Hikvision - Clearing Passwords and/or Loading Firmware via TTL Serial

I don't think this is a Hikvision OEM device - especially looking at the bootloader details.

This confirms it's not Hikvision.

Those will be machine-specific.
Where did you load it into memory?

If so, the firmware may be a bit raw, which raises the possibility that the admin password can even be found as plain text in a file on the system.
What's needed is a look around the filesystem and at how it's structured.

This is exactly the sort of puzzle I like solving.
But since the method has to be built on trial and error, it may be a bit meandering on this medium.

Is that on the serial console, on the web GUI, or both?
It would be interesting to see the full boot log, perhaps zipped up and attached as a file, since it's usually long.
It would be useful to see the partition layout and the types of filesystems used.

Here are some initial, top-level suggestions:

I'd approach gaining access in two ways.
Firstly, it's likely that a full flash dump can be extracted using the bootloader.
But that depends on whether it can easily be got out of the device.
Although memory display (md) would work, it's tedious and would take many hours.
The simplest would be if tftp could also copy files outwards, and wasn't hard-coded just for booting.
A little exploration of the syntax will confirm whether it can send files.
For example
tftp 0x82000000 testfile 0x1000

It looks like the serial flash commands are available.
If so, try

sf probe 0
sf read 0x82000000 0x0 0x1000000
tftp 0x82000000 allflash.bin 0x1000000

Another option is to make use of the fully booted environment with a root shell.
A common method that works is replacing the bootargs environment variable with the following:

setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs) init=/bin/sh
saveenv
reset

And see whether it drops into a shell.
If so, the boot has to be completed manually.
See whether
/etc/init.d/rcS
still leaves a root shell behind.
If not,
cat /etc/init.d/rcS
to examine how rcS finishes initialisation, and do the steps manually, skipping the one that calls the main application.

The passwords will be stored in a configuration area.
The full serial log will probably give good clues.
The partition names may also help.
For example,
cat /proc/mtd
and
mount
may point to locations.

Good luck!
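The bootargs line above carries the device's partition table in the `mtdparts=` value, and the `sf read` range has to match it. The parser below is an added example, not code from this thread: it turns a Linux/U-Boot `mtdparts` string (size with K/M/G suffix, optional `@offset`, `-` for "fill to end", `ro` flag) into absolute offsets and prints one `sf read` line per partition; the load address 0x82000000 is the one used in the post and is an assumption otherwise.

```python
"""Parse a U-Boot/Linux mtdparts= string into absolute partition offsets.

Format (Linux cmdlinepart): <mtd-id>:<size>[@<offset>](<name>)[ro][,...]
<size> is a number with optional K/M/G suffix, or '-' for "the rest of the chip".
"""
import re

_PART_RE = re.compile(
    r"^(?P<size>-|\d+[KMGkmg]?)(?:@(?P<off>\d+[KMGkmg]?))?"
    r"\((?P<name>[^)]+)\)(?P<flags>(?:ro|lk)*)$"
)
_MULT = {"k": 1 << 10, "m": 1 << 20, "g": 1 << 30}


def _to_bytes(tok):
    """'768K' -> 786432; a plain number is taken as bytes."""
    if tok[-1].lower() in _MULT:
        return int(tok[:-1]) * _MULT[tok[-1].lower()]
    return int(tok)


def parse_mtdparts(mtdparts, flash_size=None):
    """Return (mtd_id, [{name, offset, size, ro}, ...]) with offsets in bytes.

    flash_size (bytes) is only required when a partition uses '-' (fill to end).
    """
    mtd_id, _, parts = mtdparts.partition(":")
    if not parts:
        raise ValueError("mtdparts needs '<mtd-id>:<partitions>'")
    result, cursor = [], 0
    for spec in parts.split(","):
        m = _PART_RE.match(spec.strip())
        if not m:
            raise ValueError(f"bad partition spec: {spec!r}")
        if m["off"] is not None:          # explicit '@offset' moves the cursor
            cursor = _to_bytes(m["off"])
        if m["size"] == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            size = flash_size - cursor
        else:
            size = _to_bytes(m["size"])
        result.append({"name": m["name"], "offset": cursor,
                       "size": size, "ro": "ro" in m["flags"]})
        cursor += size                    # next partition follows immediately
    return mtd_id, result


def sf_read_commands(mtdparts, load_addr=0x82000000, flash_size=None):
    """One U-Boot 'sf read <ram> <flash-off> <len>' line per partition (load_addr assumed)."""
    _, parts = parse_mtdparts(mtdparts, flash_size)
    return [f"sf read 0x{load_addr:x} 0x{p['offset']:x} 0x{p['size']:x}   # {p['name']}"
            for p in parts]


if __name__ == "__main__":
    # The exact mtdparts value from the bootargs line quoted in the thread.
    BOOTARGS_MTDPARTS = "hi_sfc:768K(boot),2304K(dva110000),13M(rootfs)"
    for line in sf_read_commands(BOOTARGS_MTDPARTS):
        print(line)
```

For the thread's string the three partitions add up to exactly 0x1000000 bytes (16 MiB), which is the length used in the whole-flash `sf read` above.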
Hello!
I would like to ask for your help because I have this recorder and I don't have the password.
Unfortunately, I am not as professional as the previous colleague, because I cannot set up and run TFTP.
Furthermore, it is not clear how to replace the bootargs environment variable.
Did this happen in the case of a fully started system?
I connected with PuTTY as described with the ST232CN adapter, but it only read unintelligible signals. Could there be a problem with the encoding?
Are you sending the bootargs to the device via TFTP?
Please help me. M.
 
I don't know if it's case-sensitive - but if it doesn't get you to the bootloader prompts, use a lower-case b

Then use either
printenv
or if that is ignored
setenv ';printenv'

and check out the values shown against
serverip
ipaddr
These are what are used for the tftp updater, may be 192.168.1.128 instead of the old 192.0.0.128

If the firmware filesize is larger than 32MB, the Hikvision tftp updater won't handle it, in which case either use a standard tftp server and the command :
setenv ';update'

or the Scott Lamb tftp updater Python2 clone :
I had the same problem as @Madorion had. I'm trying to resurrect an indoor station (DS-KH6351-WTE1), as when I power it on it just shows a person icon. I have the serial connection established and have the PC and indoor station connected to a switch (also tried the two connected directly, same problem). The PC static IP is 192.0.0.128 and I'm using TFTP32 by Jounin. After some time I figured out what "use command b" means - for anyone reading, it means pressing the letter b when asked to press the letter u after cancelling the normal boot with any key.

You can see in the PuTTY extract here my normal boot without interrupting it at "Hit any key to stop autoboot: 0":

Code:
U-Boot 2017.09-svn528740 (Dec 02 2022 - 20:21:41 +0800)

DRAM:  128 MiB
MMC:   dwmmc@10300000: 0
*** Warning - bad CRC, using default environment

In:    uart@0x18400000
Out:   uart@0x18400000
Err:   uart@0x18400000

Current Mode: Release.
Net:   eth0: ethernet@1b800000
### CRAMFS load complete: 8965 bytes loaded to 0x40000000
Hit any key to stop autoboot:  0
### CRAMFS load complete: 2403040 bytes loaded to 0x40008000
### CRAMFS load complete: 870348 bytes loaded to 0x41000000
### CRAMFS load complete: 22675 bytes loaded to 0x41800000
### CRAMFS load complete: 824 bytes loaded to 0x41810000
Signature verification uImage OK.
Signature verification ramdisk.gz OK.
## Booting kernel from Legacy Image at 40008120 ...
   Image Name:   Linux-4.9.138
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2402688 Bytes = 2.3 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Verifying Checksum ... OK
## Loading init Ramdisk from Legacy Image at 41000120 ...
   Image Name:   ramdisk_xxx_CPL-HZV-AVI-GEN-74-1
   Image Type:   ARM Linux RAMDisk Image (gzip compressed)
   Data Size:    869996 Bytes = 849.6 KiB
   Load Address: 00000000
   Entry Point:  00000000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 41800000
   Booting using the fdt blob at 0x41800000
   Loading Kernel Image ... OK
   Loading Ramdisk to 45f2b000, end 45fff66c ... OK
   reserving fdt memory region: addr=41800000 size=6000
   Loading Device Tree to 45f22000, end 45f2afff ... OK

Starting kernel ...

init started: BusyBox v1.34.1 (2024-07-15 11:33:44 CST)
Starting mdev:      [ OK ]
mntpath decompress
len decompress  0
chmod: loadko.sh: Read-only file system
mmz_start: 0x46000000, mmz_size: 32M
show logo Fri Jan  2 02:07:46 UTC 1970
---not show logo
start decompress  Fri Jan  2 02:07:46 UTC 1970
rm: can't remove '/home/app/app.tar.lzma': No such file or directory
tar: unexpected EOF
tar: short read
rm: can't remove '/home/app/vistalk.tar.lzma': No such file or directory
rm: can't remove '/home/app/misc.tar.lzma': No such file or directory
rm: can't remove '/home/app/audio.tar.lzma': No such file or directory
end decompress  Fri Jan  2 02:07:53 UTC 1970
cp: can't stat '/home/app/cam_default.xml': No such file or directory
rm: can't remove '/home/app/cam_default.xml': No such file or directory
chmod: /home/app/HCIoTMT: No such file or directory
path:/home/app/log4j_path  size = 0x100000  sync 0x5000   level 1 storage level ime 1800 s
/home/app/log4j_path/log.4j open !!!!
log4j_main_halt start do accept loop
BusyBox v1.2.1 Protect Shell (psh svn641615) Build Time: Nov 27 2023:14:49:21
Enter 'help' for a list system commands.

Random number is:120450069

So if anyone is struggling like me when interrupting the boot with any key and then being asked to press the letter u, like here:

Code:
This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software:b

You need to press the letter b; if not, you end up entering the IP of the device and the IP of your TFTPD server infinitely.
After pressing b this happens:

Code:
Now press [u/U] key to upgrade software:b
U-Boot# update
Do you want to erase devcfg partition after update? (y/n/q): y
ethernet@1b800000 Waiting for PHY auto negotiation to complete. done
Using ethernet@1b800000 device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.dav'.
Load address: 0x40000000
Loading: #################################################################
         ####################################################
         6.5 MiB/s
done
Bytes transferred = 17867520 (110a300 hex)
UPD info:header verification ok! file_num=2
UPD info:file[devType.list] date is encrypted
UPD debug:unsupported device_type
digicap update failure.

So to my next problem now. I downloaded the firmware from the Hikvision Europe website (DS-KH6351-WTE1) and, as seen here, I get the error unsupported device_type.
Also, I bricked the device when I upgraded the firmware over iVMS but forgot to extract digicap.dav first - I don't know how it started the process if I sent the zip file, or whether this is also OK and the whole time the firmware is not the right one.
Can anyone help me, please?
 
Forgot to say that the firmware which was used for the upgrade was not the latest one, and I can't really say which version it was. Now, after reading the PDF of the latest firmware, I see that the current device firmware must not be older than V2.2.92_build241008 to accept the V2.2.108_250718, which is the latest.
I tried with this v2.2.92 firmware and it went through, at least I think. Here is the output:
Code:
U-Boot# update
Do you want to erase devcfg partition after update? (y/n/q): y
ethernet@1b800000 Waiting for PHY auto negotiation to complete. done
Using ethernet@1b800000 device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.dav'.
Load address: 0x40000000
Loading: #################################################################
         ######################################
         6.2 MiB/s
done
Bytes transferred = 15721216 (efe300 hex)
UPD info:header verification ok! file_num=2
UPD info:file[devType.list] date is encrypted
UPD info:file date is encrypted
===>>> Enter dec
<<<=== Out   dec

I could not do anything in the terminal any more, so I restarted the device by toggling power.
Now the boot looks like this, and with the command help I get those options which were not available before.

Code:
SIT
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMOFB
MLE
RBE
SPL Nor Load!
SPL Nor flash boot!
Secure boot enable
Secure verify ok
LzmaDecode start
LzmaDecode end(0)


U-Boot 2017.09-svn528740 (Dec 02 2022 - 20:21:41 +0800)

DRAM:  128 MiB
MMC:   dwmmc@10300000: 0
*** Warning - bad CRC, using default environment

In:    uart@0x18400000
Out:   uart@0x18400000
Err:   uart@0x18400000

Current Mode: Release.
Net:   eth0: ethernet@1b800000
### CRAMFS load complete: 8965 bytes loaded to 0x40000000
Hit any key to stop autoboot:  0
### CRAMFS LOAD ERROR<ffffffff> for uImage!
### CRAMFS load complete: 863052 bytes loaded to 0x41000000
### CRAMFS load complete: 22675 bytes loaded to 0x41800000
U-Boot# help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
blk     - blk sub-system
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bubt    - update uboot image
cmp     - memory compare
cp      - memory copy
cramfsload- load binary file from a filesystem image
cramfsls- list files in a directory (default /)
ddr_info- ddr training info molchip soc
env     - environment handling commands
eraseenv- eraseenv environment variables from persistent storage
ext4load- load binary file from a Ext4 filesystem
ext4ls  - list files in a directory (default /)
ext4size- determine a file's size
fdt     - flattened device tree utility commands
go      - start application at address 'addr'
hdb     - update HDB info
help    - print command description/usage
logo    - show boot logo.
loop    - infinite loop on address range
lzmadec - lzma uncompress a memory region
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
phdb    - print HDB info
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reboot  - reboot molchip soc
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftpboot- boot image via network using TFTP protocol
update  - update digicap image
version - print monitor, compiler and linker version

On the screen I still have only the icon. What can I try next?
 
Funny thing, I had an option to download two v2.2.92 versions, one is STD, the other is NEU. So I tried with the other one and it looks like I was just impatient. At the
Code:
===>>> Enter dec
<<<=== Out   dec
I just had to wait a minute or less, and after that it completed the flash.
Maybe my mistakes help someone
 
With v2.2.92 working and being presented with a welcome screen, I still want the latest version. So I retried TFTPing the latest v2.2.108 and again I get the error UPD debug:unsupported device_type
Now the device after reboot still works, but with v2.2.92 FW
 
Hello,

I bought a Hikvision NVR DS-7732NI-M4 serial L22893***
The owner doesn't recall the password, and I tried to unbrick it.

I have connected a TTL serial converter to the RS232 port, pins 2 and 3 (5 GND), and it did not work. PuTTY spat out all garbage.
So, I bought several other different converters, as the one used is fairly old and I assumed it could not handle the speed.
Settings like starting post at 115000 8N1
It doesn't matter which adapter or which speed, I get garbage from PuTTY.

Now, I'm not a serial expert, but how hard can this be?
I see all the pictures of people that get readable results, but I get garbage in my PuTTY screen, so it has to be something that I overlook and/or do wrong...

Anyone that can point me in the correct direction maybe?
Below a PuTTY screenshot.

Thanks ahead!

PS. If someone is able to get me a reset password that would be absolutely great as well!
 
Someone tried this same thing on an AX-PRO panel (DS-PWA64-WB), connecting different USB-TTL cables, but I can't get it to communicate via the serial port. There's no communication on the serial monitor. There's a Hikvision manual that mentions RS232 cables, but I'm not sure if that's the case here, since there are also examples of RS232 cables for cameras or DVRs. Any suggestions? After an app update, it stopped working and only shows a permanent green light.
 
Hi all, looking for some help and/or advice

I'm in Australia and have a Digiguard D-NVR7708-P8; it has the exact same board as the one listed on page one (DS-7608).

I have had a lot of experience with UART, NAND and the associated processes (mainly md386, which is a DaVinci from TI).

I have been given the unit by a friend that requires the footage off it for a court case. They don't know what the admin password is; they thought that they changed it, but none of their passwords work.

I have contacted Hikvision and Digiguard support overseas and in Australia, as well as some of the local retailers, but I get the same answers mentioned in other posts.

If it was me I would just boot it and, using the UART, look at the Linux passwords file and get the hash. Once I had that I would just crack the hash and discover the password. I could even dd out the partition from the NAND and mount it in a Linux OS to explore it and see if the password is stored somewhere in plain text. Unfortunately these systems appear to be very locked down; once BusyBox boots I have very few commands to explore the firmware. In my version there is not even the ls command, so I can't even browse the OS.

With the importance of the data in this unit and not knowing enough about how the system works, I am a little concerned that if I flash the firmware to restore the box back to default and I brick the box, is the encryption on the hard drive tied to something on the box's hardware? (Currently the hard drive has been removed to ensure there are no accidents; I plan to clone it as well.)

I have tried the CCTV Super Password app but the password never works. I have tried all possible combinations of the serial number to generate the password. I also tried the Hik-Connect app but was not able to see the box, but not having the admin password I don't know if I can actually add it into the app?

There are a lot of videos going around where people are shorting out pins on the board to reset the admin password; there is nothing on my board that looks similar and, once again, I don't want to brick the board.

Has anyone looked into the box's website? You can auth into it with the admin username and password; it's also HTTP, so low security. I was wondering if it was vulnerable to a SQL injection style attack which would allow me to login as the admin?

Updating the firmware via a TFTP server is a last resort for me; what other options are there so I can get to the data on the drive? I did connect the drive to a Linux system and could see a partition, but I was not able to mount it and see any data. If I just put this drive in another NVR will I be able to see the data?

Any suggestions?
 
If it was me I would just boot it and using the UART look at the linux passwords file and get the hash.
That's the Linux passwords, not the NVR admin passwords.

If that's actually a Hikvision OEM E-series NVR, there are various ways to extract the NVR admin password.
If you can get your hands on a Hikvision R0-series IP camera that has the vulnerable firmware between 5.3.0 and 5.4.4 the 'trojan horse' method usually works OK :

Also, depending on firmware version, the admin password is held in plaintext in a hidden flash partition that can be extracted and inspected.

Example :
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ ll
total 140
drwxrwxr-x 2 alastair alastair 4096 Jan 31 20:53 ./
drwxrwxr-x 3 alastair alastair 4096 Jan 31 20:09 ../
-rw-rw-rw- 1 tftp tftp 131072 Jan 31 20:07 mtd1_via_tftp
-rw-rw-r-- 1 alastair alastair 103 Jan 31 20:44 text.txt
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ dd if=mtd1_via_tftp of=mtd1_part1.gz bs=64k count=1
1+0 records in
1+0 records out
65536 bytes (66 kB, 64 KiB) copied, 0.00013043 s, 502 MB/s
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ dd if=mtd1_via_tftp of=mtd1_part2.gz bs=64k count=1 skip=1
1+0 records in
1+0 records out
65536 bytes (66 kB, 64 KiB) copied, 0.000445694 s, 147 MB/s
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ gunzip -k mtd1_part1.gz

gzip: mtd1_part1.gz: decompression OK, trailing garbage ignored
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ gunzip -k mtd1_part2.gz

gzip: mtd1_part2.gz: decompression OK, trailing garbage ignored
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ ll
total 9372
drwxrwxr-x 2 alastair alastair 4096 Jan 31 20:55 ./
drwxrwxr-x 3 alastair alastair 4096 Jan 31 20:09 ../
-rw-r--r-- 1 alastair alastair 4658176 Jan 31 20:54 mtd1_part1
-rw-r--r-- 1 alastair alastair 65536 Jan 31 20:54 mtd1_part1.gz
-rw-r--r-- 1 alastair alastair 4658176 Jan 31 20:54 mtd1_part2
-rw-r--r-- 1 alastair alastair 65536 Jan 31 20:54 mtd1_part2.gz
-rw-rw-rw- 1 tftp tftp 131072 Jan 31 20:07 mtd1_via_tftp
-rw-rw-r-- 1 alastair alastair 103 Jan 31 20:44 text.txt
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $ file *.gz
mtd1_part1.gz: gzip compressed data, last modified: Thu Jan 31 18:25:57 2019, max compression, from Unix
mtd1_part2.gz: gzip compressed data, last modified: Thu Jan 31 18:25:57 2019, max compression, from Unix
alastair@PC-I5 ~/cctv/DS-7604NI-E1-4P-A_eBay/Custom/password_extract $

To extract video if the HDD has been 'formatted' via the NVR web GUI, there are a variety of forensic programs that understand the Hikvision proprietary file system and can extract stored video from the apparently blank HDD. A Google search will show some examples.
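The dd/gunzip sequence above splits the mtd1 dump into two 64 KiB slots and inflates each, with gunzip reporting "trailing garbage ignored" because the slot is padded out to the erase block. The script below is an added example, not code from this post: instead of assuming fixed slots it scans a dump for the gzip magic, inflates each member with zlib and uses the decompressor's unused_data to find where the member ends, so the same check works on a dump whose slot size is unknown. The sample image is constructed in memory, not a real mtd1 dump.

```python
"""Carve gzip members out of a raw flash partition dump."""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"          # ID1, ID2, CM=deflate


def carve_gzip_members(blob):
    """Return [(offset, compressed_len, inflated_bytes), ...] for every complete gzip member."""
    members, pos = [], 0
    while True:
        pos = blob.find(GZIP_MAGIC, pos)
        if pos < 0:
            return members
        d = zlib.decompressobj(wbits=31)   # 31 = expect a gzip header, 15-bit window
        try:
            payload = d.decompress(blob[pos:])
            if not d.eof:                   # real header but the stream is truncated
                pos += 1
                continue
        except zlib.error:                  # magic bytes inside unrelated data
            pos += 1
            continue
        used = len(blob) - pos - len(d.unused_data)   # header + deflate + 8-byte trailer
        members.append((pos, used, payload))
        pos += used                         # skip the padding that follows the member


def build_sample_dump(texts, slot=64 * 1024, fill=b"\xff"):
    """Constructed test image: one gzip member per 64 KiB erase block, padded with 0xff."""
    out = bytearray()
    for t in texts:
        comp = gzip.compress(t, mtime=0)
        if len(comp) > slot:
            raise ValueError("member larger than slot")
        out += comp + fill * (slot - len(comp))
    return bytes(out)


if __name__ == "__main__":
    # Two made-up configuration blobs standing in for the primary/backup copies.
    dump = build_sample_dump([b"config-copy-A\n" * 50, b"config-copy-B\n" * 50])
    for off, clen, data in carve_gzip_members(dump):
        print(f"member at 0x{off:06x}: {clen} compressed bytes -> {len(data)} inflated")
```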
 
That's the Linux passwords, not the NVR admin passwords.

If that's actually a Hikvision OEM E-series NVR, there are various ways to extract the NVR admin password.
If you can get your hands on a Hikvision R0-series IP camera that has the vulnerable firmware between 5.3.0 and 5.4.4 the 'trojan horse' method usually works OK :

Also, depending on firmware version, the admin password is held in plaintext in a hidden flash partition that can be extracted and inspected.

Example :


To extract video if the HDD has been 'formatted' via the NVR web GUI, there are a variety of forensic programs that understand the Hikvision proprietary file system and can extract stored video from the apparently blank HDD. A Google search will show some examples.
OK, I got there and I'm not sure why it worked, as I would assume all the unlock sites used the same seed for encryption.

So I was sent this video



I was like, yep, I have seen this 100 times and it doesn't work

For some reason this NVR has a date of 1/1/1970 (I assume it lost its battery).

I punched that date in and it didn't work. I then thought that the NVR might have moved a day or two if the battery charged up or something. So I tried 2/1/1970 and 3/1/1970.

I then noticed that I didn't hit tab or enter when I added the digits for the day. So I did that and saw the code change.

I then went back and entered 1/1/1970 again, hit tab and when I checked that code with the original code generated it was different. So I tried this new code and it worked. I was then able to change the password. This NVR is now unlocked and I have access to admin functions and features. I hope this helps someone else.

This is the site I did the unlock on

The other thing is that the serial number I needed to use was not the one in SADP, it was the one from the reset password screen.

My serial number in SADP was
D-NVR7708-P80820150820AARR535773400WCVU

it also had a short serial number of
535773400

but what worked was (and what was in the reset password screen)
0820150820AARR535773400WCVU

A big shout out to the Jason Reset YouTube channel where I got this information from.