Here is a general overview of the process, though exact steps can vary by version:
However, the most authoritative "solid paper" and technical deep-dive on this specific topic is: Key Technical Resource "Breaking Siemens SIMATIC S7 PLC Protection Mechanism" by Gao Jian (GEWU Lab). : This was presented at the Hack In The Box (HITB) Security Conference
Siemens logic controllers utilize unique password levels to restrict device privileges. Before trying to clear a device, identify which protection block is preventing access: s7 200 smart plc password unlock work
utility or a "reset to factory defaults" operation to clear the password, though this deletes the existing program Memory Card Reset
: When prompted for a password during the "Clear All" operation, enter CLEARPLC (case-insensitive) to bypass the prompt and reset the device to factory defaults. Here is a general overview of the process,
Password required only for writing (downloading) to the PLC. Least Privilege/No Access (Level 3/4):
Applied inside STEP 7-Micro/WIN SMART ( .smart or .mwp file protection). This blocks engineers from opening the offline code file on a PC without entering credentials. Password required only for writing (downloading) to the PLC
Only use these tools on your own projects or programs for which you have permission. Download tools from trusted sources, and always scan them with antivirus software. The use of these tools may void your Siemens warranty.
It is important to identify which "unlock" you need, as methods vary: