Skip to content

Instantly share code, notes, and snippets.

@gabonator
Last active March 31, 2025 22:28
Show Gist options
  • Save gabonator/74cdd6ab4f733ff047356198c781f27d to your computer and use it in GitHub Desktop.
Save gabonator/74cdd6ab4f733ff047356198c781f27d to your computer and use it in GitHub Desktop.
HiSilicon IP camera root passwords
Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"
00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521
@Osirismix
Copy link

Osirismix commented May 20, 2024

@Arnaud30 hey. Found the way to reset the password by IPWizardIII. So i figure it out and the camera goes to it's owner =D But i'm realy curious about tinkering and everything else so i think i'll do it with another camera, cause i have several of them with same defect, they just start restarting and it can go for hours? and i just want to know what's happening with them. and i hope you can help me with it. if there is some DM not to flood here we can go there thumb up

@sperglord8008s
Copy link

Neye3C camera: laohuqian
JVT camera: fxsdk+(camera password),fxjvt1805. Need open telnet port first(open telnet port firmware)
hankvision(blue GUI PTZ camera): HI2105CHIP
Xiongmai device:
root xmhdipc
root klv123
root xc3511
root 123456
root jvbzd
root hi3518
topsee(u-boot password): hdipc%No
RT-IPC: cat1029

@Dobie007
Copy link

Dobie007 commented Jun 23, 2024

I've got a Tuya TCP Smart cam here for which i would like to have the password:
shadow says:
root:$1$dVhFuDGx$YrOKRgTcjTCqEK75.z277/:15874:0:99999:7:::
It shows "Lobster" and
Linux version 3.10.27 (canjian@ubuntu) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #1 PREEMPT Fri Dec 7 15:51:19 CST 2018

@EEtinkerer
Copy link

EEtinkerer commented Jun 25, 2024

somebody knows ?user:$1$ri3K4P4s$ne/es0YuNHyn0rti8KJ2a.:19404:0:99999:7:::

user:user123456

@xeroski
Copy link

xeroski commented Jun 28, 2024

Hi. Need help with smart cam:
root:$1$1m7mklzD$Hu1Z3GPZPUhpuiOBql3v7/:0:0:root:/:/bin/sh

@RenaKunisaki
Copy link

How are you recovering u-boot passwords? I have the ROM dump but don't know what to look for. I assume it's a hash stored somewhere?

@themactep
Copy link

@RenaKunisaki, it depends on the u-boot. older uboot can have in plain text as it is just a sequence of keys. newer one will have it hashed and scattered. Often times, you can skip the password altogether shorting pins on the flash chip during boot.

@Dobie007
Copy link

Dobie007 commented Jul 2, 2024

Here is a video series showing what to do to get the hash out - but it didn't help me further than what you can read above.
https://www.youtube.com/watch?v=LgurdIN1KW0
Editing the inittab file worked, but then i still haven't figured out what to do to get rid of the cloud..
It's as if i've got the hood of my car open but have no clue what all the stuff in there is..

@themactep
Copy link

themactep commented Jul 2, 2024

What camera is that? What SoC? We develop thingino - an open firmware for Ingenic cameras.

@Dobie007
Copy link

Dobie007 commented Jul 2, 2024

The one i have:
DRAM:Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02 64 MiB @ 1066 MHz
SF: Detected GD25Q128C with page size 256 Bytes, erase size 64 KiB, total 16 MiB

@themactep
Copy link

@Dobie007 I think we are hijacking the comments here. Come to our server, we'll talk about the camera there. https://discord.com/invite/snQwdVhh

@abdberkana
Copy link

can somebody help me with this password retrieved from camera : root:XT5eZpUYaEB4c:0:0::/root:/bin/sh

@L4ky
Copy link

L4ky commented Aug 6, 2024

I have this user but I don't know the password. Could you help me?

root:8dxMkZjXi01sk:0:0::/root:/bin/sh

ipc@hs66

A guy cracked it yesterday in 16 minutes using hashcat on 14 x RTX 4090 ( Yes, you read it right ).

@gfarcas
Copy link

gfarcas commented Aug 13, 2024

I'm trying to repurpose a PNI camera that seems to be using the Hope chips. I have dumped the eeprom and found references to hi3518 drivers and the following user hash
root:$1$b/rCFZCG$fSXVN88aYy/g3LUhsGNU01
I've also found a _passwd file that had root:ab8nBoH3mb8.g, for which the password was already posted here helpme (I suppose it's for uboot?)

Can someone help me with the hash above?

I have other routes to try yet, after I put the eeprom back on the board I want to check also the serial console, my aim is to redirect/start a rtsp stream to use the camera with frigate.

