B&R CP1584 FTP and Web Server Interface Reference
Overview
Every B&R CP1584 (X20CP1584) running Automation Runtime ships with two built-in network services that are invaluable when maintaining machines from defunct OEMs with no documentation: an FTP server for direct file system access to the Compact Flash card, and a web server hosting the System Diagnostics Manager (SDM) and optionally custom HTML/ASP pages with live process variable access.
Neither service requires Automation Studio to use. A laptop on the same subnet with any FTP client or web browser is sufficient to pull configuration files, extract logs, download system dumps, and inspect live PLC data. This makes them critical survival tools when you have no AS project and no OEM support.
The CP1584 uses a PCMCIA Compact Flash card that holds the Automation Runtime OS and all application data. The FTP server exposes the CF card partitions directly. The web server runs on the same Ethernet interface as SDM and any custom pages the OEM may have deployed.
FTP Server
Connection Basics
| Parameter | Value |
|---|---|
| Protocol | FTP (plain text, no encryption) |
| Default Port | 21 |
| FTPS Support | Available in AR 4.x via configuration (not SFTP) |
| Port Change | AR P4.93+ via CfgSetFTPServerPort FB; AS UI from AS 4.12.9 |
| Authentication | Configured in Automation Studio (CPU > FTP settings) |
| Anonymous Access | C: partition only (read-only); F: requires credentials |
| RBAC (AR 6.5+) | Role-based access control for authentication and permissions (AS 6.5 / AR 6.5) |
Access Levels and Partitions
The FTP server presents two root-level directories corresponding to CF card partitions:
C: – System Partition (Anonymous / Read-Only)
- Anonymous FTP login grants access to the C: partition in read-only mode.
- Contains the Automation Runtime OS files, system configuration, and log files.
- Attempting
CWD F:while anonymous returns550 Guest access denied. - You cannot write to C: via FTP under any circumstances.
F: – User Partition (Requires Credentials)
- The F: (user) partition stores application data, project backups, recipe files, CSV logs, and anything the PLC program writes via FileIO.
- Access requires the username and password configured in the AS project under CPU > FTP configuration.
- If no credentials were configured by the OEM, common defaults reported in the field include
admin/adminor empty credentials. - On very old B&R systems, any username/password combination reportedly worked.
- Read/write access level is also configured per-file-device in the AS project.
File System Layout
Key directories typically found via FTP:
C:\
BrWebSvr.ini -- Web server configuration
BrWebSvr.cfg -- Web server user/group definitions (legacy)
arlogsys.log -- System logger output
SysDir\ -- System configuration directory
*.cfg -- Runtime configuration files
*.ini -- Initialization files
AS\ -- Automation Runtime module libraries
WebServer\ -- Web server binary and support files
Temp\ -- Temporary files
web\ -- Default web server root directory
index.htm -- Default start page
PV_Access.js -- JavaScript library for process variable access
*.asp -- Active Server Pages (if deployed)
mappView\ -- mappView HMI files (if mappView is used)
*.widget -- Widget definitions
*.page -- Page definitions
*.css -- Stylesheets
F:\
(user files - varies by OEM project)
*.csv -- Data logs, recipes, production records
*.txt -- Text log files
*.zip -- Project backups (if OEM stored them here)
*.dat -- Parameter or recipe files
TimLogger\ -- If mapp TimLogger is used
*.csv -- Time-stamped log files
DataXfer\ -- File transfer directories
UserDir\ -- Custom user data directory
The USER_PATH keyword in Automation Runtime automatically resolves to the F: partition root.
Practical FTP Commands
Connecting with FileZilla (recommended over WinSCP for B&R):
Host: <PLC_IP_ADDRESS>
Username: <configured_username or "anonymous" for C: only>
Password: <configured_password or blank for anonymous>
Port: 21
FileZilla works reliably across all AR versions. WinSCP has known compatibility issues with AR P4.93+ due to FTP server implementation changes.
