Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
HiSilicon IP camera root passwords
Login Password
root xmhdipc
root klv123
root xc3511
root 123456
root jvbzd
default OxhlwSG8
defaul tlJwpbo6
defaul S2fGqNFs
root hi3518
@dc-admin

This comment has been minimized.

Copy link

dc-admin commented Jul 16, 2016

Hi! May be exists another telnet accounts? For my cam on Hi3518E all account failed. Thanks.

@bakroistvan

This comment has been minimized.

Copy link

bakroistvan commented Aug 1, 2016

@OctopusKat

This comment has been minimized.

Copy link

OctopusKat commented Sep 4, 2016

root:$1$MoCJ1nRA$NfsI1wlYcWoF5MbU4t3Og0:0:0::/root:/bin/sh
root:ivdev

More information coming soon!

@ghost

This comment has been minimized.

Copy link

ghost commented Oct 2, 2016

Mirai

@mmintas

This comment has been minimized.

Copy link

mmintas commented Oct 2, 2016

Do you have any more info about this camera with root:ivdev?
I have the same one with 6100e(100万e) v3.08R08.20150129.89 firmware - the software redirects to http://server2.hd1000.net:82/
I need info how to grab rtsp and jpg from this camera (rtsp://ipadd:554 works but only main stream)

@mpl1337

This comment has been minimized.

Copy link

mpl1337 commented Oct 3, 2016

Hey.

I Have a HI3516 cam
this one http://www.ebay.com/itm/351414907283?euid=e6a88781c0824cf0b2ee238edfdd7114&cp=1

Device ID: IPCAM
Device Type: C6F0SgZ3N0P0L0
Network connection: LAN
Current Client: 0
Software Version: V6.1.1.4.1-20160204
Webware Version: V1.0.1

all this passwords are not working.

IPCamera login: root<\r><\n>
Password: <\r><\n>
Login incorrect<\r><\n>

i have only serial access. Telnet is disabled

Nmap
Scanning 192.168.178.58 [1000 ports]
Discovered open port 8080/tcp on 192.168.178.58
Discovered open port 80/tcp on 192.168.178.58
Discovered open port 1935/tcp on 192.168.178.58
Discovered open port 1024/tcp on 192.168.178.58

do you have a idea how to enable telnet or get the shadow file?

or is the a way to flash a other firmware?

i only want to disbaled or remove the "Backdoors"

@cybermaus

This comment has been minimized.

Copy link

cybermaus commented Dec 3, 2016

@mmintas

for the 6100e(100万e) v3.08R08.20150129.89 camera:

onvif link http://192.168.20.115:20020/onvif/device_service
Main 1280x720 rtsp://admin:pwd@192.168.190.204/0
Sub 640x480 rtsp://admin:pwd@192.168.190.204/1

Also mmintas, thanks for the firmware link, was able to upgrade my camera from v3.00R04.20141118.89 to v3.00R04.20150129.89
Not that I noticed any improvements in the new firmware.

@OctopusKat

This comment has been minimized.

Copy link

OctopusKat commented Jul 11, 2017

root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh
xmhdipc as password on this model:

dvrHelper

ID: 8043420004048425
product type: 50H10L
product: HI3518E_50H10L_S39
forward video chip: OV9712
DSP chip: HI3518E
LIBDVR: Complied at Oct 22 2014 09:50:09 SVN:887
dvrHelper version: Sep 22 2014
LIBDVR : Get xmauto Fialed ,xmauto = 1

     "Name" : "admin",
     "Password" : "tlJwpbo6",

     "Name" : "default",
     "Password" : "OxhlwSG8",
@OctopusKat

This comment has been minimized.

Copy link

OctopusKat commented Jul 13, 2017

Welcome to Monitor Tech.

@denysvitali

This comment has been minimized.

Copy link

denysvitali commented Aug 31, 2017

Add:

root annie2012
@BASM

This comment has been minimized.

Copy link

BASM commented Oct 24, 2017

My IP cam HI3518 have telnet access, but I can't brute password, can any help me?

root:GIgEh3ZZNHRh2:0:0::/root:/bin/sh

@vertesmark

This comment has been minimized.

Copy link

vertesmark commented Nov 16, 2017

I have a similar camera: TH38J
hi3518ev200 based 2Mpixel
Processor : ARM926EJ-S rev 5 (v5l)
telnet (port:23) is open
password is: "hdipc%No" - took quite a few days with hashcat.
Filmware update is here (I extracted squashfs from filmware, got root hash from this way http://www.tpsee.com/deviceupdate/95-1.html)

@BASM

This comment has been minimized.

Copy link

BASM commented Nov 28, 2017

For my cam password: IPCam@sw

@V33RU

This comment has been minimized.

Copy link

V33RU commented Dec 11, 2017

can anyone help me to crack this hash
$1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/

@cri

This comment has been minimized.

