Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
HiSilicon IP camera root passwords
Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"
00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521
@dc-admin

This comment has been minimized.

Copy link

@dc-admin dc-admin commented Jul 16, 2016

Hi! May be exists another telnet accounts? For my cam on Hi3518E all account failed. Thanks.

@bakroistvan

This comment has been minimized.

Copy link

@bakroistvan bakroistvan commented Aug 1, 2016

@OctopusKat

This comment has been minimized.

Copy link

@OctopusKat OctopusKat commented Sep 4, 2016

root:$1$MoCJ1nRA$NfsI1wlYcWoF5MbU4t3Og0:0:0::/root:/bin/sh
root:ivdev

More information coming soon!

@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Oct 2, 2016

Mirai

@mmintas

This comment has been minimized.

Copy link

@mmintas mmintas commented Oct 2, 2016

Do you have any more info about this camera with root:ivdev?
I have the same one with 6100e(100万e) v3.08R08.20150129.89 firmware - the software redirects to http://server2.hd1000.net:82/
I need info how to grab rtsp and jpg from this camera (rtsp://ipadd:554 works but only main stream)

@mpl1337

This comment has been minimized.

Copy link

@mpl1337 mpl1337 commented Oct 3, 2016

Hey.

I Have a HI3516 cam
this one http://www.ebay.com/itm/351414907283?euid=e6a88781c0824cf0b2ee238edfdd7114&cp=1

Device ID: IPCAM
Device Type: C6F0SgZ3N0P0L0
Network connection: LAN
Current Client: 0
Software Version: V6.1.1.4.1-20160204
Webware Version: V1.0.1

all this passwords are not working.

IPCamera login: root<\r><\n>
Password: <\r><\n>
Login incorrect<\r><\n>

i have only serial access. Telnet is disabled

Nmap
Scanning 192.168.178.58 [1000 ports]
Discovered open port 8080/tcp on 192.168.178.58
Discovered open port 80/tcp on 192.168.178.58
Discovered open port 1935/tcp on 192.168.178.58
Discovered open port 1024/tcp on 192.168.178.58

do you have a idea how to enable telnet or get the shadow file?

or is the a way to flash a other firmware?

i only want to disbaled or remove the "Backdoors"

@cybermaus

This comment has been minimized.

Copy link

@cybermaus cybermaus commented Dec 3, 2016

@mmintas

for the 6100e(100万e) v3.08R08.20150129.89 camera:

onvif link http://192.168.20.115:20020/onvif/device_service
Main 1280x720 rtsp://admin:pwd@192.168.190.204/0
Sub 640x480 rtsp://admin:pwd@192.168.190.204/1

Also mmintas, thanks for the firmware link, was able to upgrade my camera from v3.00R04.20141118.89 to v3.00R04.20150129.89
Not that I noticed any improvements in the new firmware.

@OctopusKat

This comment has been minimized.

Copy link

@OctopusKat OctopusKat commented Jul 11, 2017

root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh
xmhdipc as password on this model:

dvrHelper

ID: 8043420004048425
product type: 50H10L
product: HI3518E_50H10L_S39
forward video chip: OV9712
DSP chip: HI3518E
LIBDVR: Complied at Oct 22 2014 09:50:09 SVN:887
dvrHelper version: Sep 22 2014
LIBDVR : Get xmauto Fialed ,xmauto = 1

     "Name" : "admin",
     "Password" : "tlJwpbo6",

     "Name" : "default",
     "Password" : "OxhlwSG8",
@OctopusKat

This comment has been minimized.

Copy link

@OctopusKat OctopusKat commented Jul 13, 2017

Welcome to Monitor Tech.

@denysvitali

This comment has been minimized.

Copy link

@denysvitali denysvitali commented Aug 31, 2017

Add:

root annie2012
@BASM

This comment has been minimized.

Copy link

@BASM BASM commented Oct 24, 2017

My IP cam HI3518 have telnet access, but I can't brute password, can any help me?

root:GIgEh3ZZNHRh2:0:0::/root:/bin/sh

@vertesmark

This comment has been minimized.

