I received a used DS-2TD4237-10/V2 from ebay yesterday. I paid $400 plus $25 shipping and $20 tax. The listed price went up to $450 not long after I ordered.
The seller listed this camera as Dahua, but it is clearly made by Hikvision based on the model number.
I've attached the datasheet and user manual for this camera, but here are the highlights:
Thermal Module
* 24v AC 30w (no PoE) Note this takes alternating current, not direct current. This is common on PTZs.
Notes
The ebay seller I got this camera from did not factory reset the camera and did not know the password and did not mention this in the listing. This should not have been surprising, considering the seller did not even know what brand of camera this is. The firmware is too new to have its password extracted or reset by any vulnerability I know about, so Hikvision's official password reset procedure was the only way I could get in. More about that after the snapshots.
Snapshots
Optical Zoom
The last optical snapshot above was fully zoomed out. Here are some at max zoom. Note how the thermal image picture-in-picture overlay is not changing zoom level at all. This camera only supports zooming the optical module.
Resetting the Password
The camera was NOT factory reset by the seller.
It was configured with:
IP address:
Subnet:
Gateway:
Software Version:
DSP Version:
None of the common default passwords I tried worked. So I asked the seller for the login credentials and got a quick response saying they didn't know them. I should have expected as much, given that the seller doesn't even know the brand of camera they were selling. Based on one of the photos included in the ebay listing, I believe these cameras were originally purchased via a system integrator called "LiveView Tech", so it is likely the cameras were only accessed through a proprietary cloud connection and never accessed via their local credentials except by the integrator.
The firmware was too new to use any vulnerability I know of to recover or reset the password, and there was no reset button on the most accessible PCB inside the camera. Luckily, this is a Hikvision camera with a "WR" serial number so the hardest part about following the official reset procedure was finding an up-to-date set of instructions. This procedure works as of 2024 July: How to reset your Hikvision devices password using SADP
Here are the basic steps to reset the password:
1. Get the latest version of SADP software and use its forgot password function to export a so-called "XML file" from the camera.
2. Fill out this web form and attach the "XML file".
3. Wait 3-4 minutes for their automated system to send the response to your email. The response has the file attached that can be uploaded to the camera via SADP complete the password reset.
Once again I question why resetting a password on a Hikvision camera requires contacting Hikvision. This offers no cybersecurity benefit whatsoever. This isn't about security. It is about control.
Datasheet and Manual
I've attached the datasheet and manual for this camera from Hikvision's website.
The seller listed this camera as Dahua, but it is clearly made by Hikvision based on the model number.
I've attached the datasheet and user manual for this camera, but here are the highlights:
Thermal Module
- Resolution: 384 x 288
- Frame rate: 25 FPS
- Field of View: 37.7° x 28.7° (H x V)
- Resolution: 1920 x 1080
- Sensor: 1/2.8" Progressive Scan CMOS
- Field of View: 65.6° to 2.46° (horizontal).
- Frame rate: 30 FPS (NTSC mode), 25 FPS (PAL mode)
* 24v AC 30w (no PoE) Note this takes alternating current, not direct current. This is common on PTZs.
Notes
- The optical module has 32x optical zoom. This is not well indicated on the spec sheet. The thermal module has a fixed lens.
- The optical sensor is pretty typical compared with other thermal hybrids I've seen. It is a bit noisy in low light, substantially worse than a modern low-light sensor. That said, nobody buys a thermal hybrid cam expecting top tier optical performance.
- The camera has pretty bright IR LEDs, as is typical for a midrange PTZ.
- There is no thermal/visible image blending feature. You can consume the two video feeds separately and/or use picture-in-picture mode which doesn't handle aspect ratios well.
- After I got into the camera's web interface, the camera worked but I got errors attempting to change some settings such as the thermal image color palette. A factory reset via the web interface resolved that.
- After a factory reset, some video analytics feature was enabled by default causing the camera to move and zoom in on an object, then a few seconds later return to its original position (repeated every few seconds). I found the responsible feature in Configuration > Event > Smart Event > Dynamic Fire Source Detection > Enable Dynamic Fire Source Detection. It was just false-alarming looking at a cluster of very-slightly warm cables.
The ebay seller I got this camera from did not factory reset the camera and did not know the password and did not mention this in the listing. This should not have been surprising, considering the seller did not even know what brand of camera this is. The firmware is too new to have its password extracted or reset by any vulnerability I know about, so Hikvision's official password reset procedure was the only way I could get in. More about that after the snapshots.
Snapshots
Optical Zoom
The last optical snapshot above was fully zoomed out. Here are some at max zoom. Note how the thermal image picture-in-picture overlay is not changing zoom level at all. This camera only supports zooming the optical module.
Resetting the Password
The camera was NOT factory reset by the seller.
It was configured with:
IP address:
10.0.1.4
Subnet:
255.255.255.0
Gateway:
10.0.1.10
Software Version:
V5.5.12build 200902
DSP Version:
V8.0 build 200901
None of the common default passwords I tried worked. So I asked the seller for the login credentials and got a quick response saying they didn't know them. I should have expected as much, given that the seller doesn't even know the brand of camera they were selling. Based on one of the photos included in the ebay listing, I believe these cameras were originally purchased via a system integrator called "LiveView Tech", so it is likely the cameras were only accessed through a proprietary cloud connection and never accessed via their local credentials except by the integrator.
The firmware was too new to use any vulnerability I know of to recover or reset the password, and there was no reset button on the most accessible PCB inside the camera. Luckily, this is a Hikvision camera with a "WR" serial number so the hardest part about following the official reset procedure was finding an up-to-date set of instructions. This procedure works as of 2024 July: How to reset your Hikvision devices password using SADP
Here are the basic steps to reset the password:
1. Get the latest version of SADP software and use its forgot password function to export a so-called "XML file" from the camera.
2. Fill out this web form and attach the "XML file".
3. Wait 3-4 minutes for their automated system to send the response to your email. The response has the file attached that can be uploaded to the camera via SADP complete the password reset.
Once again I question why resetting a password on a Hikvision camera requires contacting Hikvision. This offers no cybersecurity benefit whatsoever. This isn't about security. It is about control.
Datasheet and Manual
I've attached the datasheet and manual for this camera from Hikvision's website.
Attachments
As an eBay Associate IPCamTalk earns from qualifying purchases.