The deployment page on the touchscreen links the upper lamp to Y22, and the lower lamp to Y12.
In GX3, a simple control screen is drawn:
So, which lamp do you think will light up?
If you think the Y22 lamp will light up — you've fallen into the trap!
This issue involves how data is read/written between GX and GT.
In GX, Y output uses octal (base-8) addressing.
But in GT, Y data is processed in hexadecimal (base-16).
An attacker can exploit this discrepancy to wrap malicious code in an "undetectable shell."
Calculation verification confirms this.
Simulated Scenario: An internal, confidential-level sewage treatment facility. Only the programming department is connected to the internet. However, the internal network is isolated, making lateral movement impossible from programming machines.
- Event 1: The internal programming team finalizes the PLC program, then sends it to technical reviewers for manual inspection. Once deemed secure, it's burned into the PLC.
- Event 2: You’ve infiltrated a machine in the programming department and obtained the source program.
- Event 3: You're only allowed to modify the GOT3 project.
| Functional Area | Device/Signal | Type | Address (Octal) | Description |
|---|---|---|---|---|
| Water Inlet | Low Water Level | DI Input | X000 | Level switch, low water level alarm |
| High Water Level | DI Input | X001 | Level switch, starts pump when high | |
| Inlet Pump | DO Output | Y000 | Start/Stop control of pump | |
| Grating Tank | Grating Motor Start Btn | DI Input | X002 | Manual start of grating motor |
| Grating Motor Status | DI Input | X003 | Feedback signal | |
| Grating Motor Output | DO Output | Y001 | Start/Stop control | |
| Sand Settler | Scraper Start Button | DI Input | X004 | Manual control |
| Scraper Status Feedback | DI Input | X005 | Status feedback | |
| Scraper Output | DO Output | Y002 | Start/Stop control | |
| Primary Tank | Inlet/Outlet Valve | DO Output | Y003 | Electric valve control |
| Level Detection | DI Input | X006 | Level switch | |
| Bio Tank | DO Sensor | AI Input | D100 | DO level detection (analog) |
| Aerator Blower | DO Output | Y004 | Start/Stop control | |
| Mixer Control | DO Output | Y005 | Mixer control | |
| Mixer Status Feedback | DI Input | X007 | Status feedback | |
| Secondary Tank | Sludge Pump Start Btn | DI Input | X010 | Manual start |
| Sludge Pump | DO Output | Y006 | Start/Stop control | |
| Mud Pump Start Btn | DI Input | X011 | Manual start | |
| Mud Pump | DO Output | Y007 | Start/Stop control | |
| Dosing System | pH Sensor | AI Input | D101 | pH value detection |
| Flocculant Pump | DO Output | Y010 | Flocculant dosing | |
| pH Regulator Pump | DO Output | Y011 | pH dosing pump | |
| Disinfectant Pump | DO Output | Y012 | Disinfectant dosing | |
| Disinfection | Disinfectant Level Det. | DI Input | X012 | Level alarm |
| Disinfection Start Btn | DI Input | X013 | Manual start | |
| Disinfection Pump | DO Output | Y013 | Start/Stop control | |
| Alarm System | Fault Alarm Input | DI Input | X014 | Equipment fault alarm |
| Alarm Output | DO Output | Y014 | Sound/Light alarm |
Alarm function works properly. Chemical activation: XB ⇒ X13 Alarm: XC ⇒ X14
Chemical Output: YA ⇒ Y12 Alarm Output: YC ⇒ Y14
Completely disabling the emergency stop function.
- Confirm the logic of chemical output
Y12in the program:
- Confirm the logic of alarm/emergency stop output
Y14in the program:
- Since we cannot modify ladder logic, modify the GOT screen.
Bind the emergency stop button to 0x14.
- Send the malicious
Main.GTXproject to the engineering team.
Disinfection starts normally:
Emergency stop fails:
If Main.gx3 is modifiable, pressing the emergency stop will continue disinfection/dosing instead of stopping it.
Since we already bound the alarm control to 0x14, it corresponds to Y24 in ladder logic.
So we OR X24 into the chemical output logic:
During admin review, seeing control X14 may mislead them into thinking it's still legitimate logic:
P.S.: In reality, this does not point to the true emergency stop target.
Disinfection starts as usual:
Emergency stop replaced — dosing continues:
