What encryption do HIKVision cameras use?

[Merik]

I'm trying to understand the protocol that HikVision SADPTool uses to activate a camera. I used Wireshark to capture some packets, and below are contents of those packets in plain text:

Packet 1 (sent from SADPTool)

<?xml version="1.0" encoding="utf-8"?><Probe><Uuid>00000083-006B-0049-AA08-A27A4E43C359</Uuid><MAC>54-c4-15-10-8e-91</MAC><Types>exchangecode</Types><Code>MIGJAoGBAN/UA0Eb3qWpVMrMLMeb10o728LL2KKq1JkTmPdjM6xBfKfmRQ3zvYMNb4qwudAeAgKbtqdW98R4oEzK6mpA3mUGS2714eo6fLVYgEyHJdSonkHL5gr+67VARwxuA1ml3UKtm3WGme+5Rt25ai1WnJ7VcrJWBIg5iGsUE1725xGpAgMBAAE=</Code></Probe>​

Packet 2 (sent from camera)

<?xml version="1.0" encoding="UTF-8"?>
<ProbeMatch><Uuid>00000083-006B-0049-AA08-A27A4E43C359</Uuid>
<Types>exchangecode</Types>
<Result>success</Result>
<Code>Xw3TbMQjWBEra2wRaeIBGSTC32skuAyUklOgxw8VTl9MhA96iF2Lcmyl9dROlrUMymw1PWZkCl69ol+jqWE+NHCPsOtSeHw+FM9515PFlRnm8GNfdbYgwYZb5Po/djfjuqs0ebZXki3k883TlQ/Amwh9k7yL90OT+hYRfg/dbbQ=</Code>
</ProbeMatch>​

Packet 3 (sent from SADPTool)

<?xml version="1.0" encoding="utf-8"?><Probe><Uuid>00000074-00D7-0044-AF07-B183EB6F4A82</Uuid><MAC>54-c4-15-10-8e-91</MAC><Types>activate</Types><Password>28mktLmZtb+siv6HKmZ9Qm/+7fYZVtF9VifboX5HqXk=</Password></Probe>​

The first 2 packets are to exchange Codes which are used to encrypt the password that is sent in packet 3, I guest. Could anyone please help me what encryption method is used here?
The password is HikVision which is encrypted as '28mktLmZtb+siv6HKmZ9Qm/+7fYZVtF9VifboX5HqXk='

Cheers,

DM

 

[StewartM]

I'm no expert, but this might provide some clues.

"The password is HikVision which is encrypted as '28mktLmZtb+siv6HKmZ9Qm/+7fYZVtF9VifboX5HqXk="
I suspect that 44 character string is an AES 256-bit key in base64.

When logging onto a camera we see:


And poking around in SADP there are several references:


Also, many references to BCrypt.