Hikvision camera admin password reset tool

kbarb

n3wb
Joined
Aug 25, 2014
Messages
8
Reaction score
2
I think alastairstevenson is going to be the best guide here as he's probably more familiar with Hikvision on a daily basis.

Still, a couple questions . . . .

For the NVR, isn't there some kind of ID plate on the physical box itself, identifying what it is ? Some kind of model number ?
If you Google for NVR328, you do get some hits including :
Maxtec NVR328 (cached, as their system is under maintenance).
Perhaps you could post a photo of it.

When you say, "I have full access to the system", you mean, using the IOS app - to access the NVR ?
Or something else.
It'd be nice if you could plug your laptop directly into the NVR, via USB or ethernet.

But you are saying the alarm company " . . . took a look at the UI " and "Clicking through the system" - so how is that happening ? Using a keyboard and monitor attached to the NVR ?
If so, can't you change settings via that route ? Or that's where you need an admin password.
Remember we are not there to see what you're doing so you need to make things clear.

Worse comes to worse, I suppose you could reset the whole system, getting a default login and password, and set it all up again.
I'd not like to do that unless I knew what I was working with, so as to know what the defaults are going to be.
Plus you'll also need access to the cameras themselves, which you hopefully will get following along with alastairstevenson.
But I know a total reset is not what you're hoping to do.
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
I need to buy an ethernet adaptor for my laptop
Ideal with a wired connection as opposed to WiFi, however you might still be able to gather some potentially useful info on the system the could determine the way forward :

With the laptop on WiFi as normal, start SADP.
This presumably will just show you the NVR itself.
At the NVR, disconnect the ethernet cable that connects to the LAN port (the one by itself), and connect it in to an unused NVR PoE port.
If there isn't a free one, temporarily disconnect a camera.
Use the 'Refresh' button in SADP, hopefully the cameras and NVR will appear, so you can see and screenshot the models, IP addresses and the firmware versions.
Reconnect the ethernet cable to the NVR LAN port.
 

m41k

n3wb
Joined
Jul 20, 2021
Messages
5
Reaction score
1
Location
Canada
Thanks Kbarb and alastairstevenson.

Kbarb:

But you are saying the alarm company " . . . took a look at the UI " and "Clicking through the system" - so how is that happening ? Using a keyboard and monitor attached to the NVR ?
If so, can't you change settings via that route ? Or that's where you need an admin password.


--> yes that is correct. I have a monitor and mouse hooked up to it. Keyboard is onscreen. I have full access to it and can change camera settings, export files etc. I don't think there are any restrictions on the system based on what I see and what I can do. Thing is, I unlock it with a password pattern. With that I have full access, however if I'd try to change the admin password (which is different to the unlock sequence) the password that the previous owner gave me doesn't work.

So in Summary, system works totally fine, can access cameras - only thing I need is a way to reset admin password. If looking at the Hikvision App is any indication, I seem to need this exact admin/password combination to tie the cameras into the app as well.

@alastairstevenson
I managed to export a config file directly through the system. It gave me a bin file, I've attached it below.

Cheers,
Mike
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
I managed to export a config file directly through the system. It gave me a bin file, I've attached it below.
Unfortunately, I can't do anything with that file as they are also encoded with data that's specific to the NVR it was exported from.

Did you manage to see the camera firmware versions with SADP when the ethernet cable going to the NVR LAN port was temporarily moved to an NVR PoE port instead?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
Unfortunately, I can't do anything with that file as they are also encoded with data that's specific to the NVR it was exported from.
Actually - I take this assertion back. That's a camera config export as opposed to an NVR config export.
On this slightly older firmware, the camera config detail can be decrypted, it pre-dates some improvements Hikvision made.
It's likely that the camera admin password is the same as the NVR admin password.
That was the original default result under 'Plug&Play' activation.

For the cameras, the admin password is :
big_badmin12345

Try that on the NVR.
With luck it should work.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
This is the XML file.
I'm sorry, but without access to the private Hikvision support service, it's not possible to create the response file to reset the camera.

