Hikvision camera admin password reset tool

[alastairstevenson]

After reset i have change two times the admin password,
If i log in with a brouwser i can see live and can configure it

OK, that's good.
You have managed to reset the camera and can apply your own password.
No longer a lost password.

can configure it. but it is not recording.

I think that is a new topic, either already covered (what recording destination?) or the start of a new thread.

 

[Autodelta]

It is now configured with a strong admin password, when i have some time this weekend i want to reset it to default values.
If this not works i will open a new topic.

 

[iTzaZkrit]

Hi. I have a used hikvision setup, 1 cam and a NVR. Its a DS-7604 and a DS-2CD fisheye cam. Previous owner cannot remember nvr password. Firmware details are below. Can any of you guys tell me if I should be able to use the backdoor url to get config file? I tried it, setup ip on same subnet, but getting file not found garbage when I try to go to it. If not, is firmware downgrade on the camera the only way? Thanks!

Camera
DS-2CD6362F-IV
Software Version: V5.0.9build 141009
DSP Build V4.0, build 141027

NVR
DS-7604NI-E1/4P
Software: V3.4.92build 170518
DSP Version V5.0, build 170228

 

[iTzaZkrit]

I was able to reset the camera password using the Password Reset Tool. however, I'm still at a loss as what I can do to reset NVR. Thanks!

 

[Autodelta]

After reinstalling the iVMS-4200 client on my DS-2CD2T85FWD-I5 everything is working now fine, thanks for helping.

 

[Sebastian Duran]

Good afternoon, I don't know if this is the right place to ask but I have a few cameras and an NVR that I need to get into. The models are:

DS-2CD1021-I
DS-2CD1321-I

I tried the program but it tells me "Unauthorized User" which leads me to believe that their firmware is newer.I also extracted the config files for each camera and the NVR.

Are their any new or different methods to crack the password that you guys may suggest?

 

[alastairstevenson]

I also extracted the config files for each camera and the NVR.

If you like I could decrypt and decode the camera configuration files for you to extract the password.
Zip them up and attach here, or in 'Conversations'.

If the cameras were on PoE ports on the NVR, they will likely be using the NVR password if they were added under Plug&Play.

 

[Sebastian Duran]

Here are the config files, thank you Alastair!

 

[alastairstevenson]

Here are the config files

Sorry, but these are not configuration files, these are unlock key request files, to be processed by Hikvision.

What is the firmware version of the cameras, as shown by SADP?
If it is between 5.3.0 and 5.4.4 inclusive, the Hikvision backdoor can be used to extract the configuration files, using this URL :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

 

[Sebastian Duran]

Sorry, but these are not configuration files, these are unlock key request files, to be processed by Hikvision.

What is the firmware version of the cameras, as shown by SADP?
If it is between 5.3.0 and 5.4.4 inclusive, the Hikvision backdoor can be used to extract the configuration files, using this URL :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Roger that, I am going back there tonight and I will double check the firmware.

Also, for future reference, how do I get the config file from a locked camera?
Edit: never mind, did not realize that link WAS to get the config file. Thank you!

 

[Oldman11]

Just another note of thanks to Alastair for his great work. With his help my son was able to "find" his forgotten password on HIK Vision cameras with a build v5.4.5 (after the upgrade in their security when the old back door method was made public)
My son has a system with 16 cameras that were all working but he was un-able to modify secure settings without the password but that is now all fixed!
Good on you Alastair!

 

[CC-100]

Hi I have a Hikvision DS-7616NI-I2/16P that was bought used, and I found that the system was not reset to defaults. I am working with the vendor to recover the original password, but looking for a Plan B in case that fails. I tried using the online generator here to create a reset code, but that was rejected by the NVR.

I also tried the TFTP method which I have successfully used on cameras before. When I try this I tried latest firmware 4.22.005 - the NVR started the TFTP download but never reached the success message and after about 2 mins started the download again - it seems to stay in this 2 min download and try again mode. Next I tried the same version of firmware 4.1.11 (which is what it is running) but get the same result via TFTP, ie a 2 min cycle of startign a download.

