OMRON FINS protocol analysis & attack project link
1. Introduction to FINS Protocol
Omron is a Japanese manufacturer of industrial and factory automation equipment. Its small PLCs, including the CJ and CM series, hold a large share of the domestic market. These PLCs communicate over FINS, Host Link and other protocols. Depending on the model, Omron PLC CPUs and Ethernet communication modules with Ethernet support generally speak the FINS (Factory Interface Network Service) protocol, and some modules also support EtherNet/IP.
TCP/UDP port used by the FINS protocol: 9600
Encoding format used by the FINS protocol: ASCII
FINS is encapsulated in TCP or UDP; the layering of the FINS Ethernet protocol against the OSI model is shown in the figure (not included).
2. FINS protocol analysis
2.1 FINS session process
The FINS session runs over TCP/IP. The diagram (not included) describes the role of the first few data frames of a FINS session. A session begins with a request frame carrying the initiator's node parameters; the PLC (server) side acknowledges it and returns its own node parameters to the requester.
2.2 FINS frame structure
A FINS frame consists of three parts: the FINS Header, the FINS Command Code and the FINS Command Data.
2.3 FINS Header
2.3.1 FINS/TCP Header
Magic Bytes (4 bytes): 0x46494e53, the protocol ID, i.e. the ASCII string "FINS" in hexadecimal
Length (4 bytes): the number of bytes that follow this field
Reserved (3 bytes): reserved, usually 0x000000
Command Type (1 byte): data frame type, with the following values:
- 0x00: connect request, connection request data frame;
- 0x01: connect response, connection request confirmation;
- 0x02: data, data transmission;
Error Code (4 bytes): reserved, usually 0x00000000
2.3.2 FINS Header
0: ICF (1 byte): (Information Control Field) information control code. Its bits, from most to least significant, are:
- 1... .... = Gateway bit, whether a gateway is used; 1 means a gateway is used;
- .1.. .... = Data Type bit; 1 means response, 0 means command;
- ..0. .... = Reserved bit (first reserved bit), 0 by default;
- ...0 .... = Reserved bit (second reserved bit), 0 by default;
- .... 0... = Reserved bit (third reserved bit), 0 by default;
- .... .0.. = Reserved bit (fourth reserved bit), 0 by default;
- .... ..0. = Reserved bit (fifth reserved bit), 0 by default;
- .... ...1 = Response setting bit, the response flag; 1 means no response is required, 0 means a response must be returned.
1: Rev (1 byte): (Reserved) reserved, generally 0x00.
2: GCT (1 byte): (Gateway count) number of gateways, generally 0x02.
3: DNA (1 byte): (Destination network address) destination network address.
- 00: local network
- 01 to 7F: remote network
4: DA1 (1 byte): (Destination node number) destination node number.
- 01 to 7E: SYSMAC NET network node number
- 01 to 3E: SYSMAC LINK network node number
- FF: broadcast node number
5: DA2 (1 byte): (Destination unit number) destination unit number.
- 00: PC (CPU)
- FE: SYSMAC NET connection unit or SYSMAC LINK unit connection to the network
- 10 to 1F: CPU bus unit
6: SNA (1 byte): (Source network address) source network address.
- 00: local network
- 01 to 7F: remote network
7: SA1 (1 byte): (Source node number) source node number
- 01 to 7E: SYSMAC NET network node number
- 01 to 3E: SYSMAC LINK network node number
- FF: broadcast node number
8: SA2 (1 byte): (Source unit address) source unit address
- 00: PC (CPU)
- FE: SYSMAC NET connection unit or SYSMAC LINK unit connection to the network
- 10 to 1F: CPU bus unit
9: SID (1 byte): (Service ID) service ID, a serial number in the range 0x00-0xFF
10~11: Command code (2 bytes): command code, divided into a first-level (main request code) and a second-level (sub-request code) byte. For the detailed list of command codes, refer to the FINS command code reference.
3. Command
3.1 Client/Server Node Address: establishing the connection
The Client Node Address and Server Node Address fields appear only while the FINS/TCP client and server establish a connection; the exchange resembles a DHCP client obtaining an IP address, as shown in the figure (not included).
Before the FINS/TCP client and server exchange any command data, the client first sends a message containing the Client Node Address field to the server to apply for a node address, much like a DHCP request. Because the client does not yet have a node address when it applies, this field is set to 0x00000000, as shown in the figure (not included).
After receiving the client's request, the server assigns a node address to the client and announces it in its response. The same message also carries the server's own node address, as shown in the figure (not included).
After the client receives the server's response, it uses the assigned node address to communicate with the server, and a persistent connection is thereby established between the client and the server.
3.2 Operation mode switching: RUN/MONITOR/STOP/RESET
PLC mode switching
RUN/MONITOR mode:
- Command Code: Function code, 0x0401
- Program No.: Program code, usually 0xFFFF
- Mode:
  - Monitor mode 0x02
  - Run mode 0x04
STOP mode:
- Command Code: Function code, 0x0402
- Program No.: Program code, usually 0xFFFF
RESET mode:
- Command Code: Function code, 0x0403
- Program No.: Program code, usually 0xFFFF
3.3 Mandatory Setting & Canceling Mandatory Setting
The forced set/reset command can force a bit on or off, and can also set or release the forced state. The program will not be able to resume normal execution of that bit until the forced state is released.
3.3.1 Mandatory setting
The command structure is shown in the figure (not included).
Command Code: Function code, 0x2301
No. of bits/flags: the bit number.
Force Set/Reset data: Force/set data.
- Set/Reset Designation: Perform actions.
- 0x0000: Forced reset
- 0x0001: Forced to be set
- 0x8000: Forced release and reset
- 0x8001: Forced release and set
- 0xFFFF: Release the forced state
Memory Area Code: storage area code, which needs to be determined according to the PLC model
Bit/Flags: bit/state setting
3.3.2 Cancel mandatory settings
Command Code: 0x2302
3.4 Read/write IO Memory Area
3.4.1 Read IO Memory Area
Command Code: 0x0101
IO Memory area code: IO memory area code
Beginning address: starting address
No. of items (binary): 0~15
3.4.2 Write IO Memory Area
Command Code: 0x0102
IO Memory area code: IO memory area code
Beginning address: starting address
No. of items (binary): 0~15
Data: the data to be written
Remember to update the Length field in the FINS/TCP header to match the data length.
3.4.3 Fill IO Memory Area
Fills the IO memory area with the same data.
Command Code: 0x0103
IO Memory area code: IO memory area code
Beginning address: starting address
No. of items (binary): 0~15
Data: the data to fill with
3.5 Non-dedicated IO storage area
Non-dedicated IO storage area: Parameter Area, Program Area
3.5.1 Read Parameter Area
3.5.2 Read Program Area
3.6 Read/write/delete a single file
3.6.1 Read a single file
Command Code: 0x2202
Disk No: disk number
- 0x8000: Memory Card
- 0x8001: EM file memory
File name: up to 12 bytes, given as hexadecimal ASCII; shorter names are padded with 0x00
File position: the starting byte address; the file starts at 0x00000000
Data length: the length of the data to be read
Directory length: the length of the directory name containing the file, including the leading \; 0x0000 means the default root directory
Absolute directory path: up to 65 characters, starting with \ (0x5c)
Remember to update the Length field in the FINS/TCP header to match the data length.
3.6.2 Write to a single file
Command Code: 0x2203
Disk No: disk number
- 0x8000: Memory Card
- 0x8001: EM file memory
File name: up to 12 bytes, given as hexadecimal ASCII; shorter names are padded with 0x00
File position: the starting byte address; the file starts at 0x00000000
Data length: the length of the data to be written
File data: the file data to be written, given as hexadecimal ASCII
Directory length: the length of the directory name containing the file, including the leading \; 0x0000 means the default root directory
Absolute directory path: up to 65 characters, starting with \ (0x5c)
Remember to update the Length field in the FINS/TCP header to match the data length.
3.6.3 Delete file
Command Code: 0x2202
Disk No: disk number
- 0x8000: Memory Card
- 0x8001: EM file memory
No. of files: the number of files to delete; 0x0001 for a single file
File name: up to 12 bytes, given as hexadecimal ASCII; shorter names are padded with 0x00
Directory length: the length of the directory name containing the file, including the leading \; 0x0000 means the default root directory
Absolute directory path: up to 65 characters, starting with \ (0x5c)
4. Attack
Because of design flaws in the FINS protocol, an attacker can attack a PLC through the following steps:
- Establish a TCP connection with the PLC
- Send the FINS session initiation packet
- Build the packet for the desired function according to the protocol analysis above
- Send malicious messages, such as starting or stopping the PLC, tampering with specified memory, or reading and writing files
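A defender-side decoder for the frame layout in sections 2.3 and 3, added here as an example (it is not code from the original page or from Omron). It validates the FINS/TCP magic and Length field, decodes the node-address handshake (command types 0x00/0x01), unpacks the FINS header and ICF bits of data frames (0x02), and flags the state-changing command codes this page lists; the sample frames and the watch list are constructed for the example.

```python
import struct

# Command codes from sections 3.2-3.6 that change PLC state (constructed watch list)
STATE_CHANGING = {
    0x0401: "RUN/MONITOR mode switch", 0x0402: "STOP", 0x0403: "RESET",
    0x2301: "forced set/reset", 0x2302: "cancel forced set",
    0x0102: "write IO memory", 0x0103: "fill IO memory", 0x2203: "write file",
}

def parse_fins_tcp(frame: bytes) -> dict:
    """Decode one FINS/TCP frame: TCP header, then FINS header + command code for data frames."""
    if len(frame) < 16 or frame[:4] != b"FINS":          # magic bytes 0x46494e53
        raise ValueError("not a FINS/TCP frame")
    length, _reserved, ctype, err = struct.unpack(">I3sBI", frame[4:16])
    # Length counts every byte after the Length field (reserved + type + error + payload)
    if length != len(frame) - 8:
        raise ValueError(f"length field says {length} but {len(frame) - 8} bytes follow it")
    body = frame[16:]
    out = {"command_type": ctype, "error_code": err}
    if ctype == 0x00 and len(body) >= 4:                 # connect request: client node address
        out["client_node"] = struct.unpack(">I", body[:4])[0]
    elif ctype == 0x01 and len(body) >= 8:               # connect response: client + server node
        out["client_node"], out["server_node"] = struct.unpack(">II", body[:8])
    elif ctype == 0x02 and len(body) >= 12:              # data: 10-byte FINS header + command code
        icf, _rsv, gct, dna, da1, da2, sna, sa1, sa2, sid = body[:10]
        out["icf"] = {"gateway": bool(icf & 0x80),                # 1... ....
                      "response": bool(icf & 0x40),               # .1.. ....
                      "no_response_required": bool(icf & 0x01)}   # .... ...1
        out["gct"], out["sid"] = gct, sid
        out["dest"] = (dna, da1, da2)                    # network, node, unit
        out["src"] = (sna, sa1, sa2)
        out["command_code"] = struct.unpack(">H", body[10:12])[0]
        out["command_data"] = body[12:]
        out["state_changing"] = STATE_CHANGING.get(out["command_code"])
    else:
        raise ValueError(f"unknown or truncated frame type 0x{ctype:02x}")
    return out

# Constructed sample frames (not from a real capture)
CONNECT_REQ = bytes.fromhex("46494e53 0000000c 000000 00 00000000 00000000")
CONNECT_RESP = bytes.fromhex("46494e53 00000010 000000 01 00000000 0000000a 00000001")
# Data frame: ICF 0x80 (command, response required), GCT 2, to node 1 unit 0 from node 10,
# SID 1, command 0x0402 (STOP), program no. 0xFFFF
STOP_CMD = bytes.fromhex("46494e53 00000016 000000 02 00000000 8000020001 00000a0001 0402 ffff")

if __name__ == "__main__":
    for name, frame in [("connect req", CONNECT_REQ), ("connect resp", CONNECT_RESP), ("stop", STOP_CMD)]:
        print(name, parse_fins_tcp(frame))
```

Feeding reassembled TCP payloads from port 9600 through this decoder and alerting on a non-empty `state_changing` value gives a simple detection of mode changes, forced bits, memory writes and file writes from unexpected source nodes.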