-
Star
(161)
You must be signed in to star a gist -
Fork
(33)
You must be signed in to fork a gist
-
-
Save gabonator/74cdd6ab4f733ff047356198c781f27d to your computer and use it in GitHub Desktop.
| Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root" | |
| 00000000 | |
| 059AnkJ | |
| 4uvdzKqBkj.jg | |
| 7ujMko0admin | |
| 7ujMko0vizxv | |
| 123 | |
| 1111 | |
| 1234 | |
| 1234qwer | |
| 2601hx | |
| 12345 | |
| 54321 | |
| 123456 | |
| 666666 | |
| 888888 | |
| 1111111 | |
| /*6.=_ja | |
| anko | |
| anni2013 | |
| annie2012 | |
| avtech97 | |
| cat1029 | |
| ccadmin | |
| cxlinux | |
| default | |
| dreambox | |
| fxjvt1805 | |
| hdipc%No | |
| hi3518 | |
| hichiphx | |
| hipc3518 | |
| hkipc2016 | |
| hslwificam | |
| ikwb | |
| ipc71a | |
| IPCam@sw | |
| ivdev | |
| juantech | |
| jvbzd | |
| jvtsmart123 | |
| klv123 | |
| klv1234 | |
| meinsm | |
| OxhlwSG8 | |
| pass | |
| password | |
| realtek | |
| root | |
| hi3518 | |
| S2fGqNFs | |
| service | |
| smcadmin | |
| supervisor | |
| support | |
| system | |
| tech | |
| tlJwpbo6 | |
| ubnt | |
| user | |
| vhd1206 | |
| vizxv | |
| xc3511 | |
| xmhdipc | |
| zlxx. | |
| Zte521 |
Hi,
Since the firmware is in an external flash i could patch the inittab file and get a working terminal. I got the idea out of the video i linked above.
This is the line i actually changed:
ttyS1::respawn:-/bin/sh
Since then it's lying around because i have no idea how to continue. (The runtime file would need to be changed or an alternative chipset software used)
I haven't cracked the password yet either, but I haven't gotten around to extracting the FW yet. Would it be possible for you to send it to me? That would help me a lot :) (https://drive.google.com/drive/folders/1q8jVospsmOQUF0f-Y5loyOJjMwOogVA1?usp=sharing)
Ive seen it asked for before here and other places but no answers. Any one can help with: $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1 ?
L18DAFENSG_AF_V0-A_XAHS-RTMP-H5 V3.3.2.1 build 2024-08-29 14:35:19
Ive tried all the dictionary attacks i could find and my AMD iGPU is now at its limit trying to brute force 8chars, could take me years
somebody knows ? root:$1$RiBtxRAG$PvXy3AX92u.mvo/UwXlTJ0:19404:0:99999:7::: user:$1$ri3K4P4s$ne/es0YuNHyn0rti8KJ2a.:19404:0:99999:7:::
Hi , did you find the password for these ? can you share them if yes . thank you .
$1$ $.MO09JyxBBNd9Xv0pXIqc0
lbtech2002
Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.
Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.I have the same hash on a device. Has anyone cracked it?
I know it's very late, but the password for this hash is yunyi666
root:$1$soidjfoi$9klIbmCLq2JjYwKfEA5rH1:10933:0:99999:7:::
help me with this to crack down anyone
I have the same password in the shadow file. Help please.
is there still a discord?
Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.I have the same hash on a device. Has anyone cracked it?
I know it's very late, but the password for this hash is yunyi666
Oh thanks a lot! You saved me a ton of time!
Hello,
Can you help "decrypt" bellow hash:
root:$1$ouLOV500$zvYRvG33R/lxTS.9Gpz5H1
Model is: DENVER Indoor smart Wi-Fi_IP camera - IIC-172
SoC is: ANYKA AK3918EN080 V200 CDSJ02I22
Thanks in advance!
Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.I have the same hash on a device. Has anyone cracked it?
