Help me with cracking my forgotten IP camera password. Any firmware download links?

[admindeco]

Hello there. I have ran in some trouble of forgetting my IP cam password. NVR failed after a year so I have to connect the cameras to new NVR. But then I realized that I have forgotten the password at all and there is no reset button. I believe that this camera is from JUAN cctv. The camera is quite old and I cannot find the firmware. I tried the developers software IP Cam Suite but it cannot reset the camera. It can only search it with details. Details by images including similar board is below.

Please help me cracking it or any link for its firmware 1.8.7.56422016. Thanks.

 

[VorlonFrog]

And there's no RESET button, so you could just start over?

Here's a quote from @alastairstevenson that might be helpful:

For those readers who'd be interested (possibly the minority) attached is a transcript of the bootloader command interface - well enough featured to do bad things.
Also a transcript of the serial console on a normal startup.
The firmware originates from JUAN at juanvision.com / juancctv.com
A bit like herospeed in that they supply firmware to other manufacturers.

There is no direct access to a shell - it's protected by a login and I don't know the password.
And I don't have firmware that can be unpacked and the password hash cracked.
But no problem - with serial console access you own the camera, and sure enough, changing the bootargs parameter init=/linuxrc to init=/bin/sh gets us to a command shell.
Then it's just a matter of completing the system initiallisation, mounting a NAS NFS share and pulling out the flash partitions and anything that looks useful.
Such as passwd and passwd-
root:ab8nBoH3mb8.g:0:0::/root:/bin/sh
root:ABgia2Z.lfFhA:0:0::/root:/bin/sh
from which the root password is cracked as helpme and j1/_7sxw
Which works OK.

 

[admindeco]

And there's no RESET button, so you could just start over?

Here's a quote from @alastairstevenson that might be helpful:

Dude, thanks for replying. The new NVR connection is failing if connected to cameras due to invalid password. That is why I need to factory reset or at least know the telnet password to retrieve the actual password. Sure that JUAN CCTV company already fixed that password as I tried it before and it is not working. I believe that the other hash password is decrypted as "helpme" password. Both are not working and I am thinking my camera have a different hash even it is from JUAN CCTV.

I need at least the firmware version as I mentioned to directly look into its password hash. Any support is very well appreciated. Thanks.

 

[alastairstevenson]

I need at least the firmware version as I mentioned to directly look into its password hash

A google search does not yield any hits for that firmware version that could be downloaded for unpacking and cracking.
Do you have an other way to identify the camera?
For example - does SADP see it? JUAN have implemented SADP with weak or non-existent security. It may be worth trying the Hikvision 'batch Configuration Tool' to see if it would do a reset to defaults or admin password change without authentication - DOWNLOAD PORTAL
Does ONVIF Device Manager (even without valid credentials) give any useful info?

 

[admindeco]

A google search does not yield any hits for that firmware version that could be downloaded for unpacking and cracking.
Do you have an other way to identify the camera?
For example - does SADP see it? JUAN have implemented SADP with weak or non-existent security. It may be worth trying the Hikvision 'batch Configuration Tool' to see if it would do a reset to defaults or admin password change without authentication - DOWNLOAD PORTAL
Does ONVIF Device Manager (even without valid credentials) give any useful info?

Hi @alastairstevenson. Thanks for your suggestions. I attached all the screenshots below. I think I have used a SADP tool before but cannot search my camera. I tried also the one you suggested but no avail. Onvif device manager shows the same details and I include the web page login.

I have tried to install iSpy software. Selected JUAN/Other from the list of camera and leaving username and password blank. Successfully I have a video stream, but I need full access by resetting the camera because have to connect it to the NVR. I have read that iSpy developers embedded the JUAN cctv camera settings inside the software. Does it mean they know the telnet password, embedded it inside the software so I am getting a video stream? Any chances to find the JUAN cctv settings in iSpy software? Thanks for helping.

 

[alastairstevenson]

Does it mean they know the telnet password, embedded it inside the software so I am getting a video stream?

Probably not, but you could confirm by also seeing if VLC will play the video stream with no authorisation.

The does look like a JUAN login page.
And the firmware version seems like an early one.
Presumably at the web GUI you have tried admin with a blank password?
Using ODM, does the Maintenance menu give the possibility to 'Reset to defaults', even with no logon authorisation?

If you are prepared to take the time to connect to the serial console - you might find that the firmware has the same major flaw that I found in the 2.2.6.5 firmware ...
The serial console is protected by a Login: prompt with (initially) an unknown password.
But the login does not respawn after the maximum of 4 or 5 incorrect passwords - it simply exits, to a full shell (!) at which point full access is available to extract files and make changes.
*edit* Actually - in retrospect, not quite correct. This was only after one of my experimental tweaks. Please ignore this claim.

