Camera Keeps resetting its own password

Discussion in 'Hikvision' started by razorseal, Jan 6, 2019.

  1. Q™

    Q™ IPCT Contributor

    Joined:
    Feb 16, 2015
    Messages:
    4,289
    Likes Received:
    2,853
    Location:
    Megatroplis, USA
    OK. You can't upgrade Chinese cameras that operate with hacked English firmware without first taking some remedial action. You didn't do that so you have most likely bricked your cameras. But they are not dead, rather they have simply gone into zombie mode which is where they shall stay until Dr. @alastairstevenson comes to make a house call.
     
  2. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    Bummer. I was just reading his thread, and I'm pretty confused. I'm going to have to do some more reading to figure it out. I don't even know how to access the camera now. It's not viewable on SADP.

    @alastairstevenson I need your help brother. LOL

    All my cameras have the CCH, so I guess I have to figure out what actions I need to take to be able to upgrade them.
     
  3. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    I found this guide...

    How to reflash the firmware on Hikvision cameras (Hikvision TFTP procedure) - Security Cameras Reviews

    This is going to take a while. Looks like I need to install one of my ethernet over powerline things to that room/camera and then hardwire it to my network. Then change IP, use TFTP...

    Probably something I'll have to do on my day off.

    In the meantime, I have to figure out how to do the MTD hack...

    This is a lot of work. I need to figure out how to get a VPN up, maybe that'll be easier. lol I have Linksys Velop which doesn't really support any VPNs like OpenVPN etc. it seems.
     
  4. Mike

    Mike Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    2,428
    Likes Received:
    1,570
    Location:
    New York
  5. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    It does sound like it's a CN region camera that has been bricked.
    But don't worry - it's recoverable with a little work. Loads of folk have done it, it's not that bad.
    Just follow the brickfixv2 method that @Mike linked to above.
    The scripting does a lot of the messy stuff for you.
    You'll be fine!
     
  6. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    8,562
    Likes Received:
    5,574
    This is a classic case of how Hikvision hates its customers. Letting the camera accept firmware that by all indications should work, but won't, and they know damn well it won't work because they broke it on purpose.

    Anyway, for Hik cameras I always recommend to leave the firmware as-is, and simply secure the network so they can't be hacked from the outside. Updating the firmware disables the existing password recovery tools, and only protects you until the next major vulnerability is found.
     
    fenderman and Q™ like this.
  7. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    The password recovery tool gets disabled!? So how do you reset a password if you need to?

    I was looking into securing my network. I have disabled UPnP on all cameras and port forwarding was never turned on for any of my cameras on my router. Only Blue Iris and Plex have access via port forwarding on my network. It's something I'll have to look into with a server VPN, but that's beyond my understanding at the moment.
     
  8. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    8,562
    Likes Received:
    5,574
    UPnP is also an option in the configuration of most routers. Check for it there, but be warned Plex might try to use UPnP and so if you disable it at the router you would need to forward ports for Plex manually.

    The password recovery tool exploits the same vulnerability that hackers use to access your camera, so when you update to a firmware version that is no longer vulnerable, you can't use the password recovery tool either.
     
    fenderman likes this.
  9. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    Got it. I'll check my Linksys Velop when I get home. All camera UPnPs are disabled now...

    So how do you reset the password god forbid you forget?

    edit - I think I understand now that I did my research. The "tool" no longer works. The .exe... However, you can still use the thing on the wiki here with the serial number and time of day to reset the password from sadptool. Correct?

    I made my camera inaccessible to the outside world, but I'm sure there is something I may have missed that makes it possible for someone to get in...
     
    Last edited: Jan 7, 2019
  10. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    Me being the curious cat, I started doing some digging... I can't believe how easy it is to "hack" these cameras. I don't even want to call it hacking because it's so easy. All you have to do is go to Shodan and search for a specific string which is on the internet already. Then you use a password reset tool from one of the cameras that you can access and copy paste IP... click get users and there are the users just waiting to be assigned a new password. It's easier than resetting my own password!

    Shame on Hikvision for not seeing this lol.
     
  11. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    The newer firmware has a self-service password reset method by the use of a Security Q&A that the user sets up.
    No need for any 3rd party involvement.

    The older firmware will allow a password reset using the @bp2008 'password reset tool'.

    The in-between firmware has vulnerabilities that can be exploited, the worst of which is the notorious 'Hikvision backdoor' which @bp2008's updated password reset tool makes use of.

    And if that doesn't work you can extract the configuration file, decrypt and decode it and pull out the password.
    If the version of firmware on the camera is older than 5.4.5 try this, see if it demands authentication.
    http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
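
A defensive check for the kind of request shown in the post above, added here as an example and not part of the thread: it scans web access logs for requests carrying an `auth=` query parameter that Base64-decodes to `user:secret` credentials. It assumes a proxy or router in front of the cameras writes common-log-format lines; the sample lines and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2019:03:12:44 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 4096
192.168.1.20 - - [06/Jan/2019:08:00:01 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 1523
198.51.100.9 - - [06/Jan/2019:03:13:02 +0000] "GET /index.html?auth=notbase64!! HTTP/1.1" 404 0
"""

# client, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_auth(value):
    """Return 'user:secret' if value is Base64-encoded credentials, else None."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        text = base64.b64decode(value, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if ":" in text else None

def find_auth_param_requests(log_text):
    """List requests whose query string carries Base64 credentials in 'auth'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, when, _method, target, status = m.groups()
        parts = urlsplit(target)
        for value in parse_qs(parts.query).get("auth", []):
            creds = decode_auth(value)
            if creds:
                # Record the user name only; the secret is not kept in the report.
                hits.append({"src": src, "time": when, "path": parts.path,
                             "user": creds.split(":", 1)[0],
                             "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_auth_param_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 from an address outside the LAN means the camera answered the request and should be treated as compromised.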
     
  12. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6

    ahhh... Gotcha, no more use of any kind of password reset tool. Better remember your security q&a! lol
     
  13. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    I got it up and running with the latest EN fw guys. Thanks!

    Now when I have time, I will do it to the rest of the cameras... but I need to figure out how to do it without a bricked device lol.
     
  14. pozzello

    pozzello Getting comfortable

    Joined:
    Oct 7, 2015
    Messages:
    1,565
    Likes Received:
    467
    Keep in mind that even though you may have found and disabled the cam's UPnP setting which probably allowed the hack, the port remains open on your router until you reboot it or otherwise remove the previously opened port...

    btw, I also once had a Hik bullet which kept reverting to factory settings on its own. Turned out to be a stuck reset switch, addressed with a little cleaning...
     
  15. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    Bricked or not bricked - you can follow the same process, it makes no difference.
    What's important is that you know what the exact model number is so you can get the devType from the list.

    You could if you wished bypass the use of the Hikvision tftp updater by installing the brickfixV2EN or CN firmware via the camera web GUI that is still available.
    But you still then have to do the telnet access and use the normal tftp updater so not a lot saved.

    By the way - the R0 series cameras firmware stops at version 5.4.41 which doesn't have the self-service password reset.
    It's available in the other series with the later firmware.
     
    razorseal likes this.
  16. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    Ahh ok. So instead of doing the thing where I change my computer's ip to .128 to push that brickfixv2, I just install it from the web gui.

    Then I'd just connect to the camera using its own IP via PuTTY and tftp32 to do the MTD hack using the /dav/fixup.sh command?

    I'm not sure what R0 series is then, because I couldn't get 5.4.41 to install. Only 5.4.5... I guess I don't have R0. Is that the thing in HxD where you change a number to 01 or something?
     
  17. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    If that's the camera model, then it's an R0 series and the brickfixv2 method will work OK.
    For China region R0 cameras, generally installing any firmware above 5.3.0 will brick the camera, or give a 'language mismatch error' at the web GUI.

    As the first step, yes you can do that. All it avoids is the need to use the Hikvision tftp updater tool though.

    Not quite - the PC still needs the IP address to be 192.0.0.128 as the camera IP address when running in the 'min-system recovery mode' will be 192.0.0.64 and it will use the 192.0.0.128 address for the tftp server.
    The normally-user-defined IP address only comes into play when the camera is normally booted into valid firmware.

    A DS-2CD2432F-IW model is definitely an R0 camera.

    What you may be thinking of here is the 'language byte' in location 0x10 of the hardware signature, where 02=CN and 01=EN
    But with the 'enhanced MTD hack' to convert to EN / updatable there are a couple of other locations also to adjust, as per the guide.
     
    razorseal likes this.
  18. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    Thanks @alastairstevenson

    I have the same camera somewhere else in my house. That one is like version 5.1.6 or something (def R0 as the OSD weekday is in Chinese lol). That's not bricked however. I guess where I'm confused is, how do I put the camera into "min-system recovery mode" when it's not bricked and just working fine so I can have it listen to 192.0.0.128.

    When I upload that EN (or CN) file from the brickfixv2 folder through web gui, will the camera go into min-system recovery mode?
     
  19. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    You just install the brickfixV2EN.dav firmware from the web GUI.
    It doesn't matter if it's installed via the Hikvision tftp updater tool, or from a working camera web GUI.
    When it executes, on the reboot after installation, it does all the needed tasks - drops the payload, inhibits the downgrade block, installs the fixup.sh script etc and then initiates the reboot into the min-system recovery mode where the /dav/fixup.sh script does its work.

    Yes, it will, on the automated reboot, that's how it's designed to operate.
     
    razorseal likes this.
  20. razorseal

    razorseal Getting the hang of it

    Joined:
    Oct 17, 2014
    Messages:
    149
    Likes Received:
    6
    Awesome, so the install will be the same as I did it before except the 1st part with the Hikvision tftp or whatever it was.

    System will still be listening on 192.0.0.64 though. I can just connect to it without changing my IP then. I'll have PuTTY connect to 192.0.0.64. I will give it a try tonight and see how it works out!

    @alastairstevenson You've been a great help!

    This makes me want to tackle the backyard camera (2CD-2032F-IW) that I have which pretty much stopped working one day. I stopped seeing it even on SADP Tool. I gave up on that one for almost a year now lol....