Connecting with curl (command line, for scripting):
# List system partition files (anonymous)
curl -s ftp://192.168.0.1/ --user anonymous:
# Download a configuration file
curl -s ftp://192.168.0.1/SysDir/Config.cfg --user anonymous: -o Config.cfg
# Download a file from the user partition
curl -s ftp://192.168.0.1/data/recipe.csv --user admin:admin -o recipe.csv
# Upload a file to the user partition
curl -s -T local_file.csv ftp://192.168.0.1/data/ --user admin:admin
# List user partition contents
curl -s ftp://192.168.0.1/ --user admin:admin
# Download the entire web directory for offline inspection
curl -s ftp://192.168.0.1/web/ --user admin:admin --list-only
Bulk backup with lftp (mirrors the entire user partition):
lftp -e "mirror --verbose / /path/to/local_backup" -u admin,admin ftp://192.168.0.1
Python script for automated log retrieval:
import ftplib
ftp = ftplib.FTP("192.168.0.1")
ftp.login("admin", "admin")
ftp.cwd("TimLogger")
filenames = ftp.nlst()
for f in filenames:
with open(f, "wb") as fh:
ftp.retrbinary(f"RETR {f}", fh.write)
ftp.quit()
FTP Configuration in Automation Studio
If you have access to an AS project (or can obtain one), the FTP server is configured under:
CPU > Properties > FTP Server
Key settings:
- FTP Server Enabled: Checkbox to enable/disable
- Password: Sets the FTP access password
- File Device Access: Per-device read/write permissions under the File Device configuration
- User Partition Minimum Size: Must be > 0 for F: to exist (check CPU > Module system on target)
FTP Gotchas and Known Issues
-
WinSCP incompatibility with AR P4.93: The FTP server implementation changed in P4.93, breaking WinSCP directory listing. Use FileZilla instead. This is a known regression.
-
No SFTP: B&R supports FTPS (FTP over SSL/TLS) but not SFTP (SSH-based). For AR 4.x, configure FTPS in the CPU properties. For security on plant networks, consider tunneling FTP through an SSH tunnel or VPN rather than relying on FTPS.
-
Minimum user partition size: If the “Minimum user partition size” in CPU > Module system on target is set to 0, the F: partition will not exist and FTP access to user data will fail. This must be set > 0 and the CF card must be re-initialized (offline installation).
-
Concurrent connection limits: The FTP server supports limited concurrent connections (typically 4-8 sessions). Excessive simultaneous sessions may cause connection refused errors or intermittent timeouts.
-
File locking: Files currently open by the PLC program (via FileIO) cannot be overwritten via FTP. This is particularly relevant for active log files. Lock duration is typically until the FileIO handle is closed or the PLC program cycle ends.
-
Path navigation quirk: The FTP root shows a
..entry (parent directory) that returns “Permission denied” when clicked. This is normal – you are already at the partition root. -
Timeout behavior: Long-running transfers may timeout on slow networks. The FTP server does not support resume/partial transfers reliably on older AR versions.
-
Case sensitivity: The B&R file system is case-insensitive on C: but this can vary on F: depending on AR version. Use exact case when in doubt.
FTP Active vs Passive Mode
FTP uses two channels: a control channel (port 21, always used for commands) and a data channel (for file transfers). The data channel can be established in two ways:
Active Mode (PORT):
Client → Server: PORT command with client IP and port number
Server → Client: Server initiates data connection TO the client
Problem: The server connects back to the client on an unpredictable port (typically 20).
Most firewalls and NAT routers block incoming connections on arbitrary ports.
Passive Mode (PASV):
Client → Server: PASV command
Server → Client: Server responds with IP and port number
Client → Server: Client initiates data connection TO the server
Solution: The client connects to a known server port. Only outbound connections from client needed.
Works through firewalls and NAT.
For B&R FTP on plant networks:
| Scenario | Recommended Mode | Why |
|---|---|---|
| Direct connection (same subnet) | Either mode works | No firewall in path |
| Through corporate firewall | Passive | Firewall blocks server-to-client data connections |
| Behind NAT/DSL modem | Passive | NAT cannot forward server’s data connection |
| VPN tunnel | Passive preferred | Some VPNs block active mode data connections |
| Automation Studio “Transfer to target” | Active (AS default) | AS manages the connection automatically |
Configuring passive mode in clients:
# curl (useful for scripted FTP operations)
curl --ftp-pasv ftp://admin:[email protected]/F:/logfile.txt -o logfile.txt
# FileZilla: Edit > Settings > Connection > FTP > Transfer Mode > Passive
# Python ftplib
from ftplib import FTP
ftp = FTP('192.168.1.10')
ftp.login('admin', 'password')
ftp.set_pasv(True) # Force passive mode
# lftp
lftp -e "set ftp:passive-mode on; ls" admin:[email protected]
Passive port range on B&R controller: B&R’s FTP server uses a default passive port range (typically ports 49152-65535). If a firewall sits between the client and controller, open this port range for TCP traffic. The range cannot be reconfigured on AR 4.x controllers.
FTPS Configuration
B&R supports FTPS (FTP over SSL/TLS) for encrypted file transfers. This is distinct from SFTP (which B&R does not support — confirmed on B&R Community).
Configuration in Automation Studio:
-
CPU > Properties > FTP Server
-
Enable FTPS checkbox
-
Select SSL/TLS mode:
- Explicit FTPS (AUTH TLS): Client requests TLS upgrade via
AUTH TLScommand on port 21. Most compatible option. - Implicit FTPS: TLS is assumed from the start on port 990. Less compatible, deprecated by RFC.
- Explicit FTPS (AUTH TLS): Client requests TLS upgrade via
-
Certificate management: FTPS requires an SSL/TLS certificate on the controller.
- For AR 4.x: Certificates are managed in CPU > Properties > SSL/TLS
- Self-signed certificates can be generated in Automation Studio
- Certificate is stored on the CF card and loaded at startup
FTPS gotchas:
- FTPS requires multiple ports — the control connection on 21 AND the data connection ports must both allow TLS. Active mode adds another connection direction.
- Minimum TLS version should be set to TLS 1.0 or higher in client settings (some B&R AR versions may have issues with TLS 1.2 negotiation — check community posts for your specific AR version).
- Certificate validation may fail with self-signed certificates unless the client is configured to accept them.
Using FTPS with FileZilla:
Host: ftps://192.168.1.10
Username: admin
Password: [configured password]
Port: 21
Protocol: Require explicit FTPS
SFTP is NOT available:
B&R Community confirmed: “SFTP Support — B&R does not provide SFTP (SSH-based file transfer). FTPS (FTP + TLS/SSL) is the only encrypted file transfer option.” Source: https://community.br-automation.com/t/sftp-support/8247
Web Server and System Diagnostics Manager (SDM)
Web Server Overview
B&R Automation Runtime includes an integrated web server that serves multiple purposes:
- System Diagnostics Manager (SDM) – Built-in diagnostic web interface
- Custom HTML/ASP pages – OEM-deployed web pages for monitoring/control
- PV_Access – JavaScript-based live process variable read/write from the browser
- mappView – HTML5 HMI served directly from the PLC
SDM Access
| Parameter | Value |
|---|---|
| URL (AR 4.x default) | http://<PLC_IP>/sdm |
| URL (AR 6.x default) | https://<PLC_IP>/sdm (HTTPS by default) |
| Port | 80 (HTTP) or 443 (HTTPS) |
| Alternative port | 81 sometimes used for web app separation |
| Authentication | None by default (AS 6.x can enable auth) |
| AR Version Required | V3.0+ for SDM; V3.08+ for System Dump |
| Enabled by default | Yes in AR 4.x; No in AS 6.0+ (must enable manually) |
Accessing SDM
- Configure your laptop’s Ethernet adapter to the same subnet as the PLC
- Open a web browser (Chrome recommended)
- Navigate to
http://<PLC_IP>/sdm - If HTTP fails, try
https://<PLC_IP>/sdm
SDM remains accessible even when the PLC is in SERVICE mode, as long as the network configuration is intact.
SDM Capabilities
The SDM provides:
- Hardware Overview: All connected modules, firmware versions, serial numbers
- Task Monitor: Real-time cycle time monitoring for all task classes (Cyc0-Cyc3)
- Logger: View system log entries (arlogsys) without needing Automation Studio
- System Dump: Download a complete diagnostic archive (.tar.gz) over HTTP
- Network Configuration: View IP, subnet, gateway, DNS settings
- CF Card Status: Partition sizes, free space, file system health
- User Partition Status: Monitor F: partition usage
Downloading a System Dump via SDM
This is the single most valuable diagnostic procedure available without Automation Studio:
- Open
http://<PLC_IP>/sdmin Chrome - Click the System Dump icon (center of the SDM interface)
- Select Parameters + Data-Files
- Click OK on the confirmation dialog
- Click Upload from target
- Wait for the download to complete (Chrome may show a “Keep” warning – click Keep)
- The file will be named
BuR_SDM_Sysdump_<timestamp>.tar.gz
The system dump contains:
arlogsys.log– System logger output- Configuration files from SysDir
- Hardware topology information
- Task and module status data
- Memory usage snapshots
To analyze the dump, open it in Automation Studio Logger (File > Load Data) or use the third-party SystemDumpViewer tool. The AS version must match the AR major version on the PLC.
Custom Web Pages (Legacy ASP/HTML)
Older B&R systems (AR 2.x/3.x era) used the legacy BrWebSvr web server with ASP-like pages. The configuration file is C:\BrWebSvr.ini:
BaseDir = C: ; Base directory on the CF card
WebDir = web ; Subdirectory containing web pages
StartPage = index.htm ; Default start page
The web server binary is located at C:\AS\WebServer\i386\webserv.br.
Complete Legacy ASP Function Reference
These functions are available in .asp files on the legacy web server. The web server binary is located at C:\AS\WebServer\i386\webserv.br (or C:\AS\WebServer\Y0200\i386\webserv.br on newer AR versions).
| Function | Syntax | Purpose |
|---|---|---|
| ReadPLC | <% ReadPLC("varname"); %> | Insert the current value of a global PLC variable. Only global variables are accessible. If the variable does not exist, “Unknown variable” is displayed. Supports array indexing: <% ReadPLC("Program:array[0]"); %> |
| WebPrint | <% WebPrint("param"); %> | Insert the value of an HTTP GET/POST parameter into the page output. Used with form submissions and the ReadWrite action. |
| UserGroup | <% UserGroup(rights); %> | Conditional display — HTML after this tag only renders if the logged-in user has the required rights bitmask. Rights are checked as bitwise AND. Call with UserGroup(0) to re-enable display for all users. |
| ErrorMsg | <% ErrorMsg(); %> | Display the authorization error message from the last UserGroup() check. Shows why access was denied. |
| ReadALARM | <% ReadALARM("Errorstr", index); %> | Display alarm history from Visual Components. Index: 1=date/time, 2=group number, 3=alarm number, 4=alarm text, 5=alarm status. The errorstring comes from VA_GetAlarmList or VA_GetExAlarmList VISAPI calls. |
| UserLogin | /goform/UserLogin?username=X&password=Y&redirect=page.asp&error_redirect=err.asp | Authenticate a user. Credentials are defined in BrWebSvr.cfg. Only one user per IP address can be logged in simultaneously. Login persists until logout or web server restart. |
| UserLogout | /goform/UserLogout?redirect=page.asp | Log out the current user. Must be from the same IP as login. |
UserGroup Rights Bitmask System
The UserGroup function uses a bitmask to check authorization. Rights values are summed from individual permission bits:
| Bit | Decimal | Meaning |
|---|---|---|
| Bit 0 | 1 | Permission level 1 |
| Bit 1 | 2 | Permission level 2 |
| Bit 2 | 4 | Permission level 3 |
| Bit 3 | 8 | Permission level 4 |
| Bit 4 | 16 | Permission level 5 |
Example: UserGroup(20) checks if the user has bits 3 and 4 set (8 + 16 = 24, or 4 + 16 = 20). The user’s rights bitmask in BrWebSvr.cfg is ANDed with the parameter.
BrWebSvr.cfg Configuration File Format
The BrWebSvr.cfg file defines web server users, passwords, and rights:
[User1]
Name=admin
Password=mypassword
Rights=31
[User2]
Name=operator
Password=operator
Rights=1
- One user per IP address can be logged in simultaneously
- If no BrWebSvr.cfg exists or it contains no users, no login is required
- Passwords are stored in plaintext in the configuration file (not hashed)
Read/Write Variables via HTTP Forms (goform/ReadWrite)
The /goform/ReadWrite endpoint is the primary mechanism for bidirectional variable access from web pages:
/goform/ReadWrite?variable=VarName&value=NewValue&write=1&redirect=result.asp
Parameters:
| Parameter | Description |
|---|---|
variable | PLC variable name to read/write (indexed arrays supported: myArray[5]) |
value | Value to write (for write operations) |
write | Set to 1 to write, or omit/0 for read-only |
read | Set to 1 to read the variable |
redirect | Page to redirect to after the operation |
var | Name of the variable in the redirect (echoes back the variable name) |
val | Value of the variable in the redirect (echoes back the value) |
Batching multiple variables in a single call: The goform/ReadWrite endpoint supports up to 10 variables per call. Additional variables use suffixed parameter names:
/goform/ReadWrite?redirect=target.html
&variable=myVar[0]&value=none&read=1
&variable__1__=myVar[1]&value__1__=none&read=1
&variable__2__=myVar[2]&value__2__=none&read=1
...
&variable__9__=myVar[9]&value__9__=none&read=1
This is critical for performance — reading 10 variables in one request is roughly 10x faster than 10 individual requests.
Read result page example (result.asp):
<%-- Display the variable name and value from the redirect parameters --%>
Variable: <% WebPrint("var"); %> = <% WebPrint("val"); %>
PV_Access (Modern JavaScript API)
For AR 4.x systems, the modern approach uses PV_Access.js located in the web server root (C:\web\PV_Access.js). This JavaScript library provides real-time read/write access to PLC process variables directly from the browser using HTTP or WebSocket connections.