Copy link

@vertesmark vertesmark commented Nov 16, 2017

I have a similar camera: TH38J
hi3518ev200 based 2Mpixel
Processor : ARM926EJ-S rev 5 (v5l)
telnet (port:23) is open
password is: "hdipc%No" - took quite a few days with hashcat.
Filmware update is here (I extracted squashfs from filmware, got root hash from this way http://www.tpsee.com/deviceupdate/95-1.html)

@BASM

This comment has been minimized.

Copy link

@BASM BASM commented Nov 28, 2017

For my cam password: IPCam@sw

@V33RU

This comment has been minimized.

Copy link

@V33RU V33RU commented Dec 11, 2017

can anyone help me to crack this hash
$1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/

@cri

This comment has been minimized.

Copy link

@cri cri commented Jun 9, 2018

Hi all!

root:ipc71a

Is there anyone who knows how to avoid the system to rewrite default settings (including the pwd) after every reboot?

@JanLoebel

This comment has been minimized.

Copy link

@JanLoebel JanLoebel commented Jun 20, 2018

I've wrote something about the Hikam S6 (based on HI3518E):

https://gist.github.com/JanLoebel/b5dafcda555323785d32ccb7d643dbcd

@devdbell

This comment has been minimized.

Copy link

@devdbell devdbell commented Jun 22, 2018

can anyone pls help me to crack this hash?
$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Aug 3, 2018

root pass need to my old camera

root:$1$asdjwjam$DOS2FrIr2xujxIGDVSjd21:13792:0:::::

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Aug 3, 2018

@BlueskyCan

hslwificam

@bolbers

This comment has been minimized.

Copy link

@bolbers bolbers commented Aug 30, 2018

time2 MP12 HD Cam:

root:$1$hDwZFK2z$NLzmlcsiUw2zAe8ol1EcI0:0:0::/root:/bin/sh

C:\john180j1w\run>john.exe Time2_china_cam.pwd
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 SSSE3 12x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hipc3518         (root)
1g 4:14:59:27 DONE 3/3 (2018-08-19 06:23) 0.000002g/s 56859p/s 56859c/s 56859C/s hipc32sr..hipc3560

hipc3518 (root)

@tohax

This comment has been minimized.

Copy link

@tohax tohax commented Sep 18, 2018

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@dam2k

This comment has been minimized.

Copy link

@dam2k dam2k commented Sep 24, 2018

revotech cam: 1080p root:ipc71a

@mutilator

This comment has been minimized.

Copy link

@mutilator mutilator commented Oct 11, 2018

Fredi Wireless spy camera
/etc/shadow
root:FCb/N1tGGXtP6:10957:0:99999:7:::

Decoded Password: 059AnkJ

@L4ky

This comment has been minimized.

Copy link

@L4ky L4ky commented Oct 20, 2018

revotech cam: 1080p root:ipc71a

Thank you!
Do you have strange traffic going outside from camera? Did you find something interesting?

@yuriizubkov

This comment has been minimized.

Copy link

@yuriizubkov yuriizubkov commented Nov 4, 2018

Fredi Wireless spy camera
/etc/shadow
root:FCb/N1tGGXtP6:10957:0:99999:7:::

Decoded Password: 059AnkJ

Petwant PF-103 pet smart feeder - same DES hash and password. Thanks!

@cribskip

This comment has been minimized.

Copy link

@cribskip cribskip commented Nov 8, 2018

root:anni2013

@piotrsedrowski

This comment has been minimized.

Copy link

@piotrsedrowski piotrsedrowski commented Nov 15, 2018

Hi,
can anyone help me with this hash:
root:$1$k1wheY2.$XCelh0nbndpez5N/ER6A00:0:0::/root:/bin/sh

@ale-trevizoli

This comment has been minimized.

