Q-See NVR won't boot.

Jim Kailey

n3wb
Oct 7, 2017
QC828 POE NVR was running pretty flawlessly for about five years but quit recently and won't boot.

Tried w/o hard drive, with two different hard drives, checked both NVR and camera power supplies, nothing on the board looks fried and the caps look new. Fan comes on and hard drive spins up but no "beep" and nothing on HDMI output or video out. Can't access through Smart PSS, no video.

Ideas?
 

Power supply gone? Fuse?
 
Based on information posted on the dark web (e.g. DeepPaste with an NSFW language warning) it sounds like a wide range of DVRs and IP cameras are being targeted. If you don't have a firmware that's newer than April 2017 your camera or DVR will be vulnerable to being reset, reconfigured or bricked. The symptoms match this device as well; is it a rebranded Dahua? Your best bet is to explore options for updating the firmware.
 
My Q-See was a re-branded Dahua from what I read. It had old firmware and was exposed through open ports. I think I fall into the second scenario below:


Attacks against Dahua units:

* 'Bashis Generation 2 and 3' authentication bypasses (CVE-2017-7927,
ICSA-17-124-02) are attempted against the web interface. The first
viable-looking account in the userlist is targeted (usually 888888).
If login is successful, camera settings are tampered with to dim the
feeds and display "HACKED" as a watermark. Recently some feeds will
also get the text "UPGRADE" and "FIRMWARE" for additional clarity.
Unit's network settings are tampered with in an attempt to disconnect
the vulnerable unit from the WAN.
* If unit has an exposed telnetd interface some well-known backdoor
account logins (CVE-2013-3612) are attempted, and on successful login
the unit will be bricked. The symptoms in this case will be a bricked
device, all partitions overwritten with random data.
* If port 6789's or 19058's management interface is open to the WAN an
attempt is made to extract the userlist from the data port 37777
(CVE-2013-6117). If a hash is successfully extracted an attempt to
reverse it is carried out (CVE-2013-3615). If hash reversing isn't
successful or port 37777 isn't exploitable then common logins are used
instead. On successful management interface login the unit will be
bricked. The symptoms in this case will be a bricked device, with all
partitions overwritten with random data. Although these vulnerabilities
are now 4 years old there are still sadly some new units appearing
every day.
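
Added example, not part of the original posts or of any vendor tool: a small Python check an owner can run against their own NVR's WAN address, from outside the LAN, to see which of the services named in the quoted write-up are reachable. Ports 6789, 19058 and 37777 come from the write-up; 23 for telnetd and 80 for the web interface are assumed defaults, and the function names are made up for this sketch.

```python
import socket
import sys

# Scenario per port, taken from the quoted write-up.
# Assumption: telnetd on 23 and the web interface on 80 (defaults; the
# write-up gives no port numbers for those two services).
EXPOSURES = {
    80: "web interface: auth bypass attempts (CVE-2017-7927), settings tampered",
    23: "telnetd: backdoor account logins (CVE-2013-3612), unit bricked",
    6789: "management interface: logins attempted, unit bricked",
    19058: "management interface: logins attempted, unit bricked",
    37777: "data port: userlist extraction (CVE-2013-6117)",
}
# Services whose successful login ends in a bricked unit, per the write-up.
BRICKING_PORTS = {23, 6789, 19058}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unreachable or timed out
        return False


def audit(host, ports=None, timeout=2.0):
    """Return {port: scenario} for each listed port that accepts connections."""
    ports = EXPOSURES if ports is None else ports
    return {p: why for p, why in ports.items() if port_open(host, p, timeout)}


def bricking_risk(found):
    """True if any reachable port is one the write-up ties to bricking."""
    return any(p in BRICKING_PORTS for p in found)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python nvr_exposure.py <your-own-WAN-address>")
    found = audit(sys.argv[1])
    for port, why in sorted(found.items()):
        print(f"{port}/tcp reachable -> {why}")
    if not found:
        print("none of the listed services are reachable from here")
    elif bricking_risk(found):
        print("close the port forward and update firmware before re-exposing")
```

Any port reported as reachable from the WAN side is a forward (or UPnP mapping) to remove on the router; access over a VPN keeps these services off the internet.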