Hikvision NVR password reset

JCamNet

n3wb
Jul 25, 2022
United States
Hello everyone!

I recently purchased a used Hikvision NVR on eBay and the previous owner did not factory reset it before shipping it. The problem is that I purchased it from a reseller and they didn't have the password from the previous owner either. I ended up getting a full refund because Hikvision wouldn't help me because eBay isn't an authorized dealer. I would still like to use the NVR, and I've tried using the password reset code generator, and I also tried using the downloadable tool to try and use the exploit to reset the password; neither of those worked. I checked the motherboard and do not see a reset switch. I'm not 100% sure which jumpers to short because I couldn't find J1/2 on the board (maybe I'm just blind! lol). I've attached images of the motherboard and the alarm board. If anyone has any suggestions I would greatly appreciate it!

NVR details.
DS-7616NI-I2/16P
Software version: 4.50.01 build 210322
DSP version V5.0 build 210318
 

Attachments

  • image0 - Copy.jpeg
  • image1 - Copy.jpeg
  • image2 - Copy.jpeg
  • image3 - Copy.jpeg

"I checked the motherboard and do not see a reset switch. I'm not 100% sure which jumpers to short"

There isn't a reset switch, and I'm not aware of any reset jumpers on that model.

Here are 3 ways to reset to factory defaults:

The classic tftp firmware updater method - but not using the Hikvision tftp updater as the firmware is larger than its 32MB filesize limit.
Scott Lamb's Python2-based tftp updater clone would work, if the NVR bootloader still has the tftp update facility built in.

Use the same version of firmware, downloaded from here :

Then there is the 'trojan horse' method, which I've used loads of times for used NVRs bought off eBay.
You need a Hikvision camera that's running firmware 3.4.0 (* edit 5.4.0 *) or earlier so it has the 'backdoor vulnerability'.
In summary - reset the camera to defaults so it's 'Inactive', connect it to an NVR PoE port so the NVR 'Activates' it, by default with the NVR admin password, pull a copy of the camera configuration file via the backdoor (no authentication needed ...), decrypt and decode the file to yield a plaintext admin password.
Example -

And you can use the device serial console to do a firmware update via a normal tftp server, which resets to defaults.
But that's a bit more complicated to set up the environment to do it.
 