Some More Fiddling with the Archer VR1600v

So I still haven’t got hold of a v2 device, but here you go.  You may as well have all the interesting bits I found so you can try what I may have missed.

usb3g -password appears to be..


This was a great find!…


I have no idea why this keeps showing up….

I would never set something like this.


Here’s that Super User password…



And it appears CWMP is turned on…so that’s interesting…



24 comments on “Some More Fiddling with the Archer VR1600vAdd yours →

  1. I think the su password to the Archer V2 got changed as mine got a new firmware this morning from my ISP, does anyone know the new su password, I’ve tried both on this site already.

  2. I’ve just received a replacement to my V2 replacement.
    On arrival nbn-voice has not worked out of the box…. again.
    Does anyone know if its possible to SU any settings from my old V2 Archer, which eventually did get nbn-voice to work and transpose them over to the new V2?

  3. Hi.
    I’ve just made a worrying discovery.
    In the call log, when you turn off call logging, all it seems to do is hide the logs from view.
    I made a quick phone call and then re-enabled call logging, and the entry was displayed.
    I need to look into this further.
    Perhaps I needed to reboot the router after changing the setting so that it would stick.

  4. Its frustrating having a router doing shit that isn’t logged and so can’t be diagnosed.

    Any suggestions on a router with similar capabilities that is more open?

  5. @VC – thank you SO much, you’re a lifesaver! I’m working on a mate’s VR1600V remotely (he’s in Brisbane, I’m in the UK) and he’s been having constant problems where the entire bank of ethernet ports either drops out entirely or most of the ports stop working, this at least let me get into the modem’s under-config and see what TPG hide from us. For their part they’ve been woeful, they tried to demand he BUY a new router and this is his second device (same problems with the first).

  6. The Archer VR1600V software is licensed under the GPL. This can be used to compel TPG to release the source behind their modifications, if anyone wants to use the legal system to chase TPG for information.

    1. I am able to log in as super user after I followed the instructions herein. Can ISP change that password, presumably saved in MY ROUTER without my knowing it any time they like?

      I was able to view the SU password before, but it’s now not visible when I repeated the procedure. Luckily I jotted it down and put it away.
      However I noted a new password (ygDT92!ez7) posted in this thread – probably for later routers. I guess every now and then, TP-link installed a new password for a batch of modems.

      1. Yep. They can push updates out whenever they feel necessary. Somewhere in one of my posts I dumped a bunch of passwords. One of them is used to remotely push changes to the router such as firmware or even just config without the router arguing.

        I guess take note of your router firmware version and write it on some masking tape then stick it to the router so you don’t lose it.

        We have some users actively pushing to get the providers to disclose the su password and do something about people being able to hack it as easily as we did.

  7. Tested it again and the password above let me in.
    Even though it didn’t earlier. Finger problems perhaps.
    Attempting to change it so I don’t have this hassle again.
    Yes it is the V2 model of the 1600

    Any hacks or updates available?

    1. Nothing new unfortunately. As it stands, it’s locked down to being an inflexible and insecure bit of equipment. Everyone’s pretty much buying 3rd party gear because any payoff unlocking this thing wouldn’t be worth the effort.

      1. One thing I can’t work out is, when I got the modem and connected it to my computer, leaving the NBN part disconnected, it didn’t show my username and password, instead in it’s place was the username tpg_acs@tpg_acs
        Then when it was connected I refreshed the page, clicked on network-Ewan, myactual username is displayed.
        So is there any way to get into the router and see the actual username before you connect it to the NBN? IE, when first taken out of the box, or after a factory reset?
        I thought that the username and password were contained in the NBN box in the house, but it’s obviously not, because I tried hooking up another TPLink modem and a different username and password came up, so my question is where in the router are the credentials stored? which settings are changed by the provisioning team before the router is sent out to you?

        1. got the answer from a very friendly and helpful internode techie (kudos to you, buddy) the router sends its mac address (not the MAC address of your network card) to the ACS server, then the user configuration for that MAC address is sent back to the router.

  8. I am working from home and I had to buy a TP-Link router from a 3rd party vendor because my tpg huawei hg659 router is dying and I have tried for 3 days to chat/call TPG support team but they are too busy (due to the COVID-19 virus) and I could not get through. The router is:
    I was able to configure the internet on it but unable to get VOIP to work. I know that TPG have VIOP configuration locked down.
    I am connected using HFC NBN. Can someone help me please? or direct me to someone who can help (other than TPG)? Thanks

    1. I have internet + home phone package so I dont know if any of the settings would be of use to you. But logging in with su shows me the :
      Registar Address
      Auth ID & PW
      Registrar Port, SIP Proxy & port, outbound proxy and port.

      1. Hey mate, thanks a lot for this.

        Would you mind sharing details how you were able to extract this for future if TPG changes the password again?

        I have been trying to crack the password for some time now but no luck up till now haha

      2. Hi

        It appears that they have changed the su password again (0ct 2020). Any idea on how to find out the new one? Conversely, how does one get access to previous firmware versions?

  9. I was able to get into telnet on port 2323 with the telnet username and password above but it is a locked down CLI config tool that doesnt allow user or password changes. 😦

Leave a Reply

Your email address will not be published. Required fields are marked *