Archer VR1600v – Getting root or super user credentials the easy way


If you’re inclined to hardware hackery, see my recent post.

If you’ve recently acquired NBN broadband in Australia you’ve probably been given an Archer VR1600v router to go with it. A free router is great and all but sometimes you feel the need to fix what aint broke and voiding the warranty is the only way to scratch that itch. Fortunately, root (or more precisely super user) credentials are real easy to find out in this case so read on…

  1. First things first, open up chrome and login to the router.
  2. Navigate to the Advanced tab and then the USB Sharing menu.
  3. Open chromes page inspector tool by right clicking somewhere on the page and clicking “inspect”.
  4. Next click on the USB Storage Device menu item on the left there.
  5. In the Inspector Tool click on the Network tab across the top and you should see a list of pages and CGI items listed.
  6. See that one labeled CGI followed by a bunch of 5’s ? Select that one and you should see the contents pop up in the right hand column. Now scroll down and there it is.
  7. The SU (super user) username and right below it is the password. See my example image below if you’re lost.

Now go break some stuff!

60 comments on “Archer VR1600v – Getting root or super user credentials the easy wayAdd yours →

  1. Just as a by the by have gone to the Telco Ombudsman, TPG have been in contact their complaints resolution center. Spoke to someone today, they were going to call back I expected today which didn’t happen.

    Lets see where this ends up, so far its a flat denial that an SU login pwd exists.. in actual fact they go so far as to not knowing what an SU login pwd is.. seriously…

    Mind you conflict resolution center admit to not being technically apt, so need to consult with tech dept..

  2. Its funny I just had a run in with TPG, I asked them directly to give me the SU login and PWD. They deny that they have any such login pwd details and said TPLINK would have it and try them.
    I called and spoke to TPLINK Malaysia, they say there is no such thing as a superuser login/pwd and to check with TPG ping pong nice game they play.
    I’ve reported it to the telco ombudsman they have taken up the case and TPG have 10 days in which to give me a better answer. Will let you all know.
    TPG are in contravention of our privacy laws, by not disclosing which 3rd party if any has a backdoor login/pwd to our modems.

    They don’t lease the modems to us they sell us a service and sell the modems.

    1. That’s hilarious!!!! Please let us know what happens. I mean we have direct evidence that they have several backdoors in plus the Super user.

    2. iinet (recently acquired by TPG) put the “security” reason forward for not disclosing such information, and I imagine that this will be the final analysis for anyone connecting to the NBN.

  3. I don’t like to jump the gun here, however I have managed to extract my NBN VOIP ISP settings using the “Quick Setup” function which for the normal “admin” account is not visible until you unhide the CSS code.

    Once you get the tab “Quick Setup” running, it sits along side “Basic” and “Advanced” up the top you can attempt to complete the setup and go along the way until you get to the VOIP part, low and behold, there you are, your VOIP settings are staring you in your face, in which you will take note of all your settings and VOIP password. Then cancel Quick Setup as you would have not had to make and changes, just view and reveal the information you need.

    Using OsX I downloaded from the app store
    Punched in the settings I extracted from the modem and all working from my desktop now.

      1. Is there any way to send me a message directly. We can’t have this information easily available. Just to add. I am using a V2 router with internode. Since TPG and internode are basically the same RSP in the back end, they utilise the same equipment.

    1. Will need to know how to switch off remote update to the router, else this CSS exploit will be removed I guess in the near future, and passwords changed, etc.

      1. My latest post mentions some usernames for a service that enables updates from ISP. Disable port 7547 basically I think. Or turn off ACS or cwmp if I remember rightly

        1. Haha you guys. I’d love to be able to provide a better private channel but I’m not really geared towards that due to my low page hit count. Direct email to me is just my name (like the website) @ me dot com. But I also see all these comments obviously and if you don’t get a response on my email just ping me here and I’ll check me spam folder.

          1. Yep, i also joined the telegram chat, but I cannot post… Please change the permissions so that we can actually talk to each other. hahaha… I have the v2 here and it’s on the verge of being cracked. Let’s work together on this thing!

    2. Thanks Luc – you’re an absolute legend! Your method worked and I was able to get access to the VoIP details – cheers!

      (My approach had been to retrieve these details via the CWMP service, but your method is much simpler!)

  4. I’ve got the v1 modem not v2 but seem to get the su info masked. When try to login with su/yg… Info you note above it doesn’t work. Anyone have a new pass or workaround? Trying to use modem with new provider. Tpg said wasn’t locked but VoIP wouldn’t work.

  5. I’ve got the v1 modem not v2 but seem to get the su info masked. When try to login with su/yg… Info you note above it doesn’t work. Anyone have a new pass or workaround? Gp

    1. Nothing yet unfortunately. I’ve still not managed to get my hands on the new version hardware or the firmware binary.

  6. I have a Huawei HG659 that has finally bitten the dust and was sent a replacement Archer that was V1 so was able to get the su password but it didn’t have any SIP filled out, just called the provider ACS.
    Any suggestions for trying to get the SIP details?

