Alternative way of recovering HikVision NVR password

sfitz527 said:
How complicated is the process to decrypt the configuration files/is there a way to make that process not too complex?
Click to expand...
It's pretty easy if you are running Linux, or have access to the openSSL tools.
I've posted about the method quite a few times on the forum here, example:

DS-CD2035-1 password changed, hacked or a fault?

Hi, I've lost connection to a couple of Chinese DS-CD2035 (v5.4.0) camera's on my network. I'm not sure how but my password is no longer valid, I've also tried the default 12345 with no luck. I've tried contacting HIKvision, but naturally they're not able to provide a code. Is there anything...
ipcamtalk.com ipcamtalk.com

The link that @Oleglevsha posted about is interesting!
The Russians are pretty smart with their coding abilities, I'm not surprised this has been done.
Though I do wonder if Method 3 has been cribbed from this ipcamtalk thread!
Though I've not tested it yet.

And I can confirm that the passwords quoted above matches what's in the decrypted configuration files.
 
Pjlord said:
Hello, I am @Pjlord from Carmel in California, and I am new to this board, but I have been working with a couple HikVision systems for several years now. Hopefully, I posted this in the right forum section.

Recently, I purchased a new home which had a HikVision system with 3 cameras installed. Unfortunately, the original owner could not remember the password. I need to thank @alastairstevenson for his help in troubleshooting this situation. Here are the details:

System setup:
NVR: DS-7604NI-E1/4P running Software Version V3.4.90build 161008
Cameras: 3 X DS-2CD2342WD-I Running V5.4.5build 170124

Of course, HikVision USA refused to help reset the password as they view the system as a gray market one.

I tried many ways to TFTP into the NVR to no avail as it would not take. I did not have the right tools to connect to the serial COM port on the NVR and I could not use the backdoor trick as the firmware was too new on both he cameras and the NVR. There was no way without the password to extract the configuration file from the camera by using this URL in the browser, replacing the IP address as needed : http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Solution:
After trying quite a few things, and a little bit out of desperation, I decided to downgrade the firmware on one of the cameras to a version prior to 5.4.5 using TFTP.

1) I downgraded the firmware on one of the cameras. I used 5.4.4 build 161125​
2) I then plugged the camera back into the POE port side of the NVR and relied on the Pug-&-Play mode of the NVR which by default uses the NVR password for the cameras. Effectively I watched with SADP the camera go from inactive to active after being plugged in back into the NVR​
3) I then issued the URL command with the right camera IP address to extract the configurationFile: http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
4) @alastairstevenson was then kind enough to help me decrypt the file and extract the camera (and NVR) password.​
5) Voila! … NVR password recovered. I then finally re-upgraded the camera firmware to 5.4.5.​

I hope this can help others that find themselves in the same predicament I was in with my NVR forgotten password. Of course while it worked for me, use at your own risk as YMMV.

Again, many thanks to @alastairstevenson for his help.

Best!
Click to expand...

Background on what I'm trying to do: I dislike the Ezviz NVR / software. I'm building and NVR using a small Ubuntu box and PoE switch. I'd like to use the cameras with alternative software (like ZoneMinder etc.) I'm trying to either reset the admin passwords on my cameras, or recover the original passwords, so I can modify their settings using Hikvision's SADP tool.

I am hoping this admin password recovery exploit will work with my Ezviz cameras (CS-CV110-A1-68R). From what I understand Ezviz and Hikvision are practically the same company. If anyone knows what Hikvision camera model uses the same firmware as my Ezviz CS-CV110-A1-68R that would be tremendous to know.

A few questions about the process:
1. Where to obtain the old firmware and new firmware files?
2. What tool or process was used to flash the firmware on the cameras? Seems like TFTP was used?

Much thanks!

Via SADP:
Firmware v5.5.3 build 180122
DSP v7.3 build 180122
 
Last edited:
Hello,

Hopefully someone here may be able to assit me. I have already DM'd @alastairstevenson , but just in case he is not able to respond, perhaps some here may be able to assist me. I purchased a few seconhand IP camera's from shopgoodwill.com that need thier passwords reset. They are all Hikvision DS-2CD2142FWD-I camera's running Firmware V5.4.5build 170124. Hikvision flat out refuses to assist me, stating that I am in the U.S. and the camera's serial numbers indicate that they were not sold here. I have attached the three most recent XML files from the SADP tool for these camera's as well as the QR codes. You can find the camera's current start dates , keyed on the last 4 digits of each camera's Serial number below. If you require any other information please let me know. I would greatly appreciate any help you can provide me. Thank you!

BTW, I have also tried other methods of resetting the passwords, including modifying the first python script in this incredible post to use a dictionary attack against my camera. It didn't work, neither did the hikxploit due to the firmware being impervious to it. I am not up to snuff on the rules of this forum yet, but if anyone wants that moded script please feel free to DM me.



7039 2020-03-24 18:08:38

7050 2020-03-20 21:20:05

3481 2020-03-24 18:22:35
 

Attachments

Last edited:
daehnomel said:
Hello,
Hopefully someone here may be able to assit me.
Click to expand...
Have you tried this method?

Hikvision backdoor IP camera

Hello With the help of Mr. alastairstevenson and a few instructions ( WormChickenWizard/hikvision-xor-decrypter), I managed to create a tool a few months ago to reset the password of Hikvision IP cameras with firmware 5.4.4 and below. I was a little surprised when I noticed that this tool has...
ipcamtalk.com ipcamtalk.com
 
daehnomel said:
Hello,

Hopefully someone here may be able to assit me. I have already DM'd @alastairstevenson , but just in case he is not able to respond, perhaps some here may be able to assist me. I purchased a few seconhand IP camera's from shopgoodwill.com that need thier passwords reset. They are all Hikvision DS-2CD2142FWD-I camera's running Firmware V5.4.5build 170124. Hikvision flat out refuses to assist me, stating that I am in the U.S. and the camera's serial numbers indicate that they were not sold here. I have attached the three most recent XML files from the SADP tool for these camera's as well as the QR codes. You can find the camera's current start dates , keyed on the last 4 digits of each camera's Serial number below. If you require any other information please let me know. I would greatly appreciate any help you can provide me. Thank you!

BTW, I have also tried other methods of resetting the passwords, including modifying the first python script in this incredible post to use a dictionary attack against my camera. It didn't work, neither did the hikxploit due to the firmware being impervious to it. I am not up to snuff on the rules of this forum yet, but if anyone wants that moded script please feel free to DM me.



7039 2020-03-24 18:08:38

7050 2020-03-20 21:20:05

3481 2020-03-24 18:22:35
Click to expand...


Most of the dome cameras have a reset button inside. Just take off the dome and it should be on the mainboard of the camera. It is just a simple momentary switch. Once you find it then do the 30-30-30 method.

First 30 sec just be pushing down the button
Second 30 sec - Unplug the power while holding down the button
3rd 30 secs - Plug the power back in while holding down button
Then let go of the button and the camera will click and reboot. In about 30-45 seconds it will be in the inactive state.

Hope this helps!
 
spear0815 said:
I've done a reset of the cam and let the NVR configure the cam.
Click to expand...
That should be OK then, provided that the NVR password is still the one it uses when activating a camera.
The newer firmware has the option for a separate camera activation password.

The password of the camera now is :
Yamaha94
 
backjack said:
Took me a while as I had to get an ethernet adaptor to my laptop. The firmware on it is V5.4.0build 160511
Click to expand...
Go to the following IP address in your browser
http://camera_ip/System/configurationFile?auth=YWRtaW46MTEK
Where, camera_ip - IP address of the camera. You can find out IP using the SADP program
If you are lucky, then the configurationFile is downloaded, it has no extension

Then attach this file here, or follow the link that I sent above
 
  • Like
Reactions: alastairstevenson
backjack said:
I tried that but it didn't connect. Does a pop appear to download the file or does it just download into desktop
Click to expand...

The file should automatically download. Send the line you used
 
You must log in or register to reply here.
Top Bottom