Camera Keeps resetting it's own password

OK. You can't upgrade Chinese cameras that operate with hacked English firmware without first taking some remedial action. You didn't do that so you have most likely bricked your cameras. But they are not dead, rather they have simply gone into zombie mode which is where they shall will stay until Dr. @alastairstevenson comes to make a house call.
zombie3.gif
 
Q™ said:
OK. You can't upgrade Chinese cameras that operate with hacked English firmware without first taking some remedial action. You didn't do that so you have most likely bricked your cameras. But they are not dead, rather they have simply gone into zombie mode which is where they shall will stay until Dr. @alastairstevenson comes to make a house call.

Click to expand...

Bummer. I was just reading his thread, and I'm pretty confused. I'm going to have to do some more reading to figure it out. I don't even know how to access the camera now. It's not viewable on SADP.

@alastairstevenson I need your help brother. LOL

All my cameras have the CCH, so I guess I have to figure out what actions I need to take to be able to upgrade them.
 
I found this guide...

How to reflash the firmware on Hikvision cameras (Hikvision TFTP procedure) - Security Cameras Reviews

This is going to take a while. Looks like I need to install one of my ethernet over powerline things to that room/camera and then hardwire it to my network. then change IP, use TFTP...

Probably something I'll have to do on my day off.

In the meantime, I have to figure out how to do the MTD hack...

this is alot of work. I need to figure out how to get a VPN up, maybe that'll be easier. lol I have Linksys Velop which doesn't really support any VPNs like openvpn etc it seems.
 
razorseal said:
Tried updating fw of the camera. Now I no longer can access it... been over 10 minutes. That's a bummer.
Click to expand...
razorseal said:
Let me guess... What I dreaded earlier just happened to me. This is a Chinese fw and I just tried uploading EN fw to it, and bricked it.
Click to expand...

It does sound like it's a CN region camera that has been bricked.
But don't worry - it's recoverable with a little work. Loads of folk have done it, it's not that bad.
Just follow the brickfixv2 method that @Mike linked to above.
The scripting does a lot of the messy stuff for you.
You'll be fine!
 
This is a classic case of how Hikvision hates its customers. Letting the camera accept firmware that by all indications should work, but won't, and they know damn well it won't work because they broke it on purpose.

Anyway, for Hik cameras I always recommend to leave the firmware as-is, and simply secure the network so they can't be hacked from the outside. Updating the firmware disables the existing password recovery tools, and only protects you until the next major vulnerability is found.
 
  • Like
Reactions: fenderman and Q™
bp2008 said:
This is a classic case of how Hikvision hates its customers. Letting the camera accept firmware that by all indications should work, but won't, and they know damn well it won't work because they broke it on purpose.

Anyway, for Hik cameras I always recommend to leave the firmware as-is, and simply secure the network so they can't be hacked from the outside. Updating the firmware disables the existing password recovery tools, and only protects you until the next major vulnerability is found.
Click to expand...

The password recovery tool gets disabled!? So how do you reset a password if you need to?

I was looking into securing my network. I have disabled UPnP on all cameras and port forwarding was never turned on for any of my cameras on my router. only Blue Iris and Plex has access via port forwarding on my network. It's something I'll have to look into with a server VPN, but that's beyond my understanding at the moment.
 
UPnP is also an option in the configuration of most routers. Check for it there, but be warned Plex might try to use UPnP and so if you disable it at the router you would need to forward ports for Plex manually.

The password recovery tool exploits the same vulnerability that hackers use to access your camera, so when you update to a firmware version that is no longer vulnerable, you can't use the password recovery tool either.
 
  • Like
Reactions: fenderman
Got it. I'll check my Linksys Velop when I get home. All camera UPnPs are disabled now...

So how do you reset the password god forbid you forget?

edit - I think I understand now that I did my research. the "tool" no longer works. the .exe... however you can still use the thing on the wiki here with the serial number and time of day to reset password from sadptool. Correct?

I made my camera inaccessible to the outside world, but I'm sure there is something I may have missed and make it possible for someone getting in...
 
Last edited:
Me being the curious cat. I started doing some digging... I can't believe how easy it is to "hack" these cameras. I don't even want to call it hacking because it's so easy. All you have to do is go to shodan and search for a specific string which is on the internet already. then you use a password reset tool from one of the cameras that you can access and copy paste IP... click get users and there are the users just waiting to be assigned a new password. It's easier than resetting my own password!

Shame on hikvision for not seeing this lol.
 
razorseal said:
So how do you reset the password god forbid you forget?
Click to expand...
The newer firmware has a self-service password reset method by the use of a Security Q&A that the user sets up.
No need for any 3rd party involvement.

The older firmware will allow a password reset using the @bp2008 'password reset tool'.

The in-between firmware has vulnerabilities that can be exploited, the worst of which is the notorious 'Hikvision backdoor' which @bp2008 updated password reset tool makes use of.

And if that doesn't work you can extract the configuration file, decrypt and decode it and pull out the password.
If the version of firmware on the camera is older than 5.4.5 try this, see if it demands authentication.
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
 
alastairstevenson said:
The newer firmware has a self-service password reset method by the use of a Security Q&A that the user sets up.
No need for any 3rd party involvement.

The older firmware will allow a password reset using the @bp2008 'password reset tool'.

The in-between firmware has vulnerabilities that can be exploited, the worst of which is the notorious 'Hikvision backdoor' which @bp2008 updated password reset tool makes use of.

