Recovering password from 16CH NVR based on HI3536

Recently I was asked for help with recovering a forgotten password on a 16CH IP DVR device. It had no brand name, but after opening it I found the name HI3536 printed on the motherboard.

[Image: NVR]

After the owner's attempts to simply guess the password failed, I searched for some known (master) passwords, but none of them worked either. Some devices have override (master) passwords that allow unlocking them in cases where the password was forgotten.

The next step would be to look for open ports and services running on the device. Most likely it would be possible to exploit one of them.

But this time I decided to try something else: I looked around the motherboard and found an EEPROM chip that got my attention.

[Image: similar board]

I suspected it could be used as the main memory for the device, since there was no other chip on the motherboard that could act as flash memory.

It turned out I was right: after de-soldering it and reading its contents using a CH341A programmer, I looked over the hexdump and some data started to appear.

Next I used binwalk to analyse its contents. The kernel and rootfs were found immediately. After extracting them, I looked for clues as to where passwords could be stored.

As a result, it turned out that the user password is stored in a .sqlite3 file on some other partition.
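What a signature scan like the binwalk run above does on a raw flash dump, as an added example (not the author's code and not binwalk's own): it searches for a few well-known magic values and validates uImage and SQLite headers to discard false positives and to get a carve size. The signature selection, the function names and the assumption that the SQLite file sits uncompressed and contiguous in the dump are this example's own.

```python
import struct
import sys
import zlib

def uimage_size(data, off):
    """Validate a 64-byte uImage header by its CRC32; return header + payload size."""
    hdr = data[off:off + 64]
    if len(hdr) < 64:
        return None
    stored_crc, _, payload_len = struct.unpack(">III", hdr[4:16])
    # The header CRC is computed with the CRC field itself set to zero.
    if zlib.crc32(hdr[:4] + b"\x00" * 4 + hdr[8:]) != stored_crc:
        return None
    return 64 + payload_len

def sqlite_size(data, off):
    """Sanity-check the 100-byte SQLite header; return page size * page count."""
    hdr = data[off:off + 100]
    if len(hdr) < 100:
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # page size must be a power of two from 512 to 65536
    # Page count can be 0 in files written by old SQLite versions (size unknown).
    return page_size * struct.unpack(">I", hdr[28:32])[0]

# magic -> (description, validator or None); the selection is this example's own.
SIGNATURES = {
    b"\x27\x05\x19\x56": ("uImage header", uimage_size),
    b"hsqs": ("SquashFS, little endian", None),
    b"\x45\x3d\xcd\x28": ("CramFS, little endian", None),
    b"SQLite format 3\x00": ("SQLite database", sqlite_size),
}

def scan_dump(data):
    """Return sorted (offset, description, size or None) for every plausible hit."""
    hits = []
    for magic, (name, validator) in SIGNATURES.items():
        off = data.find(magic)
        while off != -1:
            size = validator(data, off) if validator else None
            if validator is None or size is not None:
                hits.append((off, name, size))
            off = data.find(magic, off + 1)
    return sorted(hits, key=lambda h: h[0])

if __name__ == "__main__":  # usage: python scan_dump.py flash_dump.bin
    for off, name, size in scan_dump(open(sys.argv[1], "rb").read()):
        print(f"0x{off:08x}  {name}  size={size}")
```

A database that lives inside a compressed or log-structured filesystem will not show up as one contiguous hit; in that case the filesystem has to be extracted first and the file located inside it.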

To be continued …