HiSilicon IP camera root passwords

password.txt

Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"

00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225

Here is the password - fxjvt1805 (TNX @metsys1 !)

More information - http://openipc.org

need help!!
root:$1$abcdefg$7Ul1XQk3sLRYEGBjGrT9Q/:0:0:root:/:/bin/sh
camera V380pro HD dome camera
SoC: ANYKA AK3918EN080 (QFPL80)

root:esPcWTdhAJX8o:0:0::/root:/bin/sh password need pon., 18 paź 2021 o 06:32 edesd ***@***.***> napisał(a):

…

***@***.**** commented on this gist. ------------------------------ Hey guys.... tried the above list but didn't work for me. Need help to crack this one: root:$1$abcdefg$7Ul1XQk3sLRYEGBjGrT9Q/:0:0:root:/:/bin/sh Its v380 pro camera named HD Dome Camera with no specific model number Anyka Linux Kernel Version: 2.5.02 (ANYKA CPU AK3918) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/74cdd6ab4f733ff047356198c781f27d#gistcomment-3930601>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKBBFNS6OVL773WIB3STN43UHOPPVANCNFSM4HJBUS4Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

Hello guys,
I have an IP camera sv3c (don't waste your money on this sh*t).
I found telnet opened on port 8357 and from HTTP GUI I'm injecting some commands in the filed "ftp password" and I'm forcing the cam to upload something.
On FTP server I can see the auths failed with the first line of the output of the command. For istance, setting up as ftp password $(cat+/etc/passwd) I see something like that:
root:7wtxBdUGBnuoY:0:0::/root:/b/tmpfs/snap_tmpfs/20211009/IMG001/IMG_chn0_TIMER_MNG_20211009200938_001.jpg

I've tried a lot of passwords with hydra, including all passwords decoded in this post.
My first idea was to open a reverse shell or injecting commands to change the password $(echo+"root:root"|chpasswd) but it seems that doesn't work.
Have you some way to decode this hash or any other suggestion?

EDIT 1:
I've found also this:
/etc/passwd-
root:$1$d3VPdE0x$Ztn09cyReJy5Pyn

EDIT 2:
Found by myseft, root password is: runtop10

Guys, please keep this discussion tidy and productive. If you are asking for help, do not forget to share the precise model of your device. Instead of adding more posts, please consider editing your initial post and add missing info or your findings. This thread is growing quickly and it is getting a bit messy. Thanks everyone for sharing their work and for helping the community! For more complex reverse engineering projects consider pasting here links to your gists.

productid=C6F0SeZ3N0P0L0
Hisilicon_v100
Machine: hi3518
chip: hi3518ev100 / 3518ev100 / hi3518e v100 / 3518e v100 / hi35xx-18ev100
sold in latin america, branded as: brand: Philco model: CSIP01
access can be used using usb-ttl (not enabled telnet by default)

root:$1$tiaLlxGM$byeTUfQgqyET5asfwwNjg0:16199:0:99999:7:::
admin:$1$rHWQwR5V$i4FVDvwhuzau8msvAfHEt.:16199:0:99999:7:::

hichiphx (root)
2601hx (admin)

@DarkNekoRockman @sdamasoc @teranus
Have anyone got the password for this hash: $1$JYFTech$dt2mZnCIdoFSWAog1s
My camera is an AdvancedHome LC-1286:
https://advancedhome.net/camara-para-exteriores-con-movimiento/

Help pls!!!
in /etc/passwd found this
admin:$1$yi$FS7W5j1RJmbRHDe0El/zX/:0:0:root:/:/bin/psh
CAMERA:HIK DS2NETH3_1007_MUL,ID:0x0960,version:V2.00,BUILD20180918

Hello, maybe there is possibility to crack this hash:
root:$1$ZebZnWdY$QZ1Aa.7hwBshCS5k40MUE1:0:0::/root:/bin/sh
i got it from a firmware tried to do on my own computer with john but it haven't found anything, running almost for three days.
there is listed password in onlinehashcrack but it is wrong.
my System info:
Model: XVRDA3116HDB
S/N: 9781623416236

Apexis camera's UART and telnet
User: root
password: apix

$1$yq01TaSp$lkN/azu3IxE97owy27pve.

I have hashcat running for several days now without luck. I have, however, broken into the camera and obtained root access. I don't need the root password but I'd like to know what it is for curiosity's sake.

How did you obtain root access?

Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc.

Can you turn on telnet?
I want to remote camera but cant start telnet or ssh

Using the chi print screen endpoint, I was able to turn on telnet. Never cracked it. I lost interest. I'm making a chrome plugin for hi3516 type embedded web server now. Beta version makes the video canvas full screen, centers the camera view to mouse click coordinates, and allows PTZ command via keyboard. The last one kicks ass. Future work includes macro buttons - for all the "set 64", "call 55" horse shit. It's in the chrome extension store, if anyone's interested. - POS IP Camera

…

On Sun, Mar 13, 2022, 10:53 PM hoanglv0203 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ $1$yq01TaSp$lkN/azu3IxE97owy27pve. I have hashcat running for several days now without luck. I have, however, broken into the camera and obtained root access. I don't need the root password but I'd like to know what it is for curiosity's sake. How did you obtain root access? Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc. Can you turn on telnet? I want to remote camera but cant start telnet or ssh — Reply to this email directly, view it on GitHub <https://gist.github.com/74cdd6ab4f733ff047356198c781f27d#gistcomment-4096741>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFPXRVPWP75PXZF74VJDOGTU73A43ANCNFSM4HJBUS4Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.***>

Using the chi print screen endpoint, I was able to turn on telnet. Never cracked it. I lost interest. I'm making a chrome plugin for hi3516 type embedded web server now. Beta version makes the video canvas full screen, centers the camera view to mouse click coordinates, and allows PTZ command via keyboard. The last one kicks ass. Future work includes macro buttons - for all the "set 64", "call 55" horse shit. It's in the chrome extension store, if anyone's interested. - POS IP Camera
…
On Sun, Mar 13, 2022, 10:53 PM hoanglv0203 @.> wrote: @.* commented on this gist. ------------------------------ $1$yq01TaSp$lkN/azu3IxE97owy27pve. I have hashcat running for several days now without luck. I have, however, broken into the camera and obtained root access. I don't need the root password but I'd like to know what it is for curiosity's sake. How did you obtain root access? Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc. Can you turn on telnet? I want to remote camera but cant start telnet or ssh — Reply to this email directly, view it on GitHub https://gist.github.com/74cdd6ab4f733ff047356198c781f27d#gistcomment-4096741, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFPXRVPWP75PXZF74VJDOGTU73A43ANCNFSM4HJBUS4Q . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub. You are receiving this because you commented.Message ID: @.***>

--> "Using the chi print screen endpoint, I was able to turn on telnet" ?
Can u help me detail it? and info of telnet when u start service

Haha, sorry. Fat fingered that. The CGI printscreen command is what I was trying to say. " Hidden Telnet FunctionalityTelnet is not enabled by default on the device. However, if an authenticated user visits */web/cgi-bin/hi3510/printscreenrequest.cgi* then telnetd starts up. " https://www.tenable.com/security/research/tra-2017-33

…

On Sun, Mar 13, 2022, 11:44 PM hoanglv0203 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Using the chi print screen endpoint, I was able to turn on telnet. Never cracked it. I lost interest. I'm making a chrome plugin for hi3516 type embedded web server now. Beta version makes the video canvas full screen, centers the camera view to mouse click coordinates, and allows PTZ command via keyboard. The last one kicks ass. Future work includes macro buttons - for all the "set 64", "call 55" horse shit. It's in the chrome extension store, if anyone's interested. - POS IP Camera … <#m_6883477080417054952_> On Sun, Mar 13, 2022, 10:53 PM hoanglv0203 *@*.*> wrote: @.** commented on this gist. ------------------------------ $1$yq01TaSp$lkN/azu3IxE97owy27pve. I have hashcat running for several days now without luck. I have, however, broken into the camera and obtained root access. I don't need the root password but I'd like to know what it is for curiosity's sake. How did you obtain root access? Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc. Can you turn on telnet? I want to remote camera but cant start telnet or ssh — Reply to this email directly, view it on GitHub https://gist.github.com/74cdd6ab4f733ff047356198c781f27d#gistcomment-4096741, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFPXRVPWP75PXZF74VJDOGTU73A43ANCNFSM4HJBUS4Q . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub. You are receiving this because you commented.Message ID: *@*.***> --> "Using the chi print screen endpoint, I was able to turn on telnet" ? Can u help me detail it? and info of telnet when u start service — Reply to this email directly, view it on GitHub <https://gist.github.com/74cdd6ab4f733ff047356198c781f27d#gistcomment-4096778>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFPXRVOQZ6GWVRP4HQCGFODU73G4PANCNFSM4HJBUS4Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.***>

