Archer VR1600v – Getting root or super user credentials the easy way

UPDATED: https://www.marcelvarallo.com/?p=1497&preview=true

If you’re inclined to hardware hackery, see my recent post.

If you’ve recently acquired NBN broadband in Australia you’ve probably been given an Archer VR1600v router to go with it. A free router is great and all but sometimes you feel the need to fix what aint broke and voiding the warranty is the only way to scratch that itch. Fortunately, root (or more precisely super user) credentials are real easy to find out in this case so read on…

  1. First things first, open up chrome and login to the router.
  2. Navigate to the Advanced tab and then the USB Sharing menu.
  3. Open chromes page inspector tool by right clicking somewhere on the page and clicking “inspect”.
  4. Next click on the USB Storage Device menu item on the left there.
  5. In the Inspector Tool click on the Network tab across the top and you should see a list of pages and CGI items listed.
  6. See that one labeled CGI followed by a bunch of 5’s ? Select that one and you should see the contents pop up in the right hand column. Now scroll down and there it is.
  7. The SU (super user) username and right below it is the password. See my example image below if you’re lost.

Now go break some stuff!

91 comments on “Archer VR1600v – Getting root or super user credentials the easy wayAdd yours →

  1. I tried this method with the same model router (ver 2.0) supplied by iiNet just a few weeks ago, and the results are shown in the screenshot at the address below. The adminName and adminPwd values are shown as stars. Marcel, how did you get Chrome to display those values in plain text? Or maybe it can no longer be done because TP-Link has changed the firmware since you did it in March to prevent others doing the same? See screenshot at:
    http://moongazer.zeriha.com/website/files/Archer-Chrome-Inspector.jpg

  2. Hey Guys,

    Just so you know the fight is not over yet, my local member of parliament is back her reply is as follows.

    “As you note, this is a bigger issue. I will forward the information you provided to me in your email of 18 December to our Shadow Minister for Communications as a starting point. There are certainly some questions to be asked regarding privacy and security.

    I will keep you posted on any advice I receive.”

    I would like to compile a list of companies that are providing these modems and supply as much information as to just how compromised these modems are. So if any tech types want to give me some fuel please do.

    Good quality information will give this thing wings.

  3. Ok guys,

    TPG are really playing the game here. I can only take the stand point that they are being deliberately evasive.

    Here is the last msg from them to me.

    I understand that you seek TPG to provide the root/master password for the TPG modem;however,as discussed by our Senior Engineer,we do not have it.As you may already know,our TPG supplied modem has been pre configured and has been tested by our network team to ensure that it meets TPG/NBN criteria for service stability.

    Should you wish to change the admin username and password for added security,you may do so by accessing the GUI of your modem.However,I assure you that TPG is providing you a secured connection.

    Given this situation,if you are not happy with the current level of service,you may look for another provider that can satisfy your needs,and TPG is willing to release you from contractual obligations as a gesture of goodwill.

    Please take time to consider the information that I have presented and let me know how do you wish to proceed with your account.

    How good of them to do so, please excuse me while I go take some fresh air.

  4. Hey guys for those of you more knowledgeable than me.
    Seeing as we have the SU for the V2 is the tplink we have a candidate for perhaps a home brew upgrade?

    Get rid of TPLINK firmware totally?

    If anyone has any links as to how we might be able to go about this would be appreciated.

  5. Ok Guys n Gals,

    After a few weeks of to and fro between Ombudsman and TPG.. TPG win, Ombudsman dept toothless tiger.. Have a read and laugh at the last mail from TPG to me… note that because the SU/Master user login is not mentioned in the user manual, it therefore doesn’t exist!!! There ya go, I spent a few weeks of my life to allegedly have this resolved by being sent a copy of the user manual.
    Maybe its time to go to local member of parliament.
    Someone here isn’t telling the truth.

    ——-

    Note I have I have sent you the modem manual for you to know that there was nowhere in that manual where master password was stated. TPG therefore, is not providing nor supporting such feature.
    Even if you escalate this further with the TIO, they will still refer you back to TPG. It is noteworthy to mentioned that TIO cannot compel providers to impose something not within their capacity.
    At this stage, TPG cannot provide you the master password as we have no records of such. You may use the router provided without setting a master password or you may opt to seek for a different provide who can provide you the master password.

    1. Well that’s complete bollocks and we know it. What user manual did they send you? Anything special or just one we would have seen before?

      1. The password for the V2 modem was uncovered by one of our Telegram memebers.

        I have tested password on a ArcherV2 supplied by internode and westnet and both Su and supplied password work on the units.

