HikVision IP Cameras not allowing admin to change the password or reset them. No reset button on the cameras...

GreyLine

Jul 25, 2022
Normally, I can make about anything work when it comes to technology. However, these IP cameras are proving to be a substantial foe. Below is a general overview of my situation. No VLAN setup yet. All but one camera is connected to a switch, the NVR connects to the core switch. Right now, the 2 cameras, noted in red below, are the only ones I am unable to get access to.

Can you help me get on top of this issue so I can actually use the cameras we bought? How can I access the config on each of the cameras if SADP and the Hikvision PW reset tools don't allow me to connect to the cameras?

Thanks!

  • Hikvision DS-7616NI-E2 / 16P NVR - with up to date firmware
  • 12 cameras (10 of which actually work and allow connection)
    • PTZ-4818X-IZ
      • Unable to connect
      • password recovery using the Hikvision Password Recovery tool failed
      • Times out when trying to update the IP and device info - admin password verified on all other cameras
      • SADP can see the camera but am unable to modify its settings or reset the password
      • default IP does not allow connection from any machine neither does the IP listed in SADP...
    • HES328-TD-2.8
    • DS-2CD2122FWD
    • DS-2CD2122FWD-ISB
    • DS-2CD2032-I
    • DS-2CD2122FWD-ISB
    • DS-2CD2032-I
    • DS-2CD2122FWD-ISB
    • DS-2CD2032-I
    • DS-2CD2032-I
    • DS-2CD2032-I
    • DS-2CD2032-I
    • PTZ-4818X-IZ
      • Unable to connect
      • password recovery using the Hikvision Password Recovery tool failed
      • Times out when trying to update the IP and device info - admin password verified on all other cameras
      • SADP can see the camera but am unable to modify its settings or reset the password
      • default IP does not allow connection from any machine neither does the IP listed in SADP...
 
Support was very unhelpful. I opened the camera and dug around for a reset button but found none. I can see the devices in SADP however trying to access the IP to load the GUI fails every time. I tried using the PWD reset feature and it times out, every time. Is there a circuit that I could trace that would allow for a factory reset?
 
Make your life easier and throw those motherfuckers in the River. Some Hik Knock off stuff I have dealt with are less user friendly than the Dahua knock off's I've worked with.
A guy shouldn't have to be a hacker to work a camera.
 
I'd love to... unfortunately, I need 2 more cameras and these are what I have to work with.
 
Try watchfullIP CVE, it might work. Once you are in the shell, run paramReset. It will put the camera into an inactive state.
Going to need more info on this one if I'm going to try it. Honestly, it would be nice if SADP would tell you why it can not connect to the cameras. OR, if there was a way to connect to it directly from a computer... even that would be nice.
 
My introduction to Camera World was buying my Sister in Law a Costco Nightowl system. Turned out to be a Hikvision motherboard on the DVR, and when I stumbled in here, people tried to tell me oh yeah you can stream your NVR to Blue Iris... Well, not that one. Not until a year later when I stumbled across some string of code some Super Geeks had figured out, and by then I was fed up with inferior hardware and bizarro U.I.'s. After learning what was really out there in Camera World... I think I will avoid Hik for my personal purchases going forward.
 
Just one caveman's experience
 
 
Honestly, it would be nice if SADP would tell you why it can not connect to the cameras.
Just in case of any misunderstanding -
These are not Hikvision cameras - they are 'Hikvision compatible'.

This likely means that they are running an internal 'hikserver' process that implements a subset of the Hikvision command & control protocol.
This is usually only useful for making the initial discovery by SADP and the connection to a Hikvision NVR, and won't support the full set of commands.
It also means that the usual useful set of Hikvision security exploits won't work for resetting and gaining low-level access.

  • Unable to connect
  • password recovery using the Hikvision Password Recovery tool failed
  • Times out when trying to update the IP and device info - admin password verified on all other cameras
  • SADP can see the camera but am unable to modify its settings or reset the password
  • default IP does not allow connection from any machine neither does the IP listed in SADP...
What's the IP address as seen by SADP?
What's the IP address of the PC that SADP is running on?
Does the vendor publish any firmware for the device, if so can you link to it?
There may be an SSH or telnet access with a cracked password.
 
Looking at the firmware available on the Vikylin website 1-PTZ-4818X-IZ-firmware-800N2-PTZ-4818X-IZ_5.9.1_210420-VIKVIZ: house keeper, security guard
If it's the right firmware for the model:
The device does indeed run a hik_server module, so it can be more easily integrated into a Hikvision environment.

What happens if you click the IP address for the device on the SADP window itself?
What does SADP show for the HTTP port? It may not be set to the standard of 80.
The web_server module suggests support for ONVIF.
Suggestion - see if the device is found by ONVIF Device Manager (give ODM valid logon credentials) and see if ODM shows a web login screen, as well as live video, and confirm what the published ports are.
 
I purchased the ViKZIV PTZ HIK Vision supported cameras off Amazon second time around. I installed two of them in January with NO Problem. They have performed well. I needed two additional cameras and this time when setting a status IP address and changing the port from 80 to 8010 I could not access the device. I thought I had bricked them. Using the ODM app link found on this forum I was able to hard reset and get back into the units. No matter what I set the port to they default to 8000. I used what I had and now cameras are working with my NVR just fine. I'm just a little disturbed about this last experience. Everything is responding as expected with PTZ controls. Use the ODM to reset.
 
PTZ-4818X-IZ
  • Unable to connect
  • password recovery using the Hikvision Password Recovery tool failed
  • Times out when trying to update the IP and device info - admin password verified on all other cameras
  • SADP can see the camera but am unable to modify its settings or reset the password
  • default IP does not allow connection from any machine neither does the IP listed in SADP...
Going to need more info on this one if I'm going to try it. Honestly, it would be nice if SADP would tell you why it can not connect to the cameras. OR, if there was a way to connect to it directly from a computer... even that would be nice.

Because you have to be on the same IP address subnet for MAC address scanners like SADP to work.

So what is the brand? Because manufacturers and off labels don't run the same IP address scheme.
HIKVISION is 192.168.1.64; some older ones were 192.168.0.64, 255.255.255.0 subnet mask. NVR system is 192.168.254.XXX
Panoeagle version of this camera is 192.168.1.110 default ip 255.255.255.0 subnet mask

What you will need to do is plug the computer directly into the switch or into the camera input of the NVR and assign it a static address that would be in the subnet of the camera.

Then try setting the computer's ip address to the usual default IP pools cameras use, then run SADP after changing to the different default IP pools.
192.168.1.170, subnet 255.255.255.0 or
192.168.0.170, subnet 255.255.255.0 or
192.168.254.170 subnet 255.255.255.0 or
192.168.168.170 subnet 255.255.255.0 or
192.0.0.170 subnet 255.255.255.0

Theoretically you could assign the computer a higher subnet address like 255.255.0.0 with an IP 192.168.254.170 but that is going to take hours to complete a scan.
 
Because you have to be on the same IP address subnet for MAC address scanners like SADP to work.
Not really, it could be an entirely different subnet, as long as broadcast is in both.
Scanners work via broadcast, and each IP in the physical LAN, no matter the subnet (without restrictions), will work just fine.

PoE NVRs are a different story: their NIC2 is a totally different physical network, which can have a connection over a virtual port, aka routing, usually 650XX.
 
Not really, it could be an entirely different subnet, as long as broadcast is in both.
Scanners work via broadcast, and each IP in the physical LAN, no matter the subnet (without restrictions), will work just fine.
I have only had that work 100% of the time when you plug into the POE switch or the NVR's built-in switch. But it fails across a network looking for a camera on the same network. But in those cases I think it's the routers that were used. However, if the camera is plugged into the NVR, the camera inputs on an NVR are not going to be searchable by the network side unless the NVR is configured to have the same IP pool. Which is bad practice.
 
Like I said, NVR PoE is a totally different thing. That's another physical network. And you are right about that part, it won't work as long as you do not connect to that network.

It might work if you enabled Virtual host on the NVR; then you would have access to that network, but limited.
 
I'm just wondering what brand the camera is, because SADP is application specific. On cameras that are not branded Hikvision, I find using a general MAC address scanner like Colasoft MAC Scanner works.
I have bonded the camera switch to the outside network interface before in certain installations where the customer wanted a redundant NVR in a different physical location in the building from the camera's NVR, but in those cases, one NVR was network was connected to the camera's input on the redundant NVR and its IP pool (192.168.254.xxx).
 
To be visible in SADP, the camera has to have HIK_SERVER.

Basically a UDP packet parser that SADP sends to broadcast.


# SADP discovery probe as raw bytes. It is plain ASCII XML:
# <?xml version="1.0" encoding="utf-8"?><Probe>
#   <Uuid>74F1ED37-5E82-43E8-9A61-66FCD32926E2</Uuid>
#   <Types>inquiry</Types></Probe>
packet = bytes([
0x3c, 0x3f, 0x78, 0x6d, 0x6c, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31,
0x2e, 0x30, 0x22, 0x20, 0x65, 0x6e, 0x63, 0x6f,
0x64, 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x75, 0x74,
0x66, 0x2d, 0x38, 0x22, 0x3f, 0x3e, 0x3c, 0x50,
0x72, 0x6f, 0x62, 0x65, 0x3e, 0x3c, 0x55, 0x75,
0x69, 0x64, 0x3e, 0x37, 0x34, 0x46, 0x31, 0x45,
0x44, 0x33, 0x37, 0x2d, 0x35, 0x45, 0x38, 0x32,
0x2d, 0x34, 0x33, 0x45, 0x38, 0x2d, 0x39, 0x41,
0x36, 0x31, 0x2d, 0x36, 0x36, 0x46, 0x43, 0x44,
0x33, 0x32, 0x39, 0x32, 0x36, 0x45, 0x32, 0x3c,
0x2f, 0x55, 0x75, 0x69, 0x64, 0x3e, 0x3c, 0x54,
0x79, 0x70, 0x65, 0x73, 0x3e, 0x69, 0x6e, 0x71,
0x75, 0x69, 0x72, 0x79, 0x3c, 0x2f, 0x54, 0x79,
0x70, 0x65, 0x73, 0x3e, 0x3c, 0x2f, 0x50, 0x72,
0x6f, 0x62, 0x65, 0x3e
])


Once it has parsed the packet and sees it's SADP sending this, it should reply with deviceInfo back to SADP. Quite simple how it works.
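
An added example, not from the thread and not Hikvision's or any vendor's code: a receiver-side parser for the probe described above that treats the broadcast datagram as untrusted input, plus a helper that groups accepted probes by sender. The names `parse_probe` and `probes_by_source`, the 1024-byte cap and the sample datagrams are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_PROBE_BYTES = 1024  # assumed cap; the probe shown above is roughly 125 bytes


def parse_probe(payload: bytes):
    """Return {'uuid', 'types'} for a well-formed probe, else None."""
    if not payload or len(payload) > MAX_PROBE_BYTES:
        return None
    # Unauthenticated broadcast input: refuse DTDs and entities before parsing.
    upper = payload.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return None
    try:
        root = ET.fromstring(payload)
    except (ET.ParseError, ValueError):
        return None
    if root.tag != "Probe":
        return None
    uuid = (root.findtext("Uuid") or "").strip()
    types = (root.findtext("Types") or "").strip()
    if not uuid or not types:
        return None
    return {"uuid": uuid, "types": types}


def probes_by_source(captures):
    """Group accepted probes by sender; captures is [(src_ip, payload), ...]."""
    seen = {}
    for src, payload in captures:
        probe = parse_probe(payload)
        if probe is not None:
            seen.setdefault(src, []).append(probe)
    return seen


# Constructed datagrams; addresses are from the 192.0.2.0/24 documentation range.
GOOD = (b'<?xml version="1.0" encoding="utf-8"?><Probe>'
        b'<Uuid>74F1ED37-5E82-43E8-9A61-66FCD32926E2</Uuid>'
        b'<Types>inquiry</Types></Probe>')
SAMPLES = [
    ("192.0.2.10", GOOD),
    ("192.0.2.10", GOOD[:60]),  # truncated datagram
    ("192.0.2.20", b"<Probe><Uuid>x</Uuid></Probe>"),  # no <Types>
    ("192.0.2.30", b'<!DOCTYPE p [<!ENTITY a "b">]><Probe><Uuid>&a;</Uuid>'
                   b'<Types>inquiry</Types></Probe>'),  # carries a DTD
]

if __name__ == "__main__":
    print(probes_by_source(SAMPLES))
```

Only the first sample is accepted; the truncated, incomplete and DTD-carrying datagrams are dropped before any reply would be built.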