The data sheet suggests that there is a reset button under the dome, next to the SD card slot.
If there is - keep the button pressed, power on the camera, and hold the button for 30 seconds.
SADP should then show the status as 'Inactive' allowing you to 'Activate' with a new password of your choice.
 

m41k

n3wb
Joined
Jul 20, 2021
Messages
5
Reaction score
1
Location
Canada
Thank you Alastairstevenson - much appreciated and impressive how you managed to extract that!

Unfortunately the NVR doesn't like that password, so will try to get into the system via cables. (still waiting on my cable adaptor or will see if I can borrow a laptop from a friend)

Thank you all for your help!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
Unfortunately the NVR doesn't like that password
Well, that's disappointing, and slightly surprising.
I thought we were on to something there.
But at least it will be the cameras password, if you end up resetting the NVR the cameras will still be able to be connected.
 

m41k

n3wb
Joined
Jul 20, 2021
Messages
5
Reaction score
1
Location
Canada
Hi all,

Apologies for the delay, quick update on where I am at.

Alastair, it seems the cameras like the password you extracted. As mentioned above, it doesn't work for the NVM unfortunately.

That said, I have now managed to get my NVM feed connected through the Guarding Vision app. The NVM is an OEM Hikvision sytem and through the app it was still bound to the previous owner. Luckily the owner was able to unbind his device from the app and his account and I now have the video feed on my phone :)

So to sum it up, I can access the UI on the device itself through an unlock pattern and I can access the feed remotely through the app without having the Admin password. Sooooo... I have everything that I need without requiring the admin password.

Thank you all for your help and advice, much appreciated!
Mike
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
customer requires footage but no admin and old vendor disappear.
A little optimistic - but easy enough to try :

And a common method is to use the tftp updater to apply the same version of firmware as is already in place.
This usually resets the config to factory defaults, but does not erase the data.

Hik no want to help.
Have you tried LTS? It's their re-brand.

If all else fails - an off-the wall method if there is urgency - it's surprising how many forensic tools are out there for reading DVR/NVR HDDs on a Windows PC, even those HDDs that the DVR/NVR has 'formatted'.
Often there are trial versions for limited use.
 

RacerX10

n3wb
Joined
Nov 8, 2021
Messages
2
Reaction score
1
Location
Arkansas
Unfortunately - only the Hikvision support system can generate the reset response file for that reset request.

Presuming this is an NVR with PoE ports - do you by any chance have a Hikvision camera connected that has 5.4.0 or earlier firmware?
If so - the camera configuration file can be extracted using a security vulnerability, and a plaintext password exposed after decryption and decoding.
By default, the camera password is the same as the NVR password.

I'm in the situation you describe. Have 16 cameras that were plugged in to the on-board PoE, but I can't get the password for them. 3 of the 16 cameras are on firmware 5.3.3, and 13 are on 5.4.4. Can I extract the password from one of those 5.3.3 cameras ?

How do I go about doing that ?

Thanks !
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
Can I extract the password from one of those 5.3.3 cameras
Quite likely - that firmware will probably have the 'Hikvision backdoor' vulnerability, depending on the specific model.

Have 16 cameras that were plugged in to the on-board PoE
Are they still connected to NVR PoE ports?

Assuming they are -
Install SADP so that you can inventory the cameras and see some of their detail.

Connect the PC to an unused NVR PoE port, and note down from SADP the cameras IP addresses and the associated firmware versions.
The addresses are likely to be in the range 192.168.254.x
Change the PC IP address to be in the same range, for example 192.168.254.100
In the browser, use this URL to hopefully extract a configuration file :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
replacing the IP address with a selected one from your list.
Maybe do this for each of the firmware versions.

Zip up any extracted configuration files and attach here, I should be able to decrypt and decode them to extract the camera password.
 
Joined
Nov 9, 2021
Messages
2
Reaction score
0
Location
Sweden
Hi alastairstevenson,
I'm trying to get into one of my customers old Hikvision cameras. Could you please have a look in this config-file to see if you could extract any password from it.
 

Attachments

Top