Hikvision ds-7616nxi-i2/16p/s factory reset?

F

fryc88

n3wb
Sep 26, 2021
9
1
UK
Hi,
I have purchased completely dead ds-7616nxi-i2/16p/s from a guy who seems to be reselling big quantities of them with random faults. I have fixed power issue, now however it will not let me log in or reset it - no password is known.
I have tried to reset it, but there's no email or security questions set.
I have seen TFTP methods, but these don't seem to work on this particular NVR with current firmware, while watching its boot via serial it does not go to upgrade messages, etc., i can only stop auto boot or watch it 'boot successfully'.
Are there any other methods that i'm missing to get the password reset? Is there any hardware method to reflash the memory, or do 'something else' to get it to factory state and be able to use it?
Thanks
 
Often, but not always, a reset can be effected via the serial console. What's possible varies with the model, firmware, manufacture date etc.

fryc88 said:
I have seen TFTP methods, but these don't seem to work on this particular NVR with current firmware,
Click to expand...
The Hikvision tftp updater can't be used because it has a filesize limit of 32MB.
The Scott Lamb Python2 clone gets round this.
github.com

GitHub - scottlamb/hikvision-tftpd: Unbrick a Hikvision device (NVR or camera) via TFTP

Unbrick a Hikvision device (NVR or camera) via TFTP - scottlamb/hikvision-tftpd
github.com github.com

fryc88 said:
i can only stop auto boot or watch it 'boot successfully'.
Click to expand...
When you interrupt the bootloader with Control-U, do you get the firmware update dialogue?
Usually, when a firmware update is done here it also wipes the configuration and sets the device to 'Inactive' after which yo 'Activate' it by creating your own password.

Also - at the upgrade dialogue, you should be able to exit to the bootloader command line using the 'b' command.
Although on some bootloader versions, Hikvision have obscured the usual commands to see/change variables and commands, check if
printenv
help
setenv ';printenv'
setenv ';help'
work.
Sometimes there is an 'erase' command that will wipe the configuration, either at the bootloader, or the higher-level menu.
Example :
* edit * But don't do this if you don't know the partition layout or you could trash the device.
This program will upgrade software.
*******************************************************
  • ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY! *
  • Don't reset machine,or anything that interrupt it. *
  • The upgrade process must finish in 10 minutes! *
  • If this program fails,machine might be unusable, *
  • and you will need to reflash again. *
  • If you find this too risky,power off machine now. *
*******************************************************

Now press [u/U] key to upgrade software: f
Please input part num (0 / 1 / 2): Confirm to format part 0 ?(y/n): n
Click to expand...

Suggestion :
Capture the bootloader commands and environment variables, post here, and maybe something can be suggested.
 
Last edited:
fryc88 said:
I have fixed power issue,
Click to expand...
I'm guessing you replaced the PSU.
Loads available on Aliexpress - but quite pricey.
They can actually be sourced at lower cost here in the UK ...

52V Power Supplies Archives - Hunterfield Ltd

Below are the power supply units (PSU) which have 52V output voltage with different output current capability (max current). As long as your device requires a 52V power supply and its max current consumption is not greater than a PSU’s rated output current, the PSU will work for your device...
hunterfield.co.uk hunterfield.co.uk
 
alastairstevenson said:
I'm guessing you replaced the PSU.
Loads available on Aliexpress - but quite pricey.
They can actually be sourced at lower cost here in the UK ...

52V Power Supplies Archives - Hunterfield Ltd

Below are the power supply units (PSU) which have 52V output voltage with different output current capability (max current). As long as your device requires a 52V power supply and its max current consumption is not greater than a PSU’s rated output current, the PSU will work for your device...
hunterfield.co.uk hunterfield.co.uk
Click to expand...
I simply used 12v PSU as I don't need Poe in my set up, I have external switch with Poe. If I'll get NVR working I might consider getting proper-style PSU but for now without password it's just a brick.

alastairstevenson said:
Often, but not always, a reset can be effected via the serial console. What's possible varies with the model, firmware, manufacture date etc.


The Hikvision tftp updater can't be used because it has a filesize limit of 32MB.
The Scott Lamb Python2 clone gets round this.
github.com

GitHub - scottlamb/hikvision-tftpd: Unbrick a Hikvision device (NVR or camera) via TFTP

Unbrick a Hikvision device (NVR or camera) via TFTP - scottlamb/hikvision-tftpd
github.com github.com


When you interrupt the bootloader with Control-U, do you get the firmware update dialogue?
Usually, when a firmware update is done here it also wipes the configuration and sets the device to 'Inactive' after which yo 'Activate' it by creating your own password.

Also - at the upgrade dialogue, you should be able to exit to the bootloader command line using the 'b' command.
Although on some bootloader versions, Hikvision have obscured the usual commands to see/change variables and commands, check if
printenv
help
setenv ';printenv'
setenv ';help'
work.
Sometimes there is an 'erase' command that will wipe the configuration, either at the bootloader, or the higher-level menu.
Example :
* edit * But don't do this if you don't know the partition layout or you could trash the device.


