matcunni

Chinese Hi3520D - Admin account lost (?) + Possible solutions


Hello! I am extremely frustrated with my uncle's NVR, so I will try to post a "failed" walkthrough of what I've done (for future generations with this problem (?)) and some questions, just in case it's not a lost cause as I've already concluded (being very new to this space).

The NVR is Chinese generic. The board model is Hi3520D_V318_0408


The problem is not the usual "Lost admin password" but "Lost admin account"

I don't know how my uncle managed to delete the administrator account and, of course, he doesn't know either.

The thing is that there's nothing in the user field, and there isn't any way of writing something there.

If you click the arrow next to the user field, nothing happens (I've read somewhere of people who got gibberish users after a firmware update, and the solution was selecting those users nevertheless and entering the default password, but in my case the user list is empty)

You can do absolutely nothing without logging in. Any menu option you click brings the login prompt to the screen.

I've already tried 4 different "master reset" software found as Hi3520D solution. But having no user, none of them worked.


I've searched as well as I could for a way to hard reset this board, but I couldn't find any, nor could I find a pair of pins that looked like they could be bridged to achieve this.

According to my uncle, the default user when he accessed directly from the NVR was "system" and the default password was empty. No user with no password doesn't work.

I've tried several default passwords from the NVR interface.

I've tried to access the system from the web interface with a lot of the common default combinations, but I just keep getting login failed.

I found a document called HiSilicon DVR hack where someone exposes a list of vulnerabilities of this chipset family

With that guide I've run a full scan with NMAP and found this:

[Attached image: nmap scan output]

I've tried to access by telnet with user root, pass xc3511 as they do in that thread with no success.

I've downloaded a Linux distro (Kali Linux), and ran a telnet attack with THC HYDRA and a dictionary of default telnet user/passwords that I found on GitHub, plus some user/password combinations that I found along the way.

passcomb.txt

I've tried another attack like that but with "brutus" and the web HTTP interface, with default users and passwords I found for NVR systems and IP cameras.

I've tried an exploit I found for NVR web interfaces that uses a curl command and a cookie to bypass the authentication page.

None of them worked.

Well, I think I'm not forgetting anything. If someone has another idea I'm all ears.

Plan B:

I started looking for another board to replace the one that I have. I've found one that has the same chipset and looks like it could work.

[Attached image: replacement board]

But the one I have has a little wifi board attached with an antenna.

Is it possible to connect just the wifi board that I have to a board like the one I pasted above? Or do I need a board that has some firmware including a wifi antenna? Or do I necessarily need a board which comes with a wifi antenna?

Please, any help/comment would be really appreciated.

Matt


Hi. Like Larry says, is it going to be cost effective? NVRs from any manufacturer are cheap now.

The other problem is not knowing where your data is going with the no-name brands. Some ISPs are now starting to block China connections.

Buy a brand name and then have tech support.

6 hours ago, larry said:

How much is that board and the necessary extra parts versus buying a new NVR?

Hi, that board costs 18USD including shipping to my country.

The cheapest generic NVR without brand or cameras (in my country) costs 75USD. I'm not considering buying a full system abroad because import taxes and shipping start to matter when size and value increase.

Buying a complete new system is what I'm trying to avoid.

Thanks to both of you for answering.


Hi,

I had the same concern as you. Can you try  name: Admin  pass: 222222222222 (not in telnet but in the normal administration console)?


I actually did some work on one of these devices for a friend. I took a dump of the firmware from my live device, and did some digging, and here's what I found:

There are two sets of firmware for the `K9604-W`/`NVR0408`. I have a `JUAN` system. Since I don't have the other type of device, I can't test the other firmware. Here's an undocumented reset I found for the `JUAN` firmware.
Using a USB flash drive, create a text file called `restore_factory_config_is_dangerous` on the flash drive (no extension).
You have two options here depending on what you want to do.

  • Open that text file, and put `2012` as the only text in it (no new line) if you want to restore the factory config.
  • Open that text file, and put `2017` as the only text in it (no new line) if you want to restore the factory config, and reset the user database to the initial state.

Reboot the device. Before the firmware loads the UI, it should wipe the data necessary to restore the configs/users, then reboot.

Make sure you unplug the USB after the reboot. This is because it expects the `dvr_app` to be located on the flash drive (which it won't be), so the UI and such will be broken.

More information about how I came upon this can be found on my blog at RandomCPU Night Owl DVR Reset

Edited by DeathCamel57
USB removal step added
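
The USB step from the post above, as an added example that is not part of the original post or the poster's own tooling: a POSIX shell helper that writes the marker file with no trailing newline and then checks that it is exactly four bytes. The function names and the mount-point argument are assumptions; the file name and the two values come from the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: sh write_marker.sh /path/to/usb/mountpoint 2012|2017
# Assumption: the flash drive is already mounted at the directory passed in.
MARKER=restore_factory_config_is_dangerous

# verify_reset_marker DIR MODE -> 0 only if the file holds exactly MODE
verify_reset_marker() {
    f=$1/$MARKER
    [ -f "$f" ] || return 1
    # Exactly 4 bytes: a trailing LF or CRLF left by an editor makes it 5 or 6
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 4 ] || return 1
    [ "$(cat "$f")" = "$2" ] || return 1
}

# write_reset_marker DIR MODE
#   2012 = restore factory config
#   2017 = restore factory config and reset the user database
write_reset_marker() {
    dir=$1
    mode=$2
    case "$mode" in
        2012|2017) ;;
        *) echo "mode must be 2012 or 2017" >&2; return 2 ;;
    esac
    [ -d "$dir" ] && [ -w "$dir" ] || {
        echo "not a writable directory: $dir" >&2
        return 3
    }
    # printf emits only the four digits; echo would append a newline
    printf '%s' "$mode" > "$dir/$MARKER" || return 4
    sync    # flush to the drive before it is unplugged
    verify_reset_marker "$dir" "$mode"
}

if [ "$#" -eq 2 ]; then
    write_reset_marker "$1" "$2"
fi
```

`verify_reset_marker` can also be run on its own against a file created in a text editor, which is where a stray newline usually comes from.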

On 7/11/2019 at 9:29 PM, Drikafer said:

EXACTLY same situation here. Chipset Hi3520D.
Trying to discover telnet pass...

The telnet password is likely `j1/_7sxw` (without the backticks). This is a fairly common password for devices created by JUAN.
