arlogsys.log

Procedure: Pulling Data Logs and Production Records

OEMs commonly store production data, alarm logs, and recipes on the F: partition:

# List all CSV files on the user partition
curl "ftp://$PLC_IP/" --user admin:admin --list-only | grep -i csv

# Download all CSV files
curl "ftp://$PLC_IP/" --user admin:admin --list-only | while read f; do
  [[ "$f" == *.csv ]] && curl "ftp://$PLC_IP/$f" --user admin:admin -o "$f"
done

# Download TimLogger archives (if mapp TimLogger is used)
curl "ftp://$PLC_IP/TimLogger/" --user admin:admin --list-only

Procedure: Checking if a Project Backup Exists on the CF Card

OEMs sometimes store project files on F: for recovery:

# Search for zip files (project archives)
curl "ftp://$PLC_IP/" --user admin:admin --list-only | grep -i zip

# Search for AS project files
curl "ftp://$PLC_IP/" --user admin:admin --list-only | grep -i "\.apj\|\.at2\|\.at4"

If a project archive exists on F:, it can be downloaded via FTP and opened in the matching version of Automation Studio to recover full source code.

Procedure: Real-Time Variable Monitoring via Web

If PV_Access pages exist (check for .asp or .htm files with PV_Access.js references in the web\ directory):

  1. Browse to http://<PLC_IP>/ or http://<PLC_IP>/web/
  2. Check the page source for PV_Access.js script tags
  3. If custom monitoring pages exist, they provide live variable readout without any software

Procedure: Checking Hardware State via SDM

Without any software installed:

  1. Open http://<PLC_IP>/sdm
  2. Navigate through each tab:
    • Overview: Lists all X20 I/O modules, their order in the X2X bus, firmware versions, and status
    • Logger: Shows runtime errors, warnings, and info messages with timestamps
    • Task Monitor: Reveals task class assignments and cycle times
    • Memory: Shows RAM and Flash utilization
  3. Use this information to document the hardware configuration for a machine with no existing documentation

Default Credentials and Discovery

Finding the IP Address

When no documentation exists:

  1. B&R Automation Studio “Project Configuration”: Can auto-detect controllers on the network
  2. B&R Service Tool (RUC - Runtime Utility Center): Can scan for devices
  3. Wireshark: Capture DHCP requests or B&R discovery packets on startup
  4. Default IP: Many B&R X20 controllers ship with 192.168.0.1 as the default IP address with DHCP enabled
  5. Physical inspection: Check the front panel display (if equipped) or the AS project backup on the CF card

FTP Credentials Recovery

If FTP credentials are unknown:

  1. Check C:\BrWebSvr.cfg for legacy web server credentials (may hint at password patterns)
  2. Check C:\SysDir\*.cfg files for configuration references
  3. Try common defaults: admin/admin, br/br, operator/operator, empty/empty
  4. On legacy systems, any username/password was reported to work
  5. If you have the AS project file (.apj), open it in Automation Studio and check CPU > FTP settings

SDM Authentication

SDM typically requires no authentication in AR 4.x. In AR 6.x, it may require login if configured by the OEM. There is no standard default credential for SDM – if locked, the AS project must be modified to reset it.


Undocumented Features and Gotchas

Undocumented Behaviors

  1. Anonymous C: access persists even when FTP is “disabled”: On some AR versions, disabling the FTP server in the AS project only disables authenticated access. Anonymous read-only access to C: may still function.

  2. BrWebSvr.ini overrides AS project settings: If a BrWebSvr.ini file exists on C:, it takes precedence over AS project web server settings. Deleting or renaming this file reverts to project-configured behavior.

  3. Multiple web servers can coexist: The legacy BrWebSvr and the modern SDM web server can run simultaneously on different ports (e.g., 80 and 443). Check both.

  4. PV_Access port 81 convention: While not enforced, B&R documentation recommends using port 81 for PV_Access application traffic to separate it from SDM on port 80. Check if the OEM configured this.

  5. CF card partition scheme: B&R typically creates 4 partitions on CF cards. Standard consumer CF cards may not support the multi-partition layout, which is why B&R branded cards are often required. Attempting to clone to a generic card may fail.

