DS-2CD3345-I Cannot Change Firmware/PW

Town · Apr 9, 2019

Hi all,
after 3 year of working with DS-2CD3345-I i forgot password to camera

HDD with NVR software formatted and PW is lost.

So now problem to recover/reet password.
Camera Firmware is :
5.4.24 build 170303
SN is:
SADP 2.0: DS-2CD3345-I20170214AACH713157881

initial wirmware was english and show me same serial, but WR region
DS-2CD3345-I20170214AA[WR]713157881

i tried to flash some firmwares to reset password with tftpserv.exe but always version and build remains the same.
the onlyt effect - now CAM is CN language only.
tftpserv.exe flashes tells that file uploaded ok.
5.4.24 build 170303
IPC_G0_CN_STD_5.4.24_170303.zip - become Chinese only
IPC_G0_CN_STD_5.4.41_170710.zip - version not chnaged, same 5.4.24 170303 remains in SADP.

other FW versions include EN - tftp says only "Resend needed" and nothing more.

As i hear some CAMs cannot support firmware changing, so any way to recover password or changing the FW with resetting?

Thanks!

alastairstevenson · Apr 9, 2019

Some of those Chinese DS-2CD3345-I cameras have customised firmware that blocks any updates.

Town said:
i tried to flash some firmwares to reset password with tftpserv.exe but always version and build remains the same.
the onlyt effect - now CAM is CN language only.

Usually, the tftp updater would reset the camera to defaults, and leave it in an 'Inactive' state as seen by SADP, which would then allow you to set your own strong password to 'Activate' it.
Odd that it changed the region part of the serial number, and the language.

That version of firmware may still have the Hikvision backdoor vulnerability.
If so, try this URL, changing the IP address to suit :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If it extracts a file, zip it up and attch it here and I will decrypt and decode and extract the password for you.

Town · Apr 9, 2019

Thanks for the answer,
it asks me for the login/password when im enterning:
http://192.168.1.13/System/configurationFile?auth=YWRtaW46MTEK
if no password enter:
Access Error: 401 -- Unauthorized
Authentication Error: Your client does not have permission to get URL /System/configurationFile from this server.

tftp updater flashing with status ok, (onlr 2-3 lines with resend required appears and end with "Completed file [c:\tftprec\digicap.dav] transmit").
But nothing changes. CN firmwares like 5.3.1 /5.3.3/5.3.9 stops at message "Resend required ".

i unpacked the downloaded firmware from IPC_G0_CN_STD_5.4.24_170303.zip file
Decrypted and extracted the "davinci_bak" file.
YWRtaW46MTEK is EVP base64 encoded string 'admin:11', right?
i see it DVP_decode and parse 'auth=' string, but dont see yet any hardcoded sequences.
is i see it expects that password will be not more 0x10 bytes, so it strips it anyway to 16.

As i uderstand, if i will conenect with serial PL2303 i will have the same tftp server....
Do you think, any chance to get into ssh of CAM without user/ password ?

Town · Apr 9, 2019

alastairstevenson said:
Some of those Chinese DS-2CD3345-I cameras have customised firmware that blocks any updates.

Do you have dumps from such cameras?
for now The only thing i can do is to export REQUEST file vith SADP Recovery Password XML file.
it contains encrypted xml file
built frpom this info:

<?xml version="1.0" encoding="UTF-8"?>
<ProbeMatch><Uuid>33730C90-757E-4564-9A91-1C1C0933C56A</Uuid>
<MAC>54-c4-15-71-b2-31</MAC>
<Types>getencryptstring</Types>
<Result>success</Result>
<EncryptString>BAAAAFrOEyPT8x32RkJbOR6C3FdxbTVDjzS7y5GWURruYW5Fe4zomKWKT8fN7pHPEg2Xlc5dcJrEDwhXOwIsIWaujFrwMnqHgwYUlmbgISOiGQ4cSkZwG3vYx3epDkHSYCQ5z7PSzc4/qA0lvQG52SOM1CkLyZYyNFsjshRRiAQypgBy</EncryptString>
</ProbeMatch>

As i understant, these cryped buffers does not contains any passwords or similar info.
Its just parts of RSA challenge algo, with fixed header 0x12345678 and date/time stamps. If validation of challenge is ok, then appropriate action if performed, based on UUID type of operation.

So withut knoledgle of RSA private keys we can make own responses in new firmware releases, right?

alastairstevenson · Apr 9, 2019

Town said:
Access Error: 401 -- Unauthorized
Authentication Error: Your client does not have permission to get URL /System/configurationFile from this server.

