Camera Keeps resetting its own password

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,989
Location
Megatroplis, USA
OK. You can't upgrade Chinese cameras that operate with hacked English firmware without first taking some remedial action. You didn't do that so you have most likely bricked your cameras. But they are not dead, rather they have simply gone into zombie mode which is where they shall stay until Dr. @alastairstevenson comes to make a house call.
 

razorseal

Getting the hang of it
Joined
Oct 17, 2014
Messages
149
Reaction score
6
OK. You can't upgrade Chinese cameras that operate with hacked English firmware without first taking some remedial action. You didn't do that so you have most likely bricked your cameras. But they are not dead, rather they have simply gone into zombie mode which is where they shall stay until Dr. @alastairstevenson comes to make a house call.

Bummer. I was just reading his thread, and I'm pretty confused. I'm going to have to do some more reading to figure it out. I don't even know how to access the camera now. It's not viewable on SADP.

@alastairstevenson I need your help brother. LOL

All my cameras have the CCH, so I guess I have to figure out what actions I need to take to be able to upgrade them.
 

razorseal

I found this guide...

How to reflash the firmware on Hikvision cameras (Hikvision TFTP procedure) - Security Cameras Reviews

This is going to take a while. Looks like I need to install one of my Ethernet over powerline things to that room/camera and then hardwire it to my network. Then change IP, use TFTP...

Probably something I'll have to do on my day off.

In the meantime, I have to figure out how to do the MTD hack...

This is a lot of work. I need to figure out how to get a VPN up, maybe that'll be easier. lol I have Linksys Velop which doesn't really support any VPNs like OpenVPN etc. it seems.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
Tried updating fw of the camera. Now I no longer can access it... been over 10 minutes. That's a bummer.
Let me guess... What I dreaded earlier just happened to me. This is a Chinese fw and I just tried uploading EN fw to it, and bricked it.
It does sound like it's a CN region camera that has been bricked.
But don't worry - it's recoverable with a little work. Loads of folk have done it, it's not that bad.
Just follow the brickfixv2 method that @Mike linked to above.
The scripting does a lot of the messy stuff for you.
You'll be fine!
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,007
Location
USA
This is a classic case of how Hikvision hates its customers. Letting the camera accept firmware that by all indications should work, but won't, and they know damn well it won't work because they broke it on purpose.

Anyway, for Hik cameras I always recommend to leave the firmware as-is, and simply secure the network so they can't be hacked from the outside. Updating the firmware disables the existing password recovery tools, and only protects you until the next major vulnerability is found.
 

razorseal

This is a classic case of how Hikvision hates its customers. Letting the camera accept firmware that by all indications should work, but won't, and they know damn well it won't work because they broke it on purpose.

Anyway, for Hik cameras I always recommend to leave the firmware as-is, and simply secure the network so they can't be hacked from the outside. Updating the firmware disables the existing password recovery tools, and only protects you until the next major vulnerability is found.
The password recovery tool gets disabled!? So how do you reset a password if you need to?

I was looking into securing my network. I have disabled UPnP on all cameras and port forwarding was never turned on for any of my cameras on my router. Only Blue Iris and Plex have access via port forwarding on my network. It's something I'll have to look into with a server VPN, but that's beyond my understanding at the moment.
 

bp2008

UPnP is also an option in the configuration of most routers. Check for it there, but be warned Plex might try to use UPnP and so if you disable it at the router you would need to forward ports for Plex manually.

The password recovery tool exploits the same vulnerability that hackers use to access your camera, so when you update to a firmware version that is no longer vulnerable, you can't use the password recovery tool either.
 

razorseal

Got it. I'll check my Linksys Velop when I get home. All camera UPnPs are disabled now...

So how do you reset the password god forbid you forget?

Edit - I think I understand now that I did my research. The "tool" no longer works. The .exe... However, you can still use the thing on the wiki here with the serial number and time of day to reset the password from the SADP tool. Correct?

I made my camera inaccessible to the outside world, but I'm sure there is something I may have missed that makes it possible for someone to get in...
 

razorseal

Me being the curious cat, I started doing some digging... I can't believe how easy it is to "hack" these cameras. I don't even want to call it hacking because it's so easy. All you have to do is go to Shodan and search for a specific string which is on the internet already. Then you use a password reset tool from one of the cameras that you can access and copy paste IP... click get users and there are the users just waiting to be assigned a new password. It's easier than resetting my own password!

Shame on Hikvision for not seeing this lol.
 

alastairstevenson

So how do you reset the password god forbid you forget?
The newer firmware has a self-service password reset method by the use of a Security Q&A that the user sets up.
No need for any 3rd party involvement.

The older firmware will allow a password reset using the @bp2008 'password reset tool'.

The in-between firmware has vulnerabilities that can be exploited, the worst of which is the notorious 'Hikvision backdoor' which @bp2008's updated password reset tool makes use of.

And if that doesn't work you can extract the configuration file, decrypt and decode it and pull out the password.
If the version of firmware on the camera is older than 5.4.5 try this, see if it demands authentication.
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
 

razorseal

The newer firmware has a self-service password reset method by the use of a Security Q&A that the user sets up.
No need for any 3rd party involvement.

The older firmware will allow a password reset using the @bp2008 'password reset tool'.

The in-between firmware has vulnerabilities that can be exploited, the worst of which is the notorious 'Hikvision backdoor' which @bp2008's updated password reset tool makes use of.

And if that doesn't work you can extract the configuration file, decrypt and decode it and pull out the password.
If the version of firmware on the camera is older than 5.4.5 try this, see if it demands authentication.
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Ahhh... Gotcha, no more use of any kind of password reset tool. Better remember your Security Q&A! lol
 

razorseal

I got it up and running with the latest EN fw guys. Thanks!

Now when I have time, I will do it to the rest of the cameras... but I need to figure out how to do it without a bricked device lol.
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
Keep in mind that even though you may have found and disabled the cam's UPnP setting which probably allowed the hack, the port remains open on your router until you reboot it or otherwise remove the previously opened port...

Btw, I also once had a Hik bullet which kept reverting to factory settings on its own. Turned out to be a stuck reset switch, addressed with a little cleaning...
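
An added example (not part of the original posts): a Python sketch of the audit that follows from the point above about router port mappings outliving the camera's UPnP setting. It parses the listing printed by miniupnpc's `upnpc -l` and flags mappings that still point at camera addresses; the sample listing, the camera IP 192.168.1.64 and the function names are constructed for illustration.

```python
import re

# One row of `upnpc -l`: index, protocol, extPort->intAddr:intPort,
# 'description', 'remoteHost', leaseTime (seconds; 0 = no expiry).
ROW = re.compile(
    r"^\s*(\d+)\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
    r"\s+'([^']*)'\s+'([^']*)'\s+(\d+)\s*$"
)

# Constructed sample listing (not captured from a real router).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8000->192.168.1.64:8000  'HIKVISION' '' 0
 1 TCP   554->192.168.1.64:554   'HIKVISION' '' 0
 2 TCP 32400->192.168.1.20:32400 'Plex Media Server' '' 604800
 3 UDP  5353->192.168.1.31:5353  'console' '' 3600
"""

def parse_mappings(text):
    """Return one dict per port-mapping row; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _, proto, ext, addr, internal, desc, _, lease = m.groups()
        rows.append({"proto": proto, "ext_port": int(ext), "int_ip": addr,
                     "int_port": int(internal), "desc": desc,
                     "permanent": int(lease) == 0})
    return rows

def stale_camera_mappings(text, camera_ips):
    """Mappings that still forward an external port to a known camera address."""
    return [m for m in parse_mappings(text) if m["int_ip"] in camera_ips]

if __name__ == "__main__":
    for m in stale_camera_mappings(SAMPLE, {"192.168.1.64"}):
        kind = "no expiry" if m["permanent"] else "leased"
        print(f"{m['proto']} {m['ext_port']} -> {m['int_ip']}:{m['int_port']} "
              f"({m['desc']}, {kind})")
```

On a live network, feed it the output of `upnpc -l`; a flagged entry can be removed with `upnpc -d <external_port> <protocol>` or by rebooting the router, as the post says.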
 

alastairstevenson

but I need to figure out how to do it without a bricked device lol.
Bricked or not bricked - you can follow the same process, it makes no difference.
What's important is that you know what the exact model number is so you can get the devType from the list.

You could if you wished bypass the use of the Hikvision tftp updater by installing the brickfixV2EN or CN firmware via the camera web GUI that is still available.
But you still then have to do the telnet access and use the normal tftp updater so not a lot saved.

By the way - the R0 series cameras firmware stops at version 5.4.41 which doesn't have the self-service password reset.
It's available in the other series with the later firmware.
 

razorseal

Ahh ok. So instead of doing the thing where I change my computer's ip to .128 to push that brickfixv2, I just install it from the web gui.

Then I'd just connect to camera using its own IP via PuTTY and tftp32 to do the MTD hack using the /dav/fixup.sh command?

I'm not sure what R0 series is then, because I couldn't get 5.4.41 to install. Only 5.4.5... I guess I don't have R0. Is that the thing in HxD where you change a number to 01 or something?
 

alastairstevenson

I have a DS-2CD2432F-I(W) with V 5.2.5. I don't recall where I bought it. I believe it was 2015 when I purchased it.
If that's the camera model, then it's an R0 series and the brickfixv2 method will work OK.
For China region R0 cameras, generally installing any firmware above 5.3.0 will brick the camera, or give a 'language mismatch error' at the web GUI.

Ahh ok. So instead of doing the thing where I change my computer's ip to .128 to push that brickfixv2, I just install it from the web gui.
As the first step, yes you can do that. All it avoids is the need to use the Hikvision tftp updater tool though.

Then I'd just connect to camera using its own IP via PuTTY and tftp32 to do the MTD hack using the /dav/fixup.sh command?
Not quite - the PC still needs the IP address to be 192.0.0.128, as the camera IP address when running in the 'min-system recovery mode' will be 192.0.0.64 and it will use the 192.0.0.128 address for the tftp server.
The normally-user-defined IP address only comes into play when the camera is normally booted into valid firmware.

I guess I don't have R0.
A DS-2CD2432F-IW model is definitely an R0 camera.

Is that the thing in HxD where you change a number to 01 or something?
What you may be thinking of here is the 'language byte' in location 0x10 of the hardware signature, where 02=CN and 01=EN.
But with the 'enhanced MTD hack' to convert to EN / updatable there are a couple of other locations also to adjust, as per the guide.
 

razorseal

Thanks @alastairstevenson

I have the same camera somewhere else in my house. That one is like version 5.1.6 or something (def R0 as the OSD weekday is in Chinese lol). That's not bricked however. I guess where I'm confused is, how do I put the camera into "min-system recovery mode" when it's not bricked and just working fine so I can have it listen to 192.0.0.128.

When I upload that EN (or CN) file from the brickfixv2 folder through web gui, will the camera go into min-system recovery mode?
 

alastairstevenson

I guess where I'm confused is, how do I put the camera into "min-system recovery mode" when it's not bricked and just working fine so I can have it listen to 192.0.0.128.
You just install the brickfixV2EN.dav firmware from the web GUI.
It doesn't matter if it's installed via the Hikvision tftp updater tool, or from a working camera web GUI.
When it executes, on the reboot after installation, it does all the needed tasks - drops the payload, inhibits the downgrade block, installs the fixup.sh script etc and then initiates the reboot into the min-system recovery mode where the /dav/fixup.sh script does its work.

When I upload that EN (or CN) file from the brickfixv2 folder through web gui, will the camera go into min-system recovery mode?
Yes, it will, on the automated reboot, that's how it's designed to operate.
 

razorseal

You just install the brickfixV2EN.dav firmware from the web GUI.
It doesn't matter if it's installed via the Hikvision tftp updater tool, or from a working camera web GUI.
When it executes, on the reboot after installation, it does all the needed tasks - drops the payload, inhibits the downgrade block, installs the fixup.sh script etc and then initiates the reboot into the min-system recovery mode where the /dav/fixup.sh script does its work.


Yes, it will, on the automated reboot, that's how it's designed to operate.
Awesome, so the install will be the same as I did it before except the 1st part with the Hikvision tftp or whatever it was.

System will still be listening on 192.0.0.64 though. I can just connect to it without changing my IP then. I'll have PuTTY connect to 192.0.0.64. I will give it a try tonight and see how it works out!

@alastairstevenson You've been a great help!

This makes me want to tackle the backyard camera (2CD-2032F-IW) that I have which pretty much stopped working one day. I stopped seeing it even on SADP Tool. I gave up on that one for almost a year now lol....
 