alastairstevenson
Staff member
Thanks, and what about this NVR :
Firmware version : V3.4.91build 161220
Device : DS-7616NI-E2/16P
Hello, everyone! I'm trying to recover the admin password of one very old NVR. Here's some background:
Around 2017 a company that no longer exists installed a CCTV system on a site of ours. The system consists of a NVR and a couple of analogue cameras. The NVR is WTR-2008-HDT, branded by a Czech company (Wonderex), but it seems like it's just a branded HikVision. I have no manual for the specific NVR.
I have an user access to the NVR and it seems to run the following software versions:
Firmware Version: V3.3.2 build 160427
Web Version: V4.0.1 build 150925
The NVR is succesfully found with SADP, but I'm unable to change the password with a code as all the SADP builds I tried expect a XML file and not an unlock code.
Any ideas?
Around 2017 a company that no longer exists installed a CCTV system on a site of ours. The system consists of a NVR and a couple of analogue cameras. The NVR is WTR-2008-HDT, branded by a Czech company (Wonderex), but it seems like it's just a branded HikVision. I have no manual for the specific NVR.
I have an user access to the NVR and it seems to run the following software versions:
Firmware Version: V3.3.2 build 160427
Web Version: V4.0.1 build 150925
The NVR is succesfully found with SADP, but I'm unable to change the password with a code as all the SADP builds I tried expect a XML file and not an unlock code.
Any ideas?
Сброс пароля Hikvision
Сброс пароля Hikvision - все подробности в блоге компании ALARMSYSTEM, системы безопасности и видеонаблюдение в Волгограде и области.
alarmsystem-cctv.ru
Ibrahim1212
n3wb
hello so i did everything and tried the tool, i got my key and used it and it tells me reset password succeeded but even after i use the password i created on log in page of my dvr or sadp tool admin password it still tells me im using the wrong password. please i need help
cheynestoker
n3wb
Hey,
Sorry, very new to this.
what is the trojan horse method?
My NVR software version is V3.0.15build 150528 so it is safe to assume the cameras are just as old.
alastairstevenson
Staff member
Due to a security vulnerability, many cameras with firmware version 5.4.0 or earlier will export their configuration file via the web GUI without requiring credentials.
That file is encrypted and XOR encoded, but is readily decrypted and decoded to reveal the admin password in plain text.
OK, so what's that got to do with the NVR lost admin password?
Historically, NVRs with the PoE ports set in the default Plug&Play mode will 'activate' an 'inactive' camera that gets connected to a PoE port by using the NVR admin password. So the camera admin password is now the same as that of the NVR.
Newer NVR firmware (after Hikvision read about this neat trick here on ipcamtalk) now has an option for a separate, camera-specific password for activation under Plug&Play.
So, in summary :
Take a camera with firmware of 5.4.0 or earlier and reset it to default settings so it's 'inactive'.
Connect it to an NVR PoE port so the NVR 'activates' it.
Pull the camera configuration file using the specific URL that does not require authentication.
Decrypt and decode the configuration file to reveal the camera admin password, which is usually also the NVR admin password.
cheynestoker
n3wb
Hey Alastairstevenson,
Thank you for the info there that helped a lot.
I have uploaded my configuration file if you would be so kind as to help with the password.
I tried the link somebody else posted a while back (looks like a russian link) but it says it cannot proceed.
If you could help me with this it would be greatly appreciated.
Thank you,
Cheynestoker
alastairstevenson
Staff member
The password for admin for both the Room Two South camera and NorthEast Side camera is
asdf1234
Interestingly, this is a password that used to be used when cameras exposed to the internet were hacked and their password changed.
asdf1234
Interestingly, this is a password that used to be used when cameras exposed to the internet were hacked and their password changed.
cheynestoker
n3wb
Oh, that is interesting, we bought the house a year ago and only just connected everything, it had been sitting there left by the previous tenants
The strange thing here though is in the SADP tool I can't use asdf1234 as the administrator password, it comes up "editing network parameters failed 2009 device refused parameters"
The NVR doesn't accept it as the password either :/
alastairstevenson
Staff member
When I'm back later today let me recheck the workings to be sure I didn't transcribe it incorrectly.
alastairstevenson
Staff member
Is the PC that SADP is running on connected to an unused NVR PoE port, assuming the camera is also connected to an NVR PoE port?
cheynestoker
n3wb
yeah, i had it directly connected to the poe port on the back
i did it again from my PC in another room by just changing the IP address on the pc as the switch was connected to the poe port
I reconnected all but one camera so I could still have it connected to the switch allowing me to access from my pc downstairs.
i got the password 12345, with that it lets me edit the cameras but sadly, not the nvr.
i got the 12345
I am thinking I may need to try flashing the firmware by USB if that is possible.
edit: added the extra files, something else I just noticed, in the original file I uploaded, there are two admin and passwords. The one at the end (admin asdf1234) and just before where it says main stream profile_1 there is another admin password there too (admin 12345).
edit2: weirdly, all cameras accept the 12345 password the first one i sent has locked me out, but the NVR doesn't accept either password.
