Alternative way of recovering HikVision NVR password

Hi all -- I am so happy that I found this helpful thread!

I have recently purchased a property with a HIKVision camera & NVR installed - however, the previous owner says they can't remember any of the passwords.

The hardware & firmware are as follows:
NVR: DS7608NI-K2 (V4.30.061 build 210313)
Cam: DS2DE5225IW-AE (V5.6.14 build 190826)

I tried accessing the config file through http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK , without success.
From reading this thread, I understand that the camera's firmware is too new. But the camera model also seems to be rather uncommon.
Do you think it would be possible to downgrade this particular camera to an older firmware version, and then exploit the vulnerability?

Thanks!
 

iTuneDVR

I tried accessing the config file through http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK , without success.
From reading this thread, I understand that the camera's firmware is too new. But the camera model also seems to be rather uncommon.
Do you think it would be possible to downgrade this particular camera to an older firmware version, and then exploit the vulnerability?

Thanks!
reboot device;
run SADP;
export xml separated;
remember start time at device;
do not reboot that;
send letter to support;
get answer;
use code to reset password ;)
 

laukkis85

Yes, that's confirmed by decrypting the first configuration file. The Russian site was correct.

If the camera firmware is old enough that it still uses the hard-coded default passwords when reset to defaults, the NVR when adding the camera under Plug&Play will use those if it finds that they work, instead of using its own admin password to activate and add the camera.
In other words - very old camera firmware means that this 'trojan horse' method of extracting an NVR password does not work.

If it's the NVR password you are trying to recover - you will need to use a camera that has firmware in the range 5.3.0 to 5.4.0

What does SADP show for the camera models, serial numbers (are they Chinese) and firmware versions?
Where can I download 5.3.0 for dahua Model DH-IPC-HDBW1230EP?
 

laukkis85

You need to know password from dahua ipc or ?
No, need to retrieve truvision nvr password. Have tried now twice with the customer service and it doesn't work with their way for some reason... So that's why I would like to know: is there the vulnerability with the Dahua camera older firmware like HIKvision/truevision cameras have?
 

trempa92

DS7608NI-K2 (V4.30.061 build 210313) isn't this firmware subjected to RCE? You can use paramReset within, it'll instantly go inactive state.
 

alastairstevenson

DS7608NI-K2 (V4.30.061 build 210313) isn't this firmware subjected to RCE?
Not according to Hikvision's original list (since removed) or use-ip's enhanced list.

But check the device serial number here :
 

trempa92

I wouldn't be surprised if the list were only half full.

Still might wanna check with the tool, considering the firmware was released in March, prior to the RCE
 

tgazda

Hello, can I ask you to put 2 EZVIZ cameras away from parents who forgot both the login and the password of the account?
I cannot Unbind in SADP
 


alastairstevenson

Hello, can I ask you to put 2 EZVIZ cameras away from parents who forgot both the login and the password of the account?
I cannot Unbind in SADP
You are trying to unbind the EzViz account from the cameras?
It's not something I know anything about, sorry.

Do you know that in the plaintext configuration files that you have attached there appears to be passwords - but I don't know if they are associated with the EzViz account :

admin / UXSRRE for the -Tube camera
admin / UWXDKV
Did you use these in the SADP unbind attempt?
 

tgazda

You are trying to unbind the EzViz account from the cameras?
It's not something I know anything about, sorry.

Do you know that in the plaintext configuration files that you have attached there appears to be passwords - but I don't know if they are associated with the EzViz account :

admin / UXSRRE for the -Tube camera
admin / UWXDKV
Did you use these in the SADP unbind attempt?
Yes I try unbind in SADP but doesn't work, i se
 


trempa92

Unbinding device with sadp only works if account is on hik-connect cloud not on ezviz platform. Password by default on ezviz cams is verification code on label
 

SamM

Hello,
Can you tell me the password from my DVR, please?... I spent so many hours to reset it..but...no success!
This is the model DS-7216HWI-SH1620150228AA
Thank you in advance!
Have you tried the conventional recovery?

 

SamM

Have you tried the conventional recovery?

Try the code qrqq9Qy9zQ

using the following date that you provided for serial number R505456052
year 2012
month 01
day 17
 

16710

Hello!

I've been reading this thread (and all the linked threads/blog posts) with interest as I've recently moved into a house and inherited a rather nice Hikvision CCTV system with NVR. Only problem is, I can't log into the NVR as nobody knows the admin password.

I've emailed hikvision EU support but not holding out much hope. I am also a bit stuck because the software the NVR and all the cameras are currently running is not vulnerable to the easy backdoor methods, so I've been unable to extract configs (and hence passwords) that way.

I like the idea of tricking the NVR into giving its config to a newly installed, and vulnerable, camera but I'm not sure if I can downgrade my existing cameras?

Software versions in use are:

Code:
Device Type            Software Version
DS-7616NI-I2/16P    V4.22.000build 190821
DS-2CD2383G0-I        V5.5.83build 190221
Many thanks in advance for any advice.


edit: I forgot to add. I don't seem to be able to use the 'Security code' reset approach either. I've tried various versions of SADP (including this old one) but whenever I select the NVR the 'security code' box disappears. Using the generated key in more recent SADP versions, in the 'Input key' box also doesn't work.
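
Added example, not part of the original thread: a small Python triage that parses firmware strings in the form posted above and marks cameras whose version falls in the 5.3.0 to 5.4.0 range quoted earlier in the thread, so an owner can schedule them for a firmware upgrade. The YYMMDD reading of the build stamp, the status labels and the two `EXAMPLE-CAM` entries are assumptions made for illustration.

```python
import re
from datetime import date

# Firmware strings as quoted in the thread, e.g. "V5.5.83build 190221" or
# "V4.30.061 build 210313" (the space before "build" is optional).
FIRMWARE_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\s*build\s*(\d{6})$", re.I)

# Camera firmware range quoted earlier in the thread.
RANGE_LOW, RANGE_HIGH = (5, 3, 0), (5, 4, 0)


def parse_firmware(text):
    """Return ((major, minor, patch), build_date); raise ValueError if malformed."""
    match = FIRMWARE_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, patch, stamp = match.groups()
    # Assumption: the build stamp is YYMMDD with a 20xx year.
    built = date(2000 + int(stamp[:2]), int(stamp[2:4]), int(stamp[4:]))
    return (int(major), int(minor), int(patch)), built


def in_quoted_range(version):
    """True when a camera version lies inside the range the thread quotes."""
    return RANGE_LOW <= version <= RANGE_HIGH


def triage(cameras):
    """Map each camera model to 'upgrade', 'outside range' or 'unparsed'."""
    result = {}
    for model, firmware in cameras.items():
        try:
            version, _built = parse_firmware(firmware)
        except ValueError:
            result[model] = "unparsed"
            continue
        result[model] = "upgrade" if in_quoted_range(version) else "outside range"
    return result


# Cameras only: the quoted range does not apply to NVR firmware.
CAMERAS = {
    "DS-2CD2383G0-I": "V5.5.83build 190221",   # from the post above
    "DS2DE5225IW-AE": "V5.6.14 build 190826",  # from the first post
    "EXAMPLE-CAM-A": "V5.3.8 build 151224",    # constructed sample
    "EXAMPLE-CAM-B": "5.4.0",                  # constructed, malformed
}

if __name__ == "__main__":
    for model, status in triage(CAMERAS).items():
        print(f"{model:16} {status}")
```
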

 

alastairstevenson

I'm not sure if I can downgrade my existing cameras?
Not the G0 cameras shown in the SADP screenshot, the 'downgrade block' would prevent that.

That NVR model quoted has 16 PoE ports - are there any other cameras connected directly?
Connect the PC to an unused NVR PoE port if so, SADP will find them.

the software the NVR and all the cameras are currently running is not vulnerable to the easy backdoor methods, so I've been unable to extract configs (and hence passwords) that way.
I believe that's correct - but the passwords are now stored as a hash so extracting a plaintext form is not practical.

You may have to resort to using the tftp updater method to re-apply the NVR firmware and therefore reset to defaults.
This would 'orphan' the cameras, where the same method would be needed, or make use of the reset button under the hatch on the body if the cameras are accessible.
In both cases, the firmware is larger than the 32MB size limit of the Hikvision tftp updater program - so the Scott Lamb clone would need to be used.
Example here :

NVR firmware here - use the closest to what's already installed :
 

16710

Thanks. There are 5 cameras, all are the same model (I've also plugged directly into the NVR and discovered the other cameras' info that way) unfortunately.

The cameras are really inaccessible so I'd prefer a method that doesn't involve me having to climb onto roofs or use a cherry picker(!) to physically reset them. Can I put them into a 'receive firmware over TFTP' mode remotely? Do they fall back to this state if I reset the NVR?

Cheers
 