There are no official documentation on DHIP protocol, what you see about DHIP in "Dahua Console" is 100% reverse engineered. Maybe I should write the protocol specification one day soon. (?)
Dahua Login Bypass Tool - Chrome Extension
- Thread starter bp2008
- Start date
There are no official documentation on DHIP protocol, what you see about DHIP in "Dahua Console" is 100% reverse engineered. Maybe I should write the protocol specification one day soon. (?)
No, that is the official API, Dahua DHIP is their binary protocol - normally on TCP/5000, JSON looks exactly the same as with with http(s), but have totally different entry level in Sonia/Challenge. DHIP seems to be main internal protocol, where DVRIP, HTTP, HTTPS, RTSP... etc ending up. Think I should write down the protocol specification one day and share...
This is amazing.
I have some cut-cord Alibi Security cameras from Ebay that I believe are Dahua clones. They are turrets without a reset button and I don't have the credentials. I tried to run the scripts from the Github but I got the error
Is it possible to modify my local copy of the extension to fill in these fields?
Thanks
I have some cut-cord Alibi Security cameras from Ebay that I believe are Dahua clones. They are turrets without a reset button and I don't have the credentials. I tried to run the scripts from the Github but I got the error
[p2p] EOFError(). The extension doesn't recognize the login page as dahua. The following is the relevant code from the login page:
HTML:
<input type="text" class="in_text" id="userName" onkeypress="LoginPage.check_username(this)" maxlength="32" autocomplete="off">
<input type="password" autocomplete="off" class="in_text" id="password" onkeypress="LoginPage.check_passwd(this)" maxlength="32">Is it possible to modify my local copy of the extension to fill in these fields?
Thanks
In
However this will only enable the extension to perform the login automatically. You could just do the login manually when instructed. If the login fails, then most likely the camera uses different script to actually do the login, so the part that injects the exploit payload into the login transaction won't work.
background.js there is an array named allSelectorSets that tells the extension what user name, password, and login button combinations there are. You'd need to add an element to the array to teach it how to log in with your camera. I don't know what your login button looks like but you could try this which uses a generic button selector and assumes the first <input> element with type="button" on the page will be the login button. It is probably incorrect.
Code:
, { user: '#userName', pass: '#password', login: 'input[type="button"]' }However this will only enable the extension to perform the login automatically. You could just do the login manually when instructed. If the login fails, then most likely the camera uses different script to actually do the login, so the part that injects the exploit payload into the login transaction won't work.
@bashis So how do you actually use method 2? From that my understanding you'll need a browser to sign in, but method 2 doesn't work over http and the password it saves in the dhConsole.json isn't actually a real password, and doesn't work if you try to login in a browser with it. What am I missing?
Exactly, method #2 do not work with http/https (only method #1), it only working when using Dahua's undocumented protocol called 'DHIP'.
- One of the reasons I've released the updated 'DahuaConsole' script. (working with both method #1 and #2)
Regarding passwords in 'dhConsole.json', is actually MD5 hashes of valid password that Dahua using in their /mnt/mtd/Account1[Sec]
- I didn't want to store clear text password in 'dhConsole.json',so the best alternative were to store these Dahua MD5 hashes and reuse them to complete the 'random' MD5 hashes during login.
- Please note now, I use this for connecting multiple Dahua devices in sequence, only to later easily switch between devices - and this will also allow 'unattended' connection(s) that could be used for collecting all 'events'
Hope this will clarify a bit.
To anybody affected by current HACK going on all Dahua Cams and guys who lose their password and cannot recover "admin" account.
There is a way to recover camera and regain access to "admin" account without resetting camera. I wont make it public because it's a new loophole in FW (CVE 344 and 345)
. But anyone from this forum who has problems with regaining access and doesnt want to reset camera - PM me. I will help everyone. But i wont disclose method public because it will give attacker another method of destroying hardware.
There is a way to recover camera and regain access to "admin" account without resetting camera. I wont make it public because it's a new loophole in FW (CVE 344 and 345)
. But anyone from this forum who has problems with regaining access and doesnt want to reset camera - PM me. I will help everyone. But i wont disclose method public because it will give attacker another method of destroying hardware.
Last edited:
It's not the newly published CVE-2021-33046?
Security Advisory - Access control vulnerability found in some Dahua products
CVE-2021-33046 | Dahua IP Camera/PTZ Dome Camera password recovery
This saved me from at least having to rent a boom lift to factory reset 30 cameras at one site I picked us as the old CCTV guys don't want to give anything up (bad breakup). XVR's luckily were the models that have the 888888 user and i can factory reset and add users if needed. and with this I can at least make a second admin and add cameras if XVR ever takes a dump, but sadly you can't factory reset from the GUI either without admin password so only way to factory reset still is manually or with admin password.
Hi bro are using chrome ? I cant use chrome , asking plugin . I was install plugin but asking plugin and I cant login. can you help me ?what I can do?
i have 32 dahua camera which were disconnected because their switch was off, then i changed the password of nvr by email address cuz i don't know the old one, now these 32 cameras have the old password which i dont know it and can't access them, the extension didn't work with them i guess cuz firmware version. can you help me?
this is the model of the camera [DH-IPC-HDW1230t1-S5]
any suggestions please?
i have 32 dahua camera which were disconnected because their switch was off, then i changed the password of nvr by email address cuz i don't know the old one, now these 32 cameras have the old password which i dont know it and can't access them, the extension didn't work with them i guess cuz firmware version. can you help me?
this is the model of the camera [DH-IPC-HDW1230t1-S5]
I recommend pressing the Reset button, as per the manual's instructions "perform factory reset."
Hi, not trying to hijack a thread, i thought this somewhat related
I have a similar problem, I just took over a stores 2 x NV54A24-P24-4k-S2 NVR with 24 channels on each. I scanned and sent the QR code with DMSS and it said it sent the info too the email address ) This store has had a forceful change of management due to some financial irregularities , so its a system that the new management has been locked out. I am temped to look inside the NVR for a hard reset but I will not know the passwords well all be defaulted and I will loose the IP camera info. i have tried to scan the QR code but it sends thee reset to some outlook email that there is no access to.
What would be my best options on recovering system access?
I have a similar problem, I just took over a stores 2 x NV54A24-P24-4k-S2 NVR with 24 channels on each. I scanned and sent the QR code with DMSS and it said it sent the info too the email address ) This store has had a forceful change of management due to some financial irregularities , so its a system that the new management has been locked out. I am temped to look inside the NVR for a hard reset but I will not know the passwords well all be defaulted and I will loose the IP camera info. i have tried to scan the QR code but it sends thee reset to some outlook email that there is no access to.
What would be my best options on recovering system access?
unfortunately this model doesn't have reset button, i have to unscrew it and unscrew board and make a short circuit between two pins which will take so long time and it's risky cuz might do short circuit to something else by mistake and lose the camera.
But thanks for your reply