Reset Admin Password on HikVision NVR Model : KEPLER-7604/4P

[Hillarys]

Hi folks,
I'm hoping someone can assist me with resetting the password on this NVR. We purchased a house with a 4-camera system, but unfortunately the Owner gave us a bum-steer on the password, so we can't get into the system!
After reading several threads, I've tried using SADP to connect to the device and I've exported an XML file (attached). But I don't know who the unit was purchased from, so I don't know how to get an "Input Key" or "Import File"?
Any ideas how to get this? Or how to reset the password some other way? Can youpull the unit apart to do a hard factory reset, for example?

Any suggestions appreciated!
Hillarys

 

[TonyR]

Have you tried ==>> Hikvision Password Reset Tool

 

[alastairstevenson]

I'm hoping someone can assist me with resetting the password on this NVR.

Suggestion. NVR PoE-connected cameras are usually 'Activated' in Plug&Play mode by using the NVR password.
If there are Hikvision cameras connected that have firmware or 5.4.4 or older, the camera password can be extracted by pulling the configuration file via the 'Hikvision backdoor' and decrypting and decoding it.

So - connect the PC to an unused NVR PoE port, use SADP to find the cameras, check the firmware version.
If 5.4.4 or earlier, and 5.3.0 or later, that's good.
Note down the camera IP address(s).

Change the PC IP address to one in the same range as used by the camera, maybe 192.168.254.100
Use this URL to attempt an extraction of the configuration file, replacing the camera IP address as needed :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

If that works OK, zip up the file and attach here and I will decrypt and decode it and extract the password.

 

[Hillarys]

Thanks alastairstevenson - I've connected my laptop to a port on the NVR, set my Laptops IP address to the same subnet as the NVR, and running SAPD I can see the NVR device. I can't see any of the cameras that are plugged in though - and looking at the back of the NVR, none of the lights are flashing on the ethernet ports that the cameras are plugged into. Is this normal? (ie. do they not flash normally with the camera's plugged in?) or does this indicate a problem with the camera's?

 

[Hillarys]

Have you tried ==>> Hikvision Password Reset Tool

Yes - I have tried this, but it doesn't seem to work. Thanks for the suggestion

 

[alastairstevenson]

looking at the back of the NVR, none of the lights are flashing on the ethernet ports that the cameras are plugged into. Is this normal?

That is odd - not, it's not normal, for working cameras. Both lights should be on.
Have you managed to successfully connect the VGA/HDMI output of the NVR to a TV or monitor?
If live video shows, this would confirm if the cameras are in a connected and working state. No password is needed for simple live viewing.
But if SADP doesn't show them, and there are no lights on the NVR PoE ports, it suggests they are not working, or the NVR has failed and is not powering them, or maybe the cameras were powered separately and it's inactive, though that seems unlikely.

I've connected my laptop to a port on the NVR, set my Laptops IP address to the same subnet as the NVR, and running SAPD I can see the NVR device.

Just to clarify :
An unused PoE port on the NVR?
What was the IP address you used / what guided the choice?

When the laptop is on the LAN as normal, what IP address does SADP show for the NVR, and does it match requirements for the LAN?
If so, when you double-click on the IP address shown in SADP, and the browser is started, do you get a login page?
What firmware version does SADP show for the NVR?
Presumably you have already tried some common simple passwords such as 12345 123456 123456789abc Password123 etc

Is it in any way feasible for you to power one of the cameras with an external 12v power supply and see if SADP then finds the camera when the laptop is connected to an unused NVR PoE port?
If so - you can check the firmware version, and if within the range specified, extract the configuration file?

 

[Hillarys]

That is odd - not, it's not normal, for working cameras. Both lights should be on.

Hi Alastair,
I'll have to get one of the camera's out of the roof and see how it is powered. It is strange that all 4 camera's aren't working - because we saw the system working when we purchased the house.
But the system is also making a "Dii-Dii-Dii- Di-Di" sound when it is turned on, which I just ready means the HDD is either not working or needs to be initialised (which can only be done once I login....). Is it possible that the system is not powering the camera's up because the HDD hasn't initialised? Or do you need to log into the unit after powering it on, before the camera's will initialise?
I'll get a camera out of the ceiling and take a look at how they are powered.

In the meantime, here's a picture of how I've connected the laptop. When I plug into one of the camera ports, and set the IP on my laptop to the same IP subnet as the device (I read online 192.168.254.x is the default IP subnet - and that seems to work), I can find the device on SADP. Strangely, when I plug into the LAN port on the device directly, I can discover the device with SADP, but it shows IP address 0.0.0.0 and I can't get to the login page...

From the login page in the web-browser I have tried multiple passwords (always turning it off before I get to 6 tries..) and none of them work.
I have also plugged the device into my TV (through HDMI) and the "Wizard" login screen appears. But the same problem in that I need to login with the password, and I don't have it. None of the camera's come up on the TV screen - it has the 4 'placeholder' images (I can attach a picture if that helps).

In the Photo below the Yellow cable is my laptop connection, the blue are the camera's - and you can see none of the activity lights flashing on the blue cables.

 

[Hillarys]

OK - so after pulling one of the cameras out, it has 2 plugs on the camera - an ethernet cable that was plugged in, and a circular plug which, after checking out the online specs for the camera, it is the power cord/plug. This power cord/plug was not connected to anything. The camera's are HikVision DS-2CD2345-I 2.8mm camera's. I assume the previous owner had a PoE hub/switch that all the camera's connected to, then connected from that into the NVR. The whole system was disconnected when they left, so I am guessing that they took the PoE switch. Does that sound right? Would these systems normally have a PoE switch which all the camera's plug into, then have a single cable from the PoE switch into the NVR?

 

[alastairstevenson]

But the system is also making a "Dii-Dii-Dii- Di-Di" sound when it is turned on, which I just ready means the HDD is either not working or needs to be initialised (which can only be done once I login....).

Yes, maybe been removed even? The (lack of) screws underneath would be a giveaway.

Is it possible that the system is not powering the camera's up because the HDD hasn't initialised? Or do you need to log into the unit after powering it on, before the camera's will initialise?

No, the cameras should normally at least light up the LEDs on the PoE ports.

it has 2 plugs on the camera - an ethernet cable that was plugged in, and a circular plug which, after checking out the online specs for the camera, it is the power cord/plug. This power cord/plug was not connected to anything

That's normal when the cameras are power by a PoE switch or NVR.

I assume the previous owner had a PoE hub/switch that all the camera's connected to, then connected from that into the NVR. The whole system was disconnected when they left, so I am guessing that they took the PoE switch. Does that sound right?

That's certainly a possibility. It's not mandatory to use the built-in PoE ports of the NVR.
The PoE channels can be manually configured to use LAN IP addresses with the cameras on an external PoE switch.

Which brings me to a possible hypothesis that might explain what you are seeing :

I just experimented with a DS-7604NI-K1/4P
Configured one of the PoE channels to connect to a camera on the LAN as opposed to one of the 192.168.254.x PoE port addresses.
The NVR connects OK to the LAN-connected camera, and a camera plugged in to the corresponding PoE port gets power - both LEDs come on.

I did the same on a DS-7816N-E2/8P NVR. This is much the same hardware series as your DS7604NI-E1/4p
When connecting to the PoE port that corresponds to a channel which the LAN-connected camera is connected to, the camera does not receive power, and the LEDs stay off.
So the way that channel has been configured, to connect to a LAN-connected camera, disables the physical PoE port.
So if the previous owner had the cameras on an external PoE switch and the NVR is configured to connect to what would then be LAN-connected cameras, maybe the ports are all disabled.
I think it's a plausible theory.

So, a suggestion:
Get hold of a 12v power supply to connect to the accessible camera.
Connect the camera ethernet cable in to a router port if one is available, so it's on the LAN.
Find the camera with SADP, check out the firmware version, and with luck it may be old enough to have the backdoor vulnerability such that the password can be extracted.

The NVR will be able to be reset to defaults by applying the same firmware version as is currently installed using the Hikvision tftp updater.
It's easy enough to do.
The same method can also be used for the cameras.
If the method above doesn't work, the tftp updater will work OK, and we can help with the how-to.

 

[Hillarys]

Suggestion. NVR PoE-connected cameras are usually 'Activated' in Plug&Play mode by using the NVR password.
If there are Hikvision cameras connected that have firmware or 5.4.4 or older, the camera password can be extracted by pulling the configuration file via the 'Hikvision backdoor' and decrypting and decoding it.

So - connect the PC to an unused NVR PoE port, use SADP to find the cameras, check the firmware version.
If 5.4.4 or earlier, and 5.3.0 or later, that's good.
Note down the camera IP address(s).

Change the PC IP address to one in the same range as used by the camera, maybe 192.168.254.100
Use this URL to attempt an extraction of the configuration file, replacing the camera IP address as needed :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

If that works OK, zip up the file and attach here and I will decrypt and decode it and extract the password.

Hi Alastairstevenson - so I've had some success. After realising that the Power supply I was using was only 12V (!!), I found a 48V Power supply - and the system now starts up correctly -> the HDD runs (no more Di-Di-Di beeps), and the Camera POE is working correctly.
I've managed to do what you suggested and can confirm the Camera is running Software version V5.4.24 build 170303. I'm guessing thats bad, as .24 is outside the range you mentioned.

So when I login to the URL http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK - the browser comes up with a Sign-in page and asks for a Username and Password box. So I guess that means this method won't work?

 

[alastairstevenson]

Well, that explains a lot! And kills off my hypothesis.
So the previous owner didn't leave the power supply.

A pity the camera firmware is just new enough to not have the backdoor. That would have been a simple enough way of extracting the NVR password.

You've got several options to gain access now.
I think you're going to have to use the Hikvision tftp updater, and it might be interesting to use it to apply the 5.4.0 firmware, that still had the backdoor.
The tftp updater and instructions are in the downloads area of the forum.
I'm not sure if these are R6 or G0 cameras, but try the R6 firmware first.
The tftp updater works best with a 12v power supply as opposed to the PoE of the NVR.
If it applies ok, the camera ends up reset to 'Inactive'. It would be interesting to just then plug it in to the NVR at which point the NVR will activate it.
You should then be able to extract the configuration file and this obtain the NVR password which should work for the other cameras too. This would save doing the tftp update for the NVR and other cameras.

 

[Hillarys]

I think you're going to have to use the Hikvision tftp updater, and it might be interesting to use it to apply the 5.4.0 firmware, that still had the backdoor.
The tftp updater and instructions are in the downloads area of the forum.
I'm not sure if these are R6 or G0 cameras, but try the R6 firmware first.
The tftp updater works best with a 12v power supply as opposed to the PoE of the NVR.

Hi Alastair - so I plugged the camera into a 12v Power supply. I then connected it to my laptop via Ethernet (direct connection, no switch for the first time, then I plugged through a standard switch - without PoE - the 2nd time). I set the IP on my laptop to 192.0.0.128. I've downloaded the Version 5.4 from here.
and copied into the TFTP folder. I then ran the TFTP as per the instructions, and ti comes up with the messages:
Device (192.0.0.64) test tftpserver
Connect client success
Start file
Resend required (x 5 times)
Completed file transmit

and no "Device system updated completed!" message
I then plugged the device back into the NVR and checked the version again through SADP - sadly it is still V5.4.24build 170303.
Any idea why the "Resend required" message is coming up?

The camera has "DS-2CD2345-I" written on it. Is it possible that the camera is a G1 model? If it is, I've also tried the 5.4 versions from here (DOWNLOAD) - but same problem -> lots of "Resend required" messages. I'm beginning to wonder if the camera is designed to prevent TFTP of earlier versions of Firmware....

 

[alastairstevenson]

'resend required' just means there was a transmit error and a block was re transmitted. It's not a fatal error.

The 'completed file transmit' just means the file transferred ok but did not match the camera.
So it's a matter of finding the right firmware.
What letters were in the serial number as seen by SADP? There is a chance these are CN cameras, which might be why the firmware was not accepted.

 

[Hillarys]

'resend required' just means there was a transmit error and a block was re transmitted. It's not a fatal error.

The 'completed file transmit' just means the file transferred ok but did not match the camera.
So it's a matter of finding the right firmware.
What letters were in the serial number as seen by SADP? There is a chance these are CN cameras, which might be why the firmware was not accepted.

The Serial Number of the Camera through SADP is DS-2CD2345-I20170320AAWR730894594

 

[alastairstevenson]

That's good, not a CN camera.

 

[Hillarys]

Looking through the firmware sites, I can't find any reference to a DS-2CD2345-I camera on any of the firmware notes. Google-searches also don't seem to come up with 2CD2345 camera's anywhere. However, the physical appearance of the Camera is identical to the DS-2CD2342WD-I camera (here).
I'm thinking that this could be the actual camera? Although why the SADP details would say differently, has me stumped....

On the basis that it could be, and the firmware notes for R6 include this model (2CD2342WD), I have tried TFTP of Versions 5.4.1, 5.4.3 and 5.4.4. None of them take -> they all give the same messages and conclude with the Complete File Transmit - but not "Success" message.

 

[alastairstevenson]

I can't find any reference to a DS-2CD2345-I camera on any of the firmware notes.

No, it's an uncommon model number, and I'm not sure exactly what series it belongs to.
I've had some DS-2CD3xx5 and DS-2CD2xx5 cameras that have been G0 series, but I've not had any DS-2CD2345
I've found the distinction between G0 and early G1 to be a bit blurred.

But at least the tftp updater appears to be rejecting any firmware that's not valid for the model.
By the way - don't try any firmware above 5.4.4 as in my experience that will likely trigger the 'downgrade block' even if not successful.
That triggers a bit of a Catch-22 situation.

The only G0 firmware of 5.4.0 that I have is Chinese firmware.
I've attached a copy.


Just some thoughts on possible routes forward, with the aim of gaining access to the NVR and cameras so that you can make use of them -

The idea of resetting a camera with 5.4.0 or earlier firmware to 'Inactive' and connecting to the NVR for it to 'Activate' is to use a way of extracting the NVR password, which probably would also apply to the other cameras.
Given the ability to tftp update the firmware to do the reset, that should be straightforward.
But getting valid firmware seems an obstacle.

On the hopefully not optimistic assumption that the Kepler-7604/4P is actually a DS-7604NI/4P NVR, it should also be possible to use the tftp updater to apply the same firmware as is currently installed and implicitly reset to defaults.
That if successful would give access to the NVR, but 'orphan' the cameras with their unknown password.
What does SADP show for the NVR model and firmware version?

Another, more fiddly, approach would be to connect to the NVR serial console to grab a copy of the configuration file, which usually holds camera (therefore probably NVR) passwords in plain text.
It's not that hard to do, but it would depend on how much time and effort you'd want to invest in it, at the expense of all the painting and decorating that your better half will be keen that you pursue.

 

[Hillarys]

The idea of resetting a camera with 5.4.0 or earlier firmware to 'Inactive' and connecting to the NVR for it to 'Activate' is to use a way of extracting the NVR password, which probably would also apply to the other cameras.
Given the ability to tftp update the firmware to do the reset, that should be straightforward.
But getting valid firmware seems an obstacle.

On the hopefully not optimistic assumption that the Kepler-7604/4P is actually a DS-7604NI/4P NVR, it should also be possible to use the tftp updater to apply the same firmware as is currently installed and implicitly reset to defaults.
That if successful would give access to the NVR, but 'orphan' the cameras with their unknown password.
What does SADP show for the NVR model and firmware version?

Another, more fiddly, approach would be to connect to the NVR serial console to grab a copy of the configuration file, which usually holds camera (therefore probably NVR) passwords in plain text.
It's not that hard to do, but it would depend on how much time and effort you'd want to invest in it, at the expense of all the painting and decorating that your better half will be keen that you pursue.

Thanks for the G0 CN firmware - but unfortunately, same problem. The TFTP runs through to "Completed", but without any "Success" and the camera shows no change in its firmware when plugged back into the NVR.

The NVR Model and firmware versions are :
KEPLER-7604/5P0420161221AARR695594255WCVU
Software : V3.4.90 build 161008

Does this make it an "NI" NVR?

I am willing to try the NVR serial console method if you can point me to a guide/info on how to do it? I'm reasonably savvy with IT and my wife gave up on trying to get me painting years ago

 

[Hillarys]

KEPLER-7604/5P0420161221AARR695594255WCVU

Make that KEPLER-7604/4P.....

 

[alastairstevenson]

I am willing to try the NVR serial console method if you can point me to a guide/info on how to do it?

OK, let's do it!

You will need 2 items of hardware, widely available via your favourite on-line store.

A PL2303TA-based USB to serial TTL convertor.
Watch out for the common PL2303HX-based versions - an older chip not supported by Win10 but OK on Win7
A wired 4-pin 1.5mm JST ZH connector, usually sold in 10-packs
And to talk to the serial console, PuTTY works well -

Download PuTTY: latest release (0.81)

www.chiark.greenend.org.uk

Thanks for the G0 CN firmware - but unfortunately, same problem. The TFTP runs through to "Completed", but without any "Success" and the camera shows no change in its firmware when plugged back into the NVR.

That's a pity.
I don't suppose you know anyone you could borrow a Hikvision camera from?