I know it's very late, but the password for this hash is yunyi666
I have the same hash in shadow file,but the pwd doesn't seem to be that one.
How you found this? It should be md5crypt.
Using john:
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware]
└─$ mkdir try
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware]
└─$ cd try
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ touch root.hash
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ echo '$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1' > root.hash
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ cat root.hash
$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ touch wordlist.txt
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ echo 'yunyi666' > wordlist.txt
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ john --wordlist=./wordlist.txt --format=md5crypt --fork=4 root.hash
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Node numbers 1-4 of 4 (fork)
4 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s
3 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s
2 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s
Press 'q' or Ctrl-C to abort, almost any other key for status
1: Warning: Only 1 candidate left, minimum 24 needed for performance.
1 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 50.00p/s 50.00c/s 50.00C/s yunyi666
Waiting for 3 children to terminate
Session completed.
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ john --show --format=md5crypt root.hash
0 password hashes cracked, 1 left
Has someone cracked it? I tried to use hashcat with mask: 8 letters,only numbers and lowercase character,but after 3 days it couldn't find the pwd.
Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.I have the same hash on a device. Has anyone cracked it?
I know it's very late, but the password for this hash is yunyi666
I have the same hash in shadow file,but the pwd doesn't seem to be that one. How you found this? It should be md5crypt. Using john:
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware] └─$ mkdir try ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware] └─$ cd try ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ touch root.hash ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ echo '$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1' > root.hash ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ cat root.hash $1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1 ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ touch wordlist.txt ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ echo 'yunyi666' > wordlist.txt ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ john --wordlist=./wordlist.txt --format=md5crypt --fork=4 root.hash Using default input encoding: UTF-8 Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3]) Node numbers 1-4 of 4 (fork) 4 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s 3 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s 2 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s Press 'q' or Ctrl-C to abort, almost any other key for status 1: Warning: Only 1 candidate left, minimum 24 needed for performance. 1 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 50.00p/s 50.00c/s 50.00C/s yunyi666 Waiting for 3 children to terminate Session completed. ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ john --show --format=md5crypt root.hash 0 password hashes cracked, 1 leftHas someone cracked it? I tried to use hashcat with mask: 8 letters,only numbers and lowercase character,but after 3 days it couldn't find the pwd.
It is not clear md5. It is modified version.
Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.I have the same hash on a device. Has anyone cracked it?
I know it's very late, but the password for this hash is yunyi666
I have the same hash in shadow file,but the pwd doesn't seem to be that one. How you found this? It should be md5crypt. Using john:
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware] └─$ mkdir try ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware] └─$ cd try ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ touch root.hash ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ echo '$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1' > root.hash ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ cat root.hash $1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1 ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ touch wordlist.txt ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ echo 'yunyi666' > wordlist.txt ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ john --wordlist=./wordlist.txt --format=md5crypt --fork=4 root.hash Using default input encoding: UTF-8 Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3]) Node numbers 1-4 of 4 (fork) 4 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s 3 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s 2 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s Press 'q' or Ctrl-C to abort, almost any other key for status 1: Warning: Only 1 candidate left, minimum 24 needed for performance. 1 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 50.00p/s 50.00c/s 50.00C/s yunyi666 Waiting for 3 children to terminate Session completed. ┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try] └─$ john --show --format=md5crypt root.hash 0 password hashes cracked, 1 leftHas someone cracked it? I tried to use hashcat with mask: 8 letters,only numbers and lowercase character,but after 3 days it couldn't find the pwd.
It is not clear md5. It is modified version.
Can you tell me more about this?
Btw I can't access U-Boot either.
On my camera looks like u-boot disables prompt until kernel is loaded.
My only one way is to modify firmware,change shadow pwd and flash it back so I can login as root
Btw I can't access U-Boot either. On my camera looks like u-boot disables prompt until kernel is loaded. My only one way is to modify firmware,change shadow pwd and flash it back so I can login as root
As i remember, hashing algorithm in some library modified by vendor, so you must make hash with same algorithm and write hash in shadow pwd. Than system can compare hash from pass you entered with hash in shadow pwd.
