Alternative way of recovering HikVision NVR password

[alastairstevenson]

I'm not sure whether my config file is ok as I was unable to get my camera in an 'inactive' state before plugging it in to the NVR and dumping the config.

Unfortunately - that doesn't work to extract the NVR password. The camera needs to be 'Inactive' so the NVR needs use it's own password to Activate.

When the NVR tries to add a camera under 'Plug&Play', it first tries the original default passwords of 12345 and 123456789abc and if that works OK, which it will when a camera firmware is old enough not to be 'Inactive' when reset to defaults, it doesn't need to use the NVR password to apply to the camera.
The extracted password for your DS-2CD2032 camera is 12345 - the old default password.

A suggestion though, that will work OK :
Update the camera firmware to 5.3.0 or higher such that when it's reset to defaults, it goes to an 'Inactive' state.
If it's a China region camera, you'll need to convert it to EN to avoid 'bricking' it with the updated firmware.
See the brickfixV2 method here :
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

 

[airborneaussie]

Unfortunately - that doesn't work to extract the NVR password. The camera needs to be 'Inactive' so the NVR needs use it's own password to Activate.

When the NVR tries to add a camera under 'Plug&Play', it first tries the original default passwords of 12345 and 123456789abc and if that works OK, which it will when a camera firmware is old enough not to be 'Inactive' when reset to defaults, it doesn't need to use the NVR password to apply to the camera.
The extracted password for your DS-2CD2032 camera is 12345 - the old default password.

A suggestion though, that will work OK :
Update the camera firmware to 5.3.0 or higher such that when it's reset to defaults, it goes to an 'Inactive' state.
If it's a China region camera, you'll need to convert it to EN to avoid 'bricking' it with the updated firmware.
See the brickfixV2 method here :
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Thanks for the help Alastair - I'll do as you suggested. I haven't played around with this camera for some time.... It was originally a Chinese version cam with firmware 5.2.3 and I somehow managed to flash English firmware 5.1.6 onto it (not sure how I did this exactly). At any rate, I'd love to be able to upgrade it in future with current English firmware without fear of bricking the thing. I'm keenly aware of the backdoor vulnerability that exists with the older Hikvision firmware!

Just to be clear, I should be able to launch straight in to the instructions that you posted in your brickfix thread without fear of causing any grief from the current firmware?

 

[alastairstevenson]

Yes, the camera doesn't have to be bricked before using the brickfixV2 method.
Good luck!

 

[airborneaussie]

Success! (I think....). I did as you suggested - Brickfixed the camera and upgraded to 5.3.0. I then watched the status change using SADP and Voila!

 

[airborneaussie]

One more question.... Am I safe to install camera firmware 5.4 or newer after the password has been extracted from the config file? Will I need to do anything beyond renaming the (new) firmware 'digicap.dav' and completing the steps outlined in your Brickfix post (below)? To confirm, the edits made using the Hex editor during the brickfix process are permanent?

Again - thank you so much for your help. You are a true asset to the Internet and society in general.

How To Upgrade

1. Rename the firmware to digicap.dav
2. Put the firmware under the same folder of this TFTP
3. Set the IP of computer as 192.0.0.128
4. Camera's IP can be anyone.
5. Run the tftpserv.exe
6. Power off and power on the DVR/DVS/IPC. The device will search the new firmware and upgrade it automatically.
7. Please wait until TFTP shows "Device [192.0.0.64] system update completed!" It takes about 5 minutes.
8. Close the TFTP before the camera reboots.
9. DVR/DVS/IPC will restart automatically after upgrading.

 

[alastairstevenson]

Success! (I think....). I did as you suggested - Brickfixed the camera and upgraded to 5.3.0. I then watched the status change using SADP and Voila

Looking good, well done!

The password for admin is
boebs7gg
Hopefully that will be what the NVR uses also.

 

[alastairstevenson]

One more question.... Am I safe to install camera firmware 5.4 or newer after the password has been extracted from the config file?

Yes, you can fully update, to the 5.4.5 or 5.4.41 version.
Maybe easiet to just use the camera web GUI to do that.

 

[airborneaussie]

Looking good, well done!

The password for admin is
boebs7gg
Hopefully that will be what the NVR uses also.

Success!

Thank you again Alastair. I hereby declare you the winner of the Internet for today

 

[alastairstevenson]

Excellent!
It's always good to get a positive outcome.

 

[venuebo]

Well I got this far, I hope and think that I have the configuration file correctly saved... Password Help? Please and thank you!

 

[alastairstevenson]

I hope and think that I have the configuration file correctly saved

Yes, you did.

The password for admin on the 'REPAIR E audio' HIKVISION DS-2CD2532F-IS - 572053283
is
Dexter11
Hopefully this will also be the NVR's own password.

 

[Oleglevsha]

Well I got this far, I hope and think that I have the configuration file correctly saved... Password Help? Please and thank you!

I remind you that you can find out your forgotten password yourself by using the configurationFile decryption form on my blog page.

 

[jase_31]

I am trying to work out the password for my DVR. I have 2CD2146G2-ISU camera with firmware 5.5.130. I cannot there use the exploit method. Can I downgrade the firmware on this model? What do I need to download.

Once the camera is flash back to a earlier version, will it copy the admin password from the NVR to the camera - which can then be read from the camera?

 

[alastairstevenson]

I have 2CD2146G2-ISU camera with firmware 5.5.130. I cannot there use the exploit method. Can I downgrade the firmware on this model?

Unfortunately - neither that version of firmware nor that camera series has the specific security vulnerability that supports this 'trojan horse method' of recovering the NVR password.
Also - quite some time ago, Hikvision introduced a rollback block that inhibits rolling back all but minor versions of firmware.

What's the model of DVR (or NVR)?

 

[jase_31]

DS-7616NI-K2 NVR. Camera DS-2CD2646G2 or DS-2CD2146G2

 

[adrian orozco]

please help, I contacted ezviz and they say they can't help me,
i need to unbind this ipcamera
CS-CV310-A0-1B2WFR0120180511CCRRC21026842
date: 2021-04-22 15:55:50
note: i already tried to use the Hikvision Camera Password Reset Utility with no luck

 

[alastairstevenson]

i need to unbind this ipcamera

Have you checked to see if the camera firmware allows that using SADP?

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.

ipcamtalk.com

 

[adrian orozco]

Have you checked to see if the camera firmware allows that using SADP?

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.

ipcamtalk.com

yes you can

 

[alastairstevenson]

yes you can

OK, so did it unbind successfully?

 

[adrian orozco]

OK, so did it unbind successfully?

no, I already reset the camera, but the default password doesn't work