Dahua NVR 4.0 Password Recovery

rapsodi1

Young grasshopper
Joined
Sep 11, 2020
Messages
34
Reaction score
1
Location
turkey
Hello everyone:

I have Dahua NVR4216-16P-4KS2. The password for this device has been forgotten. The e-mail address saved on the device is no longer accessible.

NVR 4.0 firmware is installed on the device.

I tried to downgrade this software to v3. but it does not allow it.
When I upgrade other 4.0 firmware via tftp, the password is not reset.

the device does not have a reset button on its motherboard.

Is there a method for me to recover the password?
 

cmos

Young grasshopper
Joined
Aug 9, 2020
Messages
35
Reaction score
5
Location
usa
Does it have a removable coin battery?
 

cmos

Young grasshopper
Joined
Aug 9, 2020
Messages
35
Reaction score
5
Location
usa
As far as I know, there is no way to recover a lost password. Your only hope is to reset the device to factory and make a new password. There must be a battery somewhere, perhaps soldered on. If a soldered on battery is the case, then the only thing you can do is un-solder the battery and reinstall or short it out for 10 seconds or so. Shorting out a battery is not a good thing as it will shorten its file but if your only other choice is to throw the unit away I guess its worth a shot if you don't have soldering skills. Good Luck.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,173
Reaction score
5,239
Location
Scotland
There must be a battery somewhere, perhaps soldered on. If a soldered on battery is the case, then the only thing you can do is un-solder the battery and reinstall or short it out for 10 seconds or so. Shorting out a battery is not a good thing as it will shorten its file but if your only other choice is to throw the unit away I guess its worth a shot if you don't have soldering skills.
The battery is used to maintain the RTC (real-time clock) while the device is powered off.
The admin password, and all the other configurable items, are stored in the flash memory.
 

cmos

Young grasshopper
Joined
Aug 9, 2020
Messages
35
Reaction score
5
Location
usa
The battery is used to maintain the RTC (real-time clock) while the device is powered off.
The admin password, and all the other configurable items, are stored in the flash memory.
Flash memory or CMOS memory? I know computer motherboards use battery backed up cmos. Removing the battery resets everything. Is there really no way for him to completely reset the device? Seems like an odd design choice.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,173
Reaction score
5,239
Location
Scotland
Flash memory or CMOS memory?
The admin password, and all the other configurable items, are stored in the flash memory.
Seems like an odd design choice.
There are various methods designed in, though they vary with the model and firmware version.
Initiated by clicking the 'Forgot password' link on the login screen -

Reset via email
Reset via pre-configured security Q&A
Reset via scan QR code to get a reset code via email.
But these mostly require that the measures were set up as encouraged by the firmware on initialisation.

Next up with requiring some hardware access -
Reset button internally on the main board.
Serial console access on the main board to use bootloader commands.

Recovery methods -
Re-apply firmware using tftp updater method.

Fun methods -
Hack the device by exploiting a security vulnerability.
 

rapsodi1

Young grasshopper
Joined
Sep 11, 2020
Messages
34
Reaction score
1
Location
turkey
these methods do not work.

Reset via email
Reset via pre-configured security Q&A
Reset via scan QR code to get a reset code via email.
But these mostly require that the measures were set up as encouraged by the firmware on initialisation.
The e-mail address entered on the device cannot be accessed, so I have no chance to do this method. :/

Next up with requiring some hardware access -
Reset button internally on the main board.
Serial console access on the main board to use bootloader commands.
Installing firmware via tftp with serial connection. however, the user information remains the same. Because NVR is 4.0. This method would work if I could downgrade the device to V3. however, the device is not downgraded.

btw;
there is an rs232 input on the device. but when i plug usb ttl / serial adapter into it, i read different data
Like "Nq▒? X▒ ▒▒ @ ▒".

very interesting..


Is there any way I can see the user's password via serial connection via putty?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,173
Reaction score
5,239
Location
Scotland
there is an rs232 input on the device.
If that is a DB9 connector on the back panel - it will likely be RS232 and not serial TTL.
In which case you'd need a USB to RS232 convertor, and a null modem cable unless the convertor is already set as a null modem connection.

Connecting an RS232 interface to a serial TTL convertor is likely to damage the convertor, it uses up to 15v bipolar signals.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,173
Reaction score
5,239
Location
Scotland
The e-mail address entered on the device cannot be accessed, so I have no chance to do this method. :/
I believe the newer firmware (not sure which version) allows the email address to be specified at the time of the QR code based reset request.
 

tomasi

n3wb
Joined
Jan 4, 2021
Messages
5
Reaction score
0
Location
Warsaw
I had very similar model (only without poe). After contact with Dahua helpdesk I sent them my nvr. Apparently you cannot put codes and the reset button is not there. After 1 week I got it back.
 
Top