          1. Looking into it now for you. I have the method, but I’m asking permission to share. alternatively if you join the Telegram group you can scroll through and see where one of the guys details it.

        1. This was the response from Internode technical support who suggested I look at this. Pretty pointless if you ask me.

          ***Begin Quote***
          Hi
          This is what we have discussed about those feature you are looking with out TP-LINK Archer VR1600v modem, unfortunately Back up and Restore is not included on this modem though call blocking feature is available.

          You link rely on this link: https://setuprouter.com/router/tp-link/archer-vr1600v/manual-2515.pdf

          If you have other queries don’t hesitate to call us back here, or you can reply on this email thread

          Thank you
          ***END QUOTE***

          Makes you laugh.

          1. These companies are almost like petrol stations they all seem to raise their prices at exactly the same time and price.

            The answer you got is pretty much the same as TPG heres the manual lol..

            Laughable

    2. actually, looking at that reply they’ve just said “Nah there isn’t one in the manual” But we didn’t ask about one being in the manual. We asked about the undocumented one that’s on the router.

    3. Somewhat conversely, if you (or anyone) does manage to obtain it and change it, TPG may be liable for any damages caused to you as a result, since they are clearly expressing they have no knowledge of it, which is either incompetence or negligence I suppose.

        1. Seriously, its standard security practice to change passwords every now and then, so as to prevent cyber attacks. My V2 Archer is legitimately set to DMZ, so only I could update the password I guess, but I can’t since I’m not given it in the first place. Since the (it seems) generic password is now available (as posted in another post above), all of TPG’s customers with this modem are now compromised, which could be a considerable number of residential users in a country, opening the country up to cyber attack en masse… or am I just whistling dixie?

          1. Arguably, all of this crap is backdoored to hell by agencies with acronyms so it was never really safe to start off with. But yeah, sharing passwords across multiple bits of CPE means that once 1 customer is compromised, then all of them are. I liked it better when you could buy something (software or hardware) and you owned it, so nothing changed unless you made the change. vendors pushing out updates is the bane of my existance.

          2. That was one of my arguments with the Ombudsman’s office, let me tell you that THEY DO NOT CARE.

            It’s staffed by people who haven’t got a clue what a modem is, I asked one of the staffers there, and have you checked your modem, the reply was. Ohhh I don’t know anything about them my brother does it all for me.

            So they are the people looking after our interests….

            how safe do you feel……………..

        2. After you use the superuser and PWD to access all of the settings, can the modem be made to work with other ISPs? IE, Aussie Broadband
          with superuser access, can the update be made to proceed manually?

          1. While I was in provisioning stage, moving from a very slow TPG ADSL service to Internode NBN, the supplied Archer which we’ve all been trying to argue has a SU password was able to be configured to use my old ADSL service, so based on that it would be safe to say the modem could be used on another service, however each modem is encoded to seek the credentials from the network. You would have to know your NBN credentials and service type and how it is connected and any particulars like VLANs used.

          2. Well the issues isn’t so much anymore configuring the modem to user other providers, its been shown that it can be done.
            The issue now is we have the SU login and pwd for the V2, but you can’t for now change the SU login and pwd its either hardcoded or a method for changing it hasn’t appeared as yet.
            Your modem is still vulnerable..

    4. Lots of unanswered questions here.
      How much control do we have after entering the superuser password.
      Can the password be changed?
      Is there a way to download the firmware to the PC, so that it can be uploaded to the modem at a later stage?
      Can I use the voip details from the archer on another modem, IE, a billion modem?

      1. From what I understand, yes if you have voip details you can use another modem. One of the guys here has said as much in a previous thread.
        ATM there is no way to change the SU login and pwd, no one has as yet found a way to do it. Though there have been threads on the web about users changing the SU login and pwd for other TPLINK modems which also have a back door using telnet.
        Once you log into your modem with SU, you have pretty much full access to the modem, as a suggestion you should switch of CWMP which will/should prevent auto updates.
        So far your modem it would be fair to say is totally unsecured due to the fact that you cannot change the SU.
        The only way to currently secure it is to either 1 use it in bridge mode and have it live behind another modem or put it behind a firewall. There are plenty of articles on how to go about that on the web.
        The thing that you need to check with your Billion, I used to have one of those prior to NBN is to check to make sure that it also doesn’t have a backdoor SU login pwd.
        A college of mine has a Netgear voip modem and currently he is not getting a straight answer from Netgear if there is or isn’t one.

        1. Thank you for this info.
          and sorry for the newby questions.
          Is there any way I can obtain the firmware binary file and download it to my desktop, or back up the existing firmware and configuration files?
          For example, suppose an update to the firmware comes through where there are changes to the voip settings and the old settings don’t work any more.
          All the internode help desk techies, at least, those who have been on the job for more than 4 years know all too well about the botched update that broke things for net gear users, and one even expressed concerns off the record that he felt very iffy about the update process given what happened with netgear.

  6. Just as a by the by have gone to the Telco Ombudsman, TPG have been in contact their complaints resolution center. Spoke to someone today, they were going to call back I expected today which didn’t happen.

    Lets see where this ends up, so far its a flat denial that an SU login pwd exists.. in actual fact they go so far as to not knowing what an SU login pwd is.. seriously…

    Mind you conflict resolution center admit to not being technically apt, so need to consult with tech dept..

  7. Its funny I just had a run in with TPG, I asked them directly to give me the SU login and PWD. They deny that they have any such login pwd details and said TPLINK would have it and try them.
    I called and spoke to TPLINK Malaysia, they say there is no such thing as a superuser login/pwd and to check with TPG ping pong nice game they play.
    I’ve reported it to the telco ombudsman they have taken up the case and TPG have 10 days in which to give me a better answer. Will let you all know.
    TPG are in contravention of our privacy laws, by not disclosing which 3rd party if any has a backdoor login/pwd to our modems.

    They don’t lease the modems to us they sell us a service and sell the modems.

    1. That’s hilarious!!!! Please let us know what happens. I mean we have direct evidence that they have several backdoors in plus the Super user.

    2. iinet (recently acquired by TPG) put the “security” reason forward for not disclosing such information, and I imagine that this will be the final analysis for anyone connecting to the NBN.

  8. I don’t like to jump the gun here, however I have managed to extract my NBN VOIP ISP settings using the “Quick Setup” function which for the normal “admin” account is not visible until you unhide the CSS code.

    Once you get the tab “Quick Setup” running, it sits along side “Basic” and “Advanced” up the top you can attempt to complete the setup and go along the way until you get to the VOIP part, low and behold, there you are, your VOIP settings are staring you in your face, in which you will take note of all your settings and VOIP password. Then cancel Quick Setup as you would have not had to make and changes, just view and reveal the information you need.

    Using OsX I downloaded from the app store https://apps.apple.com/au/app/telephone/id406825478?mt=12
    Punched in the settings I extracted from the modem and all working from my desktop now.

      1. Is there any way to send me a message directly. We can’t have this information easily available. Just to add. I am using a V2 router with internode. Since TPG and internode are basically the same RSP in the back end, they utilise the same equipment.

    1. Will need to know how to switch off remote update to the router, else this CSS exploit will be removed I guess in the near future, and passwords changed, etc.

      1. My latest post mentions some usernames for a service that enables updates from ISP. Disable port 7547 basically I think. Or turn off ACS or cwmp if I remember rightly

        1. Haha you guys. I’d love to be able to provide a better private channel but I’m not really geared towards that due to my low page hit count. Direct email to me is just my name (like the website) @ me dot com. But I also see all these comments obviously and if you don’t get a response on my email just ping me here and I’ll check me spam folder.

          1. Yep, i also joined the telegram chat, but I cannot post… Please change the permissions so that we can actually talk to each other. hahaha… I have the v2 here and it’s on the verge of being cracked. Let’s work together on this thing!

    2. Thanks Luc – you’re an absolute legend! Your method worked and I was able to get access to the VoIP details – cheers!

      (My approach had been to retrieve these details via the CWMP service, but your method is much simpler!)

  9. I’ve got the v1 modem not v2 but seem to get the su info masked. When try to login with su/yg… Info you note above it doesn’t work. Anyone have a new pass or workaround? Trying to use modem with new provider. Tpg said wasn’t locked but VoIP wouldn’t work.

  10. I’ve got the v1 modem not v2 but seem to get the su info masked. When try to login with su/yg… Info you note above it doesn’t work. Anyone have a new pass or workaround? Gp

    1. Nothing yet unfortunately. I’ve still not managed to get my hands on the new version hardware or the firmware binary.

  11. I have a Huawei HG659 that has finally bitten the dust and was sent a replacement Archer that was V1 so was able to get the su password but it didn’t have any SIP filled out, just called the provider ACS.
    Any suggestions for trying to get the SIP details?

    1. I might have an answer to that. There was a file containing all the sip info on my one. I’ll take a look when I get home.

    2. I should clarify the sip file I saw had sip details for a few carriers in a heap of different countries. But yeah, when I get home from work I’ll find it.

  12. The problem with the new routers that they hand out is that the response is no longer showing the admin username and password. I’ve checked this with wireshark. Its not a browser issue about what version the browser is.

