Advanced users can password-protect specific subroutines. You may be able to see the main program, but a critical auto-sequence block remains locked.
Unlike Siemens or Allen-Bradley, Fatek stores the password hash (sometimes in plain text or a simple XOR cipher) inside specific system registers (R 3839 and R 4094, depending on the firmware). This architectural flaw is what makes "cracking" possible.
Published: April 12, 2026 | Category: Industrial Automation fatek plc password crack fix
There’s a sinking feeling every controls engineer knows too well: You plug into a Fatek PLC (FBs, B1, or WinPro ladder series) to modify a timer or diagnose a fault, only to be met with the dreaded "Password Protected" error.
The original programmer left the company six years ago. The source code is on a dead hard drive. The machine is down. Advanced users can password-protect specific subroutines
Here is the reality of recovering access to a locked Fatek PLC, ranging from legitimate fixes to low-level recovery methods.
You will find software online claiming to "brute force" Fatek passwords over RS232. They work, but painfully slowly (hours to days for 8 numeric digits). Physical EEPROM read is faster. Brute force is only useful if you cannot open the panel. This architectural flaw is what makes "cracking" possible
Disclaimer: This article is provided for educational and informational purposes only. Passwords are implemented by OEMs (Original Equipment Manufacturers) and system integrators to protect intellectual property and ensure safety. Attempting to bypass a password on equipment you do not own or are not authorized to service may violate laws and OEM agreements. The author assumes no liability for misuse of this information. Always attempt to obtain the legitimate password from the system owner first.