How PV_Access.js Works Internally
PV_Access.js wraps the legacy goform/ReadWrite ASP endpoint. Under the hood, every readVariable() or writeVariable() call from PV_Access.js generates an HTTP request to /goform/ReadWrite with the appropriate parameters. This means:
- PV_Access is not a WebSocket or binary protocol — it is HTTP-based
- Each variable read/write is a separate HTTP request by default
- The 10-variable batching limit of goform/ReadWrite applies to PV_Access as well
- Port 80 is used by default; port 81 is recommended to separate web application traffic from SDM
Basic PV_Access Usage
<html>
<head>
<script src="PV_Access.js"></script>
</head>
<body>
<script>
var pv = new PVAccess("192.168.0.1");
pv.readVariable("gMachineStatus", function(value) {
document.getElementById("status").innerText = value;
});
pv.writeVariable("gCmd_Start", 1);
</script>
<div>Machine Status: <span id="status">--</span></div>
</body>
</html>
High-Performance JSON Data Approach (Recommended for Data-Rich Pages)
Reading variables one-by-one via PV_Access is slow for large datasets (100 variables via PV_Access can take 15+ seconds). A much faster approach uses ASP pages that output JSON data, loaded via fetch():
Step 1: Create an ASP page with all variables as a JSON array (C:\web\data.asp):
[
"<%ReadPLC("Program:array[0]");%>",
"<%ReadPLC("Program:array[1]");%>",
"<%ReadPLC("Program:array[2]");%>",
"<%ReadPLC("Program:temperature");%>",
"<%ReadPLC("Program:pressure");%>",
"<%ReadPLC("Program:status_word");%>"
]
Step 2: Fetch with JavaScript:
function cyclicFetch(url, interval) {
function fetchData() {
fetch(url)
.then(response => response.json())
.then(data => {
// Process array data
document.getElementById("temp").innerText = data[3];
document.getElementById("pressure").innerText = data[4];
document.getElementById("status").innerText = data[5];
setTimeout(fetchData, interval);
})
.catch(error => console.error('Error:', error));
}
fetchData();
}
// Refresh every 200ms
cyclicFetch("/data.asp", 200);
Performance comparison (measured on B&R 4PPC30, local network):
| Method | 100 INT variables | 10 INT variables |
|---|---|---|
| PV_Access.js (one-by-one) | >15 seconds | ~2 seconds |
| JSON ASP + fetch() | <80 ms | <20 ms |
The JSON approach is roughly 200x faster than individual PV_Access reads because:
- A single HTTP request retrieves all variables
- The web server processes all
<%ReadPLC()%>tags server-side in one pass - No per-variable HTTP overhead
- The
fetch()API is non-blocking and efficient
Important considerations:
- This technique works on AR 4.x with the legacy web server (not mappView)
- The ASP page must be served from the B&R web server (not a local file)
- Array variables use the syntax
Program:array[index]whereProgramis the task/library name - Global variables (no program prefix) are also accessible:
<%ReadPLC("gVarName");%>
Custom Web Services via AsHTTP Library
For maximum control over web server responses, B&R provides the AsHTTP library for creating custom HTTP endpoints in IEC/C code running on the PLC:
- Build custom REST/JSON APIs entirely within PLC tasks
- Define URL routes, request parsing, and response formatting
- No dependency on goform/ReadWrite limitations
- Full control over data formatting, caching, and access control
- Requires more development effort but provides the best performance and flexibility
This approach is preferred when:
- You need to expose structured data (JSON/XML) to external systems
- You need authentication beyond what BrWebSvr.cfg provides
- You need to serve large datasets efficiently
- You are building custom dashboards or IIoT integrations
mappView (HTML5 HMI)
Modern B&R systems use mappView, an HTML5-based HMI framework built on OPC UA FX. If the CP1584 is running a mappView application, the HMI will be accessible via:
http://<PLC_IP>/mappView/ (AR 4.x)
https://<PLC_IP>/mappView/ (AR 6.x)
mappView requires the OPC UA server to be running on the PLC. The HMI loads in any modern browser and provides the full visualization that was deployed by the OEM.
The mappView files are typically stored in C:\mappView\ on the CF card and can be inspected via FTP for understanding the HMI structure without AS.