Any further suggestions of things I could try?

 

[alastairstevenson]

the NVR started the TFTP download but never reached the success message and after about 2 mins started the download again - it seems to stay in this 2 min download and try again mode.

The Hikvision tftp updater has a 32MB filesize limit - that firmware is a fair bit larger, so it hits the end and restarts.

Any further suggestions of things I could try?

There are a couple of things that should work.

There is the Scott Lamb 'tftp updater' emulator, that does not suffer from the 32MB filesize limit - scottlamb/hikvision-tftpd

And as it's an NVR with PoE ports there is the 'trojan horse method' to extract the NVR password.
This relies on - the NVR PoE ports being in Plug&Play mode and the newish option to not use the NVR password to 'activate' cameras not being enabled.
And that the Inactive camera plugged in to an NVR PoE port has the 5.4.4 or older firmware (ie has the Hikvision backdoor vulnerability) such that the resulting camera password can be extracted by decrypting and decoding the configuration file it can be tricked into giving up.
See this thread :

Alternative way of recovering HikVision NVR password

Hello, I am @Pjlord from Carmel in California, and I am new to this board, but I have been working with a couple HikVision systems for several years now. Hopefully, I posted this in the right forum section. Recently, I purchased a new home which had a HikVision system with 3 cameras installed...

ipcamtalk.com

 

[alastairstevenson]

I have a Hikvision DS-7616NI-I2/16P that was bought used

I wonder if this was the one I watched recently on eBay.

 

[Git-R-Done]

I am having a password issue with an unauthorized Hikvision camera. All cameras were working fine then about a week ago this one stopped connecting due to a password failure. I have tried contacting HikvisionUSA and also tried the backdoor resolution on the first page of this thread. Neither produced any results. The camera model is DS-2CD3145F V5.4.20 build 160726. Is there someone that can send a reset code for this camera?

 

[CC-100]

Worth checking if it has a reset button - usually near the flash card slot. Failing that the TFTP method usually works

 

[alastairstevenson]

this one stopped connecting due to a password failure

If the camera was accessible externally, it might have been hacked.
The hackbots are still active for Hikvision cameras with the backdoor vulnerability and accessible over the internet.
Common passwords changed to are 1111aaaa and asdf1234

If those do not work, for that version of firmware the configuration file can be extracted via the Hikvision backdoor, with this URL, from a browser on a PC on the same subnet as the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

If that works, zip it up and attach here, and I can decrypt and decode it and extract the password for you.

 

[Git-R-Done]

If the camera was accessible externally, it might have been hacked.
The hackbots are still active for Hikvision cameras with the backdoor vulnerability and accessible over the internet.
Common passwords changed to are 1111aaaa and asdf1234

If those do not work, for that version of firmware the configuration file can be extracted via the Hikvision backdoor, with this URL, from a browser on a PC on the same subnet as the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

If that works, zip it up and attach here, and I can decrypt and decode it and extract the password for you.

ALASTAIR, You are the bomb. One of those passwords did the trick. Now how do I prevent this from happening again or to my other cameras??????

 

[alastairstevenson]

ALASTAIR, You are the bomb. One of those passwords did the trick. Now how do I prevent this from happening again or to my other cameras??????

My guess is that UPnP is enabled on the camera and also on the router.
This will allow inbound access to be automatically enabled by any device on the LAN - which is a pretty risky state to be in.
If you have explicitly configured 'port forwarding' on your router - be aware it's a particularly risky thing to do, allowing the entire internet in to your private network.

If you don't need inbound access, disable UPnP on the router, and the cameras.
If you do need inbound access - find out how to set up a VPN service on your LAN.
There are lots of how-tos, and user experiences, on the forum here.

 

[slabbetje]

Hello,

I have a Hikvision HiWatch HWI-D120H model 12/2018.
There is no reset button on the camera. I have also tried the SADP tool.

Nothing is working for my.

The last option is the EXPORT file.
Is there anyone who can give my the Decrypted file ?

Thanks.

Regards.