Copy link

cri commented Jun 9, 2018

Hi all!

root:ipc71a

Is there anyone who knows how to avoid the system to rewrite default settings (including the pwd) after every reboot?

@JanLoebel

This comment has been minimized.

Copy link

JanLoebel commented Jun 20, 2018

I've wrote something about the Hikam S6 (based on HI3518E):

https://gist.github.com/JanLoebel/b5dafcda555323785d32ccb7d643dbcd

@BlueskyCan

This comment has been minimized.

Copy link

BlueskyCan commented Jun 22, 2018

can anyone pls help me to crack this hash?
$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0

@hotair1983

This comment has been minimized.

Copy link

hotair1983 commented Aug 3, 2018

root pass need to my old camera

root:$1$asdjwjam$DOS2FrIr2xujxIGDVSjd21:13792:0:::::

@hotair1983

This comment has been minimized.

Copy link

hotair1983 commented Aug 3, 2018

@BlueskyCan

hslwificam

@bolbers

This comment has been minimized.

Copy link

bolbers commented Aug 30, 2018

time2 MP12 HD Cam:

root:$1$hDwZFK2z$NLzmlcsiUw2zAe8ol1EcI0:0:0::/root:/bin/sh

C:\john180j1w\run>john.exe Time2_china_cam.pwd
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 SSSE3 12x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hipc3518         (root)
1g 4:14:59:27 DONE 3/3 (2018-08-19 06:23) 0.000002g/s 56859p/s 56859c/s 56859C/s hipc32sr..hipc3560

hipc3518 (root)

@tohax

This comment has been minimized.

Copy link

tohax commented Sep 18, 2018

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@dam2k

This comment has been minimized.

Copy link

dam2k commented Sep 24, 2018

revotech cam: 1080p root:ipc71a

@mutilator

This comment has been minimized.

Copy link

mutilator commented Oct 11, 2018

Fredi Wireless spy camera
/etc/shadow
root:FCb/N1tGGXtP6:10957:0:99999:7:::

Decoded Password: 059AnkJ

@L4ky

This comment has been minimized.

Copy link

L4ky commented Oct 20, 2018

revotech cam: 1080p root:ipc71a

Thank you!
Do you have strange traffic going outside from camera? Did you find something interesting?

@yuriizubkov

This comment has been minimized.

Copy link

yuriizubkov commented Nov 4, 2018

Fredi Wireless spy camera
/etc/shadow
root:FCb/N1tGGXtP6:10957:0:99999:7:::

Decoded Password: 059AnkJ

Petwant PF-103 pet smart feeder - same DES hash and password. Thanks!

@cribskip

This comment has been minimized.

Copy link

cribskip commented Nov 8, 2018

root:anni2013

@piotrsedrowski

This comment has been minimized.

Copy link

piotrsedrowski commented Nov 15, 2018

Hi,
can anyone help me with this hash:
root:$1$k1wheY2.$XCelh0nbndpez5N/ER6A00:0:0::/root:/bin/sh

@ale-trevizoli

This comment has been minimized.

Copy link

ale-trevizoli commented Dec 29, 2018

Anyone can help me? It's HEROSPEED FIRMWARE (herospeed.net)
on simple open firmware on Notepad I found this

qqqq
qqqq
qqqq
qqqq
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /dev tmpfs defaults 0 0
tmpfs /tmp tmpfs defaults 0 0
#!/bin/sh
cd /opt/app/bin
./AVServer &
sleep 5
./SystemServer &
sleep 4
./boa -c /opt/app/config &
sleep 8
./DeviceSearch &
sleep 3
./WatchDog &
./HWatchDog &
/opt/Main &
#!/bin/sh
value=1

eval $(/bin/grep app /var/update)
var=$(echo "$app")

eval $(/bin/grep config /var/update)
var_c=$(echo "$config")

eval $(/bin/grep Main /var/update)
var_Main=$(echo "$Main")

eval $(/bin/grep LongseMiniServer /var/update)
var_Mini=$(echo "$LongseMiniServer")

if [ -f "/opt/Main.bak" ];then
echo "Main app will upgrade"
rm -f /opt/Main
mv /opt/Main.bak /opt/Main
chmod 755 /opt/Main
fi

if [ -f "/opt/LongseMiniServer.bak" ];then
echo "LongseMiniServer app will upgrade"
rm -f /opt/LongseMiniServer
mv /opt/LongseMiniServer.bak /opt/LongseMiniServer
chmod 755 /opt/LongseMiniServer
fi

mount -t jffs2 /dev/mtdblock3 /opt/app/
if [ 0 -eq $? ] && [ ! -L /opt/app/www/snap.jpg ] ; then
ln -s /dev/snap.jpg /opt/app/www/snap.jpg
fi