 

[admindeco]

Probably not, but you could confirm by also seeing if VLC will play the video stream with no authorisation.

The does look like a JUAN login page.
And the firmware version seems like an early one.
Presumably at the web GUI you have tried admin with a blank password?
Using ODM, does the Maintenance menu give the possibility to 'Reset to defaults', even with no logon authorisation?

If you are prepared to take the time to connect to the serial console - you might find that the firmware has the same major flaw that I found in the 2.2.6.5 firmware ...
The serial console is protected by a Login: prompt with (initially) an unknown password.
But the login does not respawn after the maximum of 4 or 5 incorrect passwords - it simply exits, to a full shell (!) at which point full access is available to extract files and make changes.

It is working in vlc with this url: http://admin:@192.168.1.68/snapshot.jpg?user=admin&pwd=
I think any username and password will work even I remove it.

In web GUI I tried all the basic usernames and passwords including admin and blank password. This will surely not work as I changed the password a year ago but now I forgotten it.

In ODM in Maintenance section, any option there will show me a blank error except for "reboot" which I can reboot the camera successfully.

I do not have the materials for a serial connection right now. But as per your findings, files can be modified. Is this means that camera can be factory reset from this procedure?

Any links or guides to do this? Please tell me not to brick the camera. If it is very risky, I may not do the modification and find another way to crack it. Thanks.

 

[alastairstevenson]

Is this means that camera can be factory reset from this procedure?

Yes, but probably not necessary if the firmware behaves in the same way as that in the juanvision camera module I recently looked at.
During startup the serial console lists out all the web GUI logon IDs and passwords in plaintext.

I do not have the materials for a serial connection right now.

Assuming that the camera board has pads with through holes for the serial console connection, all you need is something like a
"serial TTL to USB convertor" - usually a PL2303HX-based one. Very low cost and widely available at your favourite on-line store.

 

[admindeco]

Yes, but probably not necessary if the firmware behaves in the same way as that in the juanvision camera module I recently looked at.
During startup the serial console lists out all the web GUI logon IDs and passwords in plaintext.

You mean connecting by serial will reveal the password that I have forgotten before in plaintext? Any thread or procedure you can guide me for juanvision camera?

Help me also if the 3 holes are the RX/TX/GND pinouts (attached image). Can you confirm? Thank you so much for helping.

 

[alastairstevenson]

You mean connecting by serial will reveal the password that I have forgotten before in plaintext?

It does that on the serial console of the camera module I have that uses JUAN firmware.

Help me also if the 3 holes are the RX/TX/GND pinouts (attached image). Can you confirm?

Yes, those 3 holes certainly look like they could supply the serial console.

Any thread or procedure you can guide me for juanvision camera?

You need a serial TTL to USB convertor, such as a PL2303HX-based one, these are low cost.
Find the COM port that Windows assigns to it. Use PuTTY for the terminal program. Download PuTTY: latest release (0.70)
Create a profile for a serial connection on the found COM port, baud=115200 8 bits no parity.
Connect the serial TTL convertor GND to a camera ground.
You need to figure which signals are on which pads, I don't see any labelling for those.
Connect the RX of the serial TTL convertor to one of the 3 pads, say the middle one.
Power cycle the camera. If you get readable characters, you've found the TX pad.
If not, try the next pad.
Then you can connect the serial TTL convertor to a pad, looking for the RX pad. If it responds to typing, that's it.


It's nothing like as difficult as it might seem.

 

[admindeco]

It does that on the serial console of the camera module I have that uses JUAN firmware.


Yes, those 3 holes certainly look like they could supply the serial console.


You need a serial TTL to USB convertor, such as a PL2303HX-based one, these are low cost.
Find the COM port that Windows assigns to it. Use PuTTY for the terminal program. Download PuTTY: latest release (0.70)
Create a profile for a serial connection on the found COM port, baud=115200 8 bits no parity.
Connect the serial TTL convertor GND to a camera ground.
You need to figure which signals are on which pads, I don't see any labelling for those.
Connect the RX of the serial TTL convertor to one of the 3 pads, say the middle one.
Power cycle the camera. If you get readable characters, you've found the TX pad.
If not, try the next pad.
Then you can connect the serial TTL convertor to a pad, looking for the RX pad. If it responds to typing, that's it.


It's nothing like as difficult as it might seem.

Thank you for your support all the way. I am searching now a local supplier for UART USB to TTL converter and will try what you have instructed. I will update you as soon as I got things up.