That's a pity - the response means that the firmware in use is not vulnerable to the 'Hikvision backdoor' - which is unexpected, given that thge apparent version is older than 5.4.5
Actually - or maybe not older, if the last number is an ascending numeric as opposed to a decimal fraction, if you understand what I mean.

Town said:
tftp updater flashing with status ok, (onlr 2-3 lines with resend required appears and end with "Completed file [c:\tftprec\digicap.dav] transmit").

Transmit just means the file has been downloaded - you'd then need the 'System update successful' message to say the firmware was validated and has been applied.

Town said:
i see it DVP_decode and parse 'auth=' string, but dont see yet any hardcoded sequences.

There are not any, for HTTP access.
In the 'backdoor' vulnerability, that request skips the authorisation check. Fixed in 5.4.5 and later firmware.

Town said:
As i uderstand, if i will conenect with serial PL2303 i will have the same tftp server....
Do you think, any chance to get into ssh of CAM without user/ password ?

If SSH is enabled - it will dump you into the Hikvision 'psh' restricted shell, which provides no useful shell commands, and is protected with strong authentication.
But with serial console access, the bootloader should provide some access opportunities.
One of the easiest might be to alter the bootargs to include some combination of init=/bin/sh or single or debug=9
This varies with the specific version of bootloader.

If you can't find a version of firmware that would be accepted by the tftp updater (or maybe not blocked if it's running hacked firmware), then the serial console connection will be needed.

Town said:
Do you have dumps from such cameras?

Not for the DS-2CD3345-I - but I had a couple of DS-2CD3335-I that had been running the 'Dieter and Fiona' hacked firmware that had the update capabilities inhibited.
I fixed them up manually by using the serial console to boot the kernel only, then copying in the replacement application and rootfs files manually.

Sometimes its not clear, at least to me, if these models are G0 or G1 series.
Maybe try some G1 firmware to see if it takes.
ftp://ftp.hikvision.ru/02.%202-line%20cameras/4.%20G1%20platform%20-%20DS-2CD2XX5%202XX3G0/
海康威视是以视频为核心的物联网解决方案提供商

Town · Apr 13, 2019

Logged via TTL into Camera:

Code:

U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03)
NAND:  128 MB
Hit Ctrl+u to stop autoboot: 
HKVS #
NAND:  128 MB
HKVS # help
erase   - erase flash except bootloader area
go      - start application at address 'addr'
help    - print command description/usage
loadk   - load kernel to DRAM
update  - update digicap.dav
updateb - update bootloader
upf     - update firmware, format and update (factory use)
ddr     - ddr training function
mii     - MII utility commands
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
HKVS # printenv
bootargs=console=ttyAMA0,115200
bootcmd=loadk
bootdelay=3
baudrate=115200
netmask=255.255.255.0
bootfile="uImage"
ipaddr=192.0.0.64
serverip=192.0.0.128
stdin=serial
stdout=serial
stderr=serial
verify=n
mdio_intf=mii
phy_addr=3
ethaddr=54:c4:15:71:b2:31
ver=U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03)
Environment size: 305/262140 bytes
HKVS #

Town · Apr 13, 2019

davinci commands set

Code:

help
Support Commands:
taskShow                        printPart                       prtHardInfo
getPreviewStatus                setIp                           setV6ip
setGateway                      dspStatus                       outputClose
outputOpen                      getDebug                        setDebug
debugLog                        getIrstate                      getMtu
camCmd                          getCamVer                       getIrstate
getLux                          getMcuInfo                      getMotion
getRawdata                      setIrcmd                        setRectFrame
updateCamera                    setLaserMode                    getLaserMode
setIrMode                       getIrMode                       setBaiguangMode
getBaiguangMode                 setYTLock                       InquireFanSwitch
StartLaser                      CloseLaser                      LaserMotReset
EnlargeCur                      ReduceCur                       SetCur
LaserMotDirect                  LaserTeleOffset                 LaserWideOffset
InqSwitch                       InqCurrent                      InqCurMotDirect
getMcuStateInfo                 setFastFocus                    getTrackStatus
getSelfcheckResult              setLdcMode                      getLdcMode
getPreviewStatus                appCmd                          camCmd
ezoomlens_start_t2_test         prtLensCurve                    getLensCurve
getIp                           gdbcfg                          {Test1}
{Test2}                         {Test3}                         {Test4}
{TestN}                         {TestY}                         getIsp
getISP                          getisp                          setIsp
setISP                          setisp                          regread
regwrite                        setAgingMode                    getAgingMode
setAgingTime                    getAgingTime                    setLensZoomPos
getLensZoomPos                  dm365                           ss
showKey                         showServer                      showUpnp
showStatus                      showDefence                     setLBS
setAlarm                        cloudService                    t1
ifconfig                        netstat                         ping
ping6                           top                             iostat
mpstat                          ps                              reset
dmesg                           wl                              iwpriv
setWifiEnable                   getWifiInfo                     exit
getDateInfo                     diagnose                        help
zhimakaimen

prtHardInfo

Code:

