SergeiF

Dahua IPC-HFW4300S telnet password (not vizxv)

Hello there,

 

Does anybody know the telnet password for Dahua IPC-HFW4300S?

It is not root/vizxv, even though md5crypt appears to be so in /etc/passwd.

I took the firmware image and dug around, but could not find anything other than vizxv.

The hash in /etc/passwd (from firmware image):

$1$jSqQv.uP$jgz4lwEx2pnDh4QwXkh06/:vizxv

 

If anyone is interested, this is how I extracted this hash (and cracked the password):

http://sergei.nz/extracting-password-from-dahua-firmware-image/

http://sergei.nz/exploring-dahua-firmware/

 

But for all these efforts it looks like the telnet is not accepting vizxv.

I looked at strings on telnetd on the firmware and it references /mnt/mtd/Config/passwd, which is not on the firmware....

 

Regards.

 

Sergei.


Here's a link to a post with the newer version. Not sure if it still works, though:

viewtopic.php?p=253713#p253713

 

From that post:

Long story short as in my case with login 'admin' and password 'admin' my telnet login is like this:

login: admin

password: 7ujMko0admin

So the prefix '7ujMko0' is the important part here.

Older ones use xc3511


Good work on tearing it apart. Getting from bin to the img files is easy enough, I just used WinRAR and it gave me those files. What's interesting is the bin file I have, which is the latest for my ipc-hfw2100, has the img files with cramfs vs ubifs, and I noticed Hikvision going this route on newer cameras, probably because cramfs is a read-only file system, less tampering. Maybe the firmware file you have is older and it really is that old password.

 

Do you think if you made a change, say to a menu or something, use the cramfs tools or ubifs, you can build a firmware file that will load into the camera? Would be cool to have a script that does what you did but extracts everything out into a file system that you can edit. Then a script that puts it all back. Seems like you are 90% there.


Can you post where to get that release? I can only find slightly newer and slightly older but nothing from 6-13-2014. Once we have firmware, we may be able to get that password for you.


 

Interestingly enough, I found the 7ujMko0 string hardcoded in the telnetd binary on the firmware.

I have just tried telnet admin/7ujMko0admin and root/7ujMko0admin with no luck.

I will try to reset password to admin, to see if that makes any difference...

 


 

Yay, I am in, after resetting to admin it worked.

I should try the following combination: admin/7ujMko0{new_password} as I assume it expects 7ujMko0 appended to the password...

 

Update: it worked!

 


Yes, that worked - the bit after 7ujMko0 is the current pwd. Furthermore, the userid and current password can be any existing userid. I think it must be an admin id to log in though! It is good to know that you still have to know the password to get access and that it is not 'wide-open'.

thx

Sergei, I got the latest firmware for my Dahua camera, an old ipc-hfw2100, firmware from April 2014. Loaded on the cameras fine. In Linux I did an unzip on the bin file, which created the following files -

  • dm365_ubl_boot_16M_norflash.bin.img
  • dm365_ubl_boot_16M_spiflash.bin.img
  • kernel-x.cramfs.img
  • pd-x.cramfs.img
  • romfs-x.cramfs.img
  • user-x.cramfs.img
  • web-x.cramfs.img

The interesting thing is they have cramfs in the file name instead of ubifs like you found. I did a binwalk -e on the romfs one and it created a directory with a file 40.cramfs. I did a mount on it, mount -t cramfs -o loop 40.cramfs /mnt/romfs.

The root Linux directories are there, bin, dev, etc, home, mnt, proc, sbin..... just like you got from ubifs, but cramfs may be easier since I just mounted it.

 

The password prefix is in the bin/busybox. In a hex dump, it's next to the word Password: so somewhat identifiable. My educated guess is that it's in telnetd. Doing a ps shows /utils/telnetd but that's a link to /bin/busybox.

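The observation in the post above (a hardcoded string sitting next to the Password: prompt in the busybox binary) is the kind of finding a firmware audit can check for automatically once the file system is mounted. The following is an added example, not code from this thread or from the vendor; the sample bytes are constructed, and the function names, the 48-byte window and the "looks like a secret" heuristic are assumptions.

```python
import re

MARKER = b"Password:"  # prompt text the post found next to the prefix
WINDOW = 48            # assumed: bytes either side of the marker to inspect

def printable_strings(blob, min_len=6):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, blob):
        yield m.start(), m.group().decode("ascii")

def looks_like_secret(text):
    """Heuristic: a single token mixing lower case, upper case and digits."""
    return (" " not in text
            and any(c.islower() for c in text)
            and any(c.isupper() for c in text)
            and any(c.isdigit() for c in text))

def candidates_near_marker(blob, marker=MARKER, window=WINDOW):
    """Return sorted (offset, text) candidates within `window` bytes of a marker.

    Strings that straddle the window edge are reported truncated.
    """
    found = set()
    for hit in re.finditer(re.escape(marker), blob):
        lo = max(0, hit.start() - window)
        hi = min(len(blob), hit.end() + window)
        for off, text in printable_strings(blob[lo:hi]):
            if looks_like_secret(text):
                found.add((lo + off, text))
    return sorted(found)

# Constructed sample, not bytes from any real firmware: NUL-separated strings
# laid out the way the post describes, padded with unrelated data.
SAMPLE = (b"\x7fELF" + b"\x00" * 64
          + b"telnetd\x00login: \x00Password: \x007ujMko0\x00Login incorrect\x00"
          + b"\x00" * 200
          + b"BusyBox v1.0\x00Usage: busybox [function]\x00")

if __name__ == "__main__":
    # On a mounted image you would read the real file instead, e.g.
    # open("/mnt/romfs/bin/busybox", "rb").read()
    for off, text in candidates_near_marker(SAMPLE):
        print(f"0x{off:06x}  {text}")
```

Any hit is only a candidate for manual review; ordinary identifiers that mix case and digits will also match the heuristic.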

You can probably put in your own telnetd in that file, remove the symbolic link to busybox, recreate the cramfs file, zip it back together and do a firmware update to make telnet behave as normal in terms of password, using the standard password.


You'll probably have problems with space - the apps in busybox are 'lite' versions which give some but not all functionality of the originals. As it is now, if you just changed the admin pwd from its default you'd be ok - at least you're better off than having a fixed pwd like vizxv.


Hi people, I'm new here.

 

Thank you in advance for all the documentation.

I had a problem with the login. My colleague tried a wrong password 3 times, by mistyping a capital letter, and now it shows a message saying that the account is blocked.

I would like to reboot it, but the camera is in a place not so easy to access, so it would be great if I could access it through telnet and reboot it. I've read that you can access using a prefix plus the password. I tried it but I get the message "User or Password Invalid, Remain 1 Retry Times". Is the prefix the same for all models of cameras? What do you recommend apart from physically unplugging it?

The model is DH-SD59230S-HN.
