@gabonator
Last active March 16, 2024 14:45
HiSilicon IP camera root passwords
Summary of passwords by sperglord8008s, updated November 1, 2020. For login try "root", "default", "defaul" or "root".
00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521
@velikashkin

ZOSI C190 SoC HI3518C
root
123456asj

@Alex2610

Alex2610 commented Jan 6, 2023

How did you obtain root access?

Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc.

how did you do that?

@chrismclellen

chrismclellen commented Jan 6, 2023 via email

@Alex2610

Alex2610 commented Jan 6, 2023

the uboot password is HI2105CHIP
but how to init from /bin/sh?

@samueljo555

root:$1$7bfnUEjV$3ogadpYTDXtJPV4ubVaGq1:0:0::/root:/bin/sh help, anyone know this hash ?

@andiaa734

Hi,

I have this hash: $6CJlS7VEVeK2:0:0:root:/:/bin/sh

maybe someone can decrypt it? It is a ZS-GQ2.
Unfortunately init=/bin/sh is not working.

@27c512

27c512 commented May 3, 2023

root:$1$7bfnUEjV$3ogadpYTDXtJPV4ubVaGq1:0:0::/root:/bin/sh help, anyone know this hash ?

Zte521

@samueljo555

samueljo555 commented May 3, 2023

Zte521

Thank you for your reply,
but it's not working.
the hash for Zte521 -> $1$7bfnUEjV$TQwdIHHH6fM19XYpf0oAB/

@sergiimokin

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh
It's from video doorbell Vidiline F-Ip-3704.

Found the same in a doorbell FW of Slinex SL-07 IP. Can't crack yet :)

Hello. Can you tell me if you got a password or some other access to Slinex SL-07 IP files?

@TalusL

TalusL commented Aug 11, 2023

root:$1$w4uYby9X$MZBZYSSEjhCvwafKv0v2t1:0:0::/root:/bin/sh
Someone help me?

@pergolafabio

Guys, I stumbled on this thread. I also have another camera (petfeeder), wiresharked it, and it also goes checking this URL:

http://112.124.112.116/Srt_Server/server.php?cmd=ckd&mcode=xxx=&ucode=xxx=&ccode=xxx&lcode=xxx

Is there a way now to retrieve the telnet password by downloading the firmware files on that server?
It's an exploit for the firmware:
https://blog.securityevaluators.com/remotely-exploiting-iot-pet-feeders-21013562aea3

But how to retrieve the current firmware file? I guess you guys have it?

@chrismclellen

chrismclellen commented Oct 18, 2023 via email

@pergolafabio

huh, what is this?

@chrismclellen

chrismclellen commented Oct 18, 2023 via email

@gabonator
Author

Here is a translation:

Hello, your mail has been received. You are a bunch of fools. Thank you for patching security holes for us. You just saved us a lot of tester money. Additionally, every time you expose a password, we broadcast new passwords that will be remotely overwritten into the firmware. Do you think we can't understand English?

And that's a great honour for me and this community! Keep doing good work :)

@pergolafabio

Yeah, already used Google Translate, but don't get that response? :-)
Anyway, can you help me?

@djzoidberg

djzoidberg commented Oct 18, 2023

Yeah, already used Google Translate, but don't get that response? :-) Anyway, can you help me?

Hello Fabio,
Usually these kinds of cameras have very poor software and security features.
Some time ago, I posted some tricks I used on my cameras. Before trying to reverse engineer the firmware, did you have a look for some web application vulns?

@pergolafabio

Yeah, I did, I use localtuya to control the device locally, the only thing I'm missing is the video feed...
I also checked tuya iot/API, but my device doesn't expose an rtsp/hls stream to cloud..

Also it's based on webrtc and mqtt secure...
Also sniffed the smartlife/tuya app for https traffic, but there is nothing for the video, only was able to sniff the DP points for device control, like feed

So last resort is to gain telnet to it, and maybe enable the local rtsp port, the only open ports are 23 and 6668 for localtuya

@Joostvc123

Joostvc123 commented Nov 7, 2023

Could anyone help me with cracking the following hash I received from my Foscam camera:
root:LOra.53O7nLVQ:0:0::/root:/bin/sh

I am not sure if it is crackable using John The Ripper and how to configure it.

Unfortunately vulns are not working and also the uboot init=/bin/sh is doing nothing.

EDIT:
Cracked it: ak47agai (using the following command john --format=crypt hashes.txt)

@vertesmark

My (old as 2017) HiSilicon (generic_ONVIF) - bought on eBay years ago.
I realized that the telnet port is open - so in no way should one expose this little thing to the internet ;-)
I have found a new firmware version, which I upgraded
...and decoded, extracted /etc/passwd, which is a one-liner:
"root:0.IQvJd8bXSWU:0:0::/root:/bin/sh"
with john (I think) I brute-force decoded the password on 1-2 computers within a few days.
My password is "hdipc%No".
Voilà

@Phantomn

Phantomn commented Dec 19, 2023

hidden:$1$Qtj8cUMZ$4JhtiYFzOpCzWNI.7433u/:10957:0:99999:7:::
xpeed:$1$$5ICya/hNOkPC33NssbPbs1:10933:0:99999:7:::

@themactep

themactep commented Jan 2, 2024

$1$$5ICya/hNOkPC33NssbPbs1

@first!

@Arnaud30

Arnaud30 commented Feb 5, 2024

Hi guys,
root:$1$rXUUrUvP$nwGw3hD5lodZU10IC57Ey0:10933:0:99999:7:::
Someone help me?

@27c512

27c512 commented Feb 6, 2024

Hi guys, root:$1$rXUUrUvP$nwGw3hD5lodZU10IC57Ey0:10933:0:99999:7::: Someone help me?

!@#$qwer

@Arnaud30

Arnaud30 commented Feb 7, 2024

you are the best !!! !!!!!! Oh my god ! I don't know how it's possible !!!!!

@Arnaud30

Arnaud30 commented Feb 7, 2024

No kidding ! can you explain or is it a well kept secret?

@Arnaud30

Arnaud30 commented Feb 7, 2024

another try ?

root:$6$wyzecamv3$8gyTEsAkm1d7wh12Eup5MMcxQwuA1n1FsRtQLUW8dZGo1b1pGRJgtSieTI02VPeFP9f4DodbIt2ePOLzwP0WI0:0:0:99999:7:::

@vertesmark

No kidding ! can you explain or is it a well kept secret?

A: It is well documented how Linux hashes its passwords, just google it: linux password hash algorithm.
How can you "decode"? You cannot. Hashing is a one-way algorithm.

Q: ...but hey! Look above, someone did it.
A: We try to find a password, hash it and compare the result with the original hash.
No other way exists. When you try hundreds of thousands of passwords/minute, this is called brute-force.
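
Added example (not part of any comment in this thread, and not the gist author's code): a firmware-audit helper that reads the password field of `/etc/passwd` or `/etc/shadow` lines like those posted above and reports which crypt(3) scheme protects each account, flagging the legacy ones. The sample entries and the names `classify_hash` and `audit` are constructed for illustration.

```python
import re

# crypt(3) modular-format ids and an audit verdict for each (added example).
SCHEMES = {
    "1": ("md5crypt", "weak: fixed 1000 MD5 rounds"),
    "5": ("sha256crypt", "acceptable if the password itself is strong"),
    "6": ("sha512crypt", "acceptable if the password itself is strong"),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$(?:rounds=\d+\$)?([^$]*)\$(.+)$")

def classify_hash(field):
    """Return (scheme, note) for the password field of a passwd/shadow line."""
    if field == "":
        return ("none", "empty password field")
    if field == "x":
        return ("shadowed", "hash is stored in /etc/shadow")
    if field[0] in "!*":
        return ("locked", "password login disabled")
    if DES_RE.match(field):
        return ("descrypt", "weak: only the first 8 password characters count")
    m = MODULAR_RE.match(field)
    if not m:
        return ("unknown", "truncated or unrecognised field")
    ident, salt, _digest = m.groups()
    scheme, note = SCHEMES.get(ident, ("crypt-" + ident, "id not in table"))
    if salt == "":
        note += "; empty salt, so equal passwords give equal hashes"
    return (scheme, note)

def audit(lines):
    """Classify every account line; returns [(user, scheme, note), ...]."""
    out = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 2:
            out.append((parts[0],) + classify_hash(parts[1]))
    return out

# Constructed sample entries; the hash bodies are filler, not real hashes.
SAMPLE = [
    "root:abCDefGHijKLm:0:0::/root:/bin/sh",
    "admin:$1$$" + "A" * 22 + ":0:0::/root:/bin/sh",
    "svc:$6$examplesalt$" + "B" * 86 + ":10933:0:99999:7:::",
    "tech:$6AbCdEfGhIjKl:0:0:root:/:/bin/sh",
    "guest::0:0::/root:/bin/sh",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

A 13-character field with no `$` prefix is traditional DES crypt, which ignores everything past the eighth password character; a `$id$` field missing its later `$` separators is reported as unknown rather than guessed at.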

@espetoet

espetoet commented Mar 9, 2024

I have this user but I don't know the password. Could you help me?

root:8dxMkZjXi01sk:0:0::/root:/bin/sh

@EEtinkerer

EEtinkerer commented Mar 16, 2024

Hi guys, root:$1$rXUUrUvP$nwGw3hD5lodZU10IC57Ey0:10933:0:99999:7::: Someone help me?

!@#$qwer

firmware dated 01 2024, anyka v200
root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1

could you check this one out too?