Btw I can't access U-Boot either. On my camera looks like u-boot disables prompt until kernel is loaded. My only one way is to modify firmware,change shadow pwd and flash it back so I can login as root
As i remember, hashing algorithm in some library modified by vendor, so you must make hash with same algorithm and write hash in shadow pwd. Than system can compare hash from pass you entered with hash in shadow pwd.
Yeah that was kinda clear from your last message. I tried the password “yunyi666” (a guy here said was that one)to auth to device and it doesn’t work.
What you mean with “libraries modified by the vendor”?
Are there some libraries with source?
Hi. Ho, there is no source of libraries. You only can extract file from firmware and make reverse engineering with Ghidra or IDA Pro.
You can try to find some more info in telegram group "OpenIPC User"
++Update:
There you go @chrismclellen 😘
@foxyc btw there was no custom algorithm. That was md5crypt
Sorry, I must have confused this camera with another one that used modified base64.
I am working on a camera with the root hash $1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/ anyone been able to crack it?
Technaxx TX-61 (FI9803W board from Foscam with Hi3518CV100 SoC)
root / ak47agai
worked for me
root:$1$soidjfoi$9klIbmCLq2JjYwKfEA5rH1:10933:0:99999:7:::
help me with this to crack down anyoneI have the same password in the shadow file. Help please.
Hey there... I'm also searching for this one.Did you find it somewhere? Can you please help me?
There is a chance you guys can find password for your hashes bruteforcing, but it will hardly work without spending days on it.
I tried a lot of different masks and lenght, been bruteforcing (with 3060ti overclocked) my hash for days with no luck.
You could be luckier then me,but I find it kinda hard.
I wrote an article (still in progress),if you want more info,look here,it's my public repo about my hacking journey.
https://github.com/Lawliet95/ANYKA-Tuya-Hacking-Journey-AK3918v200EN080-v200
@Lawliet95 thats impressive! Love it how you documented every step. I am just wondering why you skipped the most interesting part - how you patched the passwd file. I have much more sensitive stuff here and it has only been taken down only once so far :)
How do you get the hashes from your cameras?
I'm trying to connect to the Smtsec sip-k678k5 camera (Hi3519DV500 platform) via uart, I can see the early stage of bootlog. It does not provide a shell. Instead, when the bootlog is finished, unreadable garbage starts flooding into the terminal (in fact, it's a stream of some kind of binary data, but not uart anymore).
In addition, at the very beginning of the bootlog there is a line "Hit any key to stop autoboot: 0", but no matter how much I tried, I couldn't stop the boot by pressing the keys.
In my case, I read the eeprom using a ch341a programmer, but converted it to 3.3V logic. The circuit can be found on the Internet.
root:$6$irz0foQV6Kxty5hg$.MzoV6.uhkvkLr5fdFdnpyvXxOGgtBk9mE2cOExIKUpQ5LFNv75KZsJ8wWMCqFF6KBbwUNth5iDYnlIu7lzAz1:0:0::/root:/bin/sh
admin:$6$TuOWEAC6TFpXobx6$2v3QocoxOx699V6OMl1V/ntkvspzoDuHYgPoFLKUJTLiiw52zl.usuoDCEdTajOs4HErNB2PO4/8vEQ2GWYGs1:0:0:Linux User,,,:/home:/bin/sh
AI said it's SHA‑512‑crypt.
Upd.
Unsuccessful attempt to brute root hash:
- All passwords above.
- ?a?a?a?a -i --increment-min=1 --increment-max=4 (all possible combinations from 1 to 4 characters)
- --custom-charset1=?l?d ?1?1?1?1?1 (5 characters, [a-z,0-9])
- ?d?d?d?d?d?d (6 characters, [0-9])
@Dobie007 Hi, I have the same camera, were you able to crack the password?