Some More Fiddling with the Archer VR1600v

So I still haven’t got hold of a v2 device, but here you go.  You may as well have all the interesting bits I found so you can try what I may have missed.

usb3g -password appears to be..

username=WAP@CINGULAR.COM
password=CINGULAR1

This was a great find!…

telnetUsername=TPG@telnet
telnetPassword=TPG@tp-link_2017

I have no idea why this keeps showing up….

I would never set something like this.

password=abcd1990

Here’s that Super User password…

adminName=su
adminPwd=ygDT92!ez7

 

And it appears CWMP is turned on…so that’s interesting…

username=tpg_acs@tpg_acs
password=tpg_acs

URL=https://tplink-tpgfttbacs.tpg.com.au:7547/acs
username=TPGACSuser
password=TPGACSpass
periodicInformEnable=1
periodicInformInterval=72000
periodicInformTime=2019-10-26T10:19:38
parameterKey=
X_TP_ConnReqPort=7547
X_TP_connReqPath=/tr069
connectionRequestURL=http://10.215.5.155:7547/tr069
connectionRequestUsername=TPGCPEuser
connectionRequestPassword=TPGCPEpass

54 comments on “Some More Fiddling with the Archer VR1600vAdd yours →

      1. I’ve just moved and switched over to TPG, and it seems the old Archer 1600 is not being provisioned any more. In future TPG will be supplying the new TPLINK VX420-G2v. I used to have this hack on an old iinet (huwaei) connection and I was counting on doing this again. DAMN! Anyone got any ideas where to start with this fresh round of TPG hardware? – before I connect for the first time it might also be a good time for those who know more than me to take a look?

        1. can you tell TPG you have an existing VR1600 and want to use that? I assume they’d possibly try to flash it with latest firmware, once it’s working / connected you could then flash it with the above version and switch off CWMP so they can’t change it again

          1. I’ve had them provision a line without a modem and they’ve agreed. I’ve also just let them supply a modem then swapped it out with my own. They don’t seem to worry if they can’t push updates and I’ve never been contacted to remedy locking them out.

  1. I have 2 Vr1600V.
    Unit 1: is unlocked from my service provider (lizzy) V1 hardware.
    Firmware Version:2.1.0 0.9.1 v5006.0 Build 180828 Rel.34451n

    Unit 2: Tpg bought from ebay so called unlocked. V2 hardware.
    Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n.
    Lucky password listed here works as it only shows ********** via method described.

    I have had both working with Lizzy and AussieBB. FTTN and VOIP.

    There are differences on firmware side.
    V1 has no guest WIFI but does have an extra 2 WIFI SSID for each band IE 6 in total.

    TPG unit only has main and guest wifi for each band.

    VOIP setup for ‘phone number’ field cannot accept text in V1 so requires a different setup. (frustrating). V2 or tpg firmware can.

    V1 only can enter in password, no option for user. I assume it to be fixed to admin.

    Both have been reliable and wifi suitable for our large house tho en-suit toilet is a bit patchy..

    Anyone know difference between V1 and V2 ????

  2. I have 2 Vr1600V.
    Unit 1: is unlocked from my service provider (lizzy) V1 hardware.
    Firmware Version:2.1.0 0.9.1 v5006.0 Build 180828 Rel.34451n

    Unit 2: Tpg bought from ebay so called unlocked. V2 hardware.
    Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n.
    Lucky password listed here works as it only shows ********** via method described.

    I have had both working with Lizzy and AussieBB. FTTN and VOIP.

    There are differences on firmware side.
    V1 has no guest WIFI but does have an extra 2 WIFI SSID for each band IE 6 in total.

    TPG unit only has main and guest wifi for each band.

    VOIP setup for ‘phone number’ field cannot accept text in V1 so requires a different setup. V2 or tpg firmware can.

    V1 only can enter in password, no option for user. I assume it to be fixed to admin.

    Both have been reliable and wifi suitable for our large house tho en-suit toilet is a bit patchy..