Copy link

@ale-trevizoli ale-trevizoli commented Dec 29, 2018

Anyone can help me? It's HEROSPEED FIRMWARE (herospeed.net)
on simple open firmware on Notepad I found this

qqqq
qqqq
qqqq
qqqq
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /dev tmpfs defaults 0 0
tmpfs /tmp tmpfs defaults 0 0
#!/bin/sh
cd /opt/app/bin
./AVServer &
sleep 5
./SystemServer &
sleep 4
./boa -c /opt/app/config &
sleep 8
./DeviceSearch &
sleep 3
./WatchDog &
./HWatchDog &
/opt/Main &
#!/bin/sh
value=1

eval $(/bin/grep app /var/update)
var=$(echo "$app")

eval $(/bin/grep config /var/update)
var_c=$(echo "$config")

eval $(/bin/grep Main /var/update)
var_Main=$(echo "$Main")

eval $(/bin/grep LongseMiniServer /var/update)
var_Mini=$(echo "$LongseMiniServer")

if [ -f "/opt/Main.bak" ];then
echo "Main app will upgrade"
rm -f /opt/Main
mv /opt/Main.bak /opt/Main
chmod 755 /opt/Main
fi

if [ -f "/opt/LongseMiniServer.bak" ];then
echo "LongseMiniServer app will upgrade"
rm -f /opt/LongseMiniServer
mv /opt/LongseMiniServer.bak /opt/LongseMiniServer
chmod 755 /opt/LongseMiniServer
fi

mount -t jffs2 /dev/mtdblock3 /opt/app/
if [ 0 -eq $? ] && [ ! -L /opt/app/www/snap.jpg ] ; then
ln -s /dev/snap.jpg /opt/app/www/snap.jpg
fi

if [ -f "/opt/app/bin/TelnetSwitch" ];then
cp /opt/app/bin/TelnetSwitch /opt/TelnetSwitch
fi

if [[ $var -eq $value && $var_c -eq $value ]];then
echo "longse app mtd is OK!!"
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
cd /opt/app/ko
./load3516d -i -sensor imx291 -osmem 64
/etc/init.d/startapp
else
echo "longse app mtd is not ok!!"
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
sleep 1
/opt/Main &
/opt/LongseMiniServer &
fi
/opt/TelnetSwitch &

exit

root:7PJZu5rjtntsk:0:0::/root:/bin/sh
root:8QYQ7w7.s1xXM:0:0::/root:/bin/sh

@helivander

This comment has been minimized.

Copy link

@helivander helivander commented Jan 17, 2019

help-me to decode:
root:hbJdVywKWttVM:12430:0:99999:7:::

link from the firmware:
http://www.herospeed.net/en/index.php?m=content&c=index&a=lists&catid=12

@suprememoocow

This comment has been minimized.

Copy link

@suprememoocow suprememoocow commented Mar 3, 2019

My cheap Chinese ip camera:

Username: default
Password: none (not even prompted!)

🙀 😱

@cilynx

This comment has been minimized.

Copy link

@cilynx cilynx commented Mar 7, 2019

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@tohax -- I haven't been able to crack it, but I did find a different way to root a camera with that same hash. Chances are fair it'll work on your camera as well.

@matiaspl

This comment has been minimized.

Copy link

@matiaspl matiaspl commented Apr 29, 2019

I have a Hi3521 device (console output here) that I was able to make a flash dump and hash extraction. U-boot is password protected. Hashcat gave me almost nothing (it decrypted the previous password from passwd- file, but not the current). Maybe someone might have a clue how to break in - I only have serial console, the box doesn't have any usb, ethernet or wifi.
root:4uvdzKqBkj.jg

@RomanGlova

This comment has been minimized.

Copy link

@RomanGlova RomanGlova commented May 2, 2019

Have same hash as tohax and cilynx, will try to put it on hashcat on my VC

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Jun 9, 2019

root pass need to NVR ZMODO ZP-NE14-S
root:$1$$6EWLm0KIyyVuSwSFNbVyS/:0:0::/root:/bin/sh

@mariarti

This comment has been minimized.