  6. FTP file device path must use USER_PATH: When configuring file devices in AS, the path for the user partition device must be set to USER_PATH (not USER_PATH:\ or F:\). An incorrect path causes FTP directory listing to fail with “Permission denied”.

  7. System dump requires SDM enabled: If the OEM disabled SDM, you cannot download system dumps via the web interface. As a fallback, pull arlogsys.log directly via FTP from C:.

  8. Logger buffer wraps: The system logger (arlogsys.log) has a fixed buffer size. On long-running systems, old entries are overwritten. If a fault occurred days ago, the log entry may already be gone. Extract logs proactively.

  9. AR 6.x drive mapping changes: In Automation Runtime 6, the drive mappings C: through F: no longer correspond to the same partitions as in AR 4.x. If the CP1584 was upgraded from AR 4.x to AR 6.x, file locations change. See cf-card-boot.md for details.

  10. Web server start page: If no custom pages exist, browsing to http://<PLC_IP>/ may return a generic B&R page, a 404, or the SDM redirect depending on AR version and configuration.

Security Warnings

  • The FTP server transmits credentials in plain text. On shared plant networks, anyone with a network sniffer can capture passwords.
  • SDM has no authentication by default in AR 4.x, exposing full hardware and diagnostic information.
  • Custom ASP pages with ReadWrite forms can modify PLC variables from any browser – a potential safety hazard on process equipment.
  • If the machine controls physical equipment, verify that web-accessible variables cannot cause unintended motion or state changes.

Known Security Vulnerabilities (CVEs)

The following CVEs affect the FTP and web server interfaces on CP1584 systems. Check your AR version against the B&R security advisories:

CVEComponentSeverityStatus in AR 4.93Mitigation
CVE-2025-11044Multiple (AR core)CriticalPatchedUpgrade to AR R4.93
CVE-2025-3450Multiple (AR core)HighPatchedUpgrade to AR R4.93
CVE-2023-3242FTP weak TLSMediumNot patchedUse VPN or isolated network segment; FTPS if available
Webserver buffer overflowBrWebSvrHighNot patchedDisable custom web pages; restrict web server access via firewall
SDM XSSSDM web UIMediumNot patchedRestrict SDM access to trusted networks; do not click untrusted links
SDM session fixationSDMMediumNot patchedClear browser session after SDM access
SDM CSV injectionSDM exportLowNot patchedOpen exported CSV files in a sandboxed viewer

Practical recommendations for undocumented machines:

  1. Place the CP1584 on an isolated VLAN, not the corporate network
  2. If FTP must be used across network segments, tunnel through SSH or a VPN
  3. Disable custom web pages (remove .asp files from C:\web\) if not needed
  4. Consider the OPC-UA to MQTT bridge pattern from iiot-retrofit.md to expose data without exposing the FTP/web attack surface

Sources

Official Documentation

  • B&R AR WebServer Technical ManualPDF (infoPLC) — Complete BrWebSvr ASP function reference, configuration files, and deployment guide
  • B&R Automation Studio Online Help — Web server configuration, FTP settings, SDM configuration

B&R Community Forum Discussions

  • cf-card-boot.md: CF card partition layout, boot sequence, AR installation files, and CF card cloning procedures
  • config-file-formats.md: Detailed format reference for BrWebSvr.ini, BrWebSvr.cfg, ARConfig.ini, and other configuration files accessible via FTP
  • diagnostics-sdm.md: Comprehensive SDM usage guide, log interpretation, system dump analysis, and error code reference
  • iiot-retrofit.md: Building modern monitoring dashboards using B&R web server, OPC-UA, and custom REST endpoints
  • custom-diagnostic-tools.md: Building custom diagnostic tools on the PLC including AsHTTP-based web services

Key Findings

  1. FTP and SDM are the primary no-software-required access methods for undocumented B&R CP1584 systems. Together they provide full file system access, complete hardware diagnostics, and all system logs over a standard Ethernet connection.

  2. FileZilla is the safest FTP client choice. WinSCP breaks on AR P4.93+ due to a known FTP server regression. The root cause is a change in the FTP server’s directory listing response format.