  3. Very frustrating, but I’m afraid I can confirm that TPG and iinet have changed the su password with a recent firmware update (and now the interface loads and logs-in slow as mud even on standard admin). I can no longer get into super user settings. Looks like they quickly caught onto our hacking ways. Perhaps theres a way to decrypt the firmware similar to like what’s outlined in this guide: https://github.com/mattimustang/optus-sagemcom-fast-3864-hacks/
    for those with keen interest my hard/firm details as of writing are as follows: Firmware Version:0.1.0 0.9.1 v5006.0 Build 200810 Rel.53181n Hardware Version:Archer VR1600v v2 00000000

    1. I’d love to help, but my problem is getting a hold of the right hardware version so I can capture a transfer and binwalk it

      1. FYI TPG have just moved to a new platform now: (TP-Link VX420-G2v)
        I have a new unit. Would you like to take a look to see how to keep thisd hack going into the future?

    2. Please provide the su password for
      Firmware Version:0.1.0 0.9.1 v5006.0 Build 200810 Rel.53181n Hardware Version:Archer VR1600v v2 00000000

  4. So I got the replacement-replacement V2 Modem approx 3 .5weeks ago.
    It has been running rock solid since.
    For the first 5 days it wasn’t connecting to nbn-voice. Once TPG sorted it out on there end I made sure to turn off CWMP.

    This means I am currently running this firmware:
    Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n Hardware Version:Archer VR1600v v2 00000000

    It also means I still have SU access to the router with the old password.

    I don’t intend on turning CWMP back on unless there is an issue with the router.

    Upstream Downstream
    Current Rate (kbps) 22600 55405
    Max Rate (kbps) 26379 57711
    SNR Margin (dB) 9 6.8
    Line Attenuation (dB) 31.6 16.4
    Errors (pkts) 0 0

    As you can tell I’m only a 50/20 plan, I’m on pair-gains and the node is 800metres away. So those figures are alright considering.
    I did have to re-wire and shorten all the original phone cabling in the roof to get those speeds though, but a little dust and cobwebs never hurt anyone. The asbestos on the other hand….

    1. So somehow even without CWMP enabled, TPG managed to push through updates and borked my SuperUser privileges and access.
      Can no longer login with old su passwords and Console Inspection shows ‘********’.
      Short of re-flashing the firmware and losing my massive amount of settings in the process, this wont be happening any time soon.

      Frack you TPG.

  5. I think the su password to the Archer V2 got changed as mine got a new firmware this morning from my ISP, does anyone know the new su password, I’ve tried both on this site already.

      1. Hi guys, best I can do is check my setup on Monday and let you know. Though I’m not sure if it’s changed or mine nor can I remember which version I have now.

        1. Hi.
          Yep, the password on mine has changed as well. Darn nuisance really, because now I can’t access my call longs and call blocking features.
          In fact, if we ring them and tell them that this is why we need the superuser password, they may feel more inclined to tell us what it is.
          Certainly the call log argument is a pretty sound one.
          BTW, I’ve been trying to email you for months now, but either wordpress isn’t playing nice with internode, or my email addie has ended up in your spamlist file.
          Can you please check if things are OK on your end?
          Cheers.
          I’m the guy with the email address that ends with sent dot com.
          Thanks.

          1. Not yet. That’s been more out of lack of equipment and time these days. I’ve moved house and everything is still in boxes too. Sorry I don’t have good news for you yet.

  6. I’ve just received a replacement to my V2 replacement.
    On arrival nbn-voice has not worked out of the box…. again.
    Does anyone know if its possible to SU any settings from my old V2 Archer, which eventually did get nbn-voice to work and transpose them over to the new V2?

  7. Hi.
    I’ve just made a worrying discovery.
    In the call log, when you turn off call logging, all it seems to do is hide the logs from view.
    I made a quick phone call and then re-enabled call logging, and the entry was displayed.
    I need to look into this further.
    Perhaps I needed to reboot the router after changing the setting so that it would stick.

  8. Its frustrating having a router doing shