Alternative way of recovering HikVision NVR password

[alastairstevenson]

Do they fall back to this state if I reset the NVR?

No, they will just carry on as normal - but the NVR won't connect to them if the camera admin password no longer matches the NVR PoE channel password defined for the camera. If you reset the NVR to set a new password, the original camera password will be lost so the cameras will need to be reset as well.

The cameras are really inaccessible so I'd prefer a method that doesn't involve me having to climb onto roofs or use a cherry picker(!) to physically reset them. Can I put them into a 'receive firmware over TFPT' mode remotely?

In theory, and usually in practice, they can be reset to defaults by using the same tftp updater method as should work for the NVR.
The caveat though is that to maximise the chances of success (ie connecting via the tftp updater handshake) the cameras should be powered by 12v as opposed to PoE, and not be directly connected to the PC, each should be hooked up to a switch port.
If 12v power isn't possible - then PoE can be tried, even on the NVR, if it works, well and good.
How are the LAN-connected cameras powered?

 

[16710]

Unfortunately they're all PoE.

I do have PoE injectors for other purposes so I could connect the cameras to those if eliminating the NVR's PoE supply is needed at some point in the process, but it'll be hard to give them a true 12V supply.

 

[16710]

I'm sorry if this is a stupid question but having read the tftp guide I don't understand how I can use the tftp method without somehow first resetting the devices. If I simply reboot them (eg remove their PoE source then re-apply it) will they search for a tftp server as part of the boot sequence?

Thanks again for your help.

 

[alastairstevenson]

If I simply reboot them (eg remove their PoE source then re-apply it) will they search for a tftp server as part of the boot sequence?

Yes, that's exactly what happens.
Historically, after power-on the bootloader temporarily sets the NVR or camera IP address to 192.0.0.64 and sends out a UDP broadcast packet on specific ports with destination 192.0.0.128
The tftp updater on 192.0.0.128 listens for that specific packet and on receipt sends a specific response packet.
This completes the handshake, and the tftp protocol is then used to transfer the digicap.dav firmware file to the NVR or camera to unpack, validate and install.

Hikvision removed their tftp updater from their public websites quite a few years ago, but the code that makes use of it generally, but not always these days, still exists in the device bootloaders.
But the method is still widely used, especially as the process generally includes a step to wipe the device configuration back to default values.
The target IP address is defined by a bootloader environment variable, and is sometimes set to 192.168.1.128

 

[16710]

Right! Ok, that makes perfect sense, thank you. I think I'll have to go that route.

 

[16710]

Thank you again, Alastair. I finally got time to spend on this today and it all worked flawlessly thanks to your advice and to Scott Lamb's neat python tftp server. I only had to retry one of the cameras as I'd carelessly left the tftp server running too long; other than that the NVR and the cameras all worked first time. I did the NVR with my laptop connected directly to the 'LAN' port on the back of the NVR (not a PoE socket) and the cameras were done using a non-PoE switch to which I connected my laptop and a PoE injector which was powering/connecting the camera.

A quick note for anyone coming across this post in future: the cameras that were connected directly to the NVR were were using 192.0.0.128 as their desired TFTP server and those connected via the LAN were using 192.168.1.128. 192.168.1.x is the range that my local DHCP server uses so they would have had addresses in this range before I started rebooting them, so perhaps that had confused them somehow. Best to verify using tcpdump (or Wireshark if you're on Windows) before blindly running the tftp server.

Anyway, I now have a functional NVR and 5 cameras over which I have full control. Success!

edit: One other note for any future searchers. The cameras connected directly to the NVR's PoE ports detected and were adopted by the NVR automatically. The cameras that are connected via the LAN would not do so and, although the NVR had detected them on the network, if I tried to add them I would receive a 'No more IP cameras allowed' error. To get round this you can add the cameras manually using their IP addresses.

 

[alastairstevenson]

I finally got time to spend on this today and it all worked flawlessly

That's really good to hear!
Always nice to get a good result, well done indeed!

And thanks for sharing your experience, that will for sure help others who face a similar situation.

 

[njarecki]

Hi guys, can't reset my NVR, no response from hikvision. can any of you fine folks please help me either find the password or export a recovery for me? Config file attached. would greatly appreciate thank you.
nick
nick@greenroomfilms.net

 

[bluebear911]

Hey guys,
Can anyone help me to decrypt the attached file so I can my camera UP again?
Thank a lot !
Please send the PW in private if possible.

 

[iTuneDVR]

Hey guys,
Can anyone help me to decrypt the attached file so I can my camera UP again?
Thank a lot !
Please send the PW in private if possible.

No one can.
What about common support?
support@hikvision.com
If firmware version contain vuln, so use script ...
This file for support & try not reset your ipc...

 

[bluebear911]

Hi @iTuneDVR
Already sent email to support@hik.... still waiting for an answer (if there will be one....)
Thanks

 

[alastairstevenson]

Can anyone help me to decrypt the attached file so I can my camera UP again?

What's the firmware version of the camera? Check with SADP.

 

[trempa92]

What's the firmware version of the camera? Check with SADP.

Funny how 4MP of this model got reset button while 2MP does not. Its only model i encountered this. And yes RCE might work on it with paramReset function executed in shell

 

[bugmenot01]

My name is Colin. I hope there is someone that is still able to help me as this tread is a bit dated.

I moved into a Condo that had 8 cameras installed quite a while ago. The system seems to be still working but unfortunate the admin password died with the former president of the condo. The NVR is a TruVision 10s but I think it might be a Hikvision under the hood. In reading some of this tread, I have managed to obtain the configurationFile from two of the cameras. Can you provide me the password from them? File attached.

Thanks in advance.

Colin

 

[Oleglevsha]

My name is Colin. I hope there is someone that is still able to help me as this tread is a bit dated.

I moved into a Condo that had 8 cameras installed quite a while ago. The system seems to be still working but unfortunate the admin password died with the former president of the condo. The NVR is a TruVision 10s but I think it might be a Hikvision under the hood. In reading some of this tread, I have managed to obtain the configurationFile from two of the cameras. Can you provide me the password from them? File attached.

Thanks in advance.

Colin

админ 1234` х

You can decrypt the configuration file yourself, you need to use the form on the website Видеонаблюдение в Волгограде - продажа, монтаж, ремонт, обслуживание
In your case, this is method 3
Link to the page on the website

 

[bugmenot01]

админ 1234` х

You can decrypt the configuration file yourself, you need to use the form on the website Видеонаблюдение в Волгограде - продажа, монтаж, ремонт, обслуживание
In your case, this is method 3
Link to the page on the website

Thanks for the link. I'll give it a try.

Colin

 

[alastairstevenson]

Thanks for the link. I'll give it a try.

@Oleglevsha already supplied the extracted password - 1234

 

[bugmenot01]

@Oleglevsha already supplied the extracted password - 1234

Sorry, I didn't realize that 1234 was the extracted password.

I have tried that password on the NVR but it doesn't work. Also tried 12345. I have logged into one of the cameras with 1234 password and tried a reset on it, hoping that it would convince the NVR to give up the password. But now it doesn't respond to the NVR. I know the camera is still working because when I shut the room light down, I see the IR Leds come on.

I'm going to try a packet sniffer on the camera to see if I can figure out what's going on.

 

[alastairstevenson]

I have tried that password on the NVR but it doesn't work.

What's the firmware version of the camera that was presumably 'Inactive' when you connected it to the NVR PoE port and the NVR 'Activated' it?

 

[bugmenot01]

What's the firmware version of the camera that was presumably 'Inactive' when you connected it to the NVR PoE port and the NVR 'Activated' it?

The firmware on the camera is V3.0 FP10.

I just managed to get the camera back working. It is a Interlogix TVW-5305. I took it off the wall when it stopped responding. The reason I could get into the camera was because the default admin password was left on this one. (1234) So I did a factory reset to see if I could get the NVR to give up the password. Didn't work.

When I reset the camera to factory, it assigns a static IP to 192.168.1.70. Had to re-assign it to what the NVR was expecting. I pulled the config file from the camera after but it still hasn't revealed the NVR password.

I found a PC in the office that has the TruVision Navigator software still working for the NVR. In looking at the software, I can see the password is probably 11 characters (***) long. I pulled a backup DB file and imported onto a second computer and the cameras display on the second computer. So I now know that the DB file contains the password for the NVR. Loaded the DB into SQLite and see the user and password, it is hashed in the database.

I put a Throwing Star with a packet sniffer on the port into the NVR and it appears the user name is clear text but the password is hashed there too. I expected as much but it was worth a try.