View unanswered posts | View active topics


Reply to topic  [ 14 posts ] 
Author Message
  
 Post subject: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Wed Jan 14, 2015 9:12 pm 
Registered User

Joined: Dec 2014
Posts: 7

Offline
Hello there,

Does anybody know telnet password for Dahua IPC-HFW4300S?
It is not root/vizxv, even though md5crypt appears to be so in /etc/passwd.
I took firmware image and dug around, but could not find anything other vizxv.
The hash in /etc/passwd (from firmware image):
$1$jSqQv.uP$jgz4lwEx2pnDh4QwXkh06/:vizxv

If anyone interested this is how I extracted this hash (and cracked the password):
http://sergei.nz/extracting-password-from-dahua-firmware-image/
http://sergei.nz/exploring-dahua-firmware/

But for all these efforts it looks like the telnet is not accepting vizxv.
I looked at strings on telnetd on the firmware and it references to /mnt/mtd/Config/passwd which is not on firmware....

Regards.

Sergei.


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Fri Jan 16, 2015 5:35 pm 
Registered User

Joined: Mar 2006
Posts: 1745

Offline
Here's a link to a post with the newer version. Not sure if it still works, though:
viewtopic.php?p=253713#p253713

From that post:
Long story short as in my case with login 'admin' and password 'admin' my telnet login is like this:
login: admin
password: 7ujMko0admin
So the prefix '7ujMko0' is the important part here.
Older ones use xc3511


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Fri Jan 16, 2015 7:34 pm 
Registered User

Joined: Nov 2009
Posts: 3863
Location: So Cal

Offline
Good work on tearing it apart. Getting from bin to the img files is easy enough, I just used WinRAR and it gave me those files. What's interesting is the bin file I have which is the latest for my ipc-hfw2100 has the img files with cramfs vs ubis and I noticed Hikvision going this route on newer cameras, probably because cramfs is a read only file system, less tampering. Maybe the firmware file you have is older and it really is that old password.

Do you think if you made a change, say to a menu or something, use the cramfs tools or ubifs, you can build a firmware file that will load into the camera? Would be cool to have a script that does what you did but extracts everything out into a file system that you can edit. Then a script that puts it all back. Seems like you are 90% there.

_________________
For network camera articles and reviews, visit my blog at
http://www.NetworkCameraCritic.com


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Fri Jan 16, 2015 9:22 pm 
Registered User

Joined: Jan 2013
Posts: 43

Offline
Neither of those two pwd work on my HDW4300C (soft v2.210 build 2014-613)


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sat Jan 17, 2015 2:38 pm 
Registered User

Joined: Nov 2009
Posts: 3863
Location: So Cal

Offline
Can you post where to get that release. I can only find slightly newer and slightly order but nothing from 6-13-2014. Once we have firmware, we may be able to get that password for you.

_________________
For network camera articles and reviews, visit my blog at
http://www.NetworkCameraCritic.com


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sat Jan 17, 2015 4:13 pm 
Registered User

Joined: Jan 2013
Posts: 43

Offline
It was already installed on my camera.


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sat Jan 17, 2015 9:40 pm 
Registered User

Joined: Dec 2014
Posts: 7

Offline
Interesting enough I found the 7ujMko0 string hardcoded in telnetd binary on the firmware.
I have just tried telnet admin/7ujMko0admin and root/7ujMko0admin with no luck.
I will try to reset password to admin, to see if that makes any difference...


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sat Jan 17, 2015 9:50 pm 
Registered User

Joined: Dec 2014
Posts: 7

Offline
Yay, I am in, after resetting to admin it worked.
I should try the following combination: admin/7ujMko0{new_password} as I assume it expects 7ujMko0 appended to the password...

Update: it worked!


