"Grey" market camera, forgotten password

v5.4.52 build170572
OK - so that firmware version is just new enough to no longer have the 'Hikvision backdoor' through which the configuration file could have been pulled.

I don't believe that camera model has a reset button.
If not - and as the firmware is I believe just under 32MB filesize - the Hikvision tftp updater if it connects OK will reset the camera to defaults, set it to 'Inactive' so a new password can be set.
Assuming they are not Chinese models running 'hacked to English' firmware.
 
They are Chinese hacked English versions.
Ouch!
So scratch the tftp updater suggestion.
That would either brick them, or turn them to CH menus.

That limits the next move - probably to taking a look at what useful commands if any remain in the bootloader.
For that you'll need -
A serial TTL to USB convertor, such as a PL2303TA-based device.
A 4-pin 1.5mm JST ZH wired connector, usually sold in 10-packs.

When you re-connected to the PoE switch - did the IP address return to an expected value?
 
I've made the TTL cable and have comms in PuTTY. I figured out you have to power the cam separately. I can stop the boot process and I see options for erase bootloaders etc...

What do I do from here? I can't seem to find any firmware for this camera. I've been searching online for hours.
 


U-Boot 2010.06-277604 (May 04 2017 - 19:53:45)

NAND: 128 MB
Hit Ctrl+u to stop autoboot: 0
HKVS # printenv
bootargs=console=ttyAMA0,115200
bootcmd=loadk
bootdelay=3
baudrate=115200
netmask=255.255.255.0
bootfile="uImage"
ipaddr=192.0.0.64
serverip=192.0.0.128
stdin=serial
stdout=serial
stderr=serial
verify=n
mdio_intf=mii
phy_addr=3
ethaddr=64:db:8b:48:47:c8
ver=U-Boot 2010.06-277604 (May 04 2017 - 19:53:45)

Environment size: 305/262140 bytes
HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
ddr - ddr training function
mii - MII utility commands
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
HKVS #
 
If it wasn't a Chinese camera, and given suitable firmware, the update command would be all that's needed.

But that's quite a dumb set of commands remaining in the bootloader.
No flash manipulation commands.

As a slight long shot - try -

setenv bootargs console=ttyAMA0,115200 init=/bin/sh single
saveenv
reset

and see if it boots to a root shell.
 
Not much is happening, it just says

HKVS # setenv bootargs console=ttyAMA0,115200 init=/bin/sh single
Unknown command 'setenv' - try 'help'
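
An added example, not part of any post in this thread: a Python parser for a saved console capture like the ones posted here. It collects the environment, the commands `help` lists, any command the bootloader then rejects (as happened with setenv above) and the erase areas offered; the capture is a constructed excerpt of the thread's output and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the console output posted in this thread.
CAPTURE = """\
HKVS # printenv
bootargs=console=ttyAMA0,115200
netmask=255.255.255.0
ipaddr=192.0.0.64
serverip=192.0.0.128
HKVS # help
erase - erase flash except bootloader area
update - update digicap.dav
printenv- print environment variables
setenv - set environment variables
HKVS # setenv bootargs console=ttyAMA0,115200 init=/bin/sh single
Unknown command 'setenv' - try 'help'
HKVS # erase
Please input the erase area,support: erase env/sysflg/sys0/sys1/app0/app1/cfg0/cfg1/log/all
HKVS #
"""

def parse_session(text, prompt="HKVS #"):
    """Return (env, advertised, rejected, erase_areas) from a saved console capture."""
    env, advertised, rejected, areas = {}, set(), set(), []
    current = None  # command typed at the most recent prompt
    for line in text.splitlines():
        if line.startswith(prompt):
            typed = line[len(prompt):].split()
            current = typed[0] if typed else None
        elif (m := re.match(r"Unknown command '([^']+)'", line)):
            rejected.add(m.group(1))
        elif "support: erase " in line:
            areas = line.split("support: erase ", 1)[1].strip().split("/")
        elif current == "printenv" and "=" in line:
            key, value = line.split("=", 1)  # bootargs itself contains '='
            env[key] = value
        elif current == "help" and (m := re.match(r"(\w+)\s*-\s", line)):
            advertised.add(m.group(1))
    return env, advertised, rejected, areas

def server_on_camera_subnet(env):
    """True if serverip lies inside the subnet given by ipaddr/netmask."""
    net = ipaddress.ip_network(f"{env['ipaddr']}/{env['netmask']}", strict=False)
    return ipaddress.ip_address(env["serverip"]) in net

if __name__ == "__main__":
    env, advertised, rejected, areas = parse_session(CAPTURE)
    print("listed by help but rejected:", sorted(advertised & rejected))
    print("TFTP server", env["serverip"], "on camera subnet:", server_on_camera_subnet(env))
    print("erase areas offered:", areas)
```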
 
How about help erase?

erase config may well reset the config.

I don't think update even with Chinese firmware would touch the config (password) on this model.
 
It comes up with a few options


U-Boot 2010.06-277604 (May 04 2017 - 19:53:45)

NAND: 128 MB
Hit Ctrl+u to stop autoboot: 0
HKVS # erase
Please input the erase area,support: erase env/sysflg/sys0/sys1/app0/app1/cfg0/cfg1/log/all
HKVS #
 
Excellent! That's going to work ok.
I'd held off suggesting the erase command as the description suggested the target was "all flash except the bootloader" which would have broken a Chinese camera with no valid firmware.
My fingers are crossed ...
 
alastairstevenson

watchful_ip



Thank you very much, you 2 have been great help. The cams are now inactive and still in English firmware. Still no clue to the password, but now the plug and play works on the NVR, so hopefully they will have adopted the verify key from the NVR.

Brilliant work guys, my mum will be happy when I install these for her at the weekend on her bungalow.

Never thought I'd be puttying into a camera lol. I was looking for reset points all over the PCBs but couldn't find any on these cameras.

Great work, thanks :D
 
Hello, I see that this thread covers the exact issue I am having at the moment. My question may already be answered above. If it has been, please disregard the redundancy and put it down to my lack of knowledge. I have an NVR and 11 cameras in my system. I have somehow gotten locked out of my entire system. The only camera that I can access is my doorbell cam. I've been going back and forth with Hikvision for a few weeks now and recently found out that my NVR is a gray market version. Can someone help me get back into it again so I don't have to buy a new system? Mine is in the 4.2 version so I'm hoping it is one that has the backdoor access exploit for getting around the pw lockout. I am pretty green, so if someone could spare the time to help me fix this very expensive paperweight I would be eternally grateful. At this point, to be honest, I would gladly pay somebody to help me. I have a security system installer coming on Thursday to replace the NVR if I can't get to the bottom of it before then. Thanks guys. It's a version 4.16 build and a NR32P if that helps.
 