Jump to content
gilesjuk

CNM Secure Primus (8ch) password

Recommended Posts

Hi all,

 

I bought a CNM Secure CCTV system in Dec 2011 and used it for a while. But then decided it didn't do what I wanted, so took it down.

 

I want to sell it on to my father but when I came to check it was still working the other day I couldn't remember any of the passwords.

 

I've emailed CNM Secure and Think CCTV where I bought it and neither have responded. This strikes me as very poor customer service and they have lot any future sale from me.

 

I see that Maplins will send you a generated master code if you bought your DVR from them, but I didn't sadly.

 

Does anyone know how I can reset this system to factory state? Looking at the unit it seems all the configuration information is stored in flash memory, so removing the coin cell and blanking the hard disk hasn't helped at all.

 

I can provide proof of purchase if needed, I'm not selling on some hooky gear.

 

Cheers.

Share this post


Link to post
Share on other sites

Answering my own question (just shows you have to do things yourself usually).

 

I managed to get the /etc/passwd file from this DVR, it's web interface is flawed in that you can grab most things from the filesystem by using relative paths.

 

So I managed to grab the root password, ran through John the Ripper and got the root password (I won't post it here)

 

In the /mnt/mtd/Config folder is two password files Account1 and Account2 (which I suppose it a backup).

 

For resetting the admin password I used SED to substitute the password I had used for a blank one.

 

eg.

 

Make a backup:

 

cp Account1 Account1-

cp Account2 Account2-

 

sed /s/oldhashedpassword/tlJwpbo6 Account1

sed /s/oldhashedpassword/tlJwpbo6 Account2

 

Resulting structure:

 

"Group" : "admin",

"Memo" : "admin 's account",

"Name" : "admin",

"Password" : "tlJwpbo6",

"Reserved" : true,

"Sharable" : true

 

Reboot and you can log in with blank password again.

 

(I'm no hacker, but this was a bit too easy).

Share this post


Link to post
Share on other sites

Hello my friend, I'm from mexico and having similar issue, buy this used dvr on internet and the owner can't remember the password, I realized I could login as guest but can't do many things, one of the things I can do however is download a backup of the configuration, in those files it comes the hash i suppose for the accounts, I tried changing the files and uploading again but didn't work, could you help me telling me how you did to get the passwd file using the web interface pls?

 

Thank you very much for your assistance, this is what my config file shows:

 

"Group" : "admin",

"Memo" : "admin 's account",

"Name" : "admin",

"Password" : "1OAZMJJt", <----- I guess this is some kind of hash from the current admin password

"Reserved" : true,

"Sharable" : true

},

{

"AuthorityList" : [

"Monitor_01",

"Monitor_02",

"Monitor_03",

"Monitor_04",

"Replay_01",

"Replay_02",

"Replay_03",

"Replay_04"

],

"Group" : "user",

"Memo" : "guest 's account",

"Name" : "guest",

"Password" : "tlJwpbo6", <------- I found your post looking for this hash on google which now I know is for a blank password

"Reserved" : true,

"Sharable" : true

Share this post


Link to post
Share on other sites

I have the CNM Secure 4 port 500gb model (All very generic far eastern electronics - not even a model number bought from CPC/Farnell in 2011.), and the Admin password had reset itself for some unknown reason.

Having lost the manual, I tried all the usual suspects:

000000

111111

519070

020818

ecdGqv

12888

I tried the number generators from https://dl.dropboxusercontent.com/u/5005588/dvr-pass.zip without success, and even tried Telnet to "root" using password xc35111 and none worked.

In the end, guessing the password 888888 worked for me.

One thing I did learn, removing the "BIOS" battery just resets the system clock, not the Admin password.

 

One other thing, note when connecting remotely to this model that the username is case sensitive as well as the password, and you must also open the ports 5000, 5001 and 6003 (For mobile phone access) in the router firewall services.

 

Hope this helps someone.

 

John T.

Share this post


Link to post
Share on other sites

I found an easyer step to set lJwpbo6 hash again mv Account2 Account1

and reboot sometimes Account2 is stay on default settings.

Share this post


Link to post
Share on other sites

My frien show me the easyes way to set tlJwpbo6 aganin

 

 

sed -i s/oldhashedpassword/tlJwpbo6/Account1

Share this post


Link to post
Share on other sites
Answering my own question (just shows you have to do things yourself usually).

 

I managed to get the /etc/passwd file from this DVR, it's web interface is flawed in that you can grab most things from the filesystem by using relative paths.

 

So I managed to grab the root password, ran through John the Ripper and got the root password (I won't post it here)

 

In the /mnt/mtd/Config folder is two password files Account1 and Account2 (which I suppose it a backup).

 

For resetting the admin password I used SED to substitute the password I had used for a blank one.

 

eg.

 

Make a backup:

 

cp Account1 Account1-

cp Account2 Account2-

 

sed /s/oldhashedpassword/tlJwpbo6 Account1

sed /s/oldhashedpassword/tlJwpbo6 Account2

 

Resulting structure:

 

"Group" : "admin",

"Memo" : "admin 's account",

"Name" : "admin",

"Password" : "tlJwpbo6",

"Reserved" : true,

"Sharable" : true

 

Reboot and you can log in with blank password again.

 

(I'm no hacker, but this was a bit too easy).

 

 

Hi mate

Do you think you could walk me through this process?

I am also locked out of mine.

Thanks

Mike

Share this post


Link to post
Share on other sites

Big Problem here

 

cameras (Hi3516 Hi3518 etc) and NVR working with xmeye app (or vmeye) from HiSilicon have no option to reset admin's password:

 

There is problem that telnet is disabled. I have UART cable connected, but this can't help because you can get command prompt only for uboot, not later for linux.

 

I also have firmware dump readed with flash chip reader. I unpacked firmware with binwalk, and I found Account1 and Account2 files, and I see hash of password, but what's next? Is it known what hash type this is so I can use brute force?

 

thanks

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×