Copy link

@mariarti mariarti commented Jun 11, 2019

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
2000/tcp open cisco-sccp
5000/tcp open upnp
8000/tcp open http-alt
7654/tcp open unknown
7655/tcp open unknown
24102/tcp open unknown
34567/tcp open dhanalakshmi

@ZigFisher

This comment has been minimized.

Copy link

@ZigFisher ZigFisher commented Jun 30, 2019

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225

Here is the password - fxjvt1805 (TNX @metsys1 !)

More information - http://openipc.org

@phineasthecat

This comment has been minimized.

Copy link

@phineasthecat phineasthecat commented Jul 1, 2019

PTZ Optics ZCAM-VL:
Hi3516
root:vhd1206
default:vhd1206

@ReRandom

This comment has been minimized.

Copy link

@ReRandom ReRandom commented Jul 25, 2019

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

I have a camera with the same password. After receiving the memory dump, I was able to find the password for u-boot. It is: HI2105CHIP

@HclX

This comment has been minimized.

Copy link

@HclX HclX commented Aug 2, 2019

Can I get help with this hash:

root:$1$h.WNWVcj$I16bljj/Jcbxh/oQGCmVg.:0:0:99999:7:::

@MyCodeRocks

This comment has been minimized.

Copy link

@MyCodeRocks MyCodeRocks commented Sep 23, 2019

Also been using hashcat and john running for over two days and no log not sure if I am using the wrong sequence with Hashcat been using ?1?d with ?1?1?1?1?1?1

but this hash seems to be more complicated than a simple DES encrypt:
Hash:
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh
This is for Hi3518 fish eye camera. (VR CAM) All the default wordlists for ip Cams have not worked either.

Can anyone help with either the right sequence to use in HashCat or running the has for me?

@inspectorelectro

This comment has been minimized.

Copy link

@inspectorelectro inspectorelectro commented Sep 28, 2019

Hi all..
Can anybody help me with pass for my camera?

root:Sd5ZXUyhT8kwQ:0:0::/root:/bin/sh

@inspectorelectro

This comment has been minimized.

Copy link

@inspectorelectro inspectorelectro commented Sep 29, 2019

Anybody????

@ajo-1

This comment has been minimized.

Copy link

@ajo-1 ajo-1 commented Dec 4, 2019

root:yE7gW4O0CSXXg:0:0::/root:/bin/sh

does anyone know the password?

@Brontus63

This comment has been minimized.

Copy link

@Brontus63 Brontus63 commented Dec 5, 2019

root:yE7gW4O0CSXXg:0:0::/root:/bin/sh

cxlinux

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Dec 14, 2019

Hi,
can anyone help me with this hash:
root:$1$k1wheY2.$XCelh0nbndpez5N/ER6A00:0:0::/root:/bin/sh

Both hashcat and john output this:
root::0:0::/root:/bin/sh

So looks like this is blank root password (no password. just hit enter)

@HclX

This comment has been minimized.

Copy link

@HclX HclX commented Dec 15, 2019

root:$1$rmxcrLSF$Pbx3DU0y7W0eKIpAMRX351:17870:0:99999:7:::

@ZigFisher

This comment has been minimized.

Copy link

@ZigFisher ZigFisher commented Dec 27, 2019

Hello friends
Here's another u-boot password to the collection of HI3518EV200 board - hw-wenzi

More information - http://openipc.org

@MyCodeRocks

This comment has been minimized.

Copy link

@MyCodeRocks MyCodeRocks commented Dec 27, 2019

Can you post for which hash?

@ZigFisher

This comment has been minimized.

Copy link

@ZigFisher ZigFisher commented Dec 27, 2019

Can you post for which hash?

This is a U-Boot password, not a system password. He is in the open.

@dreamstarer

This comment has been minimized.

Copy link

@dreamstarer dreamstarer commented Apr 22, 2020

Can anyone help with root password for 8ch NVR Harex (Jovision)? Tried only "l u d" up to 6 symbols with hashcat, but I don't have resources for 7+ length guessing.

root:$1$y5hskMvE$Pdm4AgjJjNL5Uk08vgH/h0:0:0::/root:/bin/sh

@lcharles123

This comment has been minimized.