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sun Jan 18, 2015 9:08 am 
Registered User

Joined: Jan 2013
Posts: 43

Offline
Yes, that worked - the bit after 7ujMko0 is the current pwd. Furthermore, the userid and current password can be any existing userid. I think it must be a admin id to login though! It is good to know that you still have to know the password to can access and that it is not 'wide-open'
thx


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sun Jan 18, 2015 4:39 pm 
Registered User

Joined: Nov 2009
Posts: 3863
Location: So Cal

Offline
SergeiF wrote:
Interesting enough I found the 7ujMko0 string hardcoded in telnetd binary on the firmware.
I have just tried telnet admin/7ujMko0admin and root/7ujMko0admin with no luck.
I will try to reset password to admin, to see if that makes any difference...


Sergie, I got the latest firmware for my Dahua camera, an old ipc-hfw2100, firmware from April 2014. Loaded on the cameras fine. In Linux I did a unzip on the bin file, created the following files -
    dm365_ubl_boot_16M_norflash.bin.img
    dm365_ubl_boot_16M_spiflash.bin.img
    kernel-x.cramfs.img
    pd-x.cramfs.img
    romfs-x.cramfs.img
    user-x.cramfs.img
    web-x.cramfs.img
The interesting thing is they have cramfs in the file name instead of ubifs like you found. I did a binwalk -e on the romfs one and it create a directory with a file 40.cramfs. I did a mount on it, mount -t cramfs -o loop 40.cramfs /mnt/romfs.

The root Linux directories are there, bin, dev, etc, home, mnt, proc, sbin..... just like you got from ubis but cramfs may be easier since I just mounted it.

The password prefix is in the bin/busybox. In a hex dump, it's next to the word Password: so somewhat identifiable. My educated guess is that it's in telnetd. Doing a ps shows /utils/telnetd but that's a link to /bin/busybox.

_________________
For network camera articles and reviews, visit my blog at
http://www.NetworkCameraCritic.com


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sun Jan 18, 2015 4:54 pm 
Registered User

Joined: Jan 2013
Posts: 43

Offline
I think that the files you see in /bin like telnet all point back to busybox


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sun Jan 18, 2015 8:05 pm 
Registered User

Joined: Nov 2009
Posts: 3863
Location: So Cal

Offline
You can probably put in your own telnetd in that file, remove the symbolic link to busybox, recreate the cramfs file, zip it back together and do a firmware update to make telnet behave as normal in terms of password, using the standard password.

_________________
For network camera articles and reviews, visit my blog at
http://www.NetworkCameraCritic.com


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Sun Jan 18, 2015 9:35 pm 
Registered User

Joined: Jan 2013
Posts: 43

Offline
You'll probably have problems with space - the apps in busybox are 'lite' versions which give some but not all functionality of the originals. As it is now, if you just changed the admin pwd from its default you'd be ok - at least your better off than having a fixed pwd like vizxv


Top
 Profile  
Reply with quote  

  
 Post subject: Re: Dahua IPC-HFW4300S telnet password (not vizxv)
PostPosted: Mon Mar 14, 2016 12:46 pm 
Registered User

Joined: Mar 2016
Posts: 1

Offline
Hi people, I'm new here.

Thank you in advance for all the documentation

I had a problem with the login. My colleague tried 3 times a wrong password, by misstyping a capital letter, and now it shows a message saying that the account is blocked :(
I would like to reboot it, but the camera is in a place not so easy to access so It would be great if I could access through telnet and reboot it. I've read that you can access using a prefix plus the password. I tried it but I get the message "User or Password Invalid, Remain 1 Retry Times". Is the prefix the same for all models of cameras? What do you recommend apart from physically unplugging it?

the model is DH-SD59230S-HN


Top
 Profile  
Reply with quote  

Display posts from previous:  Sort by  
Reply to topic  [ 14 posts ] 


Who is online

Users browsing this forum: Google Adsense [Bot] and 13 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

It is currently Sun Mar 26, 2017 7:36 pm

The contents of this webpage are copyright © 2003-2016 CCTVForum.com. All Rights Reserved.