Hikvision - Clearing Passwords and/or Loading Firmware via TTL Serial

facar04

n3wb
Joined
Dec 2, 2020
Messages
10
Reaction score
0
Location
Santa Fe Springs, California
It does look like you have the correct items.

As a test of the PuTTY configuration, connect the USB convertor to the null model cable and at the female end of the cable, the end that you would connect to the NVR, use a small piece of wire, or a paper clip or similar to join pin 2 to pin 3.
Then see what happens on the PuTTY window when you type some characters at the PC.

Do you have a link to where USB convertor and the null modem cable were purchased?
Here are the two links:



Ty
 
As an Amazon Associate IPCamTalk earns from qualifying purchases.

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Those look ok.
Looking at the detail in your USB convertor link - it looks like it's already wired for a null modem type of connection.
So - try connecting it directly into the NVR without using the null modem cable.
 

facar04

n3wb
Joined
Dec 2, 2020
Messages
10
Reaction score
0
Location
Santa Fe Springs, California
Those look ok.
Looking at the detail in your USB convertor link - it looks like it's already wired for a null modem type of connection.
So - try connecting it directly into the NVR without using the null modem cable.
I have tried all the possible combinations with the different cables that I have, direct etc...getting the same result of a black screen in Putty.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Try connecting pins 2 and 3 together and see if the characters that you type appear on the screen.
That will confirm that the convertor and PuTTY are working ok.
 

facar04

n3wb
Joined
Dec 2, 2020
Messages
10
Reaction score
0
Location
Santa Fe Springs, California
Try connecting pins 2 and 3 together and see if the characters that you type appear on the screen.
That will confirm that the convertor and PuTTY are working ok.
Hi, alastairstevenson

Ok, I did what you tell me (pins 2 and 3 together) using only this cable (photo) allows to type characters (Putty), that means this cable has Cord Cross TX RX line for data?
Supposedly I should only use this cable for this process?
Anyway, I had already tried and it didn't work, I keep trying...
Any other suggestions? or is this just passed away?
That red light on the motherboard is normal? (Photo)
Any other type of communication discarding ethernet And RS232 to make communication on this motherboard?

Thank you very much for your time and suggestions.
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
The idea of connecting 2 and 3 together and seeing if characters you type are repeated is to confirm that the PC and PuTTY is working ok.
It seems like it is, so the problem must be with the NVR.
 

jmb

n3wb
Joined
Jun 12, 2019
Messages
1
Reaction score
0
Location
Euro
Yes, the original data is held in the flash partition.
And devCfg.lzma may be encrypted in that firmware version.

Suggestion :
Check if the DVR has a tftp command by using the command 'tftp'
If so, install a tftp server on the PC.
Such as the 32bit version of this :

Then try this command, using the PC IP address -
tftp -p -l devCfg.lzma <PC_IP_address>

Also - again I'm not familiar with that DVR, so guessing here - try the commands -
ded -d devCfg.lzma cfgtemp
tftp -p -l cfgtemp <PC_IP_address>

And in the unlikely event that it works, zip up the files that transferred to the tftp folder and attach here.
Besides the 'ded' command, you can try 'unlzma'.
Inside BusyBox.
 

gregbendes

n3wb
Joined
Feb 16, 2021
Messages
3
Reaction score
0
Location
Hungary
Hey guys,

I have a similar situation to the others before me, I got a DVR with a password protection, and I'd like to reset it.

I've managed to connect to the TTL serial, so I can see the console and write to it, however, if I interrupt it at boot, it will just give me the basic commands like printenv and such, and the tftp transfer keeps timing out, so I'm not sure what else to do.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
tftp transfer keeps timing out, so I'm not sure what else to do.
That may be due to a network configuration.

At the bootloader :
Please show the result of using printenv, the IP address of the PC, and specify what tftp server you are using.
Also the result of using the help command.
To make it easy for us and you, use the 'code' tags in the menu bar in the post to paste in the text from the serial terminal (PuTTY?).

What firmware are you attempting to load?
Is it the same firmware as is already installed, confirmed by SADP?
 

gregbendes

n3wb
Joined
Feb 16, 2021
Messages
3
Reaction score
0
Location
Hungary
That may be due to a network configuration.

At the bootloader :
Please show the result of using printenv, the IP address of the PC, and specify what tftp server you are using.
Also the result of using the help command.
To make it easy for us and you, use the 'code' tags in the menu bar in the post to paste in the text from the serial terminal (PuTTY?).