Copy link

@lcharles123 lcharles123 commented May 4, 2020

HD-IPC
the robot like cam
image: https://i.imgur.com/EZv0qmU.jpg
app LiveYes (implementation of CID system of athome like cam)
SoC: FH8810
Defaults:
app password: CID:123
web interface: admin:123456
telnet: root:123

@paus56

This comment has been minimized.

Copy link

@paus56 paus56 commented Jul 16, 2020

can anyone pls help me to crack this hash?
root:$1$WhMKHafk$SS6nPXGF4ErcQn6z3wMd8/:0:0::/root:/bin/sh

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 18, 2020

can anyone pls help me to crack this hash?
root:$1$WhMKHafk$SS6nPXGF4ErcQn6z3wMd8/:0:0::/root:/bin/sh

$1$WhMKHafk$SS6nPXGF4ErcQn6z3wMd8/:1234qwer
root:1234qwer

@Phantomn

This comment has been minimized.

Copy link

@Phantomn Phantomn commented Jul 21, 2020

root:$1$$5g0YQT0RMSzcGI5qmCiAy.:0:0::/root:/bin/sh
please crack this hash

@danny02craciunel

This comment has been minimized.

Copy link

@danny02craciunel danny02craciunel commented Jul 22, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

@Phantomn

This comment has been minimized.

Copy link

@Phantomn Phantomn commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

@Phantomn

This comment has been minimized.

Copy link

@Phantomn Phantomn commented Jul 28, 2020

root:$1$$5g0YQT0RMSzcGI5qmCiAy.:0:0::/root:/bin/sh
please crack this hash

root:jvtsmart123

@MyCodeRocks

This comment has been minimized.

Copy link

@MyCodeRocks MyCodeRocks commented Jul 28, 2020

Can anyone crack this
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh

@danny02craciunel

This comment has been minimized.

Copy link

@danny02craciunel danny02craciunel commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

Yes, it’s des. I’ve been using John the ripper for about a week, no result yet. If anybody has a better solution or a powerful pc, I would be grateful for any help 😁

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

Yes, it’s des. I’ve been using John the ripper for about a week, no result yet. If anybody has a better solution or a powerful pc, I would be grateful for any help grin

what device/source is it from? any details?

@danny02craciunel

This comment has been minimized.

Copy link

@danny02craciunel danny02craciunel commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

Yes, it’s des. I’ve been using John the ripper for about a week, no result yet. If anybody has a better solution or a powerful pc, I would be grateful for any help grin

what device/source is it from? any details?

It’s from topsee (or tpsee) TH38M/M2 IPC firmware upgrade package_V2.5.2.42.
It can be downloaded from here http://120.25.235.239/deviceupdate/95-1.html

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Jul 28, 2020

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh

It's from video doorbell Vidiline F-Ip-3704.

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Jul 28, 2020

@sesse: This video door bell is based on Hi3518.

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 28, 2020

Hi everyone,

I believe this file is about Hi3518 based devices (typically video encoders), not a password cracking service for any random devices you may have lying about :-) Correct me if I'm wrong.

@sesse:
Correct, Hence me asking for details, since there seems to be multiple hashes being posted. ( Not like I should have to explain)
Are you telling users not to crack hashes in these comments?
Are you the owner, moderator, authority here?
Fact is, cracked hashes are being shared here for these Hi3518 based devices, you even shared your "cracked hash"
This was started like 4 years ago, you piped in about a month ago.

@gabonator

This comment has been minimized.

Copy link
Owner Author

@gabonator gabonator commented Jul 28, 2020

Hi everyone,
I believe this file is about Hi3518 based devices (typically video encoders), not a password cracking service for any random devices you may have lying about :-) Correct me if I'm wrong.

@sesse:
Correct, Hence me asking for details, since there seems to be multiple hashes being posted. ( Not like I should have to explain)
Are you telling users not to crack hashes in these comments?
Are you the owner, moderator, authority here?
Fact is, cracked hashes are being shared here for these Hi3518 based devices, you even shared your "cracked hash"
This was started like 4 years ago, you piped in about a month ago.

