CBX 0 Posted February 23, 2014 Hi all Edit: try this tool - https://www.cctvforum.com/hikvision-password-reset/ I've been playing with the mechanism by which you can reset your password to the default if you get locked out. Apparently Hikvision provide a free service by which you can email them with your serial number, and they will respond with a secure code you can use with a tool to reset remotely. I've figured out a way to send this code remotely using the command line. Or you can use a tool on the camera via telnet, though of course if you have access to telnet you probably don't need the password resetting: # resetPasswd Device Serial No.:DS-2CD2732F-IS20121226CCCH546641810 Current Date :20140223 # resetPasswd xxxxxxxxxx Invalid secure code. # resetPasswd Re9rSR9rzd Default password of 'admin' restored. This code is date dependant and the camera will accept the code for today or yesterday. I've written my own secure code generator just for fun though I can only test with my 2 cameras. Example generating codes for next 4 days, and sending todays remotely using the command line: root@rl70:~# for DATE in 20140222 20140223 20140224 20140225; do ./gen_hik_secure_code.php --serial=DS-2CD2732F-IS20121226CCCH546641810"$DATE" done Serial is: DS-2CD2732F-IS20121226CCCH54664181020140222 Secure Code = Re9rSR9rzd Serial is: DS-2CD2732F-IS20121226CCCH54664181020140223 Secure Code = qee9zdzdRe Serial is: DS-2CD2732F-IS20121226CCCH54664181020140224 Secure Code = SrzqzqRzqd Serial is: DS-2CD2732F-IS20121226CCCH54664181020140225 Secure Code = zrqzrRSdz root@rl70:~# echo -n -e '\x00\x00\x00\x1a\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x0e'qee9zdzdRe | nc 192.168.0.201 7001 Default password of 'admin' restored. As far as I know, you can't do this with access to port 80 only so this shouldn't be a risk of people gaining access remotely unless they have access to port 7001 and others of your camera which I wouldn't advise. I won't be publishing my secure code generator as this would be irresponsible, but I thought it would be interesting to explore to understand the security aspects of the camera better. Share this post Link to post Share on other sites
CBX 0 Posted February 24, 2014 Youtube vid of official reset procedure: Share this post Link to post Share on other sites
MaxIcon 0 Posted February 24, 2014 Dahua does something similar, and someone posted the algorithm a while back. I don't know if they still use the same setup or not, but it's a handy thing to know, since Dahua's support is not so good. Share this post Link to post Share on other sites
CBX 0 Posted February 25, 2014 Dahua does something similar, and someone posted the algorithm a while back. I don't know if they still use the same setup or not, but it's a handy thing to know, since Dahua's support is not so good. Did a search and if we're talking about a constant multiplied by some date fields I have to say that's pretty poor security. At least Hikvision actually use the serial so the unlock code is tied to your device as well as the date - and this doesn't work via an exposed tcp 80 port. The algo is also more complex (though obviously breakable). Share this post Link to post Share on other sites
JoeyJoey 0 Posted February 25, 2014 Are you saying that you can create the unlock codes? Share this post Link to post Share on other sites
CBX 0 Posted February 25, 2014 Are you saying that you can create the unlock codes? Yes. Share this post Link to post Share on other sites
MikesCams 0 Posted February 25, 2014 Great information, thanks for sharing. Share this post Link to post Share on other sites
Securame 0 Posted February 25, 2014 Did a search and if we're talking about a constant multiplied by some date fields I have to say that's pretty poor security. At least Hikvision actually use the serial so the unlock code is tied to your device as well as the date - and this doesn't work via an exposed tcp 80 port. The algo is also more complex (though obviously breakable). If I am not wrong, the codes for Dahua only worked when used locally; with a mouse and monitor connected to the DVR. They can not be used over network. Can we see gen_hik_secure_code.php, or we better not ask? Share this post Link to post Share on other sites
CBX 0 Posted February 26, 2014 If I am not wrong, the codes for Dahua only worked when used locally; with a mouse and monitor connected to the DVR. They can not be used over network. Can we see gen_hik_secure_code.php, or we better not ask? If that's true then fair enough. Actually I wouldn't expect a code needed for that at all if you need to have physical access to that device. The Hikvision one is much more of an issue as tcp 7001, ONVIF, SDK port, sadp can all be used to reset the password if I am not mistaken. You can ask, but I've already said I won't publish It might be misused by people to get access to cameras that aren't theirs. I don't think Hikvision perform any checks when you ask for a code - but that's their responsiblity not mine. Share this post Link to post Share on other sites
CBX 0 Posted March 4, 2014 I've realised my code only works for serial numbers which have an odd number of characters. I'm not sure if Hikvision cams only have an odd length? Does anyone have an even length serial number? Share this post Link to post Share on other sites
Securame 0 Posted March 4, 2014 I've realised my code only works for serial numbers which have an odd number of characters. I'm not sure if Hikvision cams only have an odd length? Does anyone have an even length serial number? As of now, Hikvision serial numbers are 9 digits long. I guess that sooner or later they will have to change that, when they run out of numbers... Share this post Link to post Share on other sites
CBX 0 Posted March 4, 2014 As of now, Hikvision serial numbers are 9 digits long. I guess that sooner or later they will have to change that, when they run out of numbers... Sorry for the confusion - I meant the entire device string length. E.g: DS-2CD2732F-IS20121226CCCH546641810 is 33 characters long. Share this post Link to post Share on other sites
Securame 0 Posted March 4, 2014 Mmmh good question then. The s/n on that string is just 546641810. I never bothered checking how many characters the full string has, but the first one I just checked is 40 (a DVR). DVR7208HWI-SH0820130330AAWR---s/n---WCVU Share this post Link to post Share on other sites
CBX 0 Posted March 4, 2014 Mmmh good question then. The s/n on that string is just 546641810. I never bothered checking how many characters the full string has, but the first one I just checked is 40 (a DVR). DVR7208HWI-SH0820130330AAWR---s/n---WCVU Thanks for checking that. Do you know if the unlock for a DVR is the same mechanism? The odd length device string might be IPcams only? Share this post Link to post Share on other sites
Securame 0 Posted March 4, 2014 The odd length device string might be IPcams only? DS-2CD8153F-E20110629BBWR---s/n--- Nope, that one is also 34 characters, so not all IP cams have odd length. Share this post Link to post Share on other sites
CBX 0 Posted March 4, 2014 Bummer. OK thanks - means I have to figure out the algo abit more to work with even numbered strings Share this post Link to post Share on other sites
CBX 0 Posted March 7, 2014 The odd length device string might be IPcams only? DS-2CD8153F-E20110629BBWR---s/n--- Nope, that one is also 34 characters, so not all IP cams have odd length. Thanks for the help MindTwist. Finally had a chance to look at this and code adjusted to work with even length device strings (had to add a digit to mine to test!) No idea if this works for DVR stuff or not as don't have one. If anyone wants to know if this is the same algo or not, but all means PM me your full device string and I'll PM you back the secure code to test. Share this post Link to post Share on other sites
CBX 0 Posted March 7, 2014 Actually if you are concerned about PM'ing me your full serial - feel free to exclude the last 2 digits, and I'll generate 100 combinations and you can just pick yours without me knowing which it is. Share this post Link to post Share on other sites
Securame 0 Posted March 7, 2014 Actually if you are concerned about PM'ing me your full serial - feel free to exclude the last 2 digits, and I'll generate 100 combinations and you can just pick yours without me knowing which it is. No problem on sending a serial, you have a PM. I will check if the code is right. Share this post Link to post Share on other sites
CBX 0 Posted March 7, 2014 No problem on sending a serial, you have a PM. I will check if the code is right. Cheers. I've been looking at the code for the DVR control app as I don't have one to test. Looks like the gen code is indeed different, but I think I can figure it out without debugging on the device. I'll send a code based on the IPcam algo which should be wrong and a code based on what i think the DVR app expects. We'll see if it works Share this post Link to post Share on other sites
Securame 0 Posted March 7, 2014 No problem on sending a serial, you have a PM. I will check if the code is right. Cheers. I've been looking at the code for the DVR control app as I don't have one to test. Looks like the gen code is indeed different, but I think I can figure it out without debugging on the device. I'll send a code based on the IPcam algo which should be wrong and a code based on what i think the DVR app expects. We'll see if it works The serial I sent you belongs to a IPC. If you also need DVR, NVR, other IPCs, let me know. Share this post Link to post Share on other sites
CBX 0 Posted March 7, 2014 The serial I sent you belongs to a IPC. If you also need DVR, NVR, other IPCs, let me know. If you don't mind testing the codes generated, then I'd like a DVR and NVR serial please. The code I sent was assuming an IP cam, but now I've started to actually code a generation algo, it looks like the DVR and IPcam algos are the same (though they don't look like it when looking at the ASM). Hopefully the one I sent you worked. Thanks Share this post Link to post Share on other sites
robbyclark 0 Posted May 10, 2014 siknit said: FOR ALL .Users can dowload reset tool from ... That link doesn't work. The wordpress site the file is hosted on has its permissions setup in a way that blocks the file being downloaded. It probably something to do with WP-Filebase, I have PM'd siknit to see if they can help/provide another link to the file. Share this post Link to post Share on other sites
CBX 0 Posted May 12, 2014 Just to be clear, that link and poster have no connection to, or endorsement from me. That's not saying it is or isn't legit - just nothing to do with me. Share this post Link to post Share on other sites
ride525 0 Posted May 14, 2014 So does this mean if someone gets locked out of their Lorex, Swan, or Hikvision NVR, maybe forgot their password, that a "secure code" could be generated to get back in? Share this post Link to post Share on other sites