And if that doesn't work you can extract the configuration file, decrypt and decode it and pull out the password.
If the version of firmware on the camera is older than 5.4.5 try this, see if it demands authentication.
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
Click to expand...


ahhh... Gotcha, no more use of any kind of password reset tool. Better remember your security q&a! lol
 
I got it up and running with the latest EN fw guys. Thanks!

Now when I have time, I will do it to the rest of the cameras... but I need to figure out how to do it without a bricked device lol.
 
keep in mind that even tho you may have found and disabled the cam's UPNP setting which probably allowed the hack, the port remains open on your router until you reboot it or otherwise remove the previously opened port...

btw, I also once had a hik bullet which kept reverting to factory settings on it's own. turned out to be a stuck reset switch, addressed with a little cleaning...
 
razorseal said:
but I need to figure out how to do it without a bricked device lol.
Click to expand...
Bricked or not bricked - you can follow the same process, it makes no difference.
What's important is that you know what the exact model number is so you can get the devType from the list.

You could if you wished bypass the use of the Hikvision tftp updater by installing the brickfixV2EN or CN firmware via the camera web GUI that is still available.
But you still then have to do the telnet access and use the normal tftp updater so not a lot saved.

By the way - the R0 series cameras firmware stops at version 5.4.41 which doesn't have the self-service password reset.
It's available in the other series with the later firmware.
 
  • Like
Reactions: razorseal
Ahh ok. So instead of doing the thing where I change my computer's ip to .128 to push that brickfixv2, I just install it from the web gui.

Then I'd just connect to camera using its own ip via putty and tftp32 to do the mdt hack using the /dav/fixup.sh command?

I'm not sure what R0 series is then, because I couldn't get 5.4.41 to install. Only 5.4.5... I guess I don't have R0. Is that the thing in hxd where you change a number to 01 or something?
 
razorseal said:
I have a DS-2CD2432F-I(W) with V 5.2.5. I don't recall where I bought it. I believe it was 2015 when i purchased it.
Click to expand...
If that's the camera model, then it's an R0 series and the brickfixv2 method will work OK.
For China region R0 cameras, generally installing any firmware above 5.3.0 will brick the camera, or give a 'language mismatch error' at the web GUI.

razorseal said:
Ahh ok. So instead of doing the thing where I change my computer's ip to .128 to push that brickfixv2, I just install it from the web gui.
Click to expand...
As the first step, yes you can do that. All it avoids is the need to use the Hikvision tftp updater tool though.

razorseal said:
Then I'd just connect to camera using its own ip via putty and tftp32 to do the mdt hack using the /dav/fixup.sh command?
Click to expand...
Not quite - the PC still needs the IP address to be 192.0.0.128 as the camera IP address when running in the 'min-sytem recovery mode' will be 192.0.0.64 and it will use the 192.0.0.128 address for the tftp server.
The normally-user-defined IP address only comes into play when the camera is normally booted into valid firmware.

razorseal said:
I guess I don't have R0.
Click to expand...
A DS-2CD2432F-IW model is definitely an R0 camera.

razorseal said:
Is that the thing in hxd where you change a number to 01 or something?
Click to expand...
What you may be thinking of here is the 'language byte' in location 0x10 of the hardware signature, where 02=CN and 01=EN
But with the 'enhanced MTD hack' to convert to EN / updatable there are a couple of other locations also to adjust, as per the guide.
 
  • Like
Reactions: razorseal
Thanks @alastairstevenson

I have the same camera somewhere else in my house. That one is like version 5.1.6 or something (def R0 as the OSD weekday is in Chinese lol). That's not bricked however. I guess where I'm confused is, how do I put the camera into "min-system recovery mode" when it's not bricked and just working fine so I can have it listen to 192.0.0.128.

When I upload that EN (or CN) file from the brickfixv2 folder through web gui, will the camera go into min-system recovery mode?
 
razorseal said:
I guess where I'm confused is, how do I put the camera into "min-system recovery mode" when it's not bricked and just working fine so I can have it listen to 192.0.0.128.
Click to expand...
You just install the brickfixV2EN.dav firmware from the web GUI.
It doesn't matter if it's installed via the Hikvision tftp updater tool, or from a working camera web GUI.
When it executes, on the reboot after installation, it does all the needed tasks - drops the payload, inhibits the downgrade block, installs the fixup.sh script etc and then initiates the reboot into the min-system recovery mode where the /dav/fixup.sh script does its work.

razorseal said:
When I upload that EN (or CN) file from the brickfixv2 folder through web gui, will the camera go into min-system recovery mode?
Click to expand...
Yes, it will, on the automated reboot, that's how it's designed to operate.
 
  • Like
Reactions: razorseal
alastairstevenson said:
You just install the brickfixV2EN.dav firmware from the web GUI.
It doesn't matter if it's installed via the Hikvision tftp updater tool, or from a working camera web GUI.
When it executes, on the reboot after installation, it does all the needed tasks - drops the payload, inhibits the downgrade block, installs the fixup.sh script etc and then initiates the reboot into the min-system recovery mode where the /dav/fixup.sh script does its work.


Yes, it will, on the automated reboot, that's how it's designed to operate.
Click to expand...

Awesome, so the install will be same as I did it before except the 1st part with the hikvision tftp or whatever it was.

system will still be listening on 192.0.0.64 though. I can just connect to it without changing my IP then. I'll have putty connect to 192.0.0.64. I will give it a try tonight and see how it works out!

@alastairstevenson You've been great help!

This makes me want to tackle the backyard camera (2CD-2032F-IW) that I have which pretty much stopped working one day. I stopped seeing it even on SADP Tool. I gave up on that one for almost a year now lol....
 
You must log in or register to reply here.
Top Bottom