Hikvision camera admin password reset tool

What I did:
1) hooked up all cameras to the NVR
2) connected the LAN port to my internet router
3) connected a Video port to my internet router
4) installed iVMS
5) Started iVMS and set a users

When I looked at the SADP tool the cameras came online as inactive and then automatically activated
 

Attachments

  • Capture4.PNG
    Capture4.PNG
    39.7 KB · Views: 18
Last edited:
OK, quick update, I was able to get everything going. I pieced the solution together from a lot of information found here.

1) the NVR -> I was able to access the NVR directly, I probbably had set a passwor a while ago when I installed the HDD, but I forgot it. However I was able to log in and reset the NVR to defaults, which allowed me to then reactivate the NVR once it came up again.
2) The Cameras -> Firmware 5.5. I downloaded the same firmware and the TFTP utility and flashed them manually. Again that reset the whole camera and I was able to activate them with a new password. So back to normal again.
Now the setup fun begins.
Cheers.
 
I've just published a new reset tool that exploits this vulnerabilityto achieve the reset. It should work on firmwares that are too new to use the old reset code method, but old enough to not have this backdoor patched yet.

I've edited the first post of this thread with details and the download link.

Thank you for this!!!!
Worked for my camera, DS-2CD6412FWD-20 20160516CCWR602147169, with 5.3.4 FW a surveillance peephole type camera installed in my front door. Nice not having to email Hikvision every time it gets dimentia!! An annoying random event.
Will not be upgrading the FW so I can use this reset tool. Might brick the camera anyway if it's a Chinese cam.

But, the bigger question is are the new Hikvision cams having this reset problem as well?
 
An annoying random event.
A common cause for this type of symptom is when external access is allowed to the cameras and an internet bot messes with the camera by exploiting the 'Hikvision backdoor' vulnerability that's in that version of firmware. There are also brickerbots that try to brick the camera, not just change the password.

External access would be possible if 'port forwarding' has been explicitly configured on your router so you can access when away from home, or inadvertently when UPnP is enabled on the router, and the camera, where it is enabled by default.
If you don't think there should be any external access, you can easily check using a service such as ShieldsUp! GRC | ShieldsUP! — Internet Vulnerability Profiling
Do the full port scan,. not the UPnP check.

But, the bigger question is are the new Hikvision cams having this reset problem as well?
Firmware versions after 5.4.41 are not vulnerable to the Hikvision backdoor, and don't spontaneously have their passwords reset.

It might be interesting, next time this password problem occurs, to extract a copy of the configuration file, using the backdoor vulnerability.
This does not require a password to do.
Simply put this URL in your browser, replacing the IP address with that of the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
Then zip up the file and attach it here.
We can decrypt and decode it and extract the password.

Alternatively, a common password that the hackerbots set is 1111aaaa
If that works for you - it's a reasonable confirmation the camera has been hacked.
 
A common cause for this type of symptom is when external access is allowed to the cameras and an internet bot messes with the camera by exploiting the 'Hikvision backdoor' vulnerability that's in that version of firmware. There are also brickerbots that try to brick the camera, not just change the password.

External access would be possible if 'port forwarding' has been explicitly configured on your router so you can access when away from home, or inadvertently when UPnP is enabled on the router, and the camera, where it is enabled by default.
If you don't think there should be any external access, you can easily check using a service such as ShieldsUp! GRC | ShieldsUP! — Internet Vulnerability Profiling
Do the full port scan,. not the UPnP check.


Firmware versions after 5.4.41 are not vulnerable to the Hikvision backdoor, and don't spontaneously have their passwords reset.

It might be interesting, next time this password problem occurs, to extract a copy of the configuration file, using the backdoor vulnerability.
This does not require a password to do.
Simply put this URL in your browser, replacing the IP address with that of the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
Then zip up the file and attach it here.
We can decrypt and decode it and extract the password.

Alternatively, a common password that the hackerbots set is 1111aaaa
If that works for you - it's a reasonable confirmation the camera has been hacked.

@alastairstevenson Thanks for that info. I've got some homework to do!
 
Hi all

Hopefully someone here might be able to help us.

A friend has a NVR 7616 and unfortunately when he acquirred the system left in a premises by the previous owner someone has changed the password from the default and there is no way to find it out.

It looked like the box is wanting the XML file method to send away and upload the new tweaked version from HIK, however, is there any way round the XML file method if HIKvision dont/wont get back to us? Is there a way to upgrade/reset the firmware via TFTP?

I seen someone has mentioned you can download the config file off it via TFTP or maybe a internal factory reset switch held whilst powering the system on.

Unfortunately, cant remember the firmware number as it was last weekend and forgot to make a note and only had a quick look at the methods to try reset things.
 
It's possible to reset to defaults using a tftp firmware update, usually to the same version.
But if it is a CN model that will break it.
So you need the full model number, and the existing firmware version, before making any changes.
SADP is your friend for those.

Also - see if the 'lost password' link at the web GUI is new enough to have any security questions set up.
 
Those instructions are reasonably OK.
A couple of comments :
Best to have the PC and the camera / NVR each wired to the usual switch / router, not connected directly together.
Best to power a camera with 12v as opposed to PoE - the timing of PoE connections can be a bit troublesome with the Hikvision tftp updater.
The first time the tftp updater is executed, there should be a Windows firewall 'allow' popup.
Be sure to click OK to allow inbound packets to the tftp updater program.
 
Seems fairly easy then. I read online that the newer firmware has stopped the 192.0.0.128 connection? is that true?

Will the TFTP method work on the latest software should the box have the latest one on it? Just makes it easier for me as I can pre-load the TFTP server onto my laptop and then its just a case of downloading the firmware from hikvision
 
Will the TFTP method work on the latest software should the box have the latest one on it?
For clearing the configuration via the tftp update in case of a lost password it's probably best to stick with the same firmware version as is currently installed.
When updating firmware - it's best to use the web GUI as there is more validation, and a better chance of the configuration database being converted correctly.
 
It’s v3.3.4 build150616. With the IP changed to the local network the router is on. 192.168.1.73 on the nvr

I tried the tftp method and comes up with a econt _Vision-AV2000. Failure

Apparently the NVR tftp different to the cameras?
 
GOt it flashed with the 192.0.0.128 IP on my laptop which has allowed me to create a new password for the NVR once it had booted back up and the pattern, so i guess its completed.

Now just need to add the cameras back on
 
That's a good result, well done.
When you've added the cameras, and configured as needed, you can export both the device and IPC configuration and save the files somewhere safe.
If/when you do upgrade the NVR firmware, there is a good built-in self-service password reset feature that uses several methods.
The 'security questions' method works well.
 
yeah, will get that done.

Struggling to add the cameras at the minute.

The POE ports on the NVR have the address 192.168.254.2-16/24 however I dont know what the camera IP is.

Ive tried plugging it into the back of the router to try see if it auto assigns a IP which i can forward to the POE switch however there is no external power to the camera, just the POE off the NVR so not sure whether the router has enough to power the camera up to allow settings to be changed.

Is there anyway to scan for the cameras whilst the NVR is connected to the router on one network?

I tried the SADP tool, however its just bringing up the NVR device on the network.