Alternative way of recovering HikVision NVR password

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,289
Reaction score
6,139
Location
Scotland
Do they fall back to this state if I reset the NVR?
No, they will just carry on as normal - but the NVR won't connect to them if the camera admin password no longer matches the NVR PoE channel password defined for the camera. If you reset the NVR to set a new password, the original camera password will be lost so the cameras will need to be reset as well.

The cameras are really inaccessible so I'd prefer a method that doesn't involve me having to climb onto roofs or use a cherry picker(!) to physically reset them. Can I put them into a 'receive firmware over TFPT' mode remotely?
In theory, and usually in practice, they can be reset to defaults by using the same tftp updater method as should work for the NVR.
The caveat though is that to maximise the chances of success (ie connecting via the tftp updater handshake) the cameras should be powered by 12v as opposed to PoE, and not be directly connected to the PC, each should be hooked up to a switch port.
If 12v power isn't possible - then PoE can be tried, even on the NVR, if it works, well and good.
How are the LAN-connected cameras powered?
 

16710

n3wb
Joined
May 11, 2022
Messages
6
Reaction score
2
Location
UK
Unfortunately they're all PoE.

I do have PoE injectors for other purposes so I could connect the cameras to those if eliminating the NVR's PoE supply is needed at some point in the process, but it'll be hard to give them a true 12V supply.
 

16710

n3wb
Joined
May 11, 2022
Messages
6
Reaction score
2
Location
UK
I'm sorry if this is a stupid question but having read the tftp guide I don't understand how I can use the tftp method without somehow first resetting the devices. If I simply reboot them (eg remove their PoE source then re-apply it) will they search for a tftp server as part of the boot sequence?

Thanks again for your help.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,289
Reaction score
6,139
Location
Scotland
If I simply reboot them (eg remove their PoE source then re-apply it) will they search for a tftp server as part of the boot sequence?
Yes, that's exactly what happens.
Historically, after power-on the bootloader temporarily sets the NVR or camera IP address to 192.0.0.64 and sends out a UDP broadcast packet on specific ports with destination 192.0.0.128
The tftp updater on 192.0.0.128 listens for that specific packet and on receipt sends a specific response packet.
This completes the handshake, and the tftp protocol is then used to transfer the digicap.dav firmware file to the NVR or camera to unpack, validate and install.

Hikvision removed their tftp updater from their public websites quite a few years ago, but the code that makes use of it generally, but not always these days, still exists in the device bootloaders.
But the method is still widely used, especially as the process generally includes a step to wipe the device configuration back to default values.
The target IP address is defined by a bootloader environment variable, and is sometimes set to 192.168.1.128
 

16710

n3wb
Joined
May 11, 2022
Messages
6
Reaction score
2
Location
UK
Thank you again, Alastair. I finally got time to spend on this today and it all worked flawlessly thanks to your advice and to Scott Lamb's neat python tftp server. I only had to retry one of the cameras as I'd carelessly left the tftp server running too long; other than that the NVR and the cameras all worked first time. I did the NVR with my laptop connected directly to the 'LAN' port on the back of the NVR (not a PoE socket) and the cameras were done using a non-PoE switch to which I connected my laptop and a PoE injector which was powering/connecting the camera.

A quick note for anyone coming across this post in future: the cameras that were connected directly to the NVR were were using 192.0.0.128 as their desired TFTP server and those connected via the LAN were using 192.168.1.128. 192.168.1.x is the range that my local DHCP server uses so they would have had addresses in this range before I started rebooting them, so perhaps that had confused them somehow. Best to verify using tcpdump (or Wireshark if you're on Windows) before blindly running the tftp server.

Anyway, I now have a functional NVR and 5 cameras over which I have full control. Success!

edit: One other note for any future searchers. The cameras connected directly to the NVR's PoE ports detected and were adopted by the NVR automatically. The cameras that are connected via the LAN would not do so and, although the NVR had detected them on the network, if I tried to add them I would receive a 'No more IP cameras allowed' error. To get round this you can add the cameras manually using their IP addresses.
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,289
Reaction score
6,139
Location
Scotland
I finally got time to spend on this today and it all worked flawlessly
That's really good to hear!
Always nice to get a good result, well done indeed!

And thanks for sharing your experience, that will for sure help others who face a similar situation.
 
Top