Alternative way of recovering HikVision NVR password

Let's hope so!

The admin password for the MAIN DECK HIKVISION DS-2CD2232-I5 - 482311325 camera is
12345
Thank you, this camera user and password I can find using a hexedit, but do you have any idea how to extract/find the admin password for the NVR? The guy who installed it is gone and I need to add new IP cameras; without admin it is useless, unfortunately.
 
do you have any idea how to extract/find the admin password for the Nvr
The 'trojan horse method' of finding an NVR admin password depends on the fact that apart from the later versions of NVR firmware, it was the NVR admin password that was used to 'activate' an 'inactive' camera when first plugged in to an NVR PoE port.
And then the backdoor vulnerability of camera firmware of 5.4.0 or earlier could be used to extract the camera configuration file to reveal the camera password, which was usually also the NVR admin password.

Earlier firmware than 5.3.0 does not have the active/inactive facility, it still uses the old default passwords of 12345 and 123456789abc which the NVR will try first when connecting the camera.
That may explain why the '12345' password was extracted. You may have to update the camera firmware a little for this method to work.

So - did you follow these steps:
1. Reset to default settings (i.e. 'inactive') a camera with firmware between 5.3.0 and 5.4.0 when not connected to the NVR.
2. Connect the camera to the NVR PoE port and wait for it to be 'activated' by the NVR and go online.
3. Extract the configuration file using the backdoor vulnerability.
4. Decrypt and decode the file to reveal the admin password.
 
Thank you so much! This is what I was trying to do right now.
 

Hi Everyone: I just got an NVR from ebay and the owner doesn't have the password because his dad passed away. Before he gives me my money back, I may try this method.

Getting the camera's password is easy enough (with SADP & getting the config file with the special link to the camera). I've tried it and there's a site that decrypts the file, and I verified that the password shown is indeed the one for the camera.

My question is: Can I force the NVR's password onto the camera I have (V 5.4.0) WITHOUT resetting the camera to factory defaults?

I ask because I'm using iVMS4200 and I set it up a LONG time ago and wouldn't remember the millions of settings I'd have to fiddle with forever to get it back to what I have now. I have 4 cameras and have been working well for 11 years without me changing anything.

Thank you in advance for any input anyone has!
-Tony
 
Not with this method - it relies on the NVR 'Activating' the camera with what's usually the NVR password.

However - as you have the current password for the camera, and have been able to extract the camera configuration file, after you've used the camera to pull the NVR password, and therefore have the different password (hopefully also that of the NVR) you should be able to use that to apply the previously exported camera configuration file back to the camera, to put it back to how it was.
 
Wait, I can backup and restore my configuration? That's awesome!! Thank you for sharing that important information! I will do that and proceed.

<HOURS LATER> OK, I did reset the camera using iVMS4200 to default settings. However, it didn't work. Both the password AND IP address I was using were still present on the camera. BUT I did find a video online that showed that if I did the default reset through a web browser interfaced directly to the camera, it would work, and it looks like it did.

When I plugged the cam into the useless NVR, the NVR showed the video stream! I was so excited that it picked up the camera for the 1st time, but was promptly disappointed when I got the config file and loaded it onto the website that decrypts it and saw that the password to the camera was 12345. I knew that I had tried 12345 on the NVR several times, but tried it anyway and it did not work.

So the NVR did NOT pass its password to my deactivated (restored to default) camera, despite showing the video feed. Anything I'm missing?

One thing: My 4 cameras are LTS cameras and the used NVR I just got is also a premium LTS model LTN8708K-P8. From everything I've heard, LTS's are just rebranded Hikvisions, but is it possible this method does not work for LTS? My camera's version is 5.3.0, I have just discovered.

Thank you so much for the help getting my investment up and running!!
 
So the NVR did NOT pass its password to my deactivated (restored to default) camera, despite showing the video feed. Anything I'm missing?
When you reset the camera to default settings, did it show as 'Inactive' in SADP or via the browser? I suspect not. That's important for this method.

You've originally said the camera firmware is 5.4.0 which is in the range that it no longer has the original default passwords of 12345 or 123456789abc which is what the NVR will first try when attempting to connect a new camera, before it then tries the 'Activation' process.

But you've now said the camera firmware is 5.3.0 of which there are multiple builds - maybe it has a build that still uses the old default passwords on a reset.
Suggestion:
Do a minor firmware upgrade on the camera, to a later 5.3.x version or to 5.4.0 (not higher) and re-try the process.
I can't point you to an online firmware source as you've not specified the camera model, unless it's an R0 series in which case try the attachment.
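
An added example, not part of the original posts: a firmware inventory check for a camera owner, built on the version ranges stated in this thread (default passwords before 5.3.0, configuration extraction on 5.4.0 or earlier, and 5.3.0 builds that may still reset to the old defaults). The camera names, build strings and finding labels are constructed for illustration.

```python
import re

# Thresholds as stated in the thread above, not taken from vendor advisories.
ACTIVATION_INTRODUCED = (5, 3, 0)  # older firmware resets to fixed default passwords
LAST_EXPOSED = (5, 4, 0)           # config file extractable on this and earlier

VERSION_RE = re.compile(r"V?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed inventory: (hypothetical camera name, firmware string as displayed).
SAMPLE_INVENTORY = [
    ("cam-deck", "V5.2.5 build 000001"),
    ("cam-gate", "V5.3.0 build 000002"),
    ("cam-yard", "V5.4.0 build 000003"),
    ("cam-door", "V5.4.5 build 000004"),
    ("cam-shed", "unknown"),
]


def parse_version(text):
    """Return (major, minor, patch) from a string like 'V5.3.0 build 000002'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no firmware version in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(firmware):
    """List the exposures the thread attributes to this firmware version."""
    version = parse_version(firmware)
    findings = []
    if version <= LAST_EXPOSED:
        findings.append("config-extraction")
    if version < ACTIVATION_INTRODUCED:
        findings.append("default-password")
    elif version == ACTIVATION_INTRODUCED:
        # 5.3.0 has multiple builds; some may still reset to the old defaults.
        findings.append("default-password-possible")
    return findings


def audit(inventory):
    """Return {camera: findings} for every camera that needs attention."""
    report = {}
    for name, firmware in inventory:
        try:
            findings = classify(firmware)
        except ValueError:
            findings = ["unknown-version"]  # cannot be cleared, so report it
        if findings:
            report[name] = findings
    return report
```

Any camera this reports is a candidate for a firmware upgrade and for a password that is not shared with the NVR admin account, since the thread notes the two were usually the same.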
 

Thanks a lot for all of those thoughts Alastair!

I just did give in and paid $20 online to A1 Security Cameras (an LTS dealer) who gave me a Secure Code to reset the password. And it worked! So I'm now in!

I would have loved to figure it out just for pleasure of solving the puzzle, but this seems to be taking forever.

Thanks again!
 
I just did give in and paid $20 online to A1 Security Cameras (an LTS dealer) who gave me a Secure Code to reset the password. And it worked! So I'm now in!
Well, that's a good helpful result, at a reasonable price.

If you are curious and want to take a quick look, the NVR VGA/HDMI interface camera management page will show what password has been configured to use to 'Activate' an Inactive camera that gets connected in Plug&Play mode.