Using FTP and Web Server for Diagnostics and Data Extraction
Procedure: Full Remote Backup Without Automation Studio
This procedure captures everything available without AS:
PLC_IP="192.168.0.1"
BACKUP_DIR="./cp1584_backup_$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR/system" "$BACKUP_DIR/user" "$BACKUP_DIR/web" "$BACKUP_DIR/sdm"
# 1. Download SDM system dump (via browser or curl)
curl -k -o "$BACKUP_DIR/sdm/sysdump.tar.gz" \
"https://$PLC_IP/sdm/systemdump" 2>/dev/null || \
curl -o "$BACKUP_DIR/sdm/sysdump.tar.gz" \
"http://$PLC_IP/sdm/systemdump" 2>/dev/null
# 2. Mirror system partition (C:) via anonymous FTP
lftp -e "mirror --verbose / '$BACKUP_DIR/system'" \
-u anonymous, "ftp://$PLC_IP"
# 3. Mirror user partition (F:) via authenticated FTP
# Replace credentials with those from the AS project or try common defaults
lftp -e "mirror --verbose / '$BACKUP_DIR/user'" \
-u admin,admin "ftp://$PLC_IP/F:"
# 4. Mirror web directory
lftp -e "mirror --verbose /web '$BACKUP_DIR/web'" \
-u admin,admin "ftp://$PLC_IP"
Procedure: Extracting Configuration Files
Key configuration files to retrieve for understanding a PLC setup:
# Network configuration
curl "ftp://$PLC_IP/SysDir/Config.cfg" --user anonymous: -o Config.cfg
curl "ftp://$PLC_IP/SysDir/ARConfig.ini" --user anonymous: -o ARConfig.ini
# Web server configuration (if custom pages exist)
curl "ftp://$PLC_IP/BrWebSvr.ini" --user anonymous: -o BrWebSvr.ini
curl "ftp://$PLC_IP/BrWebSvr.cfg" --user anonymous: -o BrWebSvr.cfg
# Runtime parameters
curl "ftp://$PLC_IP/SysDir/Param.cfg" --user anonymous: -o Param.cfg
# System log
curl "ftp://$PLC_IP/arlogsys.log" --user anonymous: -o arlogsys.log
Procedure: Pulling Data Logs and Production Records
OEMs commonly store production data, alarm logs, and recipes on the F: partition:
# List all CSV files on the user partition
curl "ftp://$PLC_IP/" --user admin:admin --list-only | grep -i csv
# Download all CSV files
curl "ftp://$PLC_IP/" --user admin:admin --list-only | while read f; do
[[ "$f" == *.csv ]] && curl "ftp://$PLC_IP/$f" --user admin:admin -o "$f"
done
# Download TimLogger archives (if mapp TimLogger is used)
curl "ftp://$PLC_IP/TimLogger/" --user admin:admin --list-only
Procedure: Checking if a Project Backup Exists on the CF Card
OEMs sometimes store project files on F: for recovery:
# Search for zip files (project archives)
curl "ftp://$PLC_IP/" --user admin:admin --list-only | grep -i zip
# Search for AS project files
curl "ftp://$PLC_IP/" --user admin:admin --list-only | grep -i "\.apj\|\.at2\|\.at4"
If a project archive exists on F:, it can be downloaded via FTP and opened in the matching version of Automation Studio to recover full source code.
Procedure: Real-Time Variable Monitoring via Web
If PV_Access pages exist (check for .asp or .htm files with PV_Access.js references in the web\ directory):
- Browse to
http://<PLC_IP>/orhttp://<PLC_IP>/web/ - Check the page source for PV_Access.js script tags
- If custom monitoring pages exist, they provide live variable readout without any software
Procedure: Checking Hardware State via SDM
Without any software installed:
- Open
http://<PLC_IP>/sdm - Navigate through each tab:
- Overview: Lists all X20 I/O modules, their order in the X2X bus, firmware versions, and status
- Logger: Shows runtime errors, warnings, and info messages with timestamps
- Task Monitor: Reveals task class assignments and cycle times
- Memory: Shows RAM and Flash utilization
- Use this information to document the hardware configuration for a machine with no existing documentation
Default Credentials and Discovery
Finding the IP Address
When no documentation exists:
- B&R Automation Studio “Project Configuration”: Can auto-detect controllers on the network
- B&R Service Tool (RUC - Runtime Utility Center): Can scan for devices
- Wireshark: Capture DHCP requests or B&R discovery packets on startup
- Default IP: Many B&R X20 controllers ship with
192.168.0.1as the default IP address with DHCP enabled - Physical inspection: Check the front panel display (if equipped) or the AS project backup on the CF card
FTP Credentials Recovery
If FTP credentials are unknown:
- Check
C:\BrWebSvr.cfgfor legacy web server credentials (may hint at password patterns) - Check
C:\SysDir\*.cfgfiles for configuration references - Try common defaults:
admin/admin,br/br,operator/operator, empty/empty - On legacy systems, any username/password was reported to work
- If you have the AS project file (
.apj), open it in Automation Studio and check CPU > FTP settings
SDM Authentication
SDM typically requires no authentication in AR 4.x. In AR 6.x, it may require login if configured by the OEM. There is no standard default credential for SDM – if locked, the AS project must be modified to reset it.
Undocumented Features and Gotchas
Undocumented Behaviors
-
Anonymous C: access persists even when FTP is “disabled”: On some AR versions, disabling the FTP server in the AS project only disables authenticated access. Anonymous read-only access to C: may still function.