/web/cgi-bin/hi3510/printscreenrequest.cgi

Thank you so much @chrismclellen
May be firmware version of my camera cant start telnet service (device type C6F0SoZ3N0PdL2)
This is log on cam when i visits /web/cgi-bin/hi3510/printscreenrequest.cgi in web browser:
SendMediaDataThread: client shutdown(cntindex=3,cntip=192.168.137.1,sock=59)!***
SendMediaDataThread(exit): cntindex=3,cntip=192.168.137.1,websocket=1,avchn=1,sock=59,maxframelen=330k
HI_Media_LiveStreamUnRegisterMediaLink: index=3,ip=192.168.137.1,type=http,avchn=1,onlinenum=0
/bin/sh: telnetd: not found

Guys, I've been burgled.. and when I went to review my footage found I could not log in. I did some work about 3 years ago to try to remove back doors (unsuccessful, but have changed the host name), ended up keeping my cctv off my network, but it seem my extensive notes don't help me log in, and I'm on day 4 of trying to crack it on my own.

Details: Kare H.264 Digital Video Recorder. Telnet backdoor wide open gives root access. There appears to be no shadow file.
[root@LocalMerton /etc]$ cat /etc/passwd
root:absxcfbgXtb3o:0:0:root:/:/bin/sh
[root@LocalMerton /etc]$ cat /etc/passwd-
root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

Situation is GUI will only present admin as a user name. I've been round /bin/login with every permutation I can find with no luck.

/mnt/mtd/config contains
Account2 file which (it used to contain Account1 also but I removed it following possibly bad advice)
"Group" : "admin",
"Memo" : "admin 's account",
"Name" : "admin",
"NoMD5" : null,
"Password" : "ybdoKg52",
"Reserved" : true,
"Sharable" : true

but if I try to passwd admin I get no such user....

all 'superadmin' password calculators based on date and time exhausted... as am I. I have much more intel than the above all saved in text file, which I could easily share if anyone would be so immensely kind as to help me wrestle with getting access to my security footage? sorry for posting here... having no joy on discord servers.

Guys, I've been burgled.. and when I went to review my footage found I could not log in. I did some work about 3 years ago to try to remove back doors (unsuccessful, but have changed the host name), ended up keeping my cctv off my network, but it seem my extensive notes don't help me log in, and I'm on day 4 of trying to crack it on my own.

Details: Kare H.264 Digital Video Recorder. Telnet backdoor wide open gives root access. There appears to be no shadow file. [root@LocalMerton /etc]$ cat /etc/passwd root:absxcfbgXtb3o:0:0:root:/:/bin/sh [root@LocalMerton /etc]$ cat /etc/passwd- root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

absxcfbgXtb3o:xc3511

ab8nBoH3mb8.g:helpme

Guys, I've been burgled.. and when I went to review my footage found I could not log in. I did some work about 3 years ago to try to remove back doors (unsuccessful, but have changed the host name), ended up keeping my cctv off my network, but it seem my extensive notes don't help me log in, and I'm on day 4 of trying to crack it on my own.
Details: Kare H.264 Digital Video Recorder. Telnet backdoor wide open gives root access. There appears to be no shadow file. [root@LocalMerton /etc]$ cat /etc/passwd root:absxcfbgXtb3o:0:0:root:/:/bin/sh [root@LocalMerton /etc]$ cat /etc/passwd- root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

absxcfbgXtb3o:xc3511

ab8nBoH3mb8.g:helpme

Sl1cks010 first of all THANK YOU for trying to help me, it is really appreciated. Secondly sorry for slow acknowledgement, due to a bereavement.. and finally are those unames and passwords, or hashes or how should I proceed with them? Because the GUI is such a clumsy way of entering credentials, what I have tried so far is running /etc/Sofia which is effectively their cctv application but once it is running it gives me a quick way to enter usernames and passwords. I tried both your replies with account username 'admin' without success, then I tried using the part between the ** as username and the part before the colon as password without success. If you read this and are able to help further, you can reach me on cctvhelpme@gmail.com and thank you again.

root:$1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1:0:0:root:/root:/bin/sh
CAMERA MC500L MSC316DM IMX335

Copy&paste found password in my onlinehashcrack account, as people are still using it :)
this way it is easier to find by search engines

$1$qFa2kfke$vJob19l64Q6n8FvP8/kvJ0 | wabjtam
LHjQopX4yjf1Q | ls123
$1$yi$MiivC6pLdwS0zp0pa0cUq1 | qw1234qw
$1$ZebZnWdY$QZ1Aa.7hwBshCS5k40MUE1 | xc12345
$1$$z2VkRbfNoE/xHLBj8i2cv. | ftp
$1$MoCJ1nRA$NfsI1wlYcWoF5MbU4t3Og0 | ivdev
$1$$enWsv2cbxPCrd0WeXUXtX0 | nobody
7wtxBdUGBnuoY | runtop10
9B60FC59706134759DBCAEA58CAF9068 | Fireitup

Copy&paste found password in my onlinehashcrack account, as people are still using it :)

https://www.onlinehashcrack.com/7byl08adoe
Status NOT FOUND :/

it was a temporary problem, it is working again
and someone submitted a password that was cracked, but longer than 8 characters, so if you want to know it, you will have to pay or try to hack it yourself :)

root:$1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.:0:0::/root:/bin/sh/etc # part
Please help me

U-Boot 2013.10.0-AK_V3.0.07 (Nov 10 2020 - 21:53:40)
arm-anykav200-linux-uclibcgnueabi-gcc.br_real (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) 4.8.5
GNU ld (GNU Binutils) 2.24

anyka$printenv
baudrate=115200
board=ak3918ev300
bootargs=console=ttySAK0,115200n8 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init mem=64M memsize=64M mtdparts=spi0.0:212K(uboot),1452K(kernel),896K(rootfs),512K(config),5120K(data)
bootcmd=sf probe 0:0 20000000 0; sf read 0x82208000 0x35000 0x16b000; bootm 0x82208000
/mnt/flash/productinfo # cat deviceid.txt
DEVICEID V6202IR-F37/mnt/flash/productinfo

root:$1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.:0:0::/root:/bin/sh/etc # part Please help me
there is some hints on google: https://www.google.com/search?q=uQ4Pr+QjJQ+0JUZI0w4m

Dear i already googled but didn't any thing if you kindly tell me thanks

Dear i already googled but didn't any thing if you kindly tell me thanks

try root:hkipc2016

I tried all above password via hash software using word list

I have a cheapo ASTR AS-IPHMT2-241I camera. It has two users:
root : $1$$Dg.cUjtWGTIVkuFS0ZYbN1 : fx1805
admin : $1$$qZV4X6DTqMHUDIyZG.8PH.
The admin hash is still being cracked.
Might be the same for the other IPHMT2 models.

root:xt5USRjG7rEDE:0:0::/root:/bin/sh password j1/_7sxw
xt5USRjG7rEDE:j1/_7sxw
Smartwares CIP-39218AT
Great thanks for help @dimerr

ZOSI C190 SoC HI3518C
root
123456asj

How did you obtain root access?

Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc.

how did you do that?

I'm not sure how he did it. But I assume it involved connecting wires to the circuit board and connecting via USB in order to interface the chip. I was able to access uboot by doing this, but no password I used would work. And it was a fragile mess, so I put it all back together and said fuck it.

…

On Fri, Jan 6, 2023, 2:52 PM Alex2610 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ How did you obtain root access? Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc. how did you do that? — Reply to this email directly, view it on GitHub <https://gist.github.com/74cdd6ab4f733ff047356198c781f27d#gistcomment-4427395> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFPXRVL24DXWUBBRGUQKVQTWRCHZLBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVAZTMOBWGQ4DANNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

the uboot password is HI2105CHIP
but how to init from /bin/sh?