What firmware are you attempting to load?
Is it the same firmware as is already installed, confirmed by SADP?

Sorry for being rather short yesterday, I was a bit tired and stressed out at the end of the day about not being able to solve the issue at the proverbial "finish line".

My device is a TechSon TC-DVR SS3004AHD - this is a Hungarian brand that knocks off Chinese brands, so I'm not surprised that it has a Hikvision-like hardware inside.
A previous flat owner left it at a rented flat, so it doesn't really matter if I cannot get it to work (the 1TB WD Purple is ultimately still valuable), but you know, it would be nice if I could.
Being a 30-something programmer (previously back-end, now front-end developer) by trade who also dabbles with Arduino from time to time, this looked like a cool challenge.

The device boots up nicely, but it is password-protected and I've tried a couple of the common passwords (like 000000, 666666, 123456, "password" and such) to no avail.
I've attached pictures of the inside, so you can see the hardware as well as the writing at the back of the device, which I suppose means that it had version 3.4.4.U of the firmware initially, and then later it got upgraded to 3.4.5U.
After soldering some pins to the UART and a bit of playing around, I've successfully connected my FTDI232, so I can read and write to the console using PuTTY.

If I don't interrupt the device, after booting up, it asks for a login user and password (also tried things, no luck)

If I interrupt the boot sequence, I have a "hisilicon" prompt with a set of u-boot commands:

Code:
U-Boot 2010.06 (Jun 19 2014 - 11:30:32)



DRAM:  256 MiB

Check spi flash controller v300. found

Spi(cs1) ID: 0x01 0x20 0x18 0x03 0x01 0x00

Spi(cs1): Block:64KB Chip:16MB Name:"S25FL128P-1"

In:    serial

Out:   serial

Err:   serial

current hi352xx version 201406191112

current used param offset 11111111111111111

current do_check_flash_boot_param

current prod net 100m

init gpio led setting

dev 0 set background color!

dev 2 set background color!

dev 0 opened!

dev 2 opened!

jpeg decoding ...

<<addr=0x80080000, size=0xae14, vobuf=0x8fd00000>>

mmu_enable

<<imgwidth=480, imgheight=320, linebytes=960>>

decode success!!!!

dev 0 set background color!

dev 2 set background color!

dev 0 opened!

vo hd 0 end

dev 2 opened!

vo cvbs end

graphic layer 0 opened!

graphic layer 2 opened!

USB:   scanning bus for devices... 2 USB Device(s) found

0 Storage Device(s) found

judge ddr init

user init finish.

Hit any key to stop autoboot:  0

hisilicon #

hisilicon # help

?       - alias for 'help'

base    - print or set address offset

bootm   - boot application image from memory

bootp   - boot image via network using BOOTP/TFTP protocol

cmp     - memory compare

cp      - memory copy

crc32   - checksum calculation

decjpg  - jpgd   - decode jpeg picture.



ext2load- load binary file from a Ext2 filesystem

ext2ls  - list files in a directory (default /)

fatinfo - print information about filesystem

fatload - load binary file from a dos filesystem

fatls   - list files in a directory (default /)

getinfo - print hardware information

go      - start application at address 'addr'

help    - print command description/usage

loadb   - load binary file over serial line (kermit mode)

loady   - load binary file over serial line (ymodem mode)

loop    - infinite loop on address range

md      - memory display

mii     - MII utility commands

mm      - memory modify (auto-incrementing address)

mtest   - simple RAM read/write test

mw      - memory write (fill)

nm      - memory modify (constant address)

ping    - send ICMP ECHO_REQUEST to network host

printenv- print environment variables

rarpboot- boot image via network using RARP/TFTP protocol

reset   - Perform RESET of the CPU

saveenv - save environment variables to persistent storage

setenv  - set environment variables

setvobg - setvobg   - set vo backgroud color.

        - setvobg [dev color]

sf      - SPI flash sub-system

startgx - startgx   - open graphics layer.

        - startgx [layer addr stride x y w h]



startvo - startvo   - open interface of vo device.

        - startvo [dev type sync]

stopgx  - stopgx   - close graphics layer.

        - stopgx [layer]

stopvo  - stopvo   - close interface of vo device.