Start at 1970-01-06 03:41:31
Serial NO :DS-2CD3345-I20170214AACH713157881
V5.4.24 build 170303
NetProcess Version: 1.7.1.179932 [14:53:09-Dec 10 2016]
Db Encrypt Version: 65537
Db Major Version: 1176
Db svn info:
Path: /Camera/Platform/Branches/branches_frontend_software_platform/db_process_for_5.4.20
Last Changed Rev: 233659
Last Changed Date: 2016-11-08 11:13:39 +0800 (Tue, 08 Nov 2016)
hardwareVersion = 0x0
hardWareExtVersion      = 0x0
encodeChans             = 1
decodeChans             = 1
alarmInNums             = 0
alarmOutNums            = 0
ataCtrlNums             = 0
flashChipNums           = 0
ramSize                 = 0x100
networksNums            = 1
language                        = 2
devType                 = 0x22528
net reboot count        = 0
vi_type                 = 32
Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/IPC_5.4.x/ipc_5.4.24_g0
Last Changed Rev: 260047
Last Changed Date: 2017-03-03 10:04:53 +0800 (Fri, 03 Mar 2017)

Town · Apr 13, 2019

Got it working putting the orignial digicap.dav with tftpd32.exe
booted into u-boot by ctrl+U
then issued command upf (update not working, it just uploads the original locked firmware)
with upf command new firmware loaded ok and settings resetted.
so i was able to set new password, but camera remains chinesed.

alastairstevenson · Apr 14, 2019

Town said:
Got it working putting the orignial digicap.dav with tftpd32.exe
booted into u-boot by ctrl+U
then issued command upf

Well done for getting there.

If you want to see how the internals work, this may be worth trying :

Code:

setenv bootargs console=ttyAMA0,115200 debug single loglevel=8

to get to an ash prompt.

And attached is a bunch of language files to play with from a DS-2CD2335

Town · Apr 14, 2019

Thank, installed
IPC_G0_EN_STD_5.5.53_180716
firmware.
Working ok.
Planning to switch to EN.

hiktools05R1 changing lang to 02 not succeed, decrypting manually and tryin gto change fields by bytes.

alastairstevenson · Apr 14, 2019

Yes, that change language is only for the header of the firmware.

Town · Apr 14, 2019

Do yo mean, only header checked when firmware installing?

Code:

HIK firmware header converter 0.5R 

Head raw data(108b) :
00000000 8A FF F7 B6 8E ED DD D3 D6 B9 A3 AB BF CB B5 BE    ................
00000010 42 C0 0F D7 CB DD D3 BA 46 5C 54 40 34 4A 41 45    B.......F\T@4JAE
00000020 43 01 29 35 22 2C 45 46 5C 54 40 34 87 8E 8B FD    C.)5",EF\T@4....
00000030 CE E3 FA ED E0 8B 88 92 9A 8E FA 85 8E 88 FC BC    ................
00000040 E4 FA EC E3 8A 8C 93 9B 8C FA 84 8F 8B FC 8D CE    ................
00000050 FA EF E2 BA B8 51 B6 B0 0E B2 63 1C F4 26 8F 42    .....Q....c.&.B
00000060 B1 D3 BA B9 80 D7 4E CA 8A 44 0B 34 

Head decoded data(108b) :
00000000 30 32 4B 48 58 27 00 00 6C 00 00 00 00 00 00 00    02KHX'..l.......
00000010 8F 7C F1 01 01 00 00 00 FF FF FF FF FF FF FF FF    .|..............
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 32 30 31 30    ............2010
00000030 30 35 30 30 33 31 31 31 31 31 31 30 30 32 31 00    050031111110021.
00000040 32 30 31 30 30 35 30 30 33 31 31 31 31 31 31 30    2010050031111110
00000050 30 32 31 00 01 F2 1D 0F C5 07 DD A6 39 9A 71 94    021........9.q.
00000060 6C 00 00 00 23 7C F1 01 3F FA B1 F9 

Magic number :    0x484B3230
iHeaderCheckSum : 0x00002758 [10072]
iHeadTotalLen :   0x0000006C [108]
iFileNum :        0x00000000 [0]
iLanguage :       0x01F17C8F [32603279]
iDeviceClass :    0x00000001
iOEMCode :        0xFFFFFFFF
iFirmwareVer :    0xFFFFFFFF
iFeature:         0xFFFFFFFF
Calculated CheckSum :        0x00002758 [10072]

iLanguage : 0x01F17C8F - seems is not LangID tag. Maybe only first byte? or next dword.

alastairstevenson · Apr 14, 2019

Yes, the header only checked as part of the firmware validation.
Hiktools51 does not work with that newer version of firmware, the header information is not correct.

xpresion · Sep 16, 2019

im s

Town said:
Got it working putting the orignial digicap.dav with tftpd32.exe
booted into u-boot by ctrl+U
then issued command upf (update not working, it just uploads the original locked firmware)
with upf command new firmware loaded ok and settings resetted.
so i was able to set new password, but camera remains chinesed.

I am in the same psoition as you were with your cameras. I am unable to remember the passwords and atempting to flash a new FW results with the same problems you had.

I am tryin gto work out this (uboot) you mentioned off to help update the firmware rather then just send it to the cam.

Is Uboot a linux thing? or another app i can download and work with?

alastairstevenson · Sep 16, 2019

What is the model of camera?
What is the version of firmware as shown by SADP?
If it's 5.4.4 or earlier the password can be reset or extracted.

xpresion · Sep 17, 2019

alastairstevenson said:
What is the model of camera?
What is the version of firmware as shown by SADP?
If it's 5.4.4 or earlier the password can be reset or extracted.

I will find out and let you know. The old nvr i have can still view the cameras as the password is saved on it. Is there a way to extract the password from the nvr? I want to upgrade the nvr to an 8 channel one, that's why i am in need of the passwords for the cameras.

P.s i also tried the nvr password on the camera as i know the nvr sometimes changes the password on the cameras when they are initialized.

xpresion · Sep 17, 2019

alastairstevenson said:
What is the model of camera?
What is the version of firmware as shown by SADP?
If it's 5.4.4 or earlier the password can be reset or extracted.

The version according to SADP is v5.4.24 for 2 cameras and v5.4.52 for another 2 cameras.

The backdoor trick dosent work on any camera either

alastairstevenson · Sep 17, 2019

xpresion said:
The backdoor trick dosent work on any camera either

If you use the Hikvision tftp updater to apply the 5.4.4 or earlier firmware, the camera will be reset to an Inactive state.

nz850 · Oct 30, 2019

Hi there, I have six DS-2CD3345-i cameras where the passwords were unknown, I have managed to reset four of them with assistance from HiK Support via the SADP "forgot password" key file function, but for two cameras I am unable to create the key file using SADP. Upon trying I get an error: "Failed to get the Key:Timeout" and "Failed to generate QR code". This did not happen to the others. The Support request simply advised to generate a key file using SADP, but since I am unable to they have not provided any further advice.

I have read several posts about various password issues, but so far can't find anything related to not being able to create the key file? Is there any suggestions on what could be causing this and how to solve it?

The camera's (and DVR) are Chinese versions (as the previous owner of the house who installed them was Chinese), but that in itself is not an issue for me. I am just wanting to reset the remaining cameras if possible. They are both running firmware v5.5.0_170728 (Chinese) and manufactured in Dec 2017.

Any suggestions or assistance I will be grateful.

George

Sergii · Nov 1, 2019

nz850 said:
Hi there, I have six DS-2CD3345-i cameras where the passwords were unknown, I have managed to reset four of them with assistance from HiK Support via the SADP "forgot password" key file function, but for two cameras I am unable to create the key file using SADP. Upon trying I get an error: "Failed to get the Key:Timeout" and "Failed to generate QR code". This did not happen to the others. The Support request simply advised to generate a key file using SADP, but since I am unable to they have not provided any further advice.

I have read several posts about various password issues, but so far can't find anything related to not being able to create the key file? Is there any suggestions on what could be causing this and how to solve it?

The camera's (and DVR) are Chinese versions (as the previous owner of the house who installed them was Chinese), but that in itself is not an issue for me. I am just wanting to reset the remaining cameras if possible. They are both running firmware v5.5.0_170728 (Chinese) and manufactured in Dec 2017.

Any suggestions or assistance I will be grateful.

George

Try this tool,
I was able to reset the password after 2 weeks of googling, My firmware is 5.4.20 and it has this backdoor vulnerability. bp2008/HikPasswordHelper

Search

DS-2CD3345-I Cannot Change Firmware/PW

Town

n3wb

alastairstevenson

Town

n3wb

Town

n3wb

Attachments

alastairstevenson

Town

n3wb

Town

n3wb

Town

n3wb

alastairstevenson

Attachments

Town

n3wb

alastairstevenson

Town

n3wb

alastairstevenson

xpresion

n3wb

alastairstevenson

xpresion

n3wb

xpresion

n3wb

alastairstevenson

nz850

n3wb

Sergii

n3wb