HiSilicon IP camera root passwords

password.txt

Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"

00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521

Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.

Hi everybody. Can you help me decrypt shadow on AK3918EN080 V200 (Anyka)? root:$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1:0:0:99999:7:::
Thank you for help.

I have the same hash on a device. Has anyone cracked it?

I know it's very late, but the password for this hash is yunyi666

I have the same hash in shadow file,but the pwd doesn't seem to be that one. How you found this? It should be md5crypt. Using john:

┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware]
└─$ mkdir try 
                                                                                                                                                     
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware]
└─$ cd try  
 
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ touch root.hash  

┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ echo '$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1' > root.hash
                                                                                                                                          
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ cat root.hash
$1$6AHjBnTn$LvoexcPTiWwZP5fLfCGdv1

┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ touch wordlist.txt             
                                                                                                                                                          
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ echo 'yunyi666' > wordlist.txt                       
                                                                                                                                          
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ john --wordlist=./wordlist.txt --format=md5crypt --fork=4 root.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Node numbers 1-4 of 4 (fork)
4 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s
3 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s
2 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 0p/s 0c/s 0C/s
Press 'q' or Ctrl-C to abort, almost any other key for status
1: Warning: Only 1 candidate left, minimum 24 needed for performance.
1 0g 0:00:00:00 DONE (2025-10-05 11:00) 0g/s 50.00p/s 50.00c/s 50.00C/s yunyi666
Waiting for 3 children to terminate
Session completed. 
                                                                                                                                          
┌──(stagnola㉿kali)-[~/Scrivania/dump_firmware/try]
└─$ john --show --format=md5crypt root.hash                       
0 password hashes cracked, 1 left

Has someone cracked it? I tried to use hashcat with mask: 8 letters,only numbers and lowercase character,but after 3 days it couldn't find the pwd.

It is not clear md5. It is modified version.

Can you tell me more about this?

Btw I can't access U-Boot either.
On my camera looks like u-boot disables prompt until kernel is loaded.
My only one way is to modify firmware,change shadow pwd and flash it back so I can login as root

Btw I can't access U-Boot either. On my camera looks like u-boot disables prompt until kernel is loaded. My only one way is to modify firmware,change shadow pwd and flash it back so I can login as root

As i remember, hashing algorithm in some library modified by vendor, so you must make hash with same algorithm and write hash in shadow pwd. Than system can compare hash from pass you entered with hash in shadow pwd.

Btw I can't access U-Boot either. On my camera looks like u-boot disables prompt until kernel is loaded. My only one way is to modify firmware,change shadow pwd and flash it back so I can login as root

As i remember, hashing algorithm in some library modified by vendor, so you must make hash with same algorithm and write hash in shadow pwd. Than system can compare hash from pass you entered with hash in shadow pwd.

Yeah that was kinda clear from your last message. I tried the password “yunyi666” (a guy here said was that one)to auth to device and it doesn’t work.
What you mean with “libraries modified by the vendor”?
Are there some libraries with source?

Hi. Ho, there is no source of libraries. You only can extract file from firmware and make reverse engineering with Ghidra or IDA Pro.

You can try to find some more info in telegram group "OpenIPC User"

++Update:

There you go @chrismclellen 😘

@foxyc btw there was no custom algorithm. That was md5crypt

What did I miss?

…

On Thu, Oct 9, 2025 at 2:46 PM Lawliet95 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ ++Update: There you go @chrismclellen <https://github.com/chrismclellen> 😘 image.png (view on web) <https://gist.github.com/user-attachments/assets/933f7492-1166-47b4-aa3c-cb65da813879> — Reply to this email directly, view it on GitHub <https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d#gistcomment-5794947> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFPXRVNMIHJLYJ66SU4JBX33W3CRJBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGM3DQNRUHAYDLKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJSGE3DGMJTGAYKI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF> . You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

++Update:

There you go @chrismclellen 😘

@foxyc btw there was no custom algorithm. That was md5crypt

Sorry, I must have confused this camera with another one that used modified base64.

I am working on a camera with the root hash $1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/ anyone been able to crack it?

Technaxx TX-61 (FI9803W board from Foscam with Hi3518CV100 SoC)
root / ak47agai
worked for me

root:$1$soidjfoi$9klIbmCLq2JjYwKfEA5rH1:10933:0:99999:7:::
help me with this to crack down anyone

I have the same password in the shadow file. Help please.

Hey there... I'm also searching for this one.Did you find it somewhere? Can you please help me?

There is a chance you guys can find password for your hashes bruteforcing, but it will hardly work without spending days on it.
I tried a lot of different masks and lenght, been bruteforcing (with 3060ti overclocked) my hash for days with no luck.
You could be luckier then me,but I find it kinda hard.
I wrote an article (still in progress),if you want more info,look here,it's my public repo about my hacking journey.

https://github.com/Lawliet95/ANYKA-Tuya-Hacking-Journey-AK3918v200EN080-v200

@Lawliet95 thats impressive! Love it how you documented every step. I am just wondering why you skipped the most interesting part - how you patched the passwd file. I have much more sensitive stuff here and it has only been taken down only once so far :)

How do you get the hashes from your cameras?
I'm trying to connect to the Smtsec sip-k678k5 camera (Hi3519DV500 platform) via uart, I can see the early stage of bootlog. It does not provide a shell. Instead, when the bootlog is finished, unreadable garbage starts flooding into the terminal (in fact, it's a stream of some kind of binary data, but not uart anymore).
In addition, at the very beginning of the bootlog there is a line "Hit any key to stop autoboot: 0", but no matter how much I tried, I couldn't stop the boot by pressing the keys.

In my case, I read the eeprom using a ch341a programmer, but converted it to 3.3V logic. The circuit can be found on the Internet.

root:$6$irz0foQV6Kxty5hg$.MzoV6.uhkvkLr5fdFdnpyvXxOGgtBk9mE2cOExIKUpQ5LFNv75KZsJ8wWMCqFF6KBbwUNth5iDYnlIu7lzAz1:0:0::/root:/bin/sh

admin:$6$TuOWEAC6TFpXobx6$2v3QocoxOx699V6OMl1V/ntkvspzoDuHYgPoFLKUJTLiiw52zl.usuoDCEdTajOs4HErNB2PO4/8vEQ2GWYGs1:0:0:Linux User,,,:/home:/bin/sh

AI said it's SHA‑512‑crypt.

Upd.
Unsuccessful attempt to brute root hash:

1. All passwords above.
2. ?a?a?a?a -i --increment-min=1 --increment-max=4 (all possible combinations from 1 to 4 characters)
3. --custom-charset1=?l?d ?1?1?1?1?1 (5 characters, [a-z,0-9])
4. ?d?d?d?d?d?d (6 characters, [0-9])