-
BrWebSvr.ini overrides AS project settings: If a
BrWebSvr.inifile exists on C:, it takes precedence over AS project web server settings. Deleting or renaming this file reverts to project-configured behavior. -
Multiple web servers can coexist: The legacy BrWebSvr and the modern SDM web server can run simultaneously on different ports (e.g., 80 and 443). Check both.
-
PV_Access port 81 convention: While not enforced, B&R documentation recommends using port 81 for PV_Access application traffic to separate it from SDM on port 80. Check if the OEM configured this.
-
CF card partition scheme: B&R typically creates 4 partitions on CF cards. Standard consumer CF cards may not support the multi-partition layout, which is why B&R branded cards are often required. Attempting to clone to a generic card may fail.
-
FTP file device path must use
USER_PATH: When configuring file devices in AS, the path for the user partition device must be set toUSER_PATH(notUSER_PATH:\orF:\). An incorrect path causes FTP directory listing to fail with “Permission denied”. -
System dump requires SDM enabled: If the OEM disabled SDM, you cannot download system dumps via the web interface. As a fallback, pull
arlogsys.logdirectly via FTP from C:. -
Logger buffer wraps: The system logger (
arlogsys.log) has a fixed buffer size. On long-running systems, old entries are overwritten. If a fault occurred days ago, the log entry may already be gone. Extract logs proactively. -
AR 6.x drive mapping changes: In Automation Runtime 6, the drive mappings C: through F: no longer correspond to the same partitions as in AR 4.x. If the CP1584 was upgraded from AR 4.x to AR 6.x, file locations change. See cf-card-boot.md for details.
-
Web server start page: If no custom pages exist, browsing to
http://<PLC_IP>/may return a generic B&R page, a 404, or the SDM redirect depending on AR version and configuration.
Security Warnings
- The FTP server transmits credentials in plain text. On shared plant networks, anyone with a network sniffer can capture passwords.
- SDM has no authentication by default in AR 4.x, exposing full hardware and diagnostic information.
- Custom ASP pages with ReadWrite forms can modify PLC variables from any browser – a potential safety hazard on process equipment.
- If the machine controls physical equipment, verify that web-accessible variables cannot cause unintended motion or state changes.
Known Security Vulnerabilities (CVEs)
The following CVEs affect the FTP and web server interfaces on CP1584 systems. Check your AR version against the B&R security advisories:
| CVE | Component | Severity | Status in AR 4.93 | Mitigation |
|---|---|---|---|---|
| CVE-2025-11044 | Multiple (AR core) | Critical | Patched | Upgrade to AR R4.93 |
| CVE-2025-3450 | Multiple (AR core) | High | Patched | Upgrade to AR R4.93 |
| CVE-2023-3242 | FTP weak TLS | Medium | Not patched | Use VPN or isolated network segment; FTPS if available |
| Webserver buffer overflow | BrWebSvr | High | Not patched | Disable custom web pages; restrict web server access via firewall |
| SDM XSS | SDM web UI | Medium | Not patched | Restrict SDM access to trusted networks; do not click untrusted links |
| SDM session fixation | SDM | Medium | Not patched | Clear browser session after SDM access |
| SDM CSV injection | SDM export | Low | Not patched | Open exported CSV files in a sandboxed viewer |
Practical recommendations for undocumented machines:
- Place the CP1584 on an isolated VLAN, not the corporate network
- If FTP must be used across network segments, tunnel through SSH or a VPN
- Disable custom web pages (remove
.aspfiles fromC:\web\) if not needed - Consider the OPC-UA to MQTT bridge pattern from iiot-retrofit.md to expose data without exposing the FTP/web attack surface
Sources
Official Documentation
- B&R AR WebServer Technical Manual — PDF (infoPLC) — Complete BrWebSvr ASP function reference, configuration files, and deployment guide
- B&R Automation Studio Online Help — Web server configuration, FTP settings, SDM configuration
B&R Community Forum Discussions
- PLC Web Server Data Read Performance — goform/ReadWrite 10-variable batching, JSON ASP + fetch() optimization technique (200x faster than PV_Access), AsHTTP custom web services
- Integrated webserver — Web server setup, ASP configuration, ReadPLC usage, GitHub demo project reference
- B&R PLC as Web Server Demo — Community sample project by B&R expert Christoph Hilchenbach
Related Documents
- cf-card-boot.md: CF card partition layout, boot sequence, AR installation files, and CF card cloning procedures
- config-file-formats.md: Detailed format reference for BrWebSvr.ini, BrWebSvr.cfg, ARConfig.ini, and other configuration files accessible via FTP
- diagnostics-sdm.md: Comprehensive SDM usage guide, log interpretation, system dump analysis, and error code reference
- iiot-retrofit.md: Building modern monitoring dashboards using B&R web server, OPC-UA, and custom REST endpoints
- custom-diagnostic-tools.md: Building custom diagnostic tools on the PLC including AsHTTP-based web services
Key Findings
-
FTP and SDM are the primary no-software-required access methods for undocumented B&R CP1584 systems. Together they provide full file system access, complete hardware diagnostics, and all system logs over a standard Ethernet connection.
-
FileZilla is the safest FTP client choice. WinSCP breaks on AR P4.93+ due to a known FTP server regression. The root cause is a change in the FTP server’s directory listing response format.
-
Anonymous FTP gives read-only access to C: – the system partition containing configuration files, logs, and web pages. Authenticated FTP (credentials from the AS project) is required for F: (user partition) access.
-
The SDM is accessible at
http://<PLC_IP>/sdmand works even when the PLC is in SERVICE mode. It provides hardware overview, task monitoring, logger output, and system dump downloads – all from a web browser. -
System dumps are the single most valuable diagnostic artifact. Downloadable as a
.tar.gzfile via SDM, they contain everything needed for B&R support to diagnose issues without physical access to the machine. -
OEM project backups may exist on F:. Always check for
.zipor.apjfiles in the user partition – they can contain the full Automation Studio project with source code, enabling complete system recovery. -
PV_Access.js enables browser-based live variable monitoring without any installed software. If the OEM deployed custom web pages, they provide real-time process data access from any device on the network.
-
FTP credentials are not recoverable from the PLC if the AS project is lost. The password is stored in the compiled project binary, not in a plain-text configuration file. Common defaults may work on legacy systems.
-
AR 6.x changes defaults to HTTPS and disables SDM by default. For systems running AR 6.x, use
https://URLs and check that SDM is enabled in the AS project configuration under “System diagnostics”. -
The combined FTP + SDM approach covers approximately 90% of remote maintenance needs for undocumented B&R machines: configuration extraction, log retrieval, hardware inventory, data backup, and live diagnostics are all achievable without Automation Studio.
-
The legacy BrWebSvr ASP system provides complete bidirectional PLC variable access via the
/goform/ReadWriteendpoint. Up to 10 variables can be batched in a single HTTP request. The UserGroup/UserLogin/UserLogout system provides role-based page protection via BrWebSvr.cfg. On undocumented machines, checking for.aspfiles in theC:\web\directory can reveal OEM-built monitoring pages with live variable displays. -
The JSON ASP + fetch() approach is ~200x faster than PV_Access.js for bulk variable reads. Creating an ASP page that outputs
<%ReadPLC()%>tags as a JSON array, then fetching it with JavaScriptfetch(), can retrieve 100 INT variables in under 80ms compared to 15+ seconds via individual PV_Access calls. This is the recommended approach for any data-rich custom monitoring pages. -
PV_Access.js wraps the goform/ReadWrite protocol — it is not a WebSocket or binary protocol. Each read/write generates a standard HTTP request. This means PV_Access is subject to the same 10-variable-per-request batching limit and HTTP overhead as direct goform calls.
-
B&R provides the AsHTTP library for custom REST/JSON endpoints running directly on the PLC. For advanced IIoT integrations, this provides full control over HTTP responses without the limitations of the legacy ASP system. See iiot-retrofit.md and custom-diagnostic-tools.md for implementation approaches.
-
Community GitHub resource: B&R expert Christoph Hilchenbach maintains
github.com/hilch/br-plc-as-webserverwith demonstration projects for the built-in web server. This is a practical reference for understanding web server configuration and deploying custom pages to the PLC. -
The web server binary location differs by AR version:
C:\AS\WebServer\i386\webserv.br(older) orC:\AS\WebServer\Y0200\i386\webserv.br(newer). The Y0200 path corresponds to AR version 2.2+ module structure. Both binaries serve the same ASP/HTTP functionality. -
SystemDumpViewer provides GUI analysis of downloaded system dumps. After downloading a system dump via SDM (
http://<PLC_IP>/sdm), use the community SystemDumpViewer Java tool or systemdump.py CLI (github.com/hilch/systemdump.py) to parse theSystemDump.xmlfile. This extracts logger entries, task cycle statistics, memory usage, and hardware status in a structured view. See ebpf-telemetry.md for the analysis workflow. -
Multiple unpatched CVEs affect FTP and web server on AR 4.93. Even the latest AR 4.x does not patch FTP weak TLS, webserver buffer overflow, or SDM XSS/session vulnerabilities. Isolate the PLC on a dedicated VLAN and restrict FTP/web access to trusted hosts. See ar-rtos.md §Security for the complete CVE table.