Hello guys, the idea behind this gist was to collect all known passwords for hisilicon based cameras (or other linux based cameras). Feel free to post your hashes here in this discussion, one day I will go through all your comments and collect new login/password pairs. Maybe I will create some spreadsheet on google docs... Or is there any volunteer who would like to take care of this? It seems there are also clever guys with ability to transform the hashes back to passwords, so thank you for contributing... And please dont forget to post also the name/model/manufacturer of your camera with your hashes. Have fun with hacking your cameras!

@deskjet482

This comment has been minimized.

Copy link

@deskjet482 deskjet482 commented Aug 29, 2020

hi3516d IPD-D53Y0701-BS

root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1:0:0::/root:/bin/sh

root:hkipc2016

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Aug 29, 2020

Help:
root:X.pOwnufFAWYQ:0:0:root:/:/bin/sh
camera CPU XM530
Hardware: XM530_R80X20-PQ_8M

Password: ccadmin

@xenoxaos

This comment has been minimized.

Copy link

@xenoxaos xenoxaos commented Sep 14, 2020

hi3516d IPD-D53Y0701-BS

root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1:0:0::/root:/bin/sh

root:hkipc2016

Thanks, I hadn't gotten that far cracking this one. I ended up just backdooring the cam and adding my own /mnt/flash/tmp/script/preRUN.sh that opened up a telnetd with no login to run on boot.

@dahook

This comment has been minimized.

Copy link

@dahook dahook commented Oct 27, 2020

Since I've been struggling with cracking this I thought I'd share :-)

Several internet sources states that the the password for a03e3thxwWU0g is "juantech" which is incorrect. The correct password is "/*6.=_ja".

i.e root:/*6.=_ja

root:a03e3thxwWU0g:0:0::/root:/bin/sh

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Oct 27, 2020

Since I've been struggling with cracking this I thought I'd share :-)

Several internet sources states that the the password for a03e3thxwWU0g is "juantech" which is incorrect. The correct password is "/*6.=_ja".

i.e root:/*6.=_ja

root:a03e3thxwWU0g:0:0::/root:/bin/sh

nice find, thanks for sharing!
i've never come across any with that, but google sure does return the results you speak of

@dahook

This comment has been minimized.

Copy link

@dahook dahook commented Oct 27, 2020

Since I've been struggling with cracking this I thought I'd share :-)
Several internet sources states that the the password for a03e3thxwWU0g is "juantech" which is incorrect. The correct password is "/*6.=_ja".
i.e root:/*6.=_ja
root:a03e3thxwWU0g:0:0::/root:/bin/sh

nice find, thanks for sharing!
i've never come across any with that, but google sure does return the results you speak of

It's from a Hi3516C-based IP-camera. China no-name with the JUAN-based software, product number PE-3020-W5. Mine is one of those that sends e-mails with jpegs attached to lawishere@yeah.net so I thought I'd entertain myself with writing a new firmware. Starting with a basic RTSP-server and see were it goes from there :-)

@mr-petz

This comment has been minimized.

Copy link

@mr-petz mr-petz commented Oct 29, 2020

Hi,
can anyone pls help me to crack this hash?
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

It's from a Hi3518-based IP-DoorBell.

@sperglord8008s

This comment has been minimized.

Copy link

@sperglord8008s sperglord8008s commented Oct 30, 2020

Try this list with if you cant find your password

00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521

@mr-petz

This comment has been minimized.

Copy link

@mr-petz mr-petz commented Oct 31, 2020

Thank you. I've tried the list, but no password works.
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

@sperglord8008s

This comment has been minimized.

Copy link

@sperglord8008s sperglord8008s commented Nov 2, 2020

Thank you. I've tried the list, but no password works.
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

Your hash is missing a salt > $1 = md5crypt , It should be format in this way

000000$1$22222222$3333333333333

0000=Account
$1=Cipher Format
$2=Salt
$3=Hash

Example "root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.