Hikvision camera admin password reset tool

[alastairstevenson]

Hey, well done!
The current couple of versions of QTS have been a bit troublesome.
And QVRpro has suddenly grown a whole raft of bugs.

 

[Stephenh]

Hey, well done!
The current couple of versions of QTS have been a bit troublesome.
And QVRpro has suddenly grown a whole raft of bugs.

Now he tells me

 

[number8]

I purchased a Hikvision DS-2CD3Q10FD-IW V5.4.3 camera from ebay 3 years ago and have forgotten my password over 18 months ago. I have a few queries:

1. It’s a standalone camera and I don’t know how to interrogate the camera for the date for the password reset tool. It has been powered down for over 18 months. Because its powered down for 18 months does the camera reset to default password?
I originally configure the camera to trigger on motion detection and send me the event by email, however it appears that configuration is lost since it’s been powered down for some time. I was hoping to get the camera date this way.

2. Does the SADP work without a NVR

3 . Is there a limit in number of tries admin-password-reset-tool in entering the date?

I am overly cautious as I have one more try before the camera locks me out or is the password reset tool interrogation independent on the number of failed login tries?

Thanks in anticipation.

 

[alastairstevenson]

I purchased a Hikvision DS-2CD3Q10FD-IW V5.4.3

That version of firmware I think has the Hikvision backdoor vulnerability.
Therefore you should be able to do a password reset using the updated version of the password reset tool here : Hikvision camera admin password reset tool

I don’t know how to interrogate the camera for the date for the password reset tool.

That's for the old version - not the updated one. Take another look at the post.

3 . Is there a limit in number of tries admin-password-reset-tool in entering the date?

Not relevant when using the updated version of the reset tool.

If you want to find out if your forgotten password is rude or embarrassing, your could try extracting the configuration file, zip it up and attach here, and I will decrypt and decode it for you, and extract the password.
Use this URL, see if it works, change the IP address for the actual IP address of the camera (maybe confirmed by usning SADP)
http://192.168.1.18/System/configurationFile?auth=YWRtaW46MTEK

2. Does the SADP work without a NVR

Yes, it does.

 

[number8]

Thanks alastairstevenson

I have just tried running the reset tool and got the following error "The underlying connection was closed:An unexpected error on a received" I have used the http://192.168.1.***/System/configurationFile?auth=YWRtaW46MTEK and try to send it via private message. I hope this is acceptable to you?.

Thanks again

 

[number8]

Thanks alatairstevenson
Just to report you have decoded the file.

Much appreciated

 

[alastairstevenson]

You are welcome.
Glad it worked for you.

 

[levian]

Wow thanks for the tool. I thought my cams stopped working, but turns out someone somewhere changed my passwords... Feeling a bit stupid that i started researching right after I bought new dahua cams to replace them

 

[alastairstevenson]

but turns out someone somewhere changed my passwords...

It sounds like they are accessible from the internet.
Deliberate, or unintentional?
And they must be vulnerable to the Hikvision backdoor exploit for the reset tool to work.

 

[levian]

It sounds like they are accessible from the internet.
Deliberate, or unintentional?
And they must be vulnerable to the Hikvision backdoor exploit for the reset tool to work.

It was over the course of a few months, one of my cam kept going offline, I thought it was just defective because it kept resetting to the default password (12345abc) so I changed it back and it was fine. Eventually I just couldn't access it anymore so I replaced it thinking it failed. Then the next hikvision cam would go offline too... and then the next one as well (I could still see them connected to my router, but didn't think much of it). I just thought hikvision cams I bought on ebay were crap so I went and ordered some dahua cams last week.

And then I just found out about the backdoor exploit. Tried the tool and easily changed the password and all cams were back online.

So yeah I'm still reading on how to make it more secure/disable access to internet
They're all on the V5.2.5build 141201 firmware (DS-2CD3132F-IW). I'm not sure if I can upgrade it since they were bought from ebay (A bit afraid of bricking them ) **edit: Seems a bit too troublesome to upgrade so I'll leave it as is.
I also found out that maybe the wifi was on(?) Apparently can't disable it on this firmware version, the SSID was 'davinci' by default and not secured.
Disabled UPnP on both cams and router
Disabled Telnet, SSH, NTP, P2P, WPS
Cleared DNS server

If I'm missing anything, feel free to let me know

 

[alastairstevenson]

So yeah I'm still reading on how to make it more secure/disable access to internet

It's good that you've accessed the cameras and router web GUI and disabled UPnP.
With that enabled on the router - any UPnP-enabled device on the LAN could configure the router firewall to allow inbound access.

Seems a bit too troublesome to upgrade so I'll leave it as is.

It's pretty straightforward to convert to fiull English and fully update - loads of people have done it :
Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Apparently can't disable it on this firmware version, the SSID was 'davinci' by default and not secured.

Yes, that's the default setting.
It's unlikely to be used an an attack vector - but change the SSID to something cryptic, away from the default.

 

[levian]

Tyvm for the tips, much appreciated!

 

[Shaun Casey]

Hi Guys,

My installer won't provide me with the password to login to my NVR and when I try the code generated by the password reset utility SADP "fails to reset password".

Can someone please help? Am I doing something wrong?

Hikvision DS-7104HGHI-F1 - running software version v3.4.84build 170626
Start Time 2018-09-21 20:32:14

I've uploaded the XML file.

Thanks in advance

 

[bp2008]

I don't know of a publicly available password reset tool for the XML file reset method. It might be possible to factory reset your NVR via a button or something inside it, or by sending it new firmware via the TFTP method. I am not an expert in these matters like alastairstevenson is ... he can probably tell you more.

 

[Shaun Casey]

I don't know of a publicly available password reset tool for the XML file reset method. It might be possible to factory reset your NVR via a button or something inside it, or by sending it new firmware via the TFTP method. I am not an expert in these matters like alastairstevenson is ... he can probably tell you more.

No worries - any ideas why SADP/my DVR doesn't like the codes generated by the password reset tool? Hopefully alastairstevenson can help.

 

[bp2008]

Firmware is too new. The reset code method is years old now.

 

[alastairstevenson]

by sending it new firmware via the TFTP method.

Whilst not having tried it on that specific DVR model - on all the cameras and NVRs I've seen, the Hikvision tftp updater resets the device to factory defaults and usually can be used as a last-ditch password reset method for firmware that's too new for the 'Hikvision backdoor exploit'.

 

[LightningNZ]

Hi Team, I have 3 DS-2CD2342WD-I cameras and a DS-7604NI-E1/4P NVR, all from April this year purchased at AliExpress. I was only able to install them now and have unfortunately relised I don't have the passwords as the passwords provided by the vendor are all wrong. The Firmware on the Cams is V5.5.0 and the NVR V3.4.98. What are my options to get the passwords, as I understood the new Firmwares you are out of luck with the current tools. Thanks for your help.

 

[alastairstevenson]

What does SADP show for their status?
Active or inactive?

 

[LightningNZ]

Hi Alastair, they show as active