Suggestion :
Capture the bootloader commands and environment variables, post here, and maybe something can be suggested.
Click to expand...
Well that's the thing - when I interrupt bootloader I have nothing, just bare shell line with no commands working there unfortunately.
Also as I said when I tried to ping 192.0.0.48 it never shows up as this so I'm a bit lost
 
Last edited:
Just went to console again, that's what i can see with your posted commands:
U-Boot 2010.06-svn48500 (Mar 04 2021 - 20:49:51)

Hit ctrl+u to stop autoboot: 0
HKVS $ help
HKVS $ printenv
HKVS $ setenv ';printenv'
bootcmd=tftp 0x42000000 $(bootfile);bootm 0x42000000;
bootdelay=1
baudrate=115200
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
ver=U-Boot 2010.06-svn48500 (Mar 04 2021 - 20:49:51)
hik_ver=verison V2.0-57808-48500 (build 20210304205018 lifengfeng)
passwd=zXJA2EQF31euwAX0QZf7xMC3VJarH42guauFo28wh9U=
stdin=serial
stdout=serial
stderr=serial
phyaddr1=7
mdio_intf=rgmii
ethaddr=24:28:fd:02:24:00
sec=tftp 0x42000000 Ky2015-1-H3536-uImage_sec;bootm 0x42000000;
default=y2mount /nand;y2rdm /nand/uImage 0x42000000;
verify=n
tftpblocksize=8192
bootargs=mem=1148M console=ttyS0,115200n8 auth=1

Environment size: 639/524284 bytes
HKVS $ setenv ';help'
? - alias for 'help'
bootm - boot application image from memory
ddr - ddr training function
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftp - tftp - download or upload image via network using TFTP protocol
version - print monitor version
Click to expand...


TFTP seems to be requesting uImage file:


TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Download Filename 'uImage'.
Download to address: 0x40008000
Downloading: *
Click to expand...
I'm not sure how this bit works now, is it part of the firmware only that is extracted from dav file or is it looking for boot loader file only or something? Any clues?
 
Last edited:
Just another update, i have tried command that i made up:
setenv ';tftp digicap.dav'
it did download the whole file, it did reboot after, but nothing has changed regarding settings or password, goes straight back to original camera view without password
Firmware file i have downloaded for DS-7616NXI-I2/16P/S(C) as this is underneath the NVR on the label from Hik page.

Currently there's V4.40.806 there according to SADP app.

TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Download Filename 'digicap.dav'.
Download to address: 0x40008000
Downloading: #################################################
done
Bytes transferred = 162998300 (9b7281c hex)
MAC: 24-28-FD-02-24-00
data abort
pc : [<4dc02404>] lr : [<430054f0>]
sp : 4d7fed74 ip : 4d7fed54 fp : 00000000
r10: 00000000 r9 : 4d7fee65 r8 : 4d7fffe0
r7 : 4dc42dd0 r6 : 4dc3812b r5 : 430116f4 r4 : 00000002
r3 : 00000001 r2 : 00000000 r1 : 00000002 r0 : 600001d3
Flags: nZCv IRQs off FIQs off Mode SVC_32
Resetting CPU ...

resetting ...


U-Boot 2010.06-svn48500 (Mar 04 2021 - 20:49:51)

Hit ctrl+u to stop autoboot: 0
Mounting yaffs2 mount point/partnum: nand/0
Configures yaffs mount nand success!
Copy /nand/uImage to 0x42000000... [DONE]
Verifying RSA ... OK
## Booting kernel from Legacy Image at 42000000 ...
Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
[ 0.000000] need to Authorization
[ 3.338153] init(1) called reboot syscall, cmd: 0x0.
[ 7.292483] libphy: 1:07 - Link is Up - 1000/Full
Click to expand...


1752493588599.png
 
Last edited:
This command doesn't do anything unfortunately :(

on the first attempt it kind of started to boot after it? but then it started to beep back on camera preview screen, then repeated it doesn't do anything.

1752530861868.png
 

Attachments

  • 1752530761144.png
    1752530761144.png
    3.3 KB · Views: 0
I've managed to boot it fully, then go back to it and start it again, it does respond to pings on 192.0.0.64 but it's not trying to pull anything from TFTP
1752532012237.png

It's stuck on these while responding to pings:
1752532037411.png
 
Ok, after numerous of attempts and time spent on it i have managed to flash it!
1752537126038.png
For some reason, when it went to pdate it was not showing any progress in serial console. Also, after turning on and starting to respond to pings, it didn't try to pull firmware straight away! I just left it for a while, I came back and noticed it has tried but failed. I have left it for even more time, done 2-3 reboots, restarted update command and at some point it did pull whole firmware using TFTPD, flash it, then it took about 5-10 minutes for first boot and boom - status inactive!

Thank you very much for your suggestions and patience! Now time to look into power supply if i can actually fix it.
Just need to find out a few bits and bobs as it looks a bit different to my current NVR, but i'll get there :)
 
  • Like
Reactions: alastairstevenson
You must log in or register to reply here.
Top Bottom