Archer VR1600v – Getting root or super user credentials the easy way

UPDATED: https://www.marcelvarallo.com/?p=1497&preview=true

If you’ve recently acquired NBN broadband in Australia you’ve probably been given an Archer VR1600v router to go with it.  A free router is great and all but sometimes you feel the need to fix what aint broke and voiding the warranty is the only way to scratch that itch.  Fortunately, root (or more precisely super user) credentials are real easy to find out in this case so read on…

 

  1. First things first, open up chrome and login to the router.
  2. Navigate to the Advanced tab and then the USB Sharing menu.
  3. Open chromes page inspector tool by right clicking somewhere on the page and clicking “inspect”.
  4. Next click on the USB Storage Device menu item on the left there.
  5. In the Inspector Tool click on the Network tab across the top and you should see a list of pages and CGI items listed.
  6. See that one labeled CGI followed by a bunch of 5’s ?  Select that one and you should see the contents pop up in the right hand column.  Now scroll down and there it is.
  7. The SU (super user) username and right below it is the password.  See my example image below if you’re lost.

Now go break some stuff!

40 comments on “Archer VR1600v – Getting root or super user credentials the easy wayAdd yours →

  1. I’ve got the v1 modem not v2 but seem to get the su info masked. When try to login with su/yg… Info you note above it doesn’t work. Anyone have a new pass or workaround? Trying to use modem with new provider. Tpg said wasn’t locked but VoIP wouldn’t work.

  2. I’ve got the v1 modem not v2 but seem to get the su info masked. When try to login with su/yg… Info you note above it doesn’t work. Anyone have a new pass or workaround? Gp

    1. Nothing yet unfortunately. I’ve still not managed to get my hands on the new version hardware or the firmware binary.

  3. I have a Huawei HG659 that has finally bitten the dust and was sent a replacement Archer that was V1 so was able to get the su password but it didn’t have any SIP filled out, just called the provider ACS.
    Any suggestions for trying to get the SIP details?

    1. I might have an answer to that. There was a file containing all the sip info on my one. I’ll take a look when I get home.

    2. I should clarify the sip file I saw had sip details for a few carriers in a heap of different countries. But yeah, when I get home from work I’ll find it.

  4. The problem with the new routers that they hand out is that the response is no longer showing the admin username and password. I’ve checked this with wireshark. Its not a browser issue about what version the browser is.

  5. Many thanks to marcel.varallo and others here. I have a VR1600v V1 and the ‘su’ and password worked OK for me.
    I was very pleased to see that it bought up the Telephony section – one part of which is, to me, quite important. The ability to block numbers.
    I’ve been plagued by scam calls about the NBN being available and phone bein cut off. Now I can block those numbers.
    Hooray !!

  6. Hi Marcel and friends. Thank you for these postings.

    I have just got the iiNet V2 of this modem, with firmware 0.1.0.0.9.1 v5006.0 build 190228 rel 72265n

    Using both your method as well asa similar one with Firefox developer tools, I find that both the admin user and password are “starred-out”. User is 2 chars, so probably “su”, but the password is now longer (11 characters).

    Any further info from you would be most appreciated. Cheers, Mick.

    1. I wish I could get hold of a version 2 without having to hunt one down and buy it. I’m keeping an eye open and the moment I can get one I’ll update. But yeah it looks like you’re correct about that being su still. Even getting hold of the firmware file for it would be a massive help. Then I could binwalk it and find the password that way.

      1. I’m having trouble getting a console over the serial header. I’ve connected a buspirate to the port and i think i have tried every uart mode possible and cannot get anything. I have the v2, if anyone could point me in the right direction, that would be awesome. I need to extract my voip creds

          1. Nope, I don’t think that will help unfortunately, but thanks. I’m also with TPG. I would give you my device, but then you might end up with my creds;) haha

        1. Nothing yet I’m afraid. The moment I get my hands on one I’ll be posting some replies here to let you all know. If anyone snags the firmware for it let me know, but otherwise I’ll be prying it out of the hardware when I get my hands on it.

  7. didnt work for me; Note password has 1 extra character

    Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n Hardware Version:Archer VR1600v v2 00000000

    serverName=Archer_VR1600v

    rootName=
    rootPwd=
    adminName=**
    adminPwd=***********
    userName=admin
    userPwd=admin
    [error]0

  8. It’s appears that with the FW ver 1.0.0.9.1v5006 Build 190228 the method is no longer valid. Just lists ******* as the user and Trev

    1. Would the nirsoft utility bulletpassview help with the stars perhaps .
      I haven’t tried the program but seen it yesterday while browsing.
      It’s open source freeware

      1. I had the same thought, but it seems it’s masking junk data that’s acting purely as a placeholder. Good idea though. Eventually we’ll turn over the right rock and there’ll be some su creds hiding underneath.

  9. Hey Marcel,
    Im using Chrome 75 on Linux. With a “later” verion of Chrome the instruction have changed a bit
    1. goto 192.168.1.1 and use admin/admin
    2. Right click anywhere and inspect element
    3. On the inspect Element navigate to network –> here is where it gets a bit different
    4 Press CTL R to start recording
    6. NOW… Navigate to Advanced then USB Sharing
    7. Find the element that is NOT CGI with all the 5’s… its actually 5s and 1s
    without the ampersands its CGI?55151155551
    Lo and behold, I have the same su password as you > adminPwd=ygDT92!ez7
    GRI2A

  10. received Archer VR1600v V2 from TPG
    tried your method but……
    all my user name and passwords are all in ****** under chrome’s inspect page
    could you please tell me how to make it display those infos ?

    1. Hmm not sure why they’re masked out for you . Might be new firmware maybe. Try su and ygDT92!ez7 as the user and password.:P.

    2. TPG oh NO,
      Ive got the latest VR1600v and the latest Chrome,
      Have a look at my slightly updated instruction
      GRI2A

    3. TPG oh No,
      Sorry, dont know what to say. On my broser it works fine.
      I am however using Chrome V75.0.3770.90 (Official Build) (64-bit) on Linux… might have something to do with your Chrome version
      GRI2A

  11. This is great, so simple to do (once you know what to look for) are there any ways to enable the hidden features? there are many items that are not visible.

      1. Both user and pass were blank when I looked but that could be a layer above the actual Linux backend. I’ll have a look at the same time I look for the su password on the new version. I’ve just moved house and been issued a new modem which may have the same issue as yours. What did you want to use root for? Maybe I can find another way?

        1. Was the new Modem ver:2.0? I got mine the other day and same prob v2 and cant get su pwd. Having to have the old router with voip hooked up behind to keep my third party voip

          1. Yeah, v2 is the one that people seem to be having trouble with now. I’ve not had a chance to get hold of one to take a crack yet. Will definitely post some replies here when I do

Leave a Reply to Kyle Cancel reply

Your email address will not be published. Required fields are marked *