Alternative way of recovering HikVision NVR password

[alastairstevenson]

Yes, that should work ok.

 

[superkp]

cool I will give it a go thx

 

[superkp]

the nvr ip shows as 10.0.1.15
what should I switch my pc ip to?
maybe 10.0.1.1 ??

 

[superkp]

Hello, I am @Pjlord from Carmel in California, and I am new to this board, but I have been working with a couple HikVision systems for several years now. Hopefully, I posted this in the right forum section.

Recently, I purchased a new home which had a HikVision system with 3 cameras installed. Unfortunately, the original owner could not remember the password. I need to thank @alastairstevenson for his help in troubleshooting this situation. Here are the details:

System setup:
NVR: DS-7604NI-E1/4P running Software Version V3.4.90build 161008
Cameras: 3 X DS-2CD2342WD-I Running V5.4.5build 170124

Of course, HikVision USA refused to help reset the password as they view the system as a gray market one.

I tried many ways to TFTP into the NVR to no avail as it would not take. I did not have the right tools to connect to the serial COM port on the NVR and I could not use the backdoor trick as the firmware was too new on both he cameras and the NVR. There was no way without the password to extract the configuration file from the camera by using this URL in the browser, replacing the IP address as needed : http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Solution:
After trying quite a few things, and a little bit out of desperation, I decided to downgrade the firmware on one of the cameras to a version prior to 5.4.5 using TFTP.

1) I downgraded the firmware on one of the cameras. I used 5.4.4 build 161125
2) I then plugged the camera back into the POE port side of the NVR and relied on the Pug-&-Play mode of the NVR which by default uses the NVR password for the cameras. Effectively I watched with SADP the camera go from inactive to active after being plugged in back into the NVR
3) I then issued the URL command with the right camera IP address to extract the configurationFile: http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
4) @alastairstevenson was then kind enough to help me decrypt the file and extract the camera (and NVR) password.
5) Voila! … NVR password recovered. I then finally re-upgraded the camera firmware to 5.4.5.​

I hope this can help others that find themselves in the same predicament I was in with my NVR forgotten password. Of course while it worked for me, use at your own risk as YMMV.

Again, many thanks to @alastairstevenson for his help.

Best!

what is the url command? do I copy n paste the camera ip address http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEKinto my browser

 

[alastairstevenson]

what should I switch my pc ip to?

Something in the address range that the 'Internal NIC' (as see via the VGA/HDMI interface of the NVR) is set to.

do I copy n paste the camera ip address http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEKinto my browser

Yes, that's correct.
After the PC IP address has been changed to match whatever is used by the NVR PoE channels.

 

[matthewg1974]

Hey guys, Would just like to say thanks @Pjlord + @muddywaters7 for the info and links on this thread! All worked really well for me and i got to learn a bit of openSSL and XOR on the way.
Although when I finally got that blasted admin password from the config file it was password123 . I should of had a couple of guesses first!

Anyway thanks again

 

[alastairstevenson]

Well done, a good result!

 

[matthewg1974]

Well done, a good result!

Thanks, And thanks to you also @alastairstevenson for all of the trouble shooting/work you did in getting the process working.

 

[iTzaZkrit]

Hi. I have a used hikvision setup, 1 cam and a NVR. Its a DS-7604 and a DS-2CD fisheye cam. Previous owner cannot remember nvr password. Firmware details are below. Can any of you guys tell me if I should be able to use the backdoor url to get config file? I tried it, setup ip on same subnet, but getting file not found garbage when I try to go to it. If not, is firmware downgrade on the camera the only way? Thanks!

Sorry for duplicate post....this thread may be better. Cheers!

Camera
DS-2CD6362F-IV
Software Version: V5.0.9build 141009
DSP Build V4.0, build 141027

NVR
DS-7604NI-E1/4P
Software: V3.4.92build 170518
DSP Version V5.0, build 170228

 

[iTzaZkrit]

I was able to reset the camera password using the Password Reset Tool. however, I'm still at a loss as what I can do to reset NVR. Thanks!

 

[alastairstevenson]

That firmware is old enough to not have the Hikvision backdoor vulnerability.
Also, it's not new enough to have the 'Inactive' status needed to be able to extract the NVR password via this method, it needs to be between 5.3.0 and 5.4.4
Do you have any other cameras you could use?

 

[iTzaZkrit]

no. Just the one cam and nvr. I guess getting the cam password reset is okay. I could setup a computer to act as a nvr. Would just be nice to utilize the nvr I have fully.

 

[alastairstevenson]

Another method, easier than messing with the serial console, is to apply the same version of firmware as is currently installing using the Hikvision tftp updater tool.
Both available on the forum downloads area.
This would reset the NVR to default settings.

 

[iTzaZkrit]

so if I use the firmware loader to push new firmware, it will reset nvr so I can do a new password? what firmware do I flash to?

 

[alastairstevenson]

what firmware do I flash to?

The 3.4.92 firmware for that E-series NVR can be found in the downloads section here : K41 DS-76xxNI-Ex / DS-77xxNI-Ex NVR firmware - Updates

And the Hikvision tftp updater and instructions are here : TFTPServ

 

[iTzaZkrit]

The 3.4.92 firmware for that E-series NVR can be found in the downloads section here : K41 DS-76xxNI-Ex / DS-77xxNI-Ex NVR firmware - Updates

And the Hikvision tftp updater and instructions are here : TFTPServ

Thanks! I'll give it a try. I noticed the thread is referring to doing this on a camera. I take it I dont have to mess with camera and when its referring to camera, just put in info for nvr?

 

[iTzaZkrit]

I was able to get password reset by using TFTP to reflash current firmware. Thanks for all your help!

 

[alastairstevenson]

The tftp updater works the same way on Hikvision cameras and NVRs.

Essentially :
Drop the tftp updater files and the digicap.dav firmware file into a folder on the PC.
Change the PC IP address to 192.0.0.128
Have the PC and the NVR both wired to the switch/router with the NVR powered off.
Double-click the tftpserve.exe file to start the tftp updater, click OK to the Windows firewall prompt, check that the window shows 'Initiallised on 192.0.0.128'.
Power on the NVR, observe the status of the tftp updater.

Normal would be connect, file transmit, system updated successfully, taking maybe 5 minutes or so.
Close down the tftp updater.
Power cycle the NVR after a couple more minutes.
At that point SADP should find it in an 'Inactive' state where you set your own strong password to 'Activate' it.

**edit** Just saw your success post.
Well done!

 

[ceba1962]

It's not a link - it's from a program from some code I have on my Linux machine.

If you do manage to get the configurationFile - and that does depend on the camera having a vulnerable firmware version - I can decrypt and decode the file if you zip it and attach it here.

Hi there, Thanks so much for that information. I would like to recover the password for my hikvion NVR DS-7608NI-ES/8P I followed the instructions. I have attached the configuration file. Is it possible you could drecrypt the password?
Much appretiated
Regards
Carlos/ceba1962
email: xxxxxxxx Obscured for you - we don't want to add to the spam count. alastairstevenson

 

[alastairstevenson]

Is it possible you could drecrypt the password?

Yes, Carlos, no problem.

The admin password for the Back_Shed HIKVISION DS-2CD3345-I - 629946268 camera is
Admin1234