    1. I might have an answer to that. There was a file containing all the sip info on my one. I’ll take a look when I get home.

    2. I should clarify the sip file I saw had sip details for a few carriers in a heap of different countries. But yeah, when I get home from work I’ll find it.

  7. The problem with the new routers that they hand out is that the response is no longer showing the admin username and password. I’ve checked this with wireshark. Its not a browser issue about what version the browser is.

  8. Many thanks to marcel.varallo and others here. I have a VR1600v V1 and the ‘su’ and password worked OK for me.
    I was very pleased to see that it bought up the Telephony section – one part of which is, to me, quite important. The ability to block numbers.
    I’ve been plagued by scam calls about the NBN being available and phone bein cut off. Now I can block those numbers.
    Hooray !!

  9. Hi Marcel and friends. Thank you for these postings.

    I have just got the iiNet V2 of this modem, with firmware v5006.0 build 190228 rel 72265n

    Using both your method as well asa similar one with Firefox developer tools, I find that both the admin user and password are “starred-out”. User is 2 chars, so probably “su”, but the password is now longer (11 characters).

    Any further info from you would be most appreciated. Cheers, Mick.

    1. I wish I could get hold of a version 2 without having to hunt one down and buy it. I’m keeping an eye open and the moment I can get one I’ll update. But yeah it looks like you’re correct about that being su still. Even getting hold of the firmware file for it would be a massive help. Then I could binwalk it and find the password that way.

      1. I’m having trouble getting a console over the serial header. I’ve connected a buspirate to the port and i think i have tried every uart mode possible and cannot get anything. I have the v2, if anyone could point me in the right direction, that would be awesome. I need to extract my voip creds

          1. Nope, I don’t think that will help unfortunately, but thanks. I’m also with TPG. I would give you my device, but then you might end up with my creds;) haha

        1. Nothing yet I’m afraid. The moment I get my hands on one I’ll be posting some replies here to let you all know. If anyone snags the firmware for it let me know, but otherwise I’ll be prying it out of the hardware when I get my hands on it.

  10. didnt work for me; Note password has 1 extra character

    Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n Hardware Version:Archer VR1600v v2 00000000



  11. It’s appears that with the FW ver Build 190228 the method is no longer valid. Just lists ******* as the user and Trev

    1. Would the nirsoft utility bulletpassview help with the stars perhaps .
      I haven’t tried the program but seen it yesterday while browsing.
      It’s open source freeware

      1. I had the same thought, but it seems it’s masking junk data that’s acting purely as a placeholder. Good idea though. Eventually we’ll turn over the right rock and there’ll be some su creds hiding underneath.

  12. Hey Marcel,
    Im using Chrome 75 on Linux. With a “later” verion of Chrome the instruction have changed a bit
    1. goto and use admin/admin
    2. Right click anywhere and inspect element
    3. On the inspect Element navigate to network –> here is where it gets a bit different
    4 Press CTL R to start recording
    6. NOW… Navigate to Advanced then USB Sharing
    7. Find the element that is NOT CGI with all the 5’s… its actually 5s and 1s
    without the ampersands its CGI?55151155551
    Lo and behold, I have the same su password as you > adminPwd=ygDT92!ez7

  13. received Archer VR1600v V2 from TPG
    tried your method but……
    all my user name and passwords are all in ****** under chrome’s inspect page
    could you please tell me how to make it display those infos ?

    1. Hmm not sure why they’re masked out for you . Might be new firmware maybe. Try su and ygDT92!ez7 as the user and password.:P.

    2. TPG oh NO,
      Ive got the latest VR1600v and the latest Chrome,
      Have a look at my slightly updated instruction

    3. TPG oh No,
      Sorry, dont know what to say. On my broser it works fine.
      I am however using Chrome V75.0.3770.90 (Official Build) (64-bit) on Linux… might have something to do with your Chrome version

  14. This is great, so simple to do (once you know what to look for) are there any ways to enable the hidden features? there are many items that are not visible.

      1. Both user and pass were blank when I looked but that could be a layer above the actual Linux backend. I’ll have a look at the same time I look for the su password on the new version. I’ve just moved house and been issued a new modem which may have the same issue as yours. What did you want to use root for? Maybe I can find another way?

        1. Was the new Modem ver:2.0? I got mine the other day and same prob v2 and cant get su pwd. Having to have the old router with voip hooked up behind to keep my third party voip

          1. Yeah, v2 is the one that people seem to be having trouble with now. I’ve not had a chance to get hold of one to take a crack yet. Will definitely post some replies here when I do

Leave a Reply

Your email address will not be published. Required fields are marked *