Let me explain how and why I became and still am convinced this is an intentional backdoor, and in Hollywood style.
When I found out how to download the clear text user database with login and hashed passwords, I was totally convinced it was simply a bug.
When I then was looking at the password hashes in Gen2 I noticed the well-known 48-bit hashes, remembered the .js scripts I'd been through earlier, so it was a bit strange.
When I checked the same with a Gen3 I saw it was another type of hash, went back to the .js in that device and found the MD5 generator.
Was thinking "can I use these hashes to login?", started to do some quick and ugly coding for the 48-bit hashes, and oh yeah... damn, worked just fine O_o
A bit of research was needed to figure out how the random MD5 was working, used Burp Proxy to see what it looked like for a successful login.
Did manual stuff in Python to see how, with what and if I could generate the same result, thinking this can't be like this, and when I did - I stopped all work - left everything on the screen, I could not believe what I'd just achieved...
After an hour or two I tried to put that together in my quick and ugly code, with the requests and processing from and back to the device, and it worked nicely.
Anyhow, the point here is: Think now about a small plugin for your favourite browser (Chrome/Firefox/IE/whatever) that simply does:
1. Download the clear text user database
2. Extract username and hashes
3. Get all details needed to know the encryption type, random key and all needed stuff from remote device
4. Simply login by passing over the 48-bit hash, or compute the random MD5 hash
5. Full admin access granted, the plugin doesn't even need to have a button.
Am I the only one who is thinking intentional backdoor? Or maybe Dahua cannot do proper coding?