HiSilicon IP camera root passwords

password.txt

Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"

00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521

root:$1$soidjfoi$9klIbmCLq2JjYwKfEA5rH1:10933:0:99999:7:::
help me with this to crack down anyone

I have the same password in the shadow file. Help please.

Hey there... I'm also searching for this one.Did you find it somewhere? Can you please help me?

There is a chance you guys can find password for your hashes bruteforcing, but it will hardly work without spending days on it.
I tried a lot of different masks and lenght, been bruteforcing (with 3060ti overclocked) my hash for days with no luck.
You could be luckier then me,but I find it kinda hard.
I wrote an article (still in progress),if you want more info,look here,it's my public repo about my hacking journey.

https://github.com/Lawliet95/ANYKA-Tuya-Hacking-Journey-AK3918v200EN080-v200

@Lawliet95 thats impressive! Love it how you documented every step. I am just wondering why you skipped the most interesting part - how you patched the passwd file. I have much more sensitive stuff here and it has only been taken down only once so far :)

How do you get the hashes from your cameras?
I'm trying to connect to the Smtsec sip-k678k5 camera (Hi3519DV500 platform) via uart, I can see the early stage of bootlog. It does not provide a shell. Instead, when the bootlog is finished, unreadable garbage starts flooding into the terminal (in fact, it's a stream of some kind of binary data, but not uart anymore).
In addition, at the very beginning of the bootlog there is a line "Hit any key to stop autoboot: 0", but no matter how much I tried, I couldn't stop the boot by pressing the keys.

In my case, I read the eeprom using a ch341a programmer, but converted it to 3.3V logic. The circuit can be found on the Internet.

root:$6$irz0foQV6Kxty5hg$.MzoV6.uhkvkLr5fdFdnpyvXxOGgtBk9mE2cOExIKUpQ5LFNv75KZsJ8wWMCqFF6KBbwUNth5iDYnlIu7lzAz1:0:0::/root:/bin/sh

admin:$6$TuOWEAC6TFpXobx6$2v3QocoxOx699V6OMl1V/ntkvspzoDuHYgPoFLKUJTLiiw52zl.usuoDCEdTajOs4HErNB2PO4/8vEQ2GWYGs1:0:0:Linux User,,,:/home:/bin/sh

AI said it's SHA‑512‑crypt.

Upd.
Unsuccessful attempt to brute root hash:

1. All passwords above.
2. ?a?a?a?a -i --increment-min=1 --increment-max=4 (all possible combinations from 1 to 4 characters)
3. --custom-charset1=?l?d ?1?1?1?1?1 (5 characters, [a-z,0-9])
4. ?d?d?d?d?d?d (6 characters, [0-9])