CBX

Hikvision default password

Hi all

Edit: try this tool - https://www.cctvforum.com/hikvision-password-reset/

I've been playing with the mechanism by which you can reset your password to the default if you get locked out. Apparently Hikvision provide a free service by which you can email them with your serial number, and they will respond with a secure code you can use with a tool to reset remotely.

I've figured out a way to send this code remotely using the command line.

Or you can use a tool on the camera via telnet, though of course if you have access to telnet you probably don't need the password resetting:

# resetPasswd
Device Serial No.:DS-2CD2732F-IS20121226CCCH546641810
Current Date     :20140223

# resetPasswd xxxxxxxxxx
Invalid secure code.

# resetPasswd Re9rSR9rzd
Default password of 'admin' restored.

This code is date dependent and the camera will accept the code for today or yesterday.

I've written my own secure code generator just for fun though I can only test with my 2 cameras.

Example generating codes for next 4 days, and sending today's remotely using the command line:

root@rl70:~# for DATE in 20140222 20140223 20140224 20140225; do 
 ./gen_hik_secure_code.php --serial=DS-2CD2732F-IS20121226CCCH546641810"$DATE"
done

Serial is: DS-2CD2732F-IS20121226CCCH54664181020140222
Secure Code = Re9rSR9rzd

Serial is: DS-2CD2732F-IS20121226CCCH54664181020140223
Secure Code = qee9zdzdRe

Serial is: DS-2CD2732F-IS20121226CCCH54664181020140224
Secure Code = SrzqzqRzqd

Serial is: DS-2CD2732F-IS20121226CCCH54664181020140225
Secure Code = zrqzrRSdz

root@rl70:~# echo -n -e '\x00\x00\x00\x1a\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x0e'qee9zdzdRe | nc 192.168.0.201 7001
Default password of 'admin' restored.

As far as I know, you can't do this with access to port 80 only, so this shouldn't be a risk of people gaining access remotely unless they have access to port 7001 and others of your camera, which I wouldn't advise.

I won't be publishing my secure code generator as this would be irresponsible, but I thought it would be interesting to explore to understand the security aspects of the camera better.

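Added example, not part of the original post and not Hikvision code: a Python check a defender could run over reassembled client payloads to flag messages shaped like the reset request in the nc command above. The four-word big-endian header layout and the reading of the first word as the total message length are inferences from that single example; the function names and sample flows are constructed.

```python
import struct

RESET_PORT = 7001   # destination port in the post's nc command
HEADER_LEN = 16     # four big-endian 32-bit words precede the code
# Header bytes copied from the post's example; words 2-4 are not explained there.
POST_HEADER = bytes.fromhex("0000001a00000013000000020000000e")
POST_WORDS = struct.unpack(">4I", POST_HEADER)[1:]


def classify_payload(dst_port, payload):
    """Return a finding for a payload shaped like the reset request, else None."""
    if dst_port != RESET_PORT or len(payload) <= HEADER_LEN:
        return None
    total, *words = struct.unpack(">4I", payload[:HEADER_LEN])
    code = payload[HEADER_LEN:]
    # Inference from the example: word 1 (0x1a = 26) is header + code length.
    if total != len(payload) or not code.isalnum():
        return None
    return {
        "event": "possible_password_reset_request",
        "code_len": len(code),  # the code itself is deliberately not logged
        "header_matches_post": tuple(words) == POST_WORDS,
    }


def scan(flows):
    """flows: (src, dst, dst_port, payload) tuples; returns one alert per match."""
    alerts = []
    for src, dst, port, payload in flows:
        finding = classify_payload(port, payload)
        if finding:
            alerts.append({"src": src, "dst": dst, **finding})
    return alerts


# Constructed flows: placeholder code bytes, documentation-range source address.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.168.0.201", 7001, POST_HEADER + b"X" * 10),    # flagged
    ("192.0.2.10", "192.168.0.201", 80, POST_HEADER + b"X" * 10),      # wrong port
    ("192.0.2.10", "192.168.0.201", 7001, b"GET / HTTP/1.0\r\n\r\n"),  # not the format
    ("192.0.2.10", "192.168.0.201", 7001, POST_HEADER + b"X" * 5),     # length mismatch
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

A payload that keeps the length-prefixed shape but differs in words 2-4 is still reported, with `header_matches_post` set to false, since the post shows only one header.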

Dahua does something similar, and someone posted the algorithm a while back. I don't know if they still use the same setup or not, but it's a handy thing to know, since Dahua's support is not so good.

Did a search and if we're talking about a constant multiplied by some date fields I have to say that's pretty poor security. At least Hikvision actually use the serial so the unlock code is tied to your device as well as the date - and this doesn't work via an exposed tcp 80 port. The algo is also more complex (though obviously breakable).

If I am not wrong, the codes for Dahua only worked when used locally; with a mouse and monitor connected to the DVR. They cannot be used over network.

Can we see gen_hik_secure_code.php, or we better not ask?

If that's true then fair enough. Actually I wouldn't expect a code needed for that at all if you need to have physical access to that device.

The Hikvision one is much more of an issue as tcp 7001, ONVIF, SDK port, sadp can all be used to reset the password if I am not mistaken.

You can ask, but I've already said I won't publish. It might be misused by people to get access to cameras that aren't theirs. I don't think Hikvision perform any checks when you ask for a code - but that's their responsibility not mine.

I've realised my code only works for serial numbers which have an odd number of characters. I'm not sure if Hikvision cams only have an odd length?

Does anyone have an even length serial number?

As of now, Hikvision serial numbers are 9 digits long. I guess that sooner or later they will have to change that, when they run out of numbers...

Sorry for the confusion - I meant the entire device string length. E.g:

DS-2CD2732F-IS20121226CCCH546641810

is 33 characters long.

Mmmh good question then. The s/n on that string is just 546641810.

I never bothered checking how many characters the full string has, but the first one I just checked is 40 (a DVR).

DVR7208HWI-SH0820130330AAWR---s/n---WCVU

Thanks for checking that. Do you know if the unlock for a DVR is the same mechanism?

The odd length device string might be IPcams only?

DS-2CD8153F-E20110629BBWR---s/n---

Nope, that one is also 34 characters, so not all IP cams have odd length.

Bummer.

OK thanks - means I have to figure out the algo a bit more to work with even numbered strings

Thanks for the help MindTwist. Finally had a chance to look at this and code adjusted to work with even length device strings (had to add a digit to mine to test!)

No idea if this works for DVR stuff or not as don't have one. If anyone wants to know if this is the same algo or not, by all means PM me your full device string and I'll PM you back the secure code to test.

Actually if you are concerned about PM'ing me your full serial - feel free to exclude the last 2 digits, and I'll generate 100 combinations and you can just pick yours without me knowing which it is.

No problem on sending a serial, you have a PM. I will check if the code is right.

Cheers.

I've been looking at the code for the DVR control app as I don't have one to test. Looks like the gen code is indeed different, but I think I can figure it out without debugging on the device.

I'll send a code based on the IPcam algo which should be wrong and a code based on what I think the DVR app expects. We'll see if it works.

The serial I sent you belongs to an IPC. If you also need DVR, NVR, other IPCs, let me know.

If you don't mind testing the codes generated, then I'd like a DVR and NVR serial please.

The code I sent was assuming an IP cam, but now I've started to actually code a generation algo, it looks like the DVR and IPcam algos are the same (though they don't look like it when looking at the ASM). Hopefully the one I sent you worked.

Thanks

siknit said:
FOR ALL .Users can download reset tool from ...

That link doesn't work. The WordPress site the file is hosted on has its permissions set up in a way that blocks the file being downloaded. It's probably something to do with WP-Filebase; I have PM'd siknit to see if they can help/provide another link to the file.

Just to be clear, that link and poster have no connection to, or endorsement from me.

That's not saying it is or isn't legit - just nothing to do with me.

So does this mean if someone gets locked out of their Lorex, Swan, or Hikvision NVR, maybe forgot their password, that a "secure code" could be generated to get back in?