        - stopvo [dev]

tftp    - tftp  - download or upload image via network using TFTP protocol

usb     - USB sub-system

usbboot - boot from USB device

version - print monitor version

hisilicon #
Printenv displays the following:

Code:
hisilicon # printenv

baudrate=115200

ethaddr=00:00:23:34:45:66

bootfile="uImage"

bootcmd=sf probe 0;sf read 0x82000000 0x0C0000 0x240000;bootm 0x82000000

phyintfx=1

auversion=2

auversion0=53a259c3

auversion1=52143d1c

bootargs=mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs)

auversion2=55e66f47

bootdelay=3

ipaddr=192.168.2.123

serverip=192.168.2.2

netmask=255.255.254.0

stdin=serial

stdout=serial

stderr=serial

verify=n

jpeg_addr=0x80080000

jpeg_size=0xae14

vobuf=0x8fd00000

ver=U-Boot 2010.06 (Jun 19 2014 - 11:30:32)



Environment size: 619/131068 bytes
I have tftpd64 running on a windows machine that I've set up as a tftp server on my local network (192.168.2.x), and I've already set my computer's IP address is for the serverip variable and a random IP for ipaddr.
If I have a uImage file, it starts downloading when I run tftp, but it times out about halfway. I've also added a screenshot of my tftp server settings to this post.

I've run SADP on my network but sadly, no luck there either, it doesn't show any devices, I'm not sure why, probably because it's not exactly a Hikvision hardware?

If you could help me identifying the correct firmware that I should use to reset this device, as well as find out why it times out, that would be great.

Let me know if you need any other info.

Regards,
Greg
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
My device is a TechSon TC-DVR SS3004AHD - this is a Hungarian brand that knocks off Chinese brands, so I'm not surprised that it has a Hikvision-like hardware inside.
I don't believe it's a Hikvision OEM device - especially when seeing the bootloader details.

I've run SADP on my network but sadly, no luck there either, it doesn't show any devices
That's a confirmation it's not Hikvision.

If I have a uImage file, it starts downloading when I run tftp, but it times out about halfway.
These are going to be machine-specific.
Where in memory did you load it to?

this is a Hungarian brand that knocks off Chinese brands,
if so - the firmware may be a bit crude, giving the possibility that the admin password may even be in plaintext in a file in the system.
What's needed is the ability to look around the file system and see how it's organised.

this looked like a cool challenge.
This is just the sort of puzzle that I quite like tackling.
But given what must be a trail and error approach, could be a bit tortuous over this medium.

The device boots up nicely, but it is password-protected
Is this on the serial console, or the web GUI, or both?
It would be interesting to see the full boot log, maybe zip it up and attach as a file as it's usually lengthy.
It would be useful to see the partition layout and the types of file systems in use.

Here are some initial top-level suggestions :

I'd approach gaining access in a couple of ways.
First of all, it's likely that the bootloader can be used to extract a full flash dump.
It does depend though on being able to easily extract it from the device.
Although a memory display (md) would work, it's lengthy and would take many hours.
Easiest would be if tftp can also transfer files out, and not just hardcoded for booting.
A little exploration of the syntax will confirm if it can send files.
For example
tftp 0x82000000 testfile 0x1000

It looks like serial flash commands are available.
If so, try

sf probe 0
sf read 0x82000000 0x0 0x1000000
tftp 0x82000000 allflash.bin 0x1000000

Another option is to make use of the fully booted environment by trying for a root shell.
A common method that may work is to replace the bootargs environment variable with

setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs) init=/bin/sh
saveenv
reset

And see if it boots to a shell.
If so - the bootup will need to be manually completed.
See if
/etc/init.d/rcS
still leaves a root shell.
If not,
cat /etc/init.d/rcS
to examine how rcS completes the initialisation and do the steps manually, avoiding the one that invokes the main app.

The passwords will be held in a configuration area.
The full serial log will likely provides good clues.
The partition names can also help.
For example,
cat /proc/mtd
and
mount
could point to locations.

Good luck!
 

gregbendes

n3wb
Joined
Feb 16, 2021
Messages
3
Reaction score
0
Location
Hungary
I don't believe it's a Hikvision OEM device - especially when seeing the bootloader details.


That's a confirmation it's not Hikvision.


These are going to be machine-specific.
Where in memory did you load it to?


if so - the firmware may be a bit crude, giving the possibility that the admin password may even be in plaintext in a file in the system.
What's needed is the ability to look around the file system and see how it's organised.


This is just the sort of puzzle that I quite like tackling.
But given what must be a trail and error approach, could be a bit tortuous over this medium.


Is this on the serial console, or the web GUI, or both?
It would be interesting to see the full boot log, maybe zip it up and attach as a file as it's usually lengthy.
It would be useful to see the partition layout and the types of file systems in use.

