Comelit IPNVR125A (HI3535 Chipset) - Password reset

SNAFU

n3wb
Dec 31, 2018
5
0
EU
Hello all,

As a reader, I got some great information from this forum in the past few months, so I have just joined to seek help on my current issue.

Instead of sitting on my hands, I have just inadvertently changed the admin password on my NVR and I have no idea of what it could be now.
Admin is the only user enabled on the NVR.
Now of course I cannot access the NVR settings, neither directly from the local monitor, nor via web GUI, nor via telnet because the latest known and the factory default admin credentials get rejected.
I can only see the live screens on the local monitor and change the screen tile configuration, but I have no access to any other menu item.

The unit is branded as Comelit IPNVR125A, but the chipset board is marked as HI3535_NVR_V1.1.
It is a 25ch unit, with 10 internal + 1 external HDD SATA ports.

While booting, the display shows a splashscreen with a "H. 264 NVR" logo superimposed on a world map.
The login pop up window has the same world map background and a "NVR SYSTEM" logo above the usr and pwd input fields and the login button.

There is a reset button on the front, below the ON/OFF switch. I have already tried to keep it pressed with the NVR on, off and while booting. No result.

I have a firmware file ready to upload on the NVR, but I suspect that the FW would not factory reset the NVR.

The vendor support center is closed until Jan 7th because of the holidays.
I hope someone of you might come up with a solution or an advice before that date.
Thanks in advance and have a happy New Year celebration!

SNAFU
 
I see there are firmware downloads for that model on the UK site.
There are also patches to inhibit telnet.
Did you get a login prompt when you tried the telnet access?

What version of firmware do you have installed?
 
A quick look at the firmware suggests the contents are all app-related and don't include kernel-related items that may be cracking candidates.

But - does the device allow a power-on firmware update without authentication via a USB memory stick?
If so - this MAY suggest that the admin password is reset to blank on the update :
Code:
<patch_all>
    <patch_0 key0="network_config" key1="" key2="" key3="" attr="default_if" patch_type="0" patch_value="LAN1" />
    <patch_1 key0="network_config" key1="LAN1" key2="" key3="" attr="ip" patch_type="0" patch_value="192.168.1.180" />
    <patch_2 key0="network_config" key1="LAN2" key2="" key3="" attr="ip" patch_type="0" patch_value="192.168.2.180" />
    <patch_3 key0="network_config" key1="LAN1" key2="" key3="" attr="gateway" patch_type="0" patch_value="192.168.1.1" />
    <patch_4 key0="network_config" key1="LAN2" key2="" key3="" attr="gateway" patch_type="0" patch_value="192.168.2.1" />
    <patch_5 key0="network_config" key1="" key2="" key3="" attr="preferred_dns" patch_type="0" patch_value="8.8.8.8" />
    <patch_6 key0="network_config" key1="" key2="" key3="" attr="spare_dns" patch_type="0" patch_value="8.8.4.4" />
    <patch_7 key0="network_config" key1="LAN1" key2="" key3="" attr="dhcp" patch_type="0" patch_value="1" />
    <patch_8 key0="network_config" key1="LAN2" key2="" key3="" attr="dhcp" patch_type="0" patch_value="1" />
    <patch_9 key0="resolution" key1="" key2="" key3="" attr="" patch_type="0" patch_value="1280x1024-P60" />
    <patch_10 key0="Language" key1="" key2="" key3="" attr="languageName" patch_type="0" patch_value="English" />
    <patch_11 key0="check_mode" key1="" key2="" key3="" attr="use_local" patch_type="0" patch_value="1" />
    <patch_12 key0="net_host_manager" key1="Device ID" key2="" key3="" attr="enable" patch_type="0" patch_value="1" />
    <patch_13 key0="User" key1="UserInfo" key2="admin" key3="" attr="Password" patch_type="0" patch_value="" />
    <patch_14 key0="ddns_update" key1="" key2="" key3="" attr="ddns_update_interval" patch_type="0" patch_value="720" />
    <patch_15 key0="Ntp_Set" key1="" key2="" key3="" attr="Ntp_Server" patch_type="0" patch_value="europe.pool.ntp.org" />
   

</patch_all>

Also - there does seem to be a user 'default' with blank password. Presumably limited rights though.
 
Hello Alastair,
Thank you for your lightning-fast support! Internet at its best...

The FW link is here:
http://pro.comelitgroup.com/it/modules_cms/ManualeDownload.php?id=133756
This is the same FW I have already running.

BIG STEP AHEAD:
I have managed to find a working pwd generator and I have managed to get in the NVR locally.
Now I am in with admin and a new password.
However, I have spent the last few minutes trying to get in from a PC (on the same LAN as the NVR). I get to the web GUI login page, but the admin pwd I managed to use for local access gets rejected.
Could it be that I have to fill in the "IP combine" AND "MAC combine" in the admin account to get access? Now IP combine is empty and MAC is 0 0 0 0 0 0.
 
I have managed to find a working pwd generator and I have managed to get in the NVR locally.
Wow! Is this a program specific to that NVR?
Could it be that I have to fill in the "IP combine" AND "MAC combine" in the admin account to get access? Now IP combine is empty and MAC is 0 0 0 0 0 0.
Sorry, don't know. Presumably it depends on how that program works.

If you ping the IP address, and then use 'arp -a' you can inspect the MAC address.

By the way - did you get a telnet login prompt when you tried earlier?
 
Yes, at the windows command prompt with "telnet xxx.xxx.x.x" I get a login prompt. I am not sure I have the telnet patch installed yet.
FYI, now the new admin pwd is still not working via telnet either, so I suppose I have to fix the admin LAN access issue first.
 
I am not sure I have the telnet patch installed yet.
That telnet patch replaces the original telnetd with a non-functional one, and kills any running telnet process.
The md5 hash could take a long time to crack, so telnet access is not going to help.

But does the NVR have a USB update mode, that may not require credentials?
 
Just in case you missed in my message above, I managed to get in the NVR with a superpassword generator and I have already set a new admin pwd, so I should be 90% done.
Still have to get accass through the LAN.
 
FYI, after a couple of restarts on the PC and NVR, now everything is running fine again. It might be that the web GUI connection over LAN was not working due to some cached content in the browser.
Thanks for the chat and have a great 2019!