Reset Admin Password on HikVision NVR Model : KEPLER-7604/4P

[Silas]

depends where in oz they are ;-)

 

[alastairstevenson]

Yes, and it's a pretty big country.
How are you coping with the high temperatures?

 

[Hillarys]

depends where in oz they are ;-)

I'm in Perth, Western Australia. Thankfully no fires near my home!

 

[alastairstevenson]

I'd guessed that from your forumid.
We were in Perth for 7 weeks a few years ago and visited Hillarys a couple of times and loved the atmosphere there.

 

[Hillarys]

Yep - we love it here - close to the perfect Perth beaches!

So I've got the bits you've suggested on order (in the mail). Also emailed HikVision to request a password code/file, but as I expected they have given me the "we don't deal with consumers directly" nonsense. Very frustrating. Contacted several local security firms and all want a $150 call-out fee, then extra per hour to 'fix' it. No guarantee of a fix either, so could be $150 down the toilet.

Once the bits are here, what's next? I'm assuming I'm going to a do a firmware re-install to the NVR via the Serial port? Or is there a way to get the password out through PuTTY terminal session?

 

[alastairstevenson]

There is some uncertainty about what series the model number relates to, and for what I have in mind and have done a few times there is a need for some specific commands in the bootloader.
Hikvision have progressively removed 'useful' commands from the bootloader as people have made use of them.

It should be straightforward enough to apply the NVR firmware to reset it, but that would leave the cameras isolated as there doesn't seem to be firmware that they accept.
So I'd suggest the first approach would be to see if the NVR configuration can be extracted.
I've done this on DS-7604NI a couple of times.

 

[saniaowner]

Yep - we love it here - close to the perfect Perth beaches!

So I've got the bits you've suggested on order (in the mail). Also emailed HikVision to request a password code/file, but as I expected they have given me the "we don't deal with consumers directly" nonsense. Very frustrating. Contacted several local security firms and all want a $150 call-out fee, then extra per hour to 'fix' it. No guarantee of a fix either, so could be $150 down the toilet.

Once the bits are here, what's next? I'm assuming I'm going to a do a firmware re-install to the NVR via the Serial port? Or is there a way to get the password out through PuTTY terminal session?

Hello
I see you seriously took on the reset of the NVR, it's worth the respect. I will try to help you. Reboot the NVR and send me the XML file for reset on Monday. Also, please find on the Hikvision website a model similar to yours and write me the name of this model. I think we will solve your problem together)

 

[alastairstevenson]

The NVR can be reset by applying the same firmware using the tftp updater.
But that would leave the cameras in an inaccessible state as no compatible firmware has been found that they would take.

In my view, it would be best to first try to extract the NVR password, which will probably work for the cameras, before resetting the NVR.

 

[Hillarys]

So the parts arrived... except for the JST ZH connector
On order from Ebay now. Inching closer to the solution!

 

[Hillarys]

The parts have arrived and I've managed to connect to the Serial Port through PuTTY. When it boots, I'm getting all the log data coming through the PuTTY Terminal.
Starts with "U-Boot 2010.06-svn (Aug 15 2015 - 15:18:43)" then all the login scripts start scrolling past. I can't seem to attach the .txt file to this for some reason - is it not allowed?
Am I looking for something in particular in these scripts?

(I feel like we might be inching closer to a solution here - optimism!)

 

[alastairstevenson]

When it boots, I'm getting all the log data coming through the PuTTY Terminal.

That's good, you've got it hooked up correctly.
Now for the fun part.
And here's hoping that your 'Kepler' NVR will respond in the same way as I've seen on others.
The process does depend on the specific bootloader commands still being available on your NVR - Hikvision do have a habit of stripping out the more 'useful' commands as they update the firmware.

First you will need to create a normal tftp server on your PC.
This one should work OK - create a folder for it and install :

Tftpd32: an opensource free firewall friendly dhcp, syslog sntp and tftp server/service for windows, tftp client

A free tftp and dhcp server for windows, freeware tftp server

tftpd32.jounin.net

You will need to know the IP address of your PC, this will become the IP address of the tftp server that the NVR will connect to.
In the example I'll show below, I'm using 192.168.1.99 as the PC IP address. Replace this with your own.
You will also need to pick a temporary IP address for the NVR to use, one that isn't in use already.
In the example I'll show below, I'm using 192.168.1.214 as the temporary NVR IP address. Replace with your own choice.

Here are the steps that I hope will work to extract the flash partition segment that holds the NVR cameras configuration, the passwords for which are very likely to be the NVR password also.

Start PuTTY.
Keep Control-U pressed until it auto-repeats and power on the NVR.
You should get a screen like this :

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software:

Type the letter b and press return.
You should get to a prompt like this :

HKVS #

To list the environment variables, for future reference use the printenv command like so :

HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
device_type=DS-7604NI-E1/4P/A
identification=0000000100000001000002000000002a00000001000000020005
update_ip=192.0.0.64
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=bc:ad:28:87:7e:c4
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Aug 15 2015 - 15:18:43)

Environment size: 577/4092 bytes
HKVS #

Start the tftp server.
The commands below will read the flash memory, and transfer the data to the tftp server on the PC.
You can copy / paste each command line in turn to the PuTTY screen.
Just do one at a time.

setenv ipaddr 192.168.1.214
setenv serverip 192.168.1.99

sf probe 0

sf read 0x80400000 0x00000 0x10000
tftp 0x80400000 mtdblock0 0x10000

sf read 0x80400000 0x10000 0x20000
tftp 0x80400000 mtdblock1_part1 0x20000

sf read 0x80400000 0x30000 0x20000
tftp 0x80400000 mtdblock1_part2 0x20000

sf read 0x80400000 0x50000 0xFB0000
tftp 0x80400000 mtdblock2 0xFB0000

Here is a transcript of what you'd expect to see :

HKVS # setenv ipaddr 192.168.1.214
HKVS # setenv serverip 192.168.1.99
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS #
HKVS # sf read 0x80400000 0x00000 0x10000

HKVS # tftp 0x80400000 mtdblock0 0x10000
timeout for link [4999]!
MAC:   BC-AD-28-87-7E-C4
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtdblock0'.
Upload from address: 0x80400000, 0.064 MB to be send ...
Uploading: #    [ Connected ]

         0.064 MB upload ok.
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # tftp 0x80400000 mtdblock1_part1 0x20000
timeout for link [5000]!
MAC:   BC-AD-28-87-7E-C4
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtdblock1_part1'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: #    [ Connected ]
#
         0.128 MB upload ok.
HKVS # sf read 0x80400000 0x30000 0x20000

HKVS # tftp 0x80400000 mtdblock1_part2 0x20000
timeout for link [5000]!
MAC:   BC-AD-28-87-7E-C4
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtdblock1_part2'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: #    [ Connected ]
#
         0.128 MB upload ok.
HKVS #
HKVS # sf read 0x80400000 0x50000 0xFB0000

HKVS # tftp 0x80400000 mtdblock2 0xFB0000
timeout for link [5000]!
MAC:   BC-AD-28-87-7E-C4
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtdblock2'.
Upload from address: 0x80400000, 15.704 MB to be send ...
Uploading: #    [ Connected ]
################################        [ 2.888 MB]
################################        [ 5.752 MB]
################################        [ 8.616 MB]
################################        [11.480 MB]
################################        [14.344 MB]
###############
         15.704 MB upload ok.
HKVS #

Assuming that all works OK, zip up the mtdblock1_part1 and mtdblock1_part2 files and attach here.
I should be able to extract the camera passwords, which hopefully will match the NVR password.

Good luck!

 

[Hillarys]

Assuming that all works OK, zip up the mtdblock1_part1 and mtdblock1_part2 files and attach here.
I should be able to extract the camera passwords, which hopefully will match the NVR password.

Good luck!

It looks like it all worked - here are the files (attached). FINGERS CROSSED!

 

[alastairstevenson]

It looks like it all worked

So far, so good.
Let's see. Camera passwords as follows for admin :
g373skk1987 Spa Area
g373skk1987 Driveway
g373skk1987 Front Door
g373skk1987 Front Door

Now - if that works for the NVR, great.
But if it doesn't, at least it's the camera paswords (for which no compatible firmware could be found) which would allow the NVR to be reset without orphaning the cameras.

 

[Hillarys]

So far, so good.
Let's see. Camera passwords as follows for admin :
g373skk1987 Spa Area
g373skk1987 Driveway
g373skk1987 Front Door
g373skk1987 Front Door

Now - if that works for the NVR, great.
But if it doesn't, at least it's the camera paswords (for which no compatible firmware could be found) which would allow the NVR to be reset without orphaning the cameras.

You are a champion! That's it. Thanks for your help on this. Now to plug it in and see if I can get all the cameras to reset as well.

 

[alastairstevenson]

You are a champion! That's it.

That's a great result!
You did pretty well hooking up the serial console, and follwoing the instructions.

Now to plug it in and see if I can get all the cameras to reset as well.

You shouldn't have to do anything on the cameras except get them connected to the same NVR PoE ports that there were originally set up on.
SADP will help there.
Cross-reference the IP addresses seen in SADP with the camera configuration details in the NVR web GUI.
You may have to just have one connected at a time to be sure which is which.

 

[Hillarys]

crumbs -

That's a great result!
You did pretty well hooking up the serial console, and follwoing the instructions.


You shouldn't have to do anything on the cameras except get them connected to the same NVR PoE ports that there were originally set up on.
SADP will help there.
Cross-reference the IP addresses seen in SADP with the camera configuration details in the NVR web GUI.
You may have to just have one connected at a time to be sure which is which.

I seem to have a problem with this. I don't know which camera was in each port and now they won't work. I've tried plugging one camera in at a time, moving it across each of the 4 ports. It comes up with "Detecting" in the Camera Menu, but then after 20 sec or so it comes up with a Status Triangle with red exclamation mark. And no picture. Strange thing is that in the Camera config page it has 4 cameras listed even when I don't have any plugged in. Is that normal?

 

[alastairstevenson]

Strange thing is that in the Camera config page it has 4 cameras listed even when I don't have any plugged in. Is that normal?

Yes, that's normal.
Suggestion :
Connect the PC to an unused NVR PoE port.
With one camera connected at a time, refresh SADP to identify the specific camera IP address.
Mark the camera in some way.

In the NVR web GUI, under 'Camera Configuration' look at the IP addresses specified for each channel.
Hopefully you can then match up the channel detail with the camera IP addresses that SADP found.
Then connect the camera to the corresponding channel.
Post the addresses detail here so consistency can be checked, just in case the original owner has changed things.

As an example :
The NVR channel 1 is configured to use an IP address of 192.168.254.2
Find the camera that is using the IP address of 192.168.254.2 and connect it to the NVR PoE port 1
It should connect OK.

 

[Hillarys]

Hi Alastair,
So after a bit more mucking around - reverting to the old password, then plugging in each camera - I have got it working. I have also now been able to change the Password and it has pushed the new Password to the camera's. Success!

That is, all except for the 1 camera that I fiddled with the firmware, back in the early parts of this Thread. Now that camera is coming up with "Incorrect language". And guess what - it is also reporting through SADP that it accepted the Chinese (CN) Firmware that we tried earlier in this thread (V5.4.0build 160401). The other 3 x Cameras all report Firmware v5.4.24build 170303 - and are working.

Sooooooo - the question is.... how do I get that 2nd camera back to the correct (presumably English) language? If it took that firmware that you attached (G0) - do you have another G0 firmware that isn't Chinese that I could try? Will the NVR need all the Firmware's to match, or will it run with a different firmware on 1 of the camera's (I ask, because I don't know where I will find v5.4.24build 170303).

One other thing -> in the NVR configuration menu's, the camera's that are working all have an option to 'Upgrade'. Should i do this? I'm assuming that they have sourced a new version over the internet (I have connected the NVR to my home network)

 

[alastairstevenson]

So after a bit more mucking around - reverting to the old password, then plugging in each camera - I have got it working. I have also now been able to change the Password and it has pushed the new Password to the camera's. Success!

That's good - almost there it seems.

Now that camera is coming up with "Incorrect language"

Do you mean the NVR is rejecting the camera with that error message?
An EN/ML NVR by Hikvision design will reject a CN camera.

Sooooooo - the question is.... how do I get that 2nd camera back to the correct (presumably English) language?

I'm speculating that the cameras are actually CN cameras running 'hacked to English' firmware.
Which if so would revert to CN language on any successful firmware updates.
A clue that may confirm this would be to look at the camera serial numbers as seen in the System Information page of the camera web GUI, or via SADP when the PC can see the cameras on the NVR PoE ports.
The letters CCCH in the serial number would be a clue.
If the NVR has the 'Virtual Host' facility - likely - in the NVR web GUI under Network Advanced settings / Other you will be able to access each camera web GUI via the link in the right column of the Camera Configuration page.

camera's that are working all have an option to 'Upgrade'.

Should i do this? I'm assuming that they have sourced a new version over the internet (I have connected the NVR to my home network)

That sounds like the NVR VGA/HDMI interface, which does have an ability to push updates to the cameras via a USB stick source for the firmware.
It doesn't mean that an actual upgrade is available.

Best not try that, if the cameras are CN models running hacked firmware.

 

[Hillarys]

A clue that may confirm this would be to look at the camera serial numbers as seen in the System Information page of the camera web GUI, or via SADP when the PC can see the cameras on the NVR PoE ports.
The letters CCCH in the serial number would be a clue.

One of the working camera's serial numbers is : DS-2CD2345-I20170320AAWR730894444
So no CCCH.