Here are some initial top-level suggestions :

I'd approach gaining access in a couple of ways.
First of all, it's likely that the bootloader can be used to extract a full flash dump.
It does depend though on being able to easily extract it from the device.
Although a memory display (md) would work, it's lengthy and would take many hours.
Easiest would be if tftp can also transfer files out, and not just hardcoded for booting.
A little exploration of the syntax will confirm if it can send files.
For example
tftp 0x82000000 testfile 0x1000

It looks like serial flash commands are available.
If so, try

sf probe 0
sf read 0x82000000 0x0 0x1000000
tftp 0x82000000 allflash.bin 0x1000000

Another option is to make use of the fully booted environment by trying for a root shell.
A common method that may work is to replace the bootargs environment variable with

setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs) init=/bin/sh
saveenv
reset

And see if it boots to a shell.
If so - the bootup will need to be manually completed.
See if
/etc/init.d/rcS
still leaves a root shell.
If not,
cat /etc/init.d/rcS
to examine how rcS completes the initialisation and do the steps manually, avoiding the one that invokes the main app.

The passwords will be held in a configuration area.
The full serial log will likely provides good clues.
The partition names can also help.
For example,
cat /proc/mtd
and
mount
could point to locations.

Good luck!
Let me just tell you that you are amazing!

I've started to quote and reply to your answer line by line, and everything you've written down has worked!

First, the copy via tftp worked and I got the .bin file, although I didn't know what to do with it.

And then I've tried your bootargs change, and it gave me the full root access!

A Hungarian forum I've read previously has mentioned that a very similar product to mine, a TechSon SS3004+ (could be the exact same as my SS3004AHD, who knows) has the password in a config.dat file as plain text under /mnt/mtd/config - but his product didn't ask for a password so he could just look at it.

Based on that information coupled with the root access I had thanks to your bootargs change suggestion, I could successfully look at the config.dat file, where the password was (if you're curious, it was 010203 - duh!).

So I can now successfully log in and use the device, thanks to you!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
First, the copy via tftp worked and I got the .bin file, although I didn't know what to do with it.
It's a full image of the flash contents, it could be split down into the component partitions and the relevant contents unpacked, file systems extracted etc.
Useful for exploring when other access is blocked.
But your direct access to the running system was easier.
 

cloneman

n3wb
Joined
Mar 31, 2021
Messages
6
Reaction score
0
Location
Canada
I got the TTL cable working with putty , and I'm able to type characters in the terminal and see them on screen (during most of the boot process)

But no matter what ctrl+u is not doing anything, I can't stop uboot. I tried to disconnect the ground and tx/Rx works.. I guess it's just there for safety or reliability?

Anyway any advice on how to get ctrl+u to work to stop uboot would be nice
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I got the TTL cable working with putty , and I'm able to type characters in the terminal and see them on screen (during most of the boot process)
That's a good indication that your serial TTL connection is OK.

But no matter what ctrl+u is not doing anything, I can't stop uboot.
The character to interrupt varies with the model / brand of NVR.
What are you connecting to?
And often - you'd need to keep Control-U pressed long enough to auto-repeat before powering on the device.
Try also Control-C and *
 

ilya77

n3wb
Joined
Apr 3, 2021
Messages
7
Reaction score
0
Location
rus
Serial Port for KV6103-PE1 has a mirror pins
Pin 4 = Grd
Pin 3 = TX
Pin 2 = RX
Pin 1 = 3.3v
 

GiovanniG

Young grasshopper
Joined
May 18, 2021
Messages
33
Reaction score
5
Location
Italy
Hi mates, I've a DS-H216Q that was running (if I don't remember wrong) an old 2017 version 3.1, I've updated it to the latest DS-H216Q_V4.21.100_200508 and now I can't login more, it doesn't give any result at the web logon page, even if I use wrong password. The Hikvision service for password recovery sent me the xml but didn't work. I believe there configuration of old FW corrupting the new FW, probably they never tested upgrading on version 4 from a too old FW.
SADP see it and shows the new FW, but also there it refuses password, I've tried also with HDMI, there also anything works.

I think the only chance I've is to use the serial port but instead of loading the FW I would try to clear only the configuration memory, any way to do it safely?
I can upload again the entire dav, I'm just guessing if really this process will erase the config file too.
I'll just type "update"? (first I'll be sure to have tftp ready with file and proper IP address). Thank you a lot
 
Top