Down-grade camera to vulnerable firmware

Joined
Aug 18, 2016
Messages
10
Reaction score
0
Hi Guys,

I've got a DS-7608ni-e2/8p NVR, bought from eBay, and believe it to be a Chinese version with EN firmware. Lost the password and cannot access recordings or do anything.
After reading through a lot of forums and threads I think my only option is to downgrade one of my old/spare cameras to the vulnerable firmware, plug it into the NVR and hope that it pushes the config/password etc. onto the camera. Then with the exploit get a copy of the configuration file and decode it, hopefully getting the NVR password, and we are good to go.

Does anyone have the vulnerable firmware for a DS-2CD3345D-I Chinese camera available for download?

Also, I did think about flashing the NVR firmware and starting again, but when I go to plug the cameras back in they will have the wrong (old) password that I don't know and won't connect, correct?

cheers,
Sam
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,980
Reaction score
6,802
Location
Scotland
I've got a DS-7608ni-e2/8p NVR, bought from ebay and believe it to be a chinese version with EN firmware.
If that's the correct model number - the 'NI' suggests it's not a Chinese version. A Chinese version would have 'N' in the suffix.
If not Chinese, you could reset to default settings by using the tftp updater to apply the same version of firmware as is currently installed.
What's the current version of firmware on the NVR?

Also, I did think about flashing the NVR firmware and starting again, but when I go to plug the cameras back in they will have the wrong (old) password that I don't know and won't connect, correct?
Yes, that's correct.
It's a trap that a few have fallen into when doing a factory reset on an NVR with PoE ports.
Did the cameras come with the NVR as a working set?

Does anyone have the vulnerable firmware for a DS-2CD3345D-I chinese camera available for download?
What version of firmware is currently on the camera?
You might be caught by the 'downgrade block' that prevents going down a major version.
Also, I may be wrong - others may confirm - but I think that's a G1 series camera that never started with a backdoor-vulnerable firmware version.
 
Thanks Alastair for your reply mate.
Please see below details of the NVR and also the spare camera I am hoping to down-grade.

The cameras that are plugged into the NVR are purchased separately (so they did not come as a working set). FYI, those cameras are still onsite so I don't have them with me to test etc.

[attachment: 1621798951726.png]

If we can't get the NVR password and we were to purchase a new NVR, we will still be stuck with those cameras being locked out. Surely we don't have to purchase a whole new setup? lol

thanks for your help mate.

Sam
 

alastairstevenson
I'm pretty sure that's not a Chinese NVR.
And I'm pretty sure that camera series doesn't have a vulnerable firmware that could be used to extract the NVR password.
You should be able to reset it by applying the same firmware with the tftp updater.

Before attempting that, is there any chance you can borrow a camera with older firmware, 5.4.0 or earlier?
 
Amazingly, I managed to find an old Hikvision DS-2CD2532F-I with firmware 5.2.0 on it.
After running a quick test to http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK I was able to pull down the config file without needing creds.

So as it's in an active state, do I need to get it to an inactive state by just resetting to factory settings using its web interface?

[attachment: 1621833268376.png]

Once back to factory settings, I can then plug it into the NVR and hopefully it will push the NVR config/password to it?
Then run the backdoor link on the camera to get the config file?
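The request in that test (an auth= query parameter carrying a base64 user:password token, which here decodes to admin:11) is exactly what a defender would want to spot in a web-proxy or IDS HTTP log in front of the camera. The script below is an added example, not part of this thread or of any Hikvision tooling: it parses combined-format access log lines, decodes any auth= parameter that looks like base64 user:secret, and grades a hit higher when the target is the /System/configurationFile endpoint named above. The log lines are constructed, and SENSITIVE_PATHS and the severity labels are my own choices.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Combined-format access log lines, constructed for this example (not real traffic).
# Line 1 is the request form used in the thread; the rest are ordinary noise.
SAMPLE_LOG = """\
192.168.1.50 - - [24/May/2021:10:01:02 +1000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 31234
192.168.1.50 - - [24/May/2021:10:01:10 +1000] "GET /ISAPI/System/deviceInfo HTTP/1.1" 401 0
192.168.1.77 - - [24/May/2021:10:02:30 +1000] "GET /doc/page/login.asp HTTP/1.1" 200 2048
192.168.1.77 - - [24/May/2021:10:02:31 +1000] "GET /doc/page/login.asp?auth=notbase64!! HTTP/1.1" 200 2048
192.168.1.90 - - [24/May/2021:10:03:00 +1000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$')

# Endpoint named in the thread; extend for your own environment (assumption, not a Hikvision list).
SENSITIVE_PATHS = {"/System/configurationFile"}


def query_params(target):
    """Split the query string by hand: '+' is a valid base64 character, so the
    usual parse_qs (which turns '+' into a space) would corrupt the token."""
    params = []
    for part in urlsplit(target).query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params.append((unquote(key), unquote(value)))
    return params


def decode_auth_param(target):
    """Return (user, secret) when the URL carries an auth= value that base64-decodes
    to 'user:secret' (the token in the thread decodes to 'admin:11' plus a newline),
    otherwise None."""
    for key, value in query_params(target):
        if key != "auth":
            continue
        try:
            raw = base64.b64decode(value, validate=True).decode("latin-1")
        except ValueError:          # binascii.Error is a ValueError: not base64
            continue
        user, sep, secret = raw.partition(":")
        if sep and user:
            return user, secret.rstrip("\r\n")
    return None


def scan_access_log(text):
    """Flag requests that smuggle credentials in an auth= query parameter.
    A 200 on a sensitive path means the device actually handed over the file."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        creds = decode_auth_param(m["target"])
        if creds is None:
            continue
        path = urlsplit(m["target"]).path
        status = int(m["status"])
        severity = "high" if path in SENSITIVE_PATHS and status == 200 else "medium"
        hits.append({"ts": m["ts"], "src": m["src"], "path": path,
                     "user": creds[0], "status": status, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Only the decoded user name is kept in the alert; the secret itself stays out of the SIEM record. The 401 on the same path is still reported (as medium) because a refused attempt is the earlier warning.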
 

alastairstevenson
Amazingly, I managed to find an old Hikvision DS-2CD2532F-I with firmware 5.2.0 on it.
Well, that will be useful, you should be able to use it with the 'trojan horse method' of extracting the NVR password.

So as its in an active state, do i need to get it to an in-active state by just resetting to factory settings using its web interface?
Yes, it needs to be in the 'Inactive' state, as shown by SADP.
That 5.2.0 version of firmware uses default passwords as opposed to going 'Inactive' when reset to default settings.
You'll need to update it to at least 5.3.0 to be able to get it into the needed Inactive state.
Often these older cameras are Chinese imports, but your SADP screenshot suggests it's an EN language camera, so a firmware update shouldn't brick it.
Some firmware downloads here:

Don't make too big a jump, I think 5.3.0 should be OK.
 
Hi Alastair,

I managed to upgrade the Cam to the 5.3.0 firmware via TFTP. It became inactive in SADP tool.
I then plugged into the NVR and after a minute the camera picture displayed on the monitor. So it looks like the plug and play piece worked.
I have then run the backdoor config exploit and managed to get a copy of the config file without needing credentials. Is there any way you think you could please work your magic and see if you can get the password from it?

thanks,
Sam
 

alastairstevenson
I managed to upgrade the Cam to the 5.3.0 firmware via TFTP. It became inactive in SADP tool.
I then plugged into the NVR and after a minute the camera picture displayed on the monitor. So it looks like the plug and play piece worked.
I have then run the backdoor config exploit and managed to get a copy of the config file without needing credentials.
Hey, well done!

And ... the password for admin on the HIKVISION DS-2CD2532F-I - 493305936 camera is: Passw0rddddddd
Fingers crossed that's also the NVR admin password - it usually is.
 
Hi Alastair,

Very sad news... that password strangely does not work on the NVR. I must say the password didn't look familiar to me but tried it anyway.
I reset the camera to defaults again and pushed the 5.3 firmware to it. Checked SADP and it was in the inactive state. Opened the camera GUI in the IE browser and it was prompting to create a password (which I did not).
Plugged into the NVR and the plug and play process looked to work again as camera picture appeared on the monitor.
Removed the camera and plugged back into network and accessed the GUI. Logged in with admin and Passw0rddddddd and it logs in... So surely it must be getting that password from the NVR. Is there another hidden user or something other than admin?
Or should I try the 5.4 firmware on the camera?

Really appreciate your help with this, I felt we were going to get this one in the bag!

If there's nothing else to try, would my next options be?
  • Factory reset NVR.
  • Factory reset each IP CAM and plug back into NVR.

thanks,
Sam
 

alastairstevenson
At some point Hikvision realized that just using the NVR admin password to activate cameras under Plug&Play and then being able to extract that password from a camera was not a good scheme.
They added a feature where the NVR could be configured with a password specifically for the cameras.
So it seems the NVR may have been configured by an aware user who made use of this facility.
That's a pity, as I doubt most users would be aware enough to have done so.

It was definitely worth a try.
The next approach is to see what reset facilities are available for the devices.
 

alastairstevenson
Also, I did think about flashing the NVR firmware and starting again, but when I go to plug the cameras back in they will have the wrong (old) password that I don't know and won't connect, correct?
Did you get the other cameras along with the NVR from the same eBay seller?
If so, and they had been connected to the NVR, presumably that extracted password will work on the other cameras.
Then you'd only need to do the tftp updater firmware update on the NVR to reset it back to default settings.
 
Yeah mate, that was my next plan: to just update the NVR first, hoping that password will work for the 4 cameras.
The cameras I got from a different seller, t-maxe on eBay. From the pics on the order it looks like they are the "do not upgrade firmware" DS-2CD3345-I. I've sent a message to him hoping they will have firmware I can use if I need to (if that password doesn't work).

Failing that, a lot learnt in the process.
Either pay the exorbitant amount to the Hikvision resellers of legitimate US cams, or make sure we keep good records of all passwords etc. Had a good 3 years on this NVR though.

Will give it a go this weekend and report back.
 
Hey Alastair,

The tftp updater worked a breeze on the camera I tried resetting. However, using the same method on the NVR doesn't seem to work.
The NVR has a fixed IP address of 192.168.1.70. Does that cause a problem for the tftp client, even though it says the connection is successful?

[attachment: tftp fail.PNG]

I tried using firmware from: DOWNLOAD EU PORTAL (hikvisioneurope.com)
And used NVR_K41_BL_EN_STD_V3.4.98_171121.zip which looks to be the same version as on the NVR. Does that firmware look correct? or have you got a file i should be using?

thanks,
Sam
 

alastairstevenson
The NVR has a fixed IP address of 192.168.1.70. does that cause a problem for the tftp client? even through it says connect is successful?
Unless the serverip address variable has been modified in the NVR bootloader - the IP address it would try to connect with when probing for the tftp updater would be 192.0.0.64 as opposed to the different IP address that's configured for normal running.
From your screenshot it looks like it's skipping the probe completely, and just giving the usual (misleading) Arecontvision probe on bootup.
Your firmware source looks OK.

Sometimes it can take several attempts on an NVR to connect to the updater.

If the NVR just won't connect to the tftp updater, another way to reset is via the serial console.
To hook up to that, you need a couple of items -
A serial TTL to USB convertor such as a PL2303TA-based device.
A wired 4-pin JST ZH connector, usually sold in 10-packs.
Both of which are readily available at low cost on eBay.
 

alastairstevenson
If the NVR just won't connect to the tftp updater, another way to reset is via the serial console.
If you do decide to go down this route - there is a method you could consider that might be quite interesting and useful to extract the needed password.
Just the steps on 'extracting the hardware descriptor block' from this post:
It's a read-only method, doesn't make changes.
 
Looks like I'll have my serial TTL to USB convertor and the JST connectors today.
Originally I was going to just blow the NVR away with the same firmware, right up until you mentioned there's a method of extracting the password from the descriptor block. I had a read through that thread you sent me but I can't seem to find anything that relates to collecting the password from it. It seems to be for changing the language.
Have you got a little more information of getting the password from it? Would love to try that first before i blow the NVR away.
 

alastairstevenson
you mentioned there's a method of extracting the password from the descriptor block.
Certainly the camera passwords can be extracted - and I have to admit I'm speculating a bit about the NVR password, as the 'split camera / NVR password' option isn't something I've explored.
It's possible that it might be squirreled away in an even more hidden place.

But just for completeness, here are the commands at the bootloader to extract the entire flash, which can be analysed in the interest of research.
The extra effort won't take long, and should be interesting.
As per the linked thread - these need a normal tftp server running, and the environment variable serverip set to point to it.
The variable doesn't (and ideally shouldn't) need to be saved as long as the device isn't reset before the tftp commands are issued.

*edit: And I should have indicated that before executing the commands below, a 'sf probe 0' command is required.

Code:
sf read 0x80400000 0x00000 0x10000
tftp 0x80400000 mtdblock0 0x10000


sf read 0x80400000 0x10000 0x20000
tftp 0x80400000 mtdblock1_part1 0x20000


sf read 0x80400000 0x30000 0x20000
tftp 0x80400000 mtdblock1_part2 0x20000


sf read 0x80400000 0x50000 0xFB0000
tftp 0x80400000 mtdblock2 0xFB0000


sf read 0x80400000 0x00000 0x1000000
tftp 0x80400000 flash_all.bin 0x1000000

i cant seem to find anything that relates to collecting the password from it. Seems to be for changing the Language.
You are quite right.
But the device configuration is also held in that flash segment, in compressed form.
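The commands above read the SPI flash in four pieces (the offsets and lengths give the block layout) plus one full-chip read of 0x1000000 bytes. The Python below is an added example, not from this thread or from Hikvision: it regenerates that command list (optionally with the unsaved setenv serverip step the post mentions, with a placeholder server address), checks that the four block reads are contiguous and exactly cover the chip, verifies the per-block tftp files against the full dump so a short transfer is caught before analysis, and scans a block for compressed streams. The post only says the configuration is held "in compressed form" and does not name the compressor, so searching for gzip/zlib headers is an assumption used as a heuristic, and sample_image() plants a gzip blob in a constructed all-0xFF image purely so the scan has something to find.

```python
import gzip
import hashlib
import zlib

# Flash layout implied by the bootloader commands in the post:
# (offset, length, name), where name is the file name handed to tftp.
FLASH_LAYOUT = [
    (0x00000, 0x10000, "mtdblock0"),
    (0x10000, 0x20000, "mtdblock1_part1"),
    (0x30000, 0x20000, "mtdblock1_part2"),
    (0x50000, 0xFB0000, "mtdblock2"),
]
FLASH_SIZE = 0x1000000          # the full-chip read in the post
LOAD_ADDR = 0x80400000          # RAM scratch address used in the post


def uboot_dump_commands(layout=FLASH_LAYOUT, load_addr=LOAD_ADDR,
                        flash_size=FLASH_SIZE, serverip=None):
    """Regenerate the 'sf read' / 'tftp' pairs for a layout, preceded by the
    'sf probe 0' the post's edit says is required.  If serverip is given, a
    'setenv serverip' line is emitted too (not saved with saveenv, as advised)."""
    lines = ["sf probe 0"]
    if serverip:
        lines.append(f"setenv serverip {serverip}")
    for off, length, name in layout:
        lines.append(f"sf read 0x{load_addr:08X} 0x{off:05X} 0x{length:X}")
        lines.append(f"tftp 0x{load_addr:08X} {name} 0x{length:X}")
    lines.append(f"sf read 0x{load_addr:08X} 0x00000 0x{flash_size:X}")
    lines.append(f"tftp 0x{load_addr:08X} flash_all.bin 0x{flash_size:X}")
    return lines


def check_layout(layout, flash_size):
    """The blocks must be contiguous and exactly cover the chip; raises otherwise."""
    expected = 0
    for off, length, name in layout:
        if off != expected:
            raise ValueError(f"{name}: starts at 0x{off:X}, expected 0x{expected:X}")
        expected = off + length
    if expected != flash_size:
        raise ValueError(f"layout covers 0x{expected:X} bytes, chip is 0x{flash_size:X}")
    return True


def split_flash(image, layout=FLASH_LAYOUT):
    """Cut a full flash_all.bin into the per-block pieces: {name: bytes}."""
    check_layout(layout, len(image))
    return {name: bytes(image[off:off + length]) for off, length, name in layout}


def cross_check(image, block_dumps, layout=FLASH_LAYOUT):
    """Compare each slice of the full dump with the separately transferred block
    file.  Returns the names that differ (a truncated tftp transfer is the usual
    cause); an empty list means the two dumps agree."""
    return [name for name, blob in split_flash(image, layout).items()
            if hashlib.sha256(blob).digest()
            != hashlib.sha256(block_dumps.get(name, b"")).digest()]


# Assumption: the post does not say which compressor is used, so gzip and zlib
# headers are searched for as a heuristic.  (magic, kind, zlib wbits)
_MAGICS = [(b"\x1f\x8b\x08", "gzip", 31),
           (b"\x78\x9c", "zlib", 15), (b"\x78\xda", "zlib", 15)]


def find_compressed_blobs(blob, limit=4 << 20):
    """Scan a block for gzip/zlib headers and try to inflate each candidate.
    Only candidates that inflate to a complete stream are reported, as
    (offset, kind, decompressed_bytes); 'limit' caps the output per hit."""
    found = []
    for magic, kind, wbits in _MAGICS:
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            start = pos + 1
            d = zlib.decompressobj(wbits=wbits)
            try:
                out = d.decompress(blob[pos:], limit)
            except zlib.error:      # header matched by chance; not a real stream
                continue
            if d.eof and out:
                found.append((pos, kind, out))
    return found


def sample_image(plaintext=b"<config><user>admin</user></config>",
                 where=0x50000 + 0x1234):
    """Constructed stand-in for flash_all.bin: erased flash (0xFF) with a gzip
    blob planted inside mtdblock2.  Not a real Hikvision dump."""
    image = bytearray(b"\xff" * FLASH_SIZE)
    planted = gzip.compress(plaintext)
    image[where:where + len(planted)] = planted
    return bytes(image)


if __name__ == "__main__":
    img = sample_image()
    for name, piece in split_flash(img).items():
        for off, kind, data in find_compressed_blobs(piece):
            print(f"{name}+0x{off:X}: {kind}, {len(data)} bytes: {data[:40]!r}")
    print("\n".join(uboot_dump_commands(serverip="192.168.1.10")))   # placeholder server
```

Run cross_check() before spending time on the dump: if any block name comes back, re-transfer that block rather than analysing a truncated file. The offsets find_compressed_blobs() reports are relative to the block, so add the block's start offset from FLASH_LAYOUT to locate the same stream in flash_all.bin.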
 