"Grey" market camera, forgotten password

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
v5.4.52 build170572
OK - so that firmware version is just new enough to no longer have the 'Hikvision backdoor' through which the configuration file could have been pulled.

I don't believe that camera model has a reset button.
If not - and as the firmware is I believe just under 32MB filesize - the Hikvision tftp updater if it connects OK will reset the camera to defaults, set it to 'Inactive' so a new password can be set.
Assuming they are not Chinese models running 'hacked to English' firmware.
 

alastairstevenson

they are chinese hacked english versions
Ouch!
So scratch the tftp updater suggestion.
That would either brick them, or turn them to CH menus.

That limits the next move - probably to taking a look at what useful commands if any remain in the bootloader.
For that you'll need -
A serial TTL to USB convertor, such as a PL2303TA-based device.
A 4-pin 1.5mm JST ZH wired connector, usually sold in 10-packs.

When you re-connected to the PoE switch - did the IP address return to an expected value?
 

gazzaman2k

n3wb
Joined
Jun 15, 2021
Messages
12
Reaction score
3
Location
leicester
No, they stayed on the 169.254.98.x or 169.254.115.x ranges. I have that PL2303TA adapter from Arduino programming.
 

gazzaman2k

I've made the TTL cable and have comms in PuTTY. I figured out you have to power the cam separately. I can stop the boot process and I see options for erase bootloaders etc...

What do I do from here? I can't seem to find any firmware for this camera. I've been searching online for hours.
 

alastairstevenson

i can stop the boot process
In the bootloader, use the commands :

printenv
and
help

to show what's available.
Presumably you know that in PuTTY you can use the top left menu to do 'Copy all to clipboard' to paste text into Notepad or similar to save / review / edit / post etc.
 

gazzaman2k

U-Boot 2010.06-277604 (May 04 2017 - 19:53:45)

NAND: 128 MB
Hit Ctrl+u to stop autoboot: 0
HKVS # printenv
bootargs=console=ttyAMA0,115200
bootcmd=loadk
bootdelay=3
baudrate=115200
netmask=255.255.255.0
bootfile="uImage"
ipaddr=192.0.0.64
serverip=192.0.0.128
stdin=serial
stdout=serial
stderr=serial
verify=n
mdio_intf=mii
phy_addr=3
ethaddr=64:db:8b:48:47:c8
ver=U-Boot 2010.06-277604 (May 04 2017 - 19:53:45)

Environment size: 305/262140 bytes
HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
ddr - ddr training function
mii - MII utility commands
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
HKVS #
 

alastairstevenson

If it wasn't a Chinese camera, and given suitable firmware, the update command would be all that's needed.

But that's quite a dumb set of commands remaining in the bootloader.
No flash manipulation commands.

As a slight long shot - try -

setenv bootargs console=ttyAMA0,115200 init=/bin/sh single
saveenv
reset

and see if it boots to a root shell.
 

gazzaman2k

Not much is happening, it just says:

HKVS # setenv bootargs console=ttyAMA0,115200 init=/bin/sh single
Unknown command 'setenv' - try 'help'
 

watchful_ip

Pulling my weight
Joined
Nov 24, 2019
Messages
251
Reaction score
226
Location
london
How about help erase?

erase config may well reset the config.

I don't think update even with Chinese firmware would touch the config (password) on this model.
 

gazzaman2k

It comes up with a few options:


U-Boot 2010.06-277604 (May 04 2017 - 19:53:45)

NAND: 128 MB
Hit Ctrl+u to stop autoboot: 0
HKVS # erase
Please input the erase area,support: erase env/sysflg/sys0/sys1/app0/app1/cfg0/cfg1/log/all
HKVS #
 

alastairstevenson

Excellent! That's going to work ok.
I'd held off suggesting the erase command as the description suggested the target was "all flash except the bootloader" which would have broken a Chinese camera with no valid firmware.
My fingers are crossed ...
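
A hardening-review view of the console session in this thread, added here as an example and not part of any poster's message: it parses a capture assembled from the posts above and reports which bootloader commands that rewrite flash or settings were offered at the serial prompt, and which listed commands the bootloader actually rejected. The `review` function and the keyword grouping in `WRITE_WORDS` are assumptions made for illustration, not vendor documentation.

```python
import re

# Constructed sample: trimmed from the console output posted in this thread.
CAPTURE = """\
Hit Ctrl+u to stop autoboot: 0
HKVS # printenv
bootargs=console=ttyAMA0,115200
bootcmd=loadk
bootdelay=3
verify=n
HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
printenv- print environment variables
saveenv - save environment variables to persistent storage
setenv - set environment variables
HKVS # setenv bootargs console=ttyAMA0,115200 init=/bin/sh single
Unknown command 'setenv' - try 'help'
HKVS #
"""

# Assumption: help descriptions containing these words mark commands that
# rewrite flash or persistent settings (reviewer's grouping, not the vendor's).
WRITE_WORDS = ("erase", "update", "save", "set ")

def review(capture, prompt="HKVS #"):
    env, listed, rejected, section = {}, {}, set(), None
    for line in capture.splitlines():
        if line.startswith(prompt):
            typed = line[len(prompt):].split()
            section = typed[0] if typed else None   # command being answered
        elif m := re.match(r"Unknown command '(\w+)'", line):
            rejected.add(m.group(1))                # listed in help, not usable
        elif section == "printenv" and "=" in line:
            key, _, val = line.partition("=")
            env[key] = val
        elif section == "help" and (m := re.match(r"(\w+)\s*-\s*(.+)", line)):
            listed[m.group(1)] = m.group(2)
    writers = sorted(c for c, d in listed.items()
                     if c not in rejected and any(w in d for w in WRITE_WORDS))
    return {"bootdelay_s": int(env.get("bootdelay", "0")),
            "state_changing": writers,
            "listed_but_rejected": sorted(c for c in rejected if c in listed)}

if __name__ == "__main__":
    print(review(CAPTURE))
```
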
 

gazzaman2k

@alastairstevenson @watchful_ip

Thank you very much, you 2 have been great help. The cams are now inactive and still in English firmware. Still no clue to the password, but now the plug and play works on the NVR, so hopefully they will have adopted the verify key from the NVR.

Brilliant work guys, my mum will be happy when I install these for her at the weekend on her bungalow.

Never thought I'd be PuTTYing into a camera lol. I was looking for reset points all over the PCBs but couldn't find any on these cameras.

Great work, thanks :D
 
Joined
Jun 20, 2021
Messages
5
Reaction score
0
Location
Fort Worth
Hello, I see that this thread covers the exact issue I am having at the moment. My question may already be answered above. If it has been, please disregard the redundancy and put it down to my lack of knowledge. I have an NVR and 11 cameras in my system. I have somehow gotten locked out of my entire system. The only camera that I can access is my doorbell cam. I've been going back and forth with Hikvision for a few weeks now and recently found out that my NVR is a gray market version. Can someone help me get back into it again so I don't have to buy a new system? Mine is in the 4.2 version so I'm hoping it is one that has the backdoor access exploit for getting around the pw lockout. I am pretty green, so if someone could spare the time to help me fix this very expensive paperweight I would be eternally grateful. At this point, to be honest, I would gladly pay somebody to help me. I have a security system installer coming on Thursday to replace the NVR if I can't get to the bottom of it before then. Thanks guys. It's a version 4.16 build and a NR32P if that helps.
 