if [ -f "/opt/app/bin/TelnetSwitch" ];then
cp /opt/app/bin/TelnetSwitch /opt/TelnetSwitch
fi

if [[ $var -eq $value && $var_c -eq $value ]];then
echo "longse app mtd is OK!!"
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
cd /opt/app/ko
./load3516d -i -sensor imx291 -osmem 64
/etc/init.d/startapp
else
echo "longse app mtd is not ok!!"
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
sleep 1
/opt/Main &
/opt/LongseMiniServer &
fi
/opt/TelnetSwitch &

exit

root:7PJZu5rjtntsk:0:0::/root:/bin/sh
root:8QYQ7w7.s1xXM:0:0::/root:/bin/sh

@helivander

This comment has been minimized.

Copy link

helivander commented Jan 17, 2019

help-me to decode:
root:hbJdVywKWttVM:12430:0:99999:7:::

link from the firmware:
http://www.herospeed.net/en/index.php?m=content&c=index&a=lists&catid=12

@suprememoocow

This comment has been minimized.

Copy link

suprememoocow commented Mar 3, 2019

My cheap Chinese ip camera:

Username: default
Password: none (not even prompted!)

🙀 😱

@cilynx

This comment has been minimized.

Copy link

cilynx commented Mar 7, 2019

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@tohax -- I haven't been able to crack it, but I did find a different way to root a camera with that same hash. Chances are fair it'll work on your camera as well.

@matiaspl

This comment has been minimized.

Copy link

matiaspl commented Apr 29, 2019

I have a Hi3521 device (console output here) that I was able to make a flash dump and hash extraction. U-boot is password protected. Hashcat gave me almost nothing (it decrypted the previous password from passwd- file, but not the current). Maybe someone might have a clue how to break in - I only have serial console, the box doesn't have any usb, ethernet or wifi.
root:4uvdzKqBkj.jg

@RomanGlova

This comment has been minimized.

Copy link

RomanGlova commented May 2, 2019

Have same hash as tohax and cilynx, will try to put it on hashcat on my VC

@hotair1983

This comment has been minimized.

Copy link

hotair1983 commented Jun 9, 2019

root pass need to NVR ZMODO ZP-NE14-S
root:$1$$6EWLm0KIyyVuSwSFNbVyS/:0:0::/root:/bin/sh

@mariarti

This comment has been minimized.

Copy link

mariarti commented Jun 11, 2019

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
2000/tcp open cisco-sccp
5000/tcp open upnp
8000/tcp open http-alt
7654/tcp open unknown
7655/tcp open unknown
24102/tcp open unknown
34567/tcp open dhanalakshmi

@ZigFisher

This comment has been minimized.

Copy link

ZigFisher commented Jun 30, 2019

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225

Here is the password - fxjvt1805 (TNX @metsys1 !)

More information - http://openipc.org

@phineasthecat

This comment has been minimized.

Copy link

phineasthecat commented Jul 1, 2019

PTZ Optics ZCAM-VL:
Hi3516
root:vhd1206
default:vhd1206

@ReRandom

This comment has been minimized.

Copy link

ReRandom commented Jul 25, 2019

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

I have a camera with the same password. After receiving the memory dump, I was able to find the password for u-boot. It is: HI2105CHIP

@HclX

This comment has been minimized.

Copy link

HclX commented Aug 2, 2019

Can I get help with this hash:

root:$1$h.WNWVcj$I16bljj/Jcbxh/oQGCmVg.:0:0:99999:7:::

@MyCodeRocks

This comment has been minimized.

Copy link

MyCodeRocks commented Sep 23, 2019

Also been using hashcat and john running for over two days and no log not sure if I am using the wrong sequence with Hashcat been using ?1?d with ?1?1?1?1?1?1

but this hash seems to be more complicated than a simple DES encrypt:
Hash:
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh
This is for Hi3518 fish eye camera. (VR CAM) All the default wordlists for ip Cams have not worked either.

Can anyone help with either the right sequence to use in HashCat or running the has for me?

@inspectorelectro

This comment has been minimized.

Copy link

inspectorelectro commented Sep 28, 2019

Hi all..
Can anybody help me with pass for my camera?

root:Sd5ZXUyhT8kwQ:0:0::/root:/bin/sh

@inspectorelectro

This comment has been minimized.

Copy link

inspectorelectro commented Sep 29, 2019

Anybody????

@ajo-1

This comment has been minimized.

Copy link

ajo-1 commented Dec 4, 2019

root:yE7gW4O0CSXXg:0:0::/root:/bin/sh

does anyone know the password?

@Brontus63

This comment has been minimized.

Copy link

Brontus63 commented Dec 5, 2019

root:yE7gW4O0CSXXg:0:0::/root:/bin/sh

cxlinux

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.