@Dobie007
Copy link

Dobie007 commented Oct 6, 2024

Hi, can someone help on this one from an image of a SOOCOO S300 Action cam that is not supported anymore:
root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh

@Arnaud30
Copy link

Arnaud30 commented Oct 6, 2024

il s'agit de la chaîne MD5crypt pour un mot de passe vide avec un sel vide :

crypt.crypt('', '$1$$')
'$1$$qRPK7m23GJusamGpoGLby/'

@Dobie007
Copy link

Dobie007 commented Oct 6, 2024

Thanks! - I didn't realize!

@imgege
Copy link

imgege commented Oct 10, 2024

Hi all, please help me to decrypt the password of telnet bvt user

bvt:$1$6LM5P7B4$z6ZaflT5B2h6spyn02CZw0:0:0:bvt:/home:/bin/sh

@smsilv
Copy link

smsilv commented Oct 23, 2024

Tuya/Aldi cam, would like to have the password.
AK3918EN080 V300S (Anyka).
cat shadow:
root:$1$1m7mklzD$Hu1Z3GPZPUhpuiOBql3v7/:0:0:root:/:/bin/sh

Thanks in advance.

@foxyc
Copy link

foxyc commented Oct 29, 2024

Hi all. Can you help me to determine what type of crypto algorithm give hash like this: oEP0ZGfC
and this:
root:8/3DL08/eA4ic:0:0:root:/:/bin/sh

Thank you.

@jason73cz
Copy link

Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)?
root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::

Thank you for help.

@Phantomn
Copy link

Can you help me decrypt this hash?

root:$6$CSBi5eyWVF/TR7$fuOZRy2hvs6qUMkth6Om65nlLhIO23dT5mW.Uctswf3x0PyQI2DjvofdNWRfTcvW8eElhu1xmzVTKCbdosLTX1:15069:0:99999:7:::

@ShravanSinghRathore
Copy link

root:$1$soidjfoi$9klIbmCLq2JjYwKfEA5rH1:10933:0:99999:7:::

help me with this to crack down anyone

@ZervoTheProtogen
Copy link

Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::

Thank you for help.

I have the same hash on a device. Has anyone cracked it?

@rryanc83
Copy link

Can anyone help me crack this? I successfully pulled the passwd file off the memory chip for my camera a Project Nursery camera, but I can't figure out hashcat to get the password from the hash. The passwd file contains one line:
root:$1$2bIsCaZh$4rPJIavm2oheHsh3.eORn.:0:0::/root:/bin/sh I guess my main question is what part of that to isolate in a text file to run hashcat on and how do I tell what kind of hash it is (md5... etc)?

@megadon1
Copy link

i need help with this hash. root:$6$wyzecamv2$hvp6M6S2JI7vyyHfEDPWCYJ8N2r5B4ZzS8uZYwyMkoWyg90sCJzupBGD57CObtKonld0Yvr2B/ejt4l4/jryi.:0:0:root:/:/bin/sh . I tried using hashid with no luck . Is it a good hash?

@f-gabel
Copy link

f-gabel commented Feb 15, 2025

I've got a Tuya TCP Smart cam here for which i would like to have the password: shadow says: root:$1$dVhFuDGx$YrOKRgTcjTCqEK75.z277/:15874:0:99999:7::: It shows "Lobster" and Linux version 3.10.27 (canjian@ubuntu) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #1 PREEMPT Fri Dec 7 15:51:19 CST 2018

@Dobie007 Hi, I have the same camera, were you able to crack the password?

@Dobie007
Copy link

Hi,
Since the firmware is in an external flash i could patch the inittab file and get a working terminal. I got the idea out of the video i linked above.
This is the line i actually changed:
ttyS1::respawn:-/bin/sh

Since then it's lying around because i have no idea how to continue. (The runtime file would need to be changed or an alternative chipset software used)

@f-gabel
Copy link

f-gabel commented Feb 19, 2025

I haven't cracked the password yet either, but I haven't gotten around to extracting the FW yet. Would it be possible for you to send it to me? That would help me a lot :) (https://drive.google.com/drive/folders/1q8jVospsmOQUF0f-Y5loyOJjMwOogVA1?usp=sharing)

@derzahla
Copy link

derzahla commented Mar 31, 2025

Ive seen it asked for before here and other places but no answers. Any one can help with: $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1 ?

L18DAFENSG_AF_V0-A_XAHS-RTMP-H5 V3.3.2.1 build 2024-08-29 14:35:19

Ive tried all the dictionary attacks i could find and my AMD iGPU is now at its limit trying to brute force 8chars, could take me years

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment