A common story. You've inherited a machine, or the installer has moved on, or you just want to back up the touchscreen before something goes wrong. You plug in a laptop, fire up the programming software, and hit upload. The panel asks for a password. Nobody knows it. The person who set it isn't reachable, isn't answering, or has retired years ago.
You own the machine. You own the panel. You own the program. But you can't get at it.
This comes up more than most operators realise. Here's what's actually possible, what isn't, and how we approach it when the legitimate owner of the equipment needs to recover their own program.
Who This Applies To
Before going any further: this article is about operators and owners recovering programs off equipment they own or are responsible for. Inherited machinery, gear installed by a contractor who's no longer around, plants that have changed hands. Legitimate asset owners needing to back up their own systems.
We don't help anyone bypass protection on equipment they don't own or aren't authorised to access. Proof of ownership is a standard part of any recovery conversation.
Why HMI Upload Passwords Exist
Most industrial touchscreens let the programmer set an upload password. The intent is to protect intellectual property: the OEM who built the machine doesn't want the end customer copying their control logic and handing it to a competitor.
In practice, it protects the installer more than the customer. The customer ends up locked out of their own panel, and when the relationship with the installer ends (they retire, go under, sell up, or just lose interest), the password often goes with them.
What We Can Recover, Brand by Brand
Different HMI brands handle upload protection differently. Some are straightforward, some are a proper specialist job.
Weintek (EasyBuilder Pro)
Weintek has always had a reasonable balance. EasyBuilder Pro projects have an upload password but the panel also supports a system-level admin password. If the project upload password is lost but the system admin password is known (or default), recovery is usually possible. Without either, we assess case by case depending on the firmware and series (iP, iE, cMT).
Kinco (HMIware / DTools)
Kinco panels are more variable. Older MT series are often straightforward. Newer GL and HP series with current DTools are tighter. Upload passwords on GL panels are a real lockout in most cases, but there are recovery paths depending on the model and firmware version.
Touchwin / Xinje (EditTool)
Touchwin panels are the most forgiving. Upload protection on older TH and THA panels is comparatively weak. If you've got a running Touchwin and no project file, rebuild or extraction is usually possible, often faster than chasing the original installer.
Delta DOP (DOPSoft)
Delta DOPSoft projects use a password that's set at project level. Default passwords exist on some older DOP series. Newer DOP-100 and DOP-H series are tighter.
Siemens (TIA Portal / WinCC Flexible)
Siemens is the most protected. Comfort Panels and KTP Basic panels in TIA Portal have proper password protection on upload, and legacy MP / TP panels running WinCC Flexible are similar. Recovery is possible in some cases depending on the panel series and firmware, but it's the hardest of the common brands.
Proface (GP-Pro EX)
Proface uses its own protection scheme. Factory reset is often searched for (we see "proface hmi factory reset" as a common query) but factory reset on a Proface without a backup will wipe the running program. Don't factory reset a Proface unless you have confirmed backup.
When Recovery Isn't Possible, Rebuild Is
If we can't pull the project off the panel, that doesn't always mean you're out of options. The panel is still running, which means we can document everything it does:
- Capture every screen the operator can navigate to
- Watch the live comms and rebuild the register map
- Document the alarm logic by observing normal operation
- Rebuild the project in the native editor from scratch
It's more work than a straightforward upload, but it's the same approach we use for any reverse-engineering job. You end up with a clean, documented project file that you own, in a supported editor, without needing to break anything.
The Alternative: Don't Let This Happen to You
For operators with panels that aren't yet locked down or where the password is still known:
- Back up now, while you can. If the upload password is known today but the person who knows it is 60 years old, back it up before they retire.
- Get the project file to a neutral location. Not on the installer's laptop. On your own server or a site document register.
- Record the passwords. If your installer won't give you the upload password, that's a conversation worth having before you sign the next job. Some OEMs will agree in writing; some won't. Either way, know where you stand.
- Check at handover. When taking over a plant or buying used equipment, make a project-file and password audit part of the acceptance.
How We Approach Recovery Jobs
When someone calls about a locked HMI, the first conversation covers:
- What panel, what firmware, what software version
- How the panel came to be locked (inherited, installer gone, password forgotten)
- What documentation exists (we ask for proof of ownership)
- Whether a rebuild from the running panel is an acceptable path if direct upload recovery doesn't work
Most of these jobs end with a working backup, documented register map, and a project file the customer owns. A few don't, and we'll say so early rather than bill for work that isn't going to succeed.
If you're staring at a password prompt on a panel you own, get in touch. We cover Weintek, Kinco, Touchwin, Delta, Siemens, Proface and others, across Australia.