Alternative way of recovering HikVision NVR password

Pjlord

n3wb
Joined
May 31, 2019
Messages
1
Reaction score
16
Location
Carmel, CA 93923
Hello, I am @Pjlord from Carmel in California, and I am new to this board, but I have been working with a couple HikVision systems for several years now. Hopefully, I posted this in the right forum section.

Recently, I purchased a new home which had a HikVision system with 3 cameras installed. Unfortunately, the original owner could not remember the password. I need to thank @alastairstevenson for his help in troubleshooting this situation. Here are the details:

System setup:
NVR: DS-7604NI-E1/4P running Software Version V3.4.90build 161008
Cameras: 3 X DS-2CD2342WD-I Running V5.4.5build 170124

Of course, HikVision USA refused to help reset the password as they view the system as a gray market one.

I tried many ways to TFTP into the NVR to no avail as it would not take. I did not have the right tools to connect to the serial COM port on the NVR and I could not use the backdoor trick as the firmware was too new on both the cameras and the NVR. There was no way without the password to extract the configuration file from the camera by using this URL in the browser, replacing the IP address as needed: http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Solution:
After trying quite a few things, and a little bit out of desperation, I decided to downgrade the firmware on one of the cameras to a version prior to 5.4.5 using TFTP.

1) I downgraded the firmware on one of the cameras. I used 5.4.4 build 161125
2) I then plugged the camera back into the POE port side of the NVR and relied on the Plug-&-Play mode of the NVR which by default uses the NVR password for the cameras. Effectively I watched with SADP the camera go from inactive to active after being plugged back into the NVR.
3) I then issued the URL command with the right camera IP address to extract the configurationFile: http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
4) @alastairstevenson was then kind enough to help me decrypt the file and extract the camera (and NVR) password.
5) Voila! … NVR password recovered. I then finally re-upgraded the camera firmware to 5.4.5.

I hope this can help others that find themselves in the same predicament I was in with my NVR forgotten password. Of course while it worked for me, use at your own risk as YMMV.

Again, many thanks to @alastairstevenson for his help.

Best!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,962
Reaction score
6,794
Location
Scotland
I hope this can help others that find themselves in the same predicament I was in with my NVR forgotten password
I think this is a brilliant little trick, that could help others who have lost or don't know their NVR password, and credit to @Pjlord for thinking it up.

It's almost like using the camera as a trojan horse to attack the NVR.
Plug an inactive camera that has the Hikvision backdoor vulnerability into an NVR PoE port that's in Plug&Play mode - and the NVR just gives away its password to the camera.
Which can then be tricked into giving up its configuration file, which is readily decrypted and decoded.
So easy and simple when you think about it.
 
Joined
Jul 18, 2018
Messages
3
Reaction score
0
Location
morocco
name : hamada
email : kds.benaamer@gmail.coM
COUNTRY : MOROCCO
COMPANY : RVINFO SARL
PHONE NEMBER :00212666488325
ADDRESS : LA VILLE HAUT KENITRA
TYPE : INSTALLER


s/n : 111115370
software version : v3.4.84 26/6/2017
DSP VERSION : V5.0 17/6/2017
START TIME SADP : 12/6/2019

HELLO
I WANT TO RESET PASSWORD FOR DVR
please


thank you


DS-7208HGHI-F1/N0820171013CCWR111115370WCVU
 


Joined
Jun 9, 2015
Messages
16
Reaction score
8
So assuming I am locked out of my DVR because I forgot my password and I want to perform the trick above to retrieve the config file. I need the IP address of the camera which will not show using the SADP tool. It only shows the DVR IP address. How can I determine my camera IP address so that I can run the trick listed above to extract the config file?

http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,962
Reaction score
6,794
Location
Scotland
I need the IP address of the camera which will not show using the SADP tool.
It will when you connect the PC into an unused NVR PoE port.

The important thing to see from SADP is what firmware version is on the camera.
You need a version of 5.4.0 or earlier, that has the 'Hikvision backdoor'.

Assuming the camera matches that requirement:
The camera will likely be in the 192.168.254.x IP address range.
You need to set the PC IP address to be in the same range, so you can access the camera web GUI, say 192.168.254.100
Then you can use the special URL quoted above, replacing the camera IP address as you have found it in SADP.
 
Joined
Jun 9, 2015
Messages
16
Reaction score
8
Great advice. I never thought of the poe ports as being just another switch. I can't wait to try this.
So one last question. Do you have a link for how to decrypt the config file?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,962
Reaction score
6,794
Location
Scotland
Do you have a link for how to decrypt the config file?
It's not a link - it's from a program from some code I have on my Linux machine.

If you do manage to get the configurationFile - and that does depend on the camera having a vulnerable firmware version - I can decrypt and decode the file if you zip it and attach it here.
 
Joined
Jun 9, 2015
Messages
16
Reaction score
8
Super good. I will definitely send you the file when I get it. My cameras are at least 5 to 6 years old and I have never updated the software, so I think I will have a valid camera to perform this trick.
 
Joined
Jun 9, 2015
Messages
16
Reaction score
8
Ok, initial attempt did not work. I was able to connect my laptop to the back of one of the ports on my NVR. Then I could see the cameras IP.
However, I am wondering where the auth code in the link was generated from and is it different for me. My camera builds are V5.2.0 and 5.2.5
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,306
Reaction score
3,291
Location
United Kingdom
Do you not need the password to get into the cam in the first place to downgrade the firmware or can you simply reset the cam to defaults and get into it that way?

Doesn’t this also mean that there must be another backstory to the cams if by simply plugging the cam into the NVR it is able to talk to it and set a password on the cam?

The above are just my thoughts, don’t have an NVR or Hik cams
 
Joined
Jun 9, 2015
Messages
16
Reaction score
8
OK problem solved. I simply needed to change the IP Address of my laptop to be in the range of the Camera IP's just like you said above.
However, initially the link shown above gave me an XML error message.
So then I simply typed in http://<camera_IP_address>/System/configurationFile without the auth code and it asked me if I wanted to download the config file. It was that easy.
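
Seen from the monitoring side, both request forms used in this thread (with and without the auth parameter) are easy to flag. This is an added example, not code posted by anyone in the thread; it assumes camera traffic passes a proxy or sensor that writes common-log-format lines, and the sample lines and function names are constructed. It reports only the user name decoded from the auth value, never the password part.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (assumption: a proxy or sensor logs these).
SAMPLE_LOG = """\
192.168.254.100 - - [12/Jun/2019:10:01:02 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 48213
192.168.254.100 - - [12/Jun/2019:10:01:09 +0000] "GET /System/configurationFile HTTP/1.1" 200 48213
192.168.254.7 - - [12/Jun/2019:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1034
192.168.254.9 - - [12/Jun/2019:10:03:11 +0000] "GET /index.html?auth=bm90LWNyZWRz HTTP/1.1" 401 0
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def auth_user(value):
    """Return the user name if value is base64 of 'user:password', else None."""
    try:
        # parse_qs turns '+' into a space, so restore it before strict decoding.
        text = base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and non-UTF-8 payloads
        return None
    user, sep, _password = text.partition(":")
    return user if sep and user else None

def scan(log_text):
    """Return (client, path, status, reasons) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        reasons = []
        if url.path.rstrip("/").lower().endswith("/system/configurationfile"):
            reasons.append("config-export-" + ("served" if status == 200 else "attempt"))
        for value in parse_qs(url.query).get("auth", []):
            user = auth_user(value)
            if user:
                reasons.append("auth-in-url:" + user)
        if reasons:
            findings.append((client, url.path, status, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
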
 
Joined
Jun 9, 2015
Messages
16
Reaction score
8
First off, hats off to alastairStevenson for providing so much help. This guy was amazing in helping me find the solution I am about to detail below.

I too forgot my NVR Password and needed to recover it.
This all began after I was contacted by the local Police and told that my cameras may have recorded some very valuable video for a crime in our neighborhood. My cameras had been rolling for 5 years with no major drama except for the part where I forgot the NVR password. Whoops!!!

Specs of my equipment
My NVR was model: DS-7604NI-E1/4P running Software Version V3.4.1build 180723
Camera model: DS-2CD2132F-IS V5.2.0 and DS-2CD2032-I V5.2.5

Because my cameras were older running firmware 5.2.5, I needed to get the 5.3.3 English firmware version in order to make this recovery process work. Also, it was key to make sure the camera's Security State was set back to Inactive.

I was able to find a 5.2.5 firmware version from an old post by WhosLooking.
Older English firmware 5.2.5 digicap.dav file here:
Dropbox - 5.30 Downgrader.rar

I had tried resetting the camera back to the default settings, but this did not work. The NVR still saw the camera as active. I think the process of the NVR reading the camera for the first time and having the camera go from inactive to active is when the NVR dumps its credentials onto the camera's config file.

After talking with alastairStevenson I decided to use AlastairStevenson's brickfixV2 recovery tool to get the camera back on track with its original state of 5.2.5 English firmware and also set the camera back to its original inactive state. Basically this creates an inactive camera as if NEW out of the box.

Do NOT attempt to connect the camera to the NVR until after the 5.3.3 firmware has been loaded onto the camera.
Also, I had to use a separate POE switch in order to complete these steps. I am not sure if there is another way around it.
This is required to communicate between your laptop and your camera while not being connected to the NVR.

BrickFixV2 is located here:
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

So using the BrickFixV2 method I was able to install the 5.2.5 digicap.dav file onto my camera. Basically setting it back to factory new English Firmware. My camera was a Chinese gray market camera, so don't worry if it's not US camera. This process will still work using the 5.2.5 digicap.dav file mentioned above.

The brickfixV2 procedure not only works, it allows you to upgrade the camera with English firmware upgrades.

Then I proceeded to use the TFTP tool to upgrade the firmware to the English 5.3.3 version firmware which I downloaded from the Hikvision USA website.
Firmware

In order for the NVR to download its username and password to the camera, the camera needs to be running firmware version 5.3.3 and the camera's state needs to be inactive. The above steps allowed me to achieve this.

Now you can hook your camera back up to your NVR.
I had to hook my laptop back into one of the POE ports on the NVR.
Then use the SADP tool to read the camera's IP config address.
Then I was able to run the following command to get the config file. http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

After finally getting a good copy of the camera's config file with the NVR password, alastairStevenson was able to decrypt and extract the password for the config file. I was beyond excited that this recovery process worked. Many thanks to alastairStevenson for all of his hard work.

Cheers. I hope this might help someone else.
MuddyWaters
 
Joined
Jul 12, 2019
Messages
1
Reaction score
0
Location
Miami, Florida
Good afternoon, first and foremost, this forum and thread has been extremely helpful and I just want to thank you all!

I have been trying to follow your instructions for a Hikvision OEM camera, model #: NX304-XD, version 5.3.3build 151028. I managed to acquire the configuration file and would like to know how I can proceed with cracking the password. I know the backdoor works with this firmware but I want to extract the current password, to see if they are uniform across all others.

To give a little background as to what I am doing, we are replacing OEM NVRs with Hikvision ones but multiple cameras had their passwords changed and no one knows them. All those are either 5.4.5 or 5.5.3 and cannot crack the password using the backdoor fix. Currently, the camera I have the configuration file for is not on the NVR, as I am no longer on-site but wanted to test with one beforehand, to see if this is something we can do. Needless to say, getting the NVR password would be very beneficial as well.

Again, thank you for the knowledge and for any assistance.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,962
Reaction score
6,794
Location
Scotland
I managed to acquire the configuration file and would like to know how I can proceed with cracking the password.
Well done for extracting the configuration file (In conversations ...) - unfortunately it's the first one that has not succumbed to the decryption and decoding method that has worked for the tens of other files I've managed to process.
I can only assume there is a different encryption key in those OEM cameras.

Is there any way you can use an R0 camera (with firmware of 5.3.0 to older than 5.4.5) to hook up to the NVR?
These have been proven to work well with this method.
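
For anyone auditing their own cameras against the firmware range discussed in this thread, a small inventory check follows. It is an added example, not code from any poster; the cut-off of 5.4.5 is an assumption taken from the posts above (the trick failed on 5.4.5 and worked on 5.4.4), and the inventory list and the names cam-05 and cam-06 are constructed.

```python
import re

# Assumption from the thread: the config-file trick failed on 5.4.5 and worked on 5.4.4.
FIRST_UNAFFECTED = (5, 4, 5)

# Accepts the version spellings seen in the thread:
# "V5.4.5build 170124", "5.4.4 build 161125", "v5.4.3_160902", "V5.2.0".
VERSION = re.compile(r"[Vv]?(\d+)\.(\d+)\.(\d+)(?:\s*build\s*|_)?(\d{6})?")

# Constructed inventory; version strings reuse formats quoted in the thread.
INVENTORY = [
    ("DS-2CD2342WD-I", "V5.4.5build 170124"),
    ("DS-2CD2132F-IS", "V5.2.0"),
    ("DS-2CD2032-I", "V5.2.5"),
    ("NX304-XD", "5.3.3build 151028"),
    ("cam-05", "v5.4.3_160902"),
    ("cam-06", "unknown"),
]

def parse_firmware(text):
    """Return ((major, minor, patch), build_or_None), or None if unparseable."""
    m = VERSION.search(text)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3)), m.group(4)

def audit(inventory, first_unaffected=FIRST_UNAFFECTED):
    """Classify each camera as 'upgrade', 'ok' or 'check-manually'."""
    report = {}
    for name, firmware in inventory:
        parsed = parse_firmware(firmware)
        if parsed is None:
            report[name] = "check-manually"   # never assume an unknown version is safe
        elif parsed[0] < first_unaffected:
            report[name] = "upgrade"          # falls in the range the thread exploited
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name:16} {verdict}")
```
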
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,962
Reaction score
6,794
Location
Scotland
unfortunately it's the first one that has not succumbed to the decryption and decoding method that has worked for the tens of other files I've managed to process.
But - on looking closely at the extracted configuration file - there are an extra 2 bytes on the head of the file, which invalidates the required block alignment of the OpenSSL AES128 decryption algorithm.
So, when these are removed, the decryption works OK and the password has been successfully extracted!
I'm quite chuffed, as we say here.

An interesting result.
Awaiting confirmation that the extracted password worked OK.
I'm sure it will.
 
Joined
Apr 1, 2014
Messages
1
Reaction score
0
It's not a link - it's from a program from some code I have on my Linux machine.

If you do manage to get the configurationFile - and that does depend on the camera having a vulnerable firmware version - I can decrypt and decode the file if you zip it and attach it here.
Hello Alastair, attached is the zipped config file from firmware 5.3.0, please let me know the password, thank you in advance.
 


superkp

n3wb
Joined
Aug 8, 2019
Messages
9
Reaction score
0
Location
tyne and wear
I can borrow a camera with software version v5.4.3_160902.
Would this be suitable to grab the password?
 