[Solved] reset password Juan IP Camera (Hi3518E+OV9712)

[zzzhirkanzzz]

Hi.
I have a Hi3518E+OV9712 Ip Camera. I need to reset its password.
telnet is open, but common passwords are not working.
I have access to UART, but i found no helpful command about config or password reset.
I can not find any pin or reset button on the board.

login page


web interface with guest: (blank)
open ports:
23/tcp open telnet
80/tcp open http

UART Connection commands:


board:



any recomendation or solution?
thanks.

 

[alastairstevenson]

telnet is open, but common passwords are not working.

Is this after startup, not at the bootloader?
I don't have that camera, but ages back had a Vanxse camera with a similar user interface, since sold for more than I paid for it.
At the telnet prompt, try root/helpme as a logon.

 

[alastairstevenson]

At the telnet prompt, try root/helpme as a logon.

Optimistic I know - without knowing what the firmware is, but from the GUI similarity to one I once had:
try also root/juantech

 

[zzzhirkanzzz]

I am not sure which ports are open at boot process.
Ports 23, 80 are open when camera is completely up.
I tried both "juantech" and "helpme" as password. not working.
I tried these common telnet password that can be found on the net. (using hydra)

root:xc3511
root:vizxv
root:admin
admin:admin
root:888888
root:xmhdipc
root:default
root:juantech
root:123456
root:54321
support:support
root:
admin:password
root:root
root:12345
user:user
admin:
root:pass
admin:admin1234
root:1111
admin:smcadmin
admin:1111
root:666666
root:password
root:1234
root:klv123
Administrator:admin
service:service
supervisor:supervisor
guest:guest
guest:12345
guest:12345
admin1:password
administrator:1234
666666:666666
888888:888888
ubnt:ubnt
root:klv1234
root:Zte521
root:hi3518
root:jvbzd
root:anko
root:zlxx.
root:7ujMko0vizxv
root:7ujMko0admin
root:system
root:ikwb
root:dreambox
root:user
root:realtek
root:00000000
admin:1111111
admin:1234
admin:12345
admin:54321
admin:123456
admin:7ujMko0admin
admin:1234
admin:pass
admin:meinsm
tech:tech

Optimistic I know - without knowing what the firmware is

ONVIF Device Managershows this information about camera


I monitored packets recieving from camera by wireshark.
phase 1: (16 seconds after connecting power) first 3 packets are ARP request like this:

Frame 12: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: PolarisC_18:01:65 (00:10:85:18:01:65), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: PolarisC_18:01:65 (00:10:85:18:01:65)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: PolarisC_18:01:65 (00:10:85:18:01:65)
    Sender IP address: 192.168.1.168
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 192.168.1.169

Camera is searching for 192.168.1.169 (may be like dahua and hikvision, is looking for tftp server?)

phase 2: (at 23 seconds after connecting power)
camera runs as usual with given IP. searching for 192.168.1.1
but this time with different MAC

Frame 270: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1516282698.184227000 seconds
    [Time delta from previous captured frame: 0.383103000 seconds]
    [Time delta from previous displayed frame: 0.383103000 seconds]
    [Time since reference or first frame: 23.163712000 seconds]
    Frame Number: 270
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Ethernet II, Src: 00:9a:15:d6:f4:ff (00:9a:15:d6:f4:ff), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: 00:9a:15:d6:f4:ff (00:9a:15:d6:f4:ff)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: 00:9a:15:d6:f4:ff (00:9a:15:d6:f4:ff)
    Sender IP address: 192.168.1.119
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 192.168.1.1

is there a tftp instruction about this type of chinese cameras?

 

[zzzhirkanzzz]

I found something interesting.
In uboot.txt file attached to the first post, lines 10 and 201 are the times you can interrupt and get a command line with different access.
I posted available commands on first one (from interrupting at line 10) in the first post. nothing helpful about config reset.
In the second one that I found today, if you be fast enough to answer the question with pressing "n" key, you get a command line similar to a telnet session with the root access.
Now there is my question: which file or folder must be modified to reset user setting such as admin's password.

 

[alastairstevenson]

In the second one that I found today, if you be fast enough to answer the question with pressing "n" key, you get a command line similar to a telnet session with the root access.

That's good. It saves cracking the root password.

Now there is my question: which file or folder must be modified to reset user setting such as admin's password.

There is a good chance that the web GUI user/password info is held in plain text in a configuration file, or maybe in a flash partition.
You should be able to find these by inspection, the location varies with different types of firmware.

Suggestion to start the search:
See if any flash partition has 'config' in it's name
cat /proc/mtd
If so, see where it's mounted. The mount point is the last path listed.
mount
Look in the mount point
cd /whatever_the_path_listed_was
ls -al

For config files, start listing the file structure to see where to look
ls -al /
If it's not too big - you may be able to list all and copy the scrollback into a text editor for inspection
ls -alR /

Once you have found a candidate file (maybe something like filename.conf) you can see the contents if it's just text, for example
cat /path_to_file/file.txt

 

[alastairstevenson]

Out of curiosity I unpacked this firmware - UPG_ipc3580ar-w7-M20-hi3518e-20150728_013643 - on the long-shot basis that it might be for the same camera series as yours, and had a look at the root filesystem.
The config files will be held in /mnt/config
But judging from the format of the config files used for resetting back to defaults, in /bin/vslocal/config_default.bin the config may not be held in plain text files.
config_default.bin is a gzip archive, holding a binary file.
Within it, the web GUI default users / passwords are
admin / admin
operator / 123456
visitor / 123456
If by pure chance your camera uses the same series of firmware, and also that the operator account doesn't have limited access and can do admin tasks, that may work for you.

The app may also create a folder /etc/ipcamera
Worth looking in there for config files - any with a .ini extension will be text that you can use the 'cat' command to see the contents of.

 

[alastairstevenson]

Looking at the cgi-bin folder of the UPG_ipc3580ar-w7-M20-hi3518e-20150728_013643 firmware, this is the script that's used to reset to factory settings.
If it's the same firmware as yours, it gives some good clues as to where the configuration data is held.
If you can find .ini files under /etc/ipcamera/conf_xxxx these should be plain text viewable with 'cat'.

#!/bin/sh

CONFIG_PATH_MNT="/mnt"
CONFIG_DEFAULT="/bin/vslocal/config_default.bin"
CONFIG_TMP_DEFAULT="/tmpfs/config_default.bin"
CONFIG_DEFFALT_EXCLUDE_FILE="/mnt/config/exclude.lst"

producttype=`cat /etc/ipcamera/config_devm.ini  | grep ^producttype | awk -F "=" '{printf $2}'`

if [ -z $producttype ];then
    exit
fi

if [ $producttype == "29" ] || [ $producttype == "30" ]; then
    echo "============720p============="
    cp /etc/ipcamera/config_devm.ini /etc/ipcamera/conf_720p/
    cp /etc/ipcamera/config_mpmng.ini /etc/ipcamera/conf_720p/
elif [ $producttype == "31" ];then
    echo "============1080p============="
    cp /etc/ipcamera/config_devm.ini /etc/ipcamera/conf_1080p/
    cp /etc/ipcamera/config_mpmng.ini /etc/ipcamera/conf_1080p/
elif [ $producttype == "32" ];then
    echo "============960p============="   
    cp /etc/ipcamera/config_devm.ini /etc/ipcamera/conf_960p/
    cp /etc/ipcamera/config_mpmng.ini /etc/ipcamera/conf_1080p/
fi

tar -X /mnt/config/exclude.lst -czvf $CONFIG_TMP_DEFAULT $CONFIG_PATH_MNT && cp $CONFIG_TMP_DEFAULT $CONFIG_DEFAULT -raf

 

[zzzhirkanzzz]

I appreciate your help. Thank you.
But ...
I gave up!
I tried everything.
I even found this software from the original manufacturer. The software finds the camera and has a reset command. It shows "successfully reset" but nothing happens.

http://download.dvr163.com/tool/IPCamSuite-1.2.22.4.rar

Also, I doubt second console (in the second interrupt) is exactly like a telnet session. Some programs are not loaded at that moment.

 

[alastairstevenson]

I gave up!
I tried everything.

I've bumped into someone who is looking to mount a camera - even a bricked one - as a deterrent due to a rising level of burglaries.
@zzzhirkanzzz
Do you want to sell?
Where are you based?

 

[zzzhirkanzzz]

It is not mine. One of our costumers had an issue with this camera.
The camera has the video stream on Dahua NVR but I can not change the setting.
I gave it back to the owner.
It is working.
Thanks again for your time.

 

[alastairstevenson]

OK, understood.

 

[zzzhirkanzzz]

I had this IP Camera again!
But this time I find the steps to reset password.
-------------------------------
How to reset forgotten password for Juan IP Camera. (Guangzhou Juan Intelligent Tech Joint Stock Co.,Ltd)
1) Find Device ID:
You can use ONVIF Device Manager.



2) Install Juan IPCamSuite
from this link directly:

http://download.dvr163.com/tool/IPCamSuite-1.2.22.4.rar

or from this page:
IPC-WEB-TOOL - Guangzhou Juan Intelligent Tech Joint Stock Co.,Ltd

3) Reset password
Select IP camera, then:



After reboot password is set to default. (blank)
then try login as admin with no password.
Done!

 

[bpmittal]

i have this same jiuan ipcamera , these are wifi camera but we can connect these camera with only network cables ,

how to connect these wifi ip camera wirelessly without NVR , only with my PC ?

 

[Ghafor]

Hi.
I have a Hi3518E+OV9712 Ip Camera. I need to reset its password.
telnet is open, but common passwords are not working.
I have access to UART, but i found no helpful command about config or password reset.
I can not find any pin or reset button on the board.

login page
View attachment 25570

web interface with guest: (blank)
View attachment 25571 open ports:
23/tcp open telnet
80/tcp open http

UART Connection commands:
View attachment 25574

board:
View attachment 25572
View attachment 25573

any recomendation or solution?
thanks.

Use ipcamsuite

 

[dayvidd]

Hi.
I have a Hi3518E+OV9712 Ip Camera. I need to reset its password.
telnet is open, but common passwords are not working.
I have access to UART, but i found no helpful command about config or password reset.
I can not find any pin or reset button on the board.

login page
View attachment 25570

web interface with guest: (blank)
View attachment 25571 open ports:
23/tcp open telnet
80/tcp open http

UART Connection commands:
View attachment 25574

board:
View attachment 25572
View attachment 25573

any recomendation or solution?
thanks.

please friend, where is the serial port (tx - rx pin) on the board, forgive my english

 

[Behnam ghorbani]

Thanks for every answer