Last edited:
alastairstevenson
Staff member
Yes, that's pretty normal in the plaintext version of the configuration files.
One of them is the default value to use when reset.
But the format of the files does vary with the firmware version.
In the 7 files from your last configurationFile attachment, there is just one reference to admin in each, and all have 12345 set as the password, as follows :
lounge 12345
side yard 12345
back area 12345
driveway 12345
garage 12345
bus stop 12345
upstairs hall 12345
A suggestion :
With the hope that the NVR PoE ports are configured as Plug&Play, and with the PC IP address set to be in the same range as that of the NVR-PoE-port-connected cameras, such as 192.168.254.100
Leave SADP running so it can show the status, maybe needing the refresh button pressed to update this.
Reset one of the cameras to Inactive either via the web GUI of one you can log in to, or if I remember correctly the DS-2CD2032 has a reset button at the back (power off, keep the button pressed, power on, leave the button pressed for about 30 seconds).
With luck the NVR will 'activate' the camera.
Then pull the configuration file to see what the NVR used to 'activate' it.
I hope that makes sense.
alastairstevenson
Staff member
There is something I just remembered that I should have realised earlier - I should have asked what version of firmware SADP is showing for the cameras.
Firmware older than 5.3.0 does not have the inactive/active status after having been reset to default values. It just has the old fixed password of 12345 or 123456789abc as the default.
When a camera is first connected to an NVR PoE port in Plug&Play mode - it first tries these old default passwords.
And if one works - there is no need to move on to 'activating' the camera with the NVR password, so the 'trojan horse' method does not happen.
If the camera firmware is older than 5.3.0 then it needs to be updated to at least that so that a reset to defaults sets it to 'inactive' and the NVR handles it accordingly.
Provided these are not Chinese region cameras (what are the serial numbers, to they contain CH?), a web GUI firmware update to 5.3.0 should work OK.
Note that firmware should be applied in increments.
R0 series firmware can be found here :
www.ipcamtalk.com
Firmware older than 5.3.0 does not have the inactive/active status after having been reset to default values. It just has the old fixed password of 12345 or 123456789abc as the default.
When a camera is first connected to an NVR PoE port in Plug&Play mode - it first tries these old default passwords.
And if one works - there is no need to move on to 'activating' the camera with the NVR password, so the 'trojan horse' method does not happen.
If the camera firmware is older than 5.3.0 then it needs to be updated to at least that so that a reset to defaults sets it to 'inactive' and the NVR handles it accordingly.
Provided these are not Chinese region cameras (what are the serial numbers, to they contain CH?), a web GUI firmware update to 5.3.0 should work OK.
Note that firmware should be applied in increments.
R0 series firmware can be found here :
R0 series DS-2CD2x32x-Ixx IP camera firmware - Updates
cheynestoker
n3wb
Hey,There is something I just remembered that I should have realised earlier - I should have asked what version of firmware SADP is showing for the cameras.
Firmware older than 5.3.0 does not have the inactive/active status after having been reset to default values. It just has the old fixed password of 12345 or 123456789abc as the default.
When a camera is first connected to an NVR PoE port in Plug&Play mode - it first tries these old default passwords.
And if one works - there is no need to move on to 'activating' the camera with the NVR password, so the 'trojan horse' method does not happen.
If the camera firmware is older than 5.3.0 then it needs to be updated to at least that so that a reset to defaults sets it to 'inactive' and the NVR handles it accordingly.
Provided these are not Chinese region cameras (what are the serial numbers, to they contain CH?), a web GUI firmware update to 5.3.0 should work OK.
Note that firmware should be applied in increments.
R0 series firmware can be found here :
R0 series DS-2CD2x32x-Ixx IP camera firmware - Updates
Thank you heaps for your help, I found a random Reddit post from a guy that fixes them and it worked.
On the login screen on the NVR itself you can click in the lower left hand corner to get a code, it is a long number, completely different to the one in sadp. With it we managed to generate a password that let me in (using the cctv superpassword app).
Hikvision USA also sent me the reset file at 3am my time. I honestly thought after hikvision Australia told me to get stuffed that I would have no hope in hell.
It made me reset the default 12345 login for all the cameras too.
Thanks again for all your help with this Alastarstevenson!