  13. Many thanks to marcel.varallo and others here. I have a VR1600v V1 and the ‘su’ and password worked OK for me.
    I was very pleased to see that it bought up the Telephony section – one part of which is, to me, quite important. The ability to block numbers.
    I’ve been plagued by scam calls about the NBN being available and phone bein cut off. Now I can block those numbers.
    Hooray !!

  14. Hi Marcel and friends. Thank you for these postings.

    I have just got the iiNet V2 of this modem, with firmware 0.1.0.0.9.1 v5006.0 build 190228 rel 72265n

    Using both your method as well asa similar one with Firefox developer tools, I find that both the admin user and password are “starred-out”. User is 2 chars, so probably “su”, but the password is now longer (11 characters).

    Any further info from you would be most appreciated. Cheers, Mick.

    1. I wish I could get hold of a version 2 without having to hunt one down and buy it. I’m keeping an eye open and the moment I can get one I’ll update. But yeah it looks like you’re correct about that being su still. Even getting hold of the firmware file for it would be a massive help. Then I could binwalk it and find the password that way.

      1. I’m having trouble getting a console over the serial header. I’ve connected a buspirate to the port and i think i have tried every uart mode possible and cannot get anything. I have the v2, if anyone could point me in the right direction, that would be awesome. I need to extract my voip creds

          1. Nope, I don’t think that will help unfortunately, but thanks. I’m also with TPG. I would give you my device, but then you might end up with my creds;) haha

        1. Nothing yet I’m afraid. The moment I get my hands on one I’ll be posting some replies here to let you all know. If anyone snags the firmware for it let me know, but otherwise I’ll be prying it out of the hardware when I get my hands on it.

  15. didnt work for me; Note password has 1 extra character

    Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n Hardware Version:Archer VR1600v v2 00000000

    serverName=Archer_VR1600v

    rootName=
    rootPwd=
    adminName=**
    adminPwd=***********
    userName=admin
    userPwd=admin
    [error]0

  16. It’s appears that with the FW ver 1.0.0.9.1v5006 Build 190228 the method is no longer valid. Just lists ******* as the user and Trev

    1. Would the nirsoft utility bulletpassview help with the stars perhaps .
      I haven’t tried the program but seen it yesterday while browsing.
      It’s open source freeware

      1. I had the same thought, but it seems it’s masking junk data that’s acting purely as a placeholder. Good idea though. Eventually we’ll turn over the right rock and there’ll be some su creds hiding underneath.

  17. Hey Marcel,
    Im using Chrome 75 on Linux. With a “later” verion of Chrome the instruction have changed a bit
    1. goto 192.168.1.1 and use admin/admin
    2. Right click anywhere and inspect element
    3. On the inspect Element navigate to network –> here is where it gets a bit different
    4 Press CTL R to start recording
    6. NOW… Navigate to Advanced then USB Sharing
    7. Find the element that is NOT CGI with all the 5’s… its actually 5s and 1s
    without the ampersands its CGI?55151155551
    Lo and behold, I have the same su password as you > adminPwd=ygDT92!ez7
    GRI2A

  18. received Archer VR1600v V2 from TPG
    tried your method but……
    all my user name and passwords are all in ****** under chrome’s inspect page
    could you please tell me how to make it display those infos ?

    1. Hmm not sure why they’re masked out for you . Might be new firmware maybe. Try su and ygDT92!ez7 as the user and password.:P.

    2. TPG oh NO,
      Ive got the latest VR1600v and the latest Chrome,
      Have a look at my slightly updated instruction
      GRI2A

    3. TPG oh No,
      Sorry, dont know what to say. On my broser it works fine.
      I am however using Chrome V75.0.3770.90 (Official Build) (64-bit) on Linux… might have something to do with your Chrome version
      GRI2A

  19. This is great, so simple to do (once you know what to look for) are there any ways to enable the hidden features? there are many items that are not visible.

      1. Both user and pass were blank when I looked but that could be a layer above the actual Linux backend. I’ll have a look at the same time I look for the su password on the new version. I’ve just moved house and been issued a new modem which may have the same issue as yours. What did you want to use root for? Maybe I can find another way?

        1. Was the new Modem ver:2.0? I got mine the other day and same prob v2 and cant get su pwd. Having to have the old router with voip hooked up behind to keep my third party voip

          1. Yeah, v2 is the one that people seem to be having trouble with now. I’ve not had a chance to get hold of one to take a crack yet. Will definitely post some replies here when I do

Leave a Reply to Aaron Cancel reply

Your email address will not be published. Required fields are marked *