Older Hik cams keep reverting to factory?...

pozzello

Hi all, I have a few cameras in a remote install that keep reverting to factory settings.
Various models and firmware versions: 2132 (dome), 2332 (bullet), 2122 (dome), etc...
Most are on a PoE switch, one is using a PoE injector.

When they disappear from my BI server, I find them with SADP and reconfigure.

I've disabled all UPnP and other settings on the cams that would cause them to go out to the Internet (other than NTP), and my router also blocks all access to the internet from the cam IPs (other than port 123 for NTP). So I'm pretty sure they aren't being 'manipulated' externally...

I would have assumed they use NVRAM for config settings, but wondering if the cams have a battery inside that keeps configuration settings across power events, and if that battery were 'old', perhaps they lose their marbles when the power fluctuates or is disconnected?

Just fishin' for possible causes. I have extra cams available and may just replace the ones that keep being flaky, when I can get over there... TIA for any ideas...
 

bp2008

I don't know, I would have guessed they were being hacked. Are you absolutely sure there aren't any port forwarding rules in place that could reach the cameras (or an NVR)? I've seen some routers require a reboot before they would drop the forwarding rules UPnP had created. Of course that can be hard to determine if your router doesn't list the UPnP-created forwarding rules.

I'm not sure how the cameras store their settings, but like you I would assume it is non-volatile memory.
 

alastairstevenson

> I would have assumed they use NVRAM for config settings, but wondering if the cams have a battery inside that keeps configuration settings across power events, and if that battery were 'old', perhaps they lose their marbles when the power fluctuates or is disconnected?

Non-volatile certainly, but in a file in a flash partition as opposed to battery-backed RAM.
Does your remote access have the capability to reach out from the location to the likes of ShieldsUp! to verify there is no external access inbound?
GRC | ShieldsUP! — Internet Vulnerability Profiling  
 

pozzello

Brilliant. The GRC scan showed I had port 80 and 554 open.
And sure enuf, surfing to port 80 from outside gets me the latest dead cam's interface!
I had disabled UPnP etc on the cams a few weeks back, but had not rebooted the router.
Did that, port closed. Used the hikvisionpasswordresethelper.exe to recover the cam.
Wonder what someone might have installed on the cam(s) while they were exposed?
Should prolly update them to a less vulnerable firmware...

thanx guys!
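
The check this thread arrived at (router forwards created by UPnP that outlive the cameras' own UPnP setting), as an added example that is not part of any post above: it parses a router's UPnP mapping list and flags every forward whose internal target is a camera. The row layout is assumed to be what miniupnpc's `upnpc -l` prints; the sample rows and camera addresses are constructed.

```python
import re
import sys

# Constructed sample in the row layout miniupnpc's `upnpc -l` prints
# (layout assumed; all addresses and descriptions are made up).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP    80->192.168.1.64:80    'HTTP' '' 0
 1 TCP   554->192.168.1.64:554   'RTSP' '' 0
 2 TCP  8081->192.168.1.65:80    'HTTP' '' 0
 3 UDP 51413->192.168.1.20:51413 'p2p client' '' 3600
"""

ROW = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

def parse_mappings(text):
    """Return one dict per port-mapping row; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, ext, ip, internal, desc = m.groups()
            rows.append({"proto": proto, "ext_port": int(ext), "ip": ip,
                         "int_port": int(internal), "desc": desc})
    return rows

def camera_exposures(text, camera_ips):
    """Mappings whose internal target is a camera, whatever the external port."""
    cams = set(camera_ips)
    return [r for r in parse_mappings(text) if r["ip"] in cams]

if __name__ == "__main__":
    # Pipe real output in (`upnpc -l | python3 check.py`) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    cameras = ["192.168.1.64", "192.168.1.65"]  # hypothetical camera addresses
    for r in camera_exposures(text, cameras):
        print(f"{r['proto']} WAN:{r['ext_port']} -> {r['ip']}:{r['int_port']} ({r['desc']})")
```

Matching on the internal address rather than the port also catches a camera forwarded on a non-standard external port, such as the 8081 row in the sample.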
 

Tolting Colt Acres

Just because they can't be hacked from the internet doesn't mean they cannot be hacked internally.
 

pozzello

I've never been able to find the fixup.sh script in the /dav directory after tftping the binary over...
 

alastairstevenson

> I've never been able to find the fixup.sh script in the /dav directory after tftping the binary over...

Odd - and that was after an 'Update completed' message on the Hikvision tftp updater window with either brickfixv2EN or brickfixv2CN renamed as digicap.dav and then a power cycle?
 