HiSilicon IP camera root passwords

password.txt

Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"

00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521

Neye3C camera: laohuqian
JVT camera: fxsdk+(camera password)，fxjvt1805. Need open telnet port first（open telnet port firmware）
hankvision(blue GUI PTZ camera): HI2105CHIP
Xiongmai device:
root xmhdipc
root klv123
root xc3511
root 123456
root jvbzd
root hi3518
topsee(u-boot password): hdipc%No
RT-IPC: cat1029

I've got a Tuya TCP Smart cam here for which i would like to have the password:
shadow says:
root:$1$dVhFuDGx$YrOKRgTcjTCqEK75.z277/:15874:0:99999:7:::
It shows "Lobster" and
Linux version 3.10.27 (canjian@ubuntu) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #1 PREEMPT Fri Dec 7 15:51:19 CST 2018

somebody knows ?user:$1$ri3K4P4s$ne/es0YuNHyn0rti8KJ2a.:19404:0:99999:7:::

user:user123456

Hi. Need help with smart cam:
root:$1$1m7mklzD$Hu1Z3GPZPUhpuiOBql3v7/:0:0:root:/:/bin/sh

How are you recovering u-boot passwords? I have the ROM dump but don't know what to look for. I assume it's a hash stored somewhere?

@RenaKunisaki, it depends on the u-boot. older uboot can have in plain text as it is just a sequence of keys. newer one will have it hashed and scattered. Often times, you can skip the password altogether shorting pins on the flash chip during boot.

Here is a video series showing what to do to get the hash out - but it didn't help me further than what you can read above.
https://www.youtube.com/watch?v=LgurdIN1KW0
Editing the inittab file worked, but then i still haven't figured out what to do to get rid of the cloud..
It's as if i've got the hood of my car open but have no clue what all the stuff in there is..

What camera is that? What SoC? We develop thingino - an open firmware for Ingenic cameras.

The one i have:
DRAM:Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02 64 MiB @ 1066 MHz
SF: Detected GD25Q128C with page size 256 Bytes, erase size 64 KiB, total 16 MiB

@Dobie007 I think we are hijacking the comments here. Come to our server, we'll talk about the camera there. https://discord.com/invite/snQwdVhh

can somebody help me with this password retrieved from camera : root:XT5eZpUYaEB4c:0:0::/root:/bin/sh

I have this user but I don't know the password. Could you help me?

root:8dxMkZjXi01sk:0:0::/root:/bin/sh

ipc@hs66

A guy cracked it yesterday in 16 minutes using hashcat on 14 x RTX 4090 ( Yes, you read it right ).

I'm trying to repurpose a PNI camera that seems to be using the Hope chips. I have dumped the eeprom and found references to hi3518 drivers and the following user hash
root:$1$b/rCFZCG$fSXVN88aYy/g3LUhsGNU01
I've also found a _passwd file that had root:ab8nBoH3mb8.g, for which the password was already posted here helpme (I suppose it's for uboot?)

Can someone help me with the hash above?

I have other routes to try yet, after I put the eeprom back on the board I want to check also the serial console, my aim is to redirect/start a rtsp stream to use the camera with frigate.

Hi, can someone help on this one from an image of a SOOCOO S300 Action cam that is not supported anymore:
root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh

il s'agit de la chaîne MD5crypt pour un mot de passe vide avec un sel vide :

crypt.crypt('', '$1$$')
'$1$$qRPK7m23GJusamGpoGLby/'

Thanks! - I didn't realize!

Hi all, please help me to decrypt the password of telnet bvt user

bvt:$1$6LM5P7B4$z6ZaflT5B2h6spyn02CZw0:0:0:bvt:/home:/bin/sh

Tuya/Aldi cam, would like to have the password.
AK3918EN080 V300S (Anyka).
cat shadow:
root:$1$1m7mklzD$Hu1Z3GPZPUhpuiOBql3v7/:0:0:root:/:/bin/sh

Thanks in advance.

Hi all. Can you help me to determine what type of crypto algorithm give hash like this: oEP0ZGfC
and this:
root:8/3DL08/eA4ic:0:0:root:/:/bin/sh

Thank you.

Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)?
root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::

Thank you for help.

Can you help me decrypt this hash?

root:$6$CSBi5eyWVF/TR7$fuOZRy2hvs6qUMkth6Om65nlLhIO23dT5mW.Uctswf3x0PyQI2DjvofdNWRfTcvW8eElhu1xmzVTKCbdosLTX1:15069:0:99999:7:::

root:$1$soidjfoi$9klIbmCLq2JjYwKfEA5rH1:10933:0:99999:7:::

help me with this to crack down anyone

Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::

Thank you for help.

I have the same hash on a device. Has anyone cracked it?

Can anyone help me crack this? I successfully pulled the passwd file off the memory chip for my camera a Project Nursery camera, but I can't figure out hashcat to get the password from the hash. The passwd file contains one line:
root:$1$2bIsCaZh$4rPJIavm2oheHsh3.eORn.:0:0::/root:/bin/sh I guess my main question is what part of that to isolate in a text file to run hashcat on and how do I tell what kind of hash it is (md5... etc)?

i need help with this hash. root:$6$wyzecamv2$hvp6M6S2JI7vyyHfEDPWCYJ8N2r5B4ZzS8uZYwyMkoWyg90sCJzupBGD57CObtKonld0Yvr2B/ejt4l4/jryi.:0:0:root:/:/bin/sh . I tried using hashid with no luck . Is it a good hash?

I've got a Tuya TCP Smart cam here for which i would like to have the password: shadow says: root:$1$dVhFuDGx$YrOKRgTcjTCqEK75.z277/:15874:0:99999:7::: It shows "Lobster" and Linux version 3.10.27 (canjian@ubuntu) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #1 PREEMPT Fri Dec 7 15:51:19 CST 2018

@Dobie007 Hi, I have the same camera, were you able to crack the password?

Hi,
Since the firmware is in an external flash i could patch the inittab file and get a working terminal. I got the idea out of the video i linked above.
This is the line i actually changed:
ttyS1::respawn:-/bin/sh

Since then it's lying around because i have no idea how to continue. (The runtime file would need to be changed or an alternative chipset software used)

I haven't cracked the password yet either, but I haven't gotten around to extracting the FW yet. Would it be possible for you to send it to me? That would help me a lot :) (https://drive.google.com/drive/folders/1q8jVospsmOQUF0f-Y5loyOJjMwOogVA1?usp=sharing)

Ive seen it asked for before here and other places but no answers. Any one can help with: $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1 ?

L18DAFENSG_AF_V0-A_XAHS-RTMP-H5 V3.3.2.1 build 2024-08-29 14:35:19

Ive tried all the dictionary attacks i could find and my AMD iGPU is now at its limit trying to brute force 8chars, could take me years

somebody knows ? root:$1$RiBtxRAG$PvXy3AX92u.mvo/UwXlTJ0:19404:0:99999:7::: user:$1$ri3K4P4s$ne/es0YuNHyn0rti8KJ2a.:19404:0:99999:7:::

Hi , did you find the password for these ? can you share them if yes . thank you .