  3. Anonymous FTP gives read-only access to C: – the system partition containing configuration files, logs, and web pages. Authenticated FTP (credentials from the AS project) is required for F: (user partition) access.

  4. The SDM is accessible at http://<PLC_IP>/sdm and works even when the PLC is in SERVICE mode. It provides hardware overview, task monitoring, logger output, and system dump downloads – all from a web browser.

  5. System dumps are the single most valuable diagnostic artifact. Downloadable as a .tar.gz file via SDM, they contain everything needed for B&R support to diagnose issues without physical access to the machine.

  6. OEM project backups may exist on F:. Always check for .zip or .apj files in the user partition – they can contain the full Automation Studio project with source code, enabling complete system recovery.

  7. PV_Access.js enables browser-based live variable monitoring without any installed software. If the OEM deployed custom web pages, they provide real-time process data access from any device on the network.

  8. FTP credentials are not recoverable from the PLC if the AS project is lost. The password is stored in the compiled project binary, not in a plain-text configuration file. Common defaults may work on legacy systems.

  9. AR 6.x changes defaults to HTTPS and disables SDM by default. For systems running AR 6.x, use https:// URLs and check that SDM is enabled in the AS project configuration under “System diagnostics”.

  10. The combined FTP + SDM approach covers approximately 90% of remote maintenance needs for undocumented B&R machines: configuration extraction, log retrieval, hardware inventory, data backup, and live diagnostics are all achievable without Automation Studio.

  11. The legacy BrWebSvr ASP system provides complete bidirectional PLC variable access via the /goform/ReadWrite endpoint. Up to 10 variables can be batched in a single HTTP request. The UserGroup/UserLogin/UserLogout system provides role-based page protection via BrWebSvr.cfg. On undocumented machines, checking for .asp files in the C:\web\ directory can reveal OEM-built monitoring pages with live variable displays.

  12. The JSON ASP + fetch() approach is ~200x faster than PV_Access.js for bulk variable reads. Creating an ASP page that outputs <%ReadPLC()%> tags as a JSON array, then fetching it with JavaScript fetch(), can retrieve 100 INT variables in under 80ms compared to 15+ seconds via individual PV_Access calls. This is the recommended approach for any data-rich custom monitoring pages.

  13. PV_Access.js wraps the goform/ReadWrite protocol — it is not a WebSocket or binary protocol. Each read/write generates a standard HTTP request. This means PV_Access is subject to the same 10-variable-per-request batching limit and HTTP overhead as direct goform calls.

  14. B&R provides the AsHTTP library for custom REST/JSON endpoints running directly on the PLC. For advanced IIoT integrations, this provides full control over HTTP responses without the limitations of the legacy ASP system. See iiot-retrofit.md and custom-diagnostic-tools.md for implementation approaches.

  15. Community GitHub resource: B&R expert Christoph Hilchenbach maintains github.com/hilch/br-plc-as-webserver with demonstration projects for the built-in web server. This is a practical reference for understanding web server configuration and deploying custom pages to the PLC.

  16. The web server binary location differs by AR version: C:\AS\WebServer\i386\webserv.br (older) or C:\AS\WebServer\Y0200\i386\webserv.br (newer). The Y0200 path corresponds to AR version 2.2+ module structure. Both binaries serve the same ASP/HTTP functionality.

  17. SystemDumpViewer provides GUI analysis of downloaded system dumps. After downloading a system dump via SDM (http://<PLC_IP>/sdm), use the community SystemDumpViewer Java tool or systemdump.py CLI (github.com/hilch/systemdump.py) to parse the SystemDump.xml file. This extracts logger entries, task cycle statistics, memory usage, and hardware status in a structured view. See ebpf-telemetry.md for the analysis workflow.

  18. Multiple unpatched CVEs affect FTP and web server on AR 4.93. Even the latest AR 4.x does not patch FTP weak TLS, webserver buffer overflow, or SDM XSS/session vulnerabilities. Isolate the PLC on a dedicated VLAN and restrict FTP/web access to trusted hosts. See ar-rtos.md §Security for the complete CVE table.