@gabonator
Last active April 10, 2026 15:01
HiSilicon IP camera root passwords
Summary of passwords by sperglord8008s, updated November 1, 2020. For login try "root", "default", "defaul" or "root"
00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521
@gabonator

@Lawliet95 that's impressive! Love how you documented every step. I am just wondering why you skipped the most interesting part - how you patched the passwd file. I have much more sensitive stuff here and it has only been taken down once so far :)

@Folivora

Folivora commented Nov 22, 2025

How do you get the hashes from your cameras?
I'm trying to connect to the Smtsec sip-k678k5 camera (Hi3519DV500 platform) via uart, I can see the early stage of bootlog. It does not provide a shell. Instead, when the bootlog is finished, unreadable garbage starts flooding into the terminal (in fact, it's a stream of some kind of binary data, but not uart anymore).
In addition, at the very beginning of the bootlog there is a line "Hit any key to stop autoboot: 0", but no matter how much I tried, I couldn't stop the boot by pressing the keys.

@foxyc

foxyc commented Nov 22, 2025

In my case, I read the eeprom using a ch341a programmer, but converted it to 3.3V logic. The circuit can be found on the Internet.

@Folivora

Folivora commented Nov 29, 2025

root:$6$irz0foQV6Kxty5hg$.MzoV6.uhkvkLr5fdFdnpyvXxOGgtBk9mE2cOExIKUpQ5LFNv75KZsJ8wWMCqFF6KBbwUNth5iDYnlIu7lzAz1:0:0::/root:/bin/sh

admin:$6$TuOWEAC6TFpXobx6$2v3QocoxOx699V6OMl1V/ntkvspzoDuHYgPoFLKUJTLiiw52zl.usuoDCEdTajOs4HErNB2PO4/8vEQ2GWYGs1:0:0:Linux User,,,:/home:/bin/sh

AI said it's SHA‑512‑crypt.

Upd.
Unsuccessful attempt to brute root hash:

  1. All passwords above.
  2. ?a?a?a?a -i --increment-min=1 --increment-max=4 (all possible combinations from 1 to 4 characters)
  3. --custom-charset1=?l?d ?1?1?1?1?1 (5 characters, [a-z,0-9])
  4. ?d?d?d?d?d?d (6 characters, [0-9])
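The `$6$` prefix identified above as SHA-512-crypt is the scheme id of the modular crypt format. As an added example (not part of the original thread), this Python code classifies the password field of passwd/shadow lines taken from a firmware image and flags weak schemes and additional UID 0 accounts; the function names and sample entries are constructed for illustration.

```python
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"MD5-crypt", "DES-crypt", "empty password"}

def classify(field):
    """Return (scheme, salt) for the password field of a passwd/shadow entry."""
    if field == "":
        return ("empty password", None)
    if field == "x":
        return ("shadowed", None)          # real hash lives in the shadow file
    if field[0] in "*!":
        return ("locked", None)
    if field.startswith("$"):
        parts = field.split("$")           # ['', id, salt or params, ..., digest]
        scheme = SCHEMES.get(parts[1], "unknown $%s$" % parts[1])
        salt = None
        if parts[1] in ("1", "5", "6") and len(parts) > 3:
            # SHA-crypt may carry an optional "rounds=N" field before the salt
            salt = parts[3] if parts[2].startswith("rounds=") and len(parts) > 4 else parts[2]
        return (scheme, salt)
    if len(field) == 13:
        return ("DES-crypt", field[:2])    # traditional crypt(3): 2-char salt
    return ("unknown", None)

def audit(lines):
    """Map account name -> findings for passwd (7-field) or shadow (9-field) lines."""
    report = {}
    for line in lines:
        f = line.strip().split(":")
        if len(f) not in (7, 9):
            continue                       # not a passwd/shadow entry
        scheme = classify(f[1])[0]
        notes = [scheme]
        if scheme in WEAK:
            notes.append("weak or missing hash")
        if len(f) == 7 and f[2] == "0" and f[0] != "root":
            notes.append("extra UID 0 account")
        report[f[0]] = notes
    return report

SAMPLE = [  # constructed entries; salts and digests are filler characters
    "root:$6$EXAMPLESALT00000$" + "A" * 86 + ":0:0::/root:/bin/sh",
    "admin:$6$EXAMPLESALT00001$" + "B" * 86 + ":0:0:Linux User,,,:/home:/bin/sh",
    "user:$1$EXAMPLE0$" + "C" * 22 + ":19404:0:99999:7:::",
]

if __name__ == "__main__":
    for name, notes in audit(SAMPLE).items():
        print(name, "->", "; ".join(notes))
```
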

@byfaruk

byfaruk commented Mar 7, 2026

hik Device Model
I have a DS-2CD1043G0-IUF device. How can I find the root password?

@Tdpolo26

I've seen it asked for before here and other places but no answers. Anyone can help with: $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1 ?

L18DAFENSG_AF_V0-A_XAHS-RTMP-H5 V3.3.2.1 build 2024-08-29 14:35:19

I've tried all the dictionary attacks I could find and my AMD iGPU is now at its limit trying to brute force 8 chars, could take me years

I know this is an old thread but did you find anything out.... would love a little more control over this camera

@m-archibald

> I've seen it asked for before here and other places but no answers. Anyone can help with: $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1 ?
> L18DAFENSG_AF_V0-A_XAHS-RTMP-H5 V3.3.2.1 build 2024-08-29 14:35:19
> I've tried all the dictionary attacks I could find and my AMD iGPU is now at its limit trying to brute force 8 chars, could take me years
>
> I know this is an old thread but did you find anything out.... would love a little more control over this camera

Hey, I just found this thread too. I have an IP camera, ssc335 SoC, planning to put OpenIPC on it since it's supported but was curious what the hash might be. When I extracted with binwalk this hash was located in /etc/passwd_sys

@gumbyDE

gumbyDE commented Apr 10, 2026

somebody knows ? root:$1$RiBtxRAG$PvXy3AX92u.mvo/UwXlTJ0:19404:0:99999:7::: user:$1$ri3K4P4s$ne/es0YuNHyn0rti8KJ2a.:19404:0:99999:7:::

For anyone searching for this hash (it's the first hit on Google), the password is:

helloQN
