Adventures in Hikvision

A while back, I was given someone's retired Hikvision NVR. Opening it up, there werea bunch of SATA ports, and a circuit board. The PSU is connecting to the board with a 20 (or maybe 24) pin standard-looking motherboard power supply. It's a 2U rackmount. So far, it seems similar enough to a proper server.

Booting it up, I had to deal with the password, after which I reset the device. Fun fact, it ONLY uses a mouse as input. The only way to input text is via the on-screen keyboard. WHY?? Anyway, I found the IP address and tried to log in to the web portal. That would have been great, except for the part where it requires an Internet Explorer plugin...

Cut to me spinning up my 12-year-old iMac to run a Windows VM on, since that's the newest Intel Mac that I had access to at 3am. So turns out that the the NVR (technically mine is labelled a DVR whatever) has Telnet. Unfortunately, the option to turn it on in the settings on the latest firmware for the device does not work. You can click it, but it does nothing and goes back to being disabled if you leave and reenter the settings panel.

After installing the IE11 plugin and opening the web view, there's no telnet option... unless... fucking hell. They've hidden it in the HTML with a CSS class to hide it. removing that CSS class shows the telnet button. I click it aaaaand it doesn't work. Why in the hell??

Anyway, some forum reading later, I make the descision to attempt a firmware downgrade. Turns out, you can get old firmwares on the Hikvision Europe portal. I find a spreadsheet that includes my model number (DS-7316HIHQ-SH) in the "Technical Materials » 03 DVR » 00 Product Firmware" section, where it says to go to the "Temp" folder. Going there, I see 2 folders and a .zip file. The folders reference firmware versions higher than my device uses, so I go with the zip file instead. The zip file is an entire major version lower than my current version, so I think "bingo!", though I doubt that it will actually let me downgrade, since I read on the forums that Hikvision blocks that.

One transfer to my iMac Windows 10 VM later, I had it uploading to the web portal, and it... worked??? It actually uploaded with no issues, and rebooted the device. A moment later, the device displayed a new splash screen. Woohoo! It asked for a username and password, though it wouldn't let me input a username, only a password, and the whole display was really dim. I entered my password and it told me that the device was now activated. Great!

It dumped me onto the camera feed viewing screen, at least that's what it was supposed to be. In reality, it was black. Trying to open the settings menu prompts me for the username and password, but I can't enter a user. Entering the password does nothing, since no user is selected. Ughhhh. Time to try the web portal I guess.

One nmap later and it looks like the NVR isn't even initializing itself on the network. I also try using a USB-Ethernet adapter, but that doesn't work either. Welp, not all stories have a happy ending, I guess. Maybe some day I'll see if someone is willing to give me flash chip dumps or something and I can reflash the storage, but honestly that seems like too much work for what it's worth. If I were to actually make a security network, I would be using 100% IP cameras. This model can only connect to 2 IP cameras simultaneously, with the other inputs being 16 analog inputs. I was hoping to turn it into some other device, or just poke around on telnet, but not all tinkering has a happy ending. Unfortunately, there's no way to update the firmware over USB without logging in on the GUI, so this is it for now.