Alternative way of recovering HikVision NVR password

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
How complicated is the process to decrypt the configuration files/is there a way to make that process not too complex?
It's pretty easy if you are running Linux, or have access to the openSSL tools.
I've posted about the method quite a few times on the forum here, example:

The link that @Oleglevsha posted about is interesting!
The Russians are pretty smart with their coding abilities, I'm not surprised this has been done.
Though I do wonder if Method 3 has been cribbed from this ipcamtalk thread!
Though I've not tested it yet.

And I can confirm that the passwords quoted above matches what's in the decrypted configuration files.
 
Joined
Mar 17, 2020
Messages
3
Reaction score
0
Location
USA
Hello, I am @Pjlord from Carmel in California, and I am new to this board, but I have been working with a couple HikVision systems for several years now. Hopefully, I posted this in the right forum section.

Recently, I purchased a new home which had a HikVision system with 3 cameras installed. Unfortunately, the original owner could not remember the password. I need to thank @alastairstevenson for his help in troubleshooting this situation. Here are the details:

System setup:
NVR: DS-7604NI-E1/4P running Software Version V3.4.90build 161008
Cameras: 3 X DS-2CD2342WD-I Running V5.4.5build 170124

Of course, HikVision USA refused to help reset the password as they view the system as a gray market one.

I tried many ways to TFTP into the NVR to no avail as it would not take. I did not have the right tools to connect to the serial COM port on the NVR and I could not use the backdoor trick as the firmware was too new on both he cameras and the NVR. There was no way without the password to extract the configuration file from the camera by using this URL in the browser, replacing the IP address as needed : http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Solution:
After trying quite a few things, and a little bit out of desperation, I decided to downgrade the firmware on one of the cameras to a version prior to 5.4.5 using TFTP.

1) I downgraded the firmware on one of the cameras. I used 5.4.4 build 161125​
2) I then plugged the camera back into the POE port side of the NVR and relied on the Pug-&-Play mode of the NVR which by default uses the NVR password for the cameras. Effectively I watched with SADP the camera go from inactive to active after being plugged in back into the NVR​
3) I then issued the URL command with the right camera IP address to extract the configurationFile: http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
4) @alastairstevenson was then kind enough to help me decrypt the file and extract the camera (and NVR) password.​
5) Voila! … NVR password recovered. I then finally re-upgraded the camera firmware to 5.4.5.​

I hope this can help others that find themselves in the same predicament I was in with my NVR forgotten password. Of course while it worked for me, use at your own risk as YMMV.

Again, many thanks to @alastairstevenson for his help.

Best!
Background on what I'm trying to do: I dislike the Ezviz NVR / software. I'm building and NVR using a small Ubuntu box and PoE switch. I'd like to use the cameras with alternative software (like ZoneMinder etc.) I'm trying to either reset the admin passwords on my cameras, or recover the original passwords, so I can modify their settings using Hikvision's SADP tool.

I am hoping this admin password recovery exploit will work with my Ezviz cameras (CS-CV110-A1-68R). From what I understand Ezviz and Hikvision are practically the same company. If anyone knows what Hikvision camera model uses the same firmware as my Ezviz CS-CV110-A1-68R that would be tremendous to know.

A few questions about the process:
1. Where to obtain the old firmware and new firmware files?
2. What tool or process was used to flash the firmware on the cameras? Seems like TFTP was used?

Much thanks!

Via SADP:
Firmware v5.5.3 build 180122
DSP v7.3 build 180122
 
Last edited:

daehnomel

n3wb
Joined
Mar 24, 2020
Messages
1
Reaction score
0
Location
U.S.
Hello,

Hopefully someone here may be able to assit me. I have already DM'd @alastairstevenson , but just in case he is not able to respond, perhaps some here may be able to assist me. I purchased a few seconhand IP camera's from shopgoodwill.com that need thier passwords reset. They are all Hikvision DS-2CD2142FWD-I camera's running Firmware V5.4.5build 170124. Hikvision flat out refuses to assist me, stating that I am in the U.S. and the camera's serial numbers indicate that they were not sold here. I have attached the three most recent XML files from the SADP tool for these camera's as well as the QR codes. You can find the camera's current start dates , keyed on the last 4 digits of each camera's Serial number below. If you require any other information please let me know. I would greatly appreciate any help you can provide me. Thank you!

BTW, I have also tried other methods of resetting the passwords, including modifying the first python script in this incredible post to use a dictionary attack against my camera. It didn't work, neither did the hikxploit due to the firmware being impervious to it. I am not up to snuff on the rules of this forum yet, but if anyone wants that moded script please feel free to DM me.



7039 2020-03-24 18:08:38

7050 2020-03-20 21:20:05

3481 2020-03-24 18:22:35
 

Attachments

Last edited:

saniaowner

Young grasshopper
Joined
Sep 17, 2019
Messages
61
Reaction score
20
Location
World
Hello,
Hopefully someone here may be able to assit me.
Have you tried this method?
 

lewic

Getting the hang of it
Joined
Mar 12, 2020
Messages
190
Reaction score
76
Location
Texas, USA
Hello,

Hopefully someone here may be able to assit me. I have already DM'd @alastairstevenson , but just in case he is not able to respond, perhaps some here may be able to assist me. I purchased a few seconhand IP camera's from shopgoodwill.com that need thier passwords reset. They are all Hikvision DS-2CD2142FWD-I camera's running Firmware V5.4.5build 170124. Hikvision flat out refuses to assist me, stating that I am in the U.S. and the camera's serial numbers indicate that they were not sold here. I have attached the three most recent XML files from the SADP tool for these camera's as well as the QR codes. You can find the camera's current start dates , keyed on the last 4 digits of each camera's Serial number below. If you require any other information please let me know. I would greatly appreciate any help you can provide me. Thank you!

BTW, I have also tried other methods of resetting the passwords, including modifying the first python script in this incredible post to use a dictionary attack against my camera. It didn't work, neither did the hikxploit due to the firmware being impervious to it. I am not up to snuff on the rules of this forum yet, but if anyone wants that moded script please feel free to DM me.



7039 2020-03-24 18:08:38

7050 2020-03-20 21:20:05

3481 2020-03-24 18:22:35

Most of the dome cameras have a reset button inside. Just take off the dome and it should be on the mainboard of the camera. It is just a simple momentary switch. Once you find it then do the 30-30-30 method.

First 30 sec just be pushing down the button
Second 30 sec - Unplug the power while holding down the button
3rd 30 secs - Plug the power back in while holding down button
Then let go of the button and the camera will click and reboot. In about 30-45 seconds it will be in the inactive state.

Hope this helps!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
I've done a reset of the cam and let the NVR configure the cam.
That should be OK then, provided that the NVR password is still the one it uses when activating a camera.
The newer firmware has the option for a separate camera activation password.

The password of the camera now is :
Yamaha94
 

backjack

n3wb
Joined
Apr 22, 2020
Messages
15
Reaction score
2
Location
Australia
Took me a while as I had to get an ethernet adaptor to my laptop. The firmware on it is V5.4.0build 160511
 

saniaowner

Young grasshopper
Joined
Sep 17, 2019
Messages
61
Reaction score
20
Location
World
Took me a while as I had to get an ethernet adaptor to my laptop. The firmware on it is V5.4.0build 160511
Go to the following IP address in your browser
http://camera_ip/System/configurationFile?auth=YWRtaW46MTEK
Where, camera_ip - IP address of the camera. You can find out IP using the SADP program
If you are lucky, then the configurationFile is downloaded, it has no extension

Then attach this file here, or follow the link that I sent above
 

backjack

n3wb
Joined
Apr 22, 2020
Messages
15
Reaction score
2
Location
Australia
I tried that but it didn't connect. Does a pop appear to download the file or does it just download into desktop
 
Top