Unbricking Hikvision IP Cameras (Repair, Reflash and TFTP Guide)

Great video and write up. I think it’s terrifying that these devices are everywhere. If you were trying to imagine an ideal botnet for internet warfare, you would be hard pressed to come up with a better set of features. China subsidizing device costs only makes them more terrifying. I look forward to the DefCon postmortem lecture about HikVision a few years from now.

PS I’ve been a fan of your content since the old days W. Don’t know why I took so long to join the forums but here I am. Greets from South Africa

4 Likes

What if there are multiple cameras on the network?

Ooof. If I had known… I bought 6x 5mp brand new HIKVision cameras a few months ago. And they are the DVR type, connected with coaxial cables (I got video baluns for them, so I could also inject POE along with data through one cat5e S/FTP cable). I paid $600 for the whole setup (DVR with cameras, video baluns, 2tb HDD, power bricks, UPS, Pi 4 2gb version with 16gb SD and charger and I had cables lying around). Unfortunately the DVR is not in a separate LAN, it’s on the same ISP router as my RPi that I run Wireguard on to connect to the DVR’s web interface to view the cameras (that LAN will pretty much become a botnet, I do update the Pi every month, so that Ubuntu is up-to-date).

I’m still working on a NAS for off-site backup of the video footage in another thread (related to old spinning rust with 5-6 years of uptime). I could have saved a few bucks and had the cameras on a switch separated from the Internet. Well, at least I slept in peace since I bought them, so the psychic profit and having them early was worth paying a little extra.

Only repair one camera at a time. Use a managed PoE switch to cordon off the other cameras. Or static ARP tables.

But what if a customer just buys 2 brand new working cameras and puts them on the same network?

Do the cameras just not work, and then they have to call customer support?

That would be very stupid.

These might be for advanced users only, but still, having devices that don’t work just because you have 2 of them on the same network is stupid.

Greetings,

I am joining in for the bit mentioning “Hacking the hikvision”, I skimmed the guy’s blog post, though a big part of it is over my head, my conclusion is that he DID get a working root shell, and was able to get rid of a hard-coded backdoor login, which opens up the opportunity for all kinds of possibilities. If you say you have contacted the original author of the post, can you please elaborate on where the project met a dead-end? This comes as a huge Christmas present to my (and everybody else’s) desires for a complete open source NVR as I described in this thread (open-sourced cameras with good hardware, Raspberry pi as the NVR).

I have flashed some Xiaomi cameras replacing the bootloader on the chip (involved a bit of soldering work), but they come nowhere near the image and build quality of the units displayed on your video.

The original issue was patched but you can still get back via serial console

Some of those literally just ssh -c /bin/sh

So that runs a shell as an ssh command and good to go.

Great, so what is the issue with their software that makes it harder to load different firmware? If you can get root, and they run Linux, wouldn’t that mean that you can easily build, say, an RTSP server (v4l2rtspserver) and a bunch of other tools to make the camera do just what you want?

I wish I could help somehow

I apologise in advance if this is a dumb question but here goes. I have been looking back through the synology video that goes with the hikvision cameras here and was wondering if I had a nas with 1 eth port could I add one with the USB and still keep them segmented off of my main network?

I have a problem with my NVR after trying to upgrade the firmware. However, when I use the SADP tool to check my system, it’s showing my IP address as 10.5.33.25 !!!
Does anyone know how I can still use the tftp with that IP address?

I did ask Hikvision for a password reset. I can use the XML they sent to reset the password successfully on SADP; however, literally 5 seconds after I try to make changes via SADP to remove DHCP so I can modify the IP, it says incorrect password.

If anyone has come across this issue or knows a fix please let me know.

Thank you all.

Looking to buy cameras, so ‘ebay hunter’ here.

Do you all have known compatible (recovered) models to suggest?

It can be super annoying finding the right camera, and the right region, to download the correct version of the firmware.

Yeah, about that…
How the hell does one do that exactly?

I’ve got my hands on some old gear: DS-2CD2520F cameras and DS-7104NI-SL NVR and I can’t wrap my head around it, if I even have any upgrade options…

  • What even are the regions?
    If I start from us[.]hikvision[.]com, UK has no firmware, fw list on the EU site seems completely broken. Are we talking about www[.]hikvisioneurope[.]com/portal ? I see EU/UK here. EU seems to equal NL?

  • How does one find anything?

I am open to getting new gear as well. Let’s say I am looking for a 8-ch NVR. The site lists:

  • DS-7108NI-Q1
  • DS-7108NI-Q1/M
  • DS-7108NI-E1/M
  • DS-7108NI-E1/8P/M

Meanwhile, I can source DS-7108NI-K1/W/M locally.

The fw seems to be grouped by ‘series’ on the latter ‘portal’ which tracks the suffix?

Here are the FW options:

  • Q Series: 7100NI-Q1
  • E Series: 7100NI-E, “7600NI-E1(E2) 7700NI-E4”
  • K Series: 76 NI-K1
  • “Wifi” Series: 7100K1-W-M > 7108NI-E1-V-W (2y.o.)

And now the questions…

  • Which fw fits which device, if any?
  • How significant are the numbers and suffixes?
  • Do they really sell EOL products or products with no fw? Is 2y.o. EOL?
  • ??? Who the hell organizes stuff like this? Are HIKVISION devs even the same species?

Hi, I updated my camera’s firmware via tftp but still cannot reset the password. Any ideas?

Hi, trying to use that python script I tried it on version 2.7.16 all the way to 3.10 and I keep getting a line error… any suggestions? On the Python version 3.10 I get line error on line 53. Version 2.17 I get line 1 as an error.

Can anybody guide me? I’m a noob with Linux. I’m trying to follow this tutorial and have completely hit a wall.

Installed Windows Subsystem for Linux, then on it installed Ubuntu 18.04.5 LTS. It came with Python 3 installed by default. Managed to download the firmware and unzipped it. Downloaded the script via the “curl -0” command from the “perma link” of the GitHub page. When I tried to run the script with the “sudo” command, it says command not found.

Then I tried using the “python 3” command but it would show an error. So I went and found a way to install Python 2.7, which in itself was a mission.

Tried to run with the “sudo” command and got the same error: command not found. Went to launch with: python hikvision_tftpd.py, and get an error:

xxxxx@xxxxx:~$ python hikvision_tftpd.py
File “hikvision_tftpd.py”, line 9

^
SyntaxError: invalid syntax

xxxxx@xxxx:~$ python ./hikvision_tftpd_test.py
Traceback (most recent call last):
File “./hikvision_tftpd_test.py”, line 9, in
import hikvision_tftpd
File “/home/xxxxxx/hikvision_tftpd.py”, line 9

^
SyntaxError: invalid syntax

what to do now??

After looking more in the github page found the link to the Python 3 version

First I tried to download the file with the curl command using the permalink, but that gave the same error as before.
Then I went and clicked on the “raw” option while looking at the script and used that link to download the file, and went to run it with: python3 hikvision_tftpd.py and now I think I got a proper response (the error is because I haven’t yet changed the IP)

xxxxx@xxxx:~$ python3 hikvision_tftpd.py
Error: Address 192.0.0.128:9978 not available.

Try running:
linux$ sudo ifconfig eth0:0 192.0.0.128
osx$ sudo ifconfig en0 alias 192.0.0.128 255.255.255.0

(adjust eth0 or en0 to taste. see “ifconfig -a” output)

the test file runs completely now:
read request options: {b’timeout’: b’5’, b’blksize’: b’1468’}
Setting block size to 1468
Serving 1508-byte digicap.dav (block size 1468, 2 blocks)
Tue Dec 6 16:29:38 2022: sending options ack
Tue Dec 6 16:29:38 2022: 1 / 2 [########################## ]
Tue Dec 6 16:29:38 2022: 2 / 2 [#####################################################]
Tue Dec 6 16:29:38 2022: done!
Setting block size to 512
Serving 1508-byte digicap.dav (block size 512, 3 blocks)
.

Ran 10 tests in 0.817s

OK

Once at home I will try to unbrick my camera.

1 Like
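The test output in the post above shows a TFTP read request carrying the timeout and blksize options, and the same 1508-byte digicap.dav taking 2 blocks at block size 1468 but 3 blocks at 512. The sketch below is an example added here, not code from hikvision_tftpd.py: it parses such a request (RFC 2347 option format), range-checks blksize (RFC 2348) and reproduces those block counts. The sample request bytes and the all-zero file are constructed.

```python
import struct

OP_RRQ, OP_DATA, OP_OACK = 1, 3, 6
DEFAULT_BLKSIZE = 512                  # RFC 1350 block size when none is negotiated
MIN_BLKSIZE, MAX_BLKSIZE = 8, 65464    # range allowed by RFC 2348

def parse_rrq(packet):
    """Split a read request into (filename, mode, options); reject malformed input."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a TFTP read request")
    fields = packet[2:].split(b"\x00")
    if fields.pop() != b"":
        raise ValueError("last string is not NUL-terminated")
    if len(fields) < 2 or len(fields) % 2 or not fields[0]:
        raise ValueError("missing filename/mode or dangling option")
    options = {fields[i].lower(): fields[i + 1] for i in range(2, len(fields), 2)}
    return fields[0], fields[1].lower(), options

def negotiate_blksize(options):
    """Return the block size to use, validating the value the client asked for."""
    raw = options.get(b"blksize")
    if raw is None:
        return DEFAULT_BLKSIZE
    if not raw.isdigit() or not MIN_BLKSIZE <= int(raw) <= MAX_BLKSIZE:
        raise ValueError("blksize missing digits or out of range")
    return int(raw)

def build_oack(blksize):
    """Option acknowledgement echoing the accepted blksize back to the client."""
    return struct.pack("!H", OP_OACK) + b"blksize\x00" + str(blksize).encode() + b"\x00"

def block_count(file_size, blksize):
    """A transfer ends on a block shorter than blksize, so a file that is an
    exact multiple of blksize needs one extra, empty DATA block."""
    return file_size // blksize + 1

def data_packets(payload, blksize):
    """Yield DATA packets (opcode 3, 16-bit block number starting at 1)."""
    for n in range(block_count(len(payload), blksize)):
        chunk = payload[n * blksize:(n + 1) * blksize]
        yield struct.pack("!HH", OP_DATA, (n + 1) & 0xFFFF) + chunk

# Constructed sample: the options shown in the log, and a 1508-byte dummy file.
SAMPLE_RRQ = b"\x00\x01digicap.dav\x00octet\x00timeout\x005\x00blksize\x001468\x00"
SAMPLE_FILE = bytes(1508)

if __name__ == "__main__":
    name, mode, opts = parse_rrq(SAMPLE_RRQ)
    size = negotiate_blksize(opts)
    print(name, mode, size, block_count(len(SAMPLE_FILE), size))
```
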

Hello! Normally I would try not to revive an old thread like this, but I suppose it would be better to attach this here than a new one for future visitors, and I’m not sure where else to ask this question that wouldn’t get me the same canned response like a broken record.

I have 4x DS-2CD2342WD-I that I picked up from auction a long time ago and they have sat because I knew that they would take effort to configure, but dang, I was not expecting THIS level of incomprehensible insanity.

Two cameras I was able to activate the “normal” way with SADP, still with extreme annoyance, but I’ll take it. However, the other two are already activated, and obviously I don’t know the password.

The seemingly common approaches I’ve found so far online do not apply to my situation for one reason or another:

  • Cannot use the security code generator or password exploit tools found elsewhere online as the firmware for all cams is 5.5.82 build 190220 (newer builds do not prompt just for the security code when clicking “Forgot password” in SADP).
  • Cannot use the tftp method for the two cameras in question because they are currently using addresses 192.168.254.X where X is 8 or 14. I did try using the script with 192.168.254.128. Nothing different happens when rebooting one device at a time either way, and I did ensure ping connectivity and interface addresses. This is almost certainly a moot method anyway because of the next point.
  • I cannot find the correct firmware that is clearly compatible with type 2CD2XX2 anywhere on the EU portal (what is the NL portal URL I keep hearing about?).
  • Cannot use button reset because there are no buttons anywhere on or inside this model device.
  • Obviously cannot use the newer, official password reset method (emailing Hikvision a recovery file) because these are an auction find.
  • I could go through the rather extreme effort to solder on some leads to get serial TTY out of one, but it is not clear to me what the pathway would be going from shell access → ??? → resetting admin password?

I am at a loss to access those two cameras now, do any of you have ideas?

Note for future visitors going down this infuriating path: once you do get access to the camera’s web page, it may tell you the browser is not compatible. But worse so, the majority of the compatible browser guides I’ve found for this case online did not help. The only thing that did work was, regrettably, true IE11, which is a PITA to get working on Win10. (tip: rename folder or delete files in %PROGRAMFILES%\Microsoft\Edge\Application\VERSION\BHO\ to stop redirecting to Edge)

1 Like

Is it possible to change the internal model number to match a close model?
For example, the DS-2CD5126G0-IZS is a 2mp unit that I think has the same hardware as the 4mp/8mp and even the 12mp camera in the same lineup.
They all use the same V5.6.12 firmware.
The 2mp cameras are going for around $60 on eBay and would be fun to convert to 8mp or 12mp just for fun.

Download the file hikvisionpaswordresethelper.

Download the firmware for your camera, connect the camera to a 12 volt adapter, connect a LAN cable from your computer to your camera, and set the LAN adapter in your computer to 192.0.0.128.
Then make a directory tftp on your C drive…
Download hikvision tftp and put it in the tftp directory.
Then put the firmware in the same directory.

Start tftp and check that it shows 192.0.0.128.
Then disconnect the 12 volt and directly connect it again.

If the firmware is correct it will load it and you have a working camera again…

questions? [email protected]