Some More Fiddling with the Archer VR1600v

So I still haven’t got hold of a v2 device, but here you go.  You may as well have all the interesting bits I found so you can try what I may have missed.

usb3g -password appears to be..

username=WAP@CINGULAR.COM
password=CINGULAR1

This was a great find!…

telnetUsername=TPG@telnet
telnetPassword=TPG@tp-link_2017

I have no idea why this keeps showing up….

I would never set something like this.

password=abcd1990

Here’s that Super User password…

adminName=su
adminPwd=ygDT92!ez7

 

And it appears CWMP is turned on…so that’s interesting…

username=tpg_acs@tpg_acs
password=tpg_acs

URL=https://tplink-tpgfttbacs.tpg.com.au:7547/acs
username=TPGACSuser
password=TPGACSpass
periodicInformEnable=1
periodicInformInterval=72000
periodicInformTime=2019-10-26T10:19:38
parameterKey=
X_TP_ConnReqPort=7547
X_TP_connReqPath=/tr069
connectionRequestURL=http://10.215.5.155:7547/tr069
connectionRequestUsername=TPGCPEuser
connectionRequestPassword=TPGCPEpass

21 comments on “Some More Fiddling with the Archer VR1600vAdd yours →

  1. Hi.
    I’ve just made a worrying discovery.
    In the call log, when you turn off call logging, all it seems to do is hide the logs from view.
    I made a quick phone call and then re-enabled call logging, and the entry was displayed.
    I need to look into this further.
    Perhaps I needed to reboot the router after changing the setting so that it would stick.

  2. Its frustrating having a router doing shit that isn’t logged and so can’t be diagnosed.

    Any suggestions on a router with similar capabilities that is more open?

  3. @VC – thank you SO much, you’re a lifesaver! I’m working on a mate’s VR1600V remotely (he’s in Brisbane, I’m in the UK) and he’s been having constant problems where the entire bank of ethernet ports either drops out entirely or most of the ports stop working, this at least let me get into the modem’s under-config and see what TPG hide from us. For their part they’ve been woeful, they tried to demand he BUY a new router and this is his second device (same problems with the first).

  4. The Archer VR1600V software is licensed under the GPL. This can be used to compel TPG to release the source behind their modifications, if anyone wants to use the legal system to chase TPG for information.

    1. I am able to log in as super user after I followed the instructions herein. Can ISP change that password, presumably saved in MY ROUTER without my knowing it any time they like?

      I was able to view the SU password before, but it’s now not visible when I repeated the procedure. Luckily I jotted it down and put it away.
      However I noted a new password (ygDT92!ez7) posted in this thread – probably for later routers. I guess every now and then, TP-link installed a new password for a batch of modems.

      1. Yep. They can push updates out whenever they feel necessary. Somewhere in one of my posts I dumped a bunch of passwords. One of them is used to remotely push changes to the router such as firmware or even just config without the router arguing.

        I guess take note of your router firmware version and write it on some masking tape then stick it to the router so you don’t lose it.

        We have some users actively pushing to get the providers to disclose the su password and do something about people being able to hack it as easily as we did.

  5. Tested it again and the password above let me in.
    Even though it didn’t earlier. Finger problems perhaps.
    Attempting to change it so I don’t have this hassle again.
    Yes it is the V2 model of the 1600

    Any hacks or updates available?

    1. Nothing new unfortunately. As it stands, it’s locked down to being an inflexible and insecure bit of equipment. Everyone’s pretty much buying 3rd party gear because any payoff unlocking this thing wouldn’t be worth the effort.

      1. One thing I can’t work out is, when I got the modem and connected it to my computer, leaving the NBN part disconnected, it didn’t show my username and password, instead in it’s place was the username tpg_acs@tpg_acs
        Then when it was connected I refreshed the page, clicked on network-Ewan, myactual username is displayed.
        So is there any way to get into the router and see the actual username before you connect it to the NBN? IE, when first taken out of the box, or after a factory reset?
        I thought that the username and password were contained in the NBN box in the house, but it’s obviously not, because I tried hooking up another TPLink modem and a different username and password came up, so my question is where in the router are the credentials stored? which settings are changed by the provisioning team before the router is sent out to you?

        1. got the answer from a very friendly and helpful internode techie (kudos to you, buddy) the router sends its mac address (not the MAC address of your network card) to the ACS server, then the user configuration for that MAC address is sent back to the router.

  6. I am working from home and I had to buy a TP-Link router from a 3rd party vendor because my tpg huawei hg659 router is dying and I have tried for 3 days to chat/call TPG support team but they are too busy (due to the COVID-19 virus) and I could not get through. The router is: https://www.tp-link.com/au/home-networking/dsl-modem-router/archer-vr600v/
    I was able to configure the internet on it but unable to get VOIP to work. I know that TPG have VIOP configuration locked down.
    I am connected using HFC NBN. Can someone help me please? or direct me to someone who can help (other than TPG)? Thanks

    1. I have internet + home phone package so I dont know if any of the settings would be of use to you. But logging in with su shows me the :
      Registar Address
      Auth ID & PW
      Registrar Port, SIP Proxy & port, outbound proxy and port.

      1. Hey mate, thanks a lot for this.

        Would you mind sharing details how you were able to extract this for future if TPG changes the password again?

        I have been trying to crack the password for some time now but no luck up till now haha

  7. I was able to get into telnet on port 2323 with the telnet username and password above but it is a locked down CLI config tool that doesnt allow user or password changes. 😦

Leave a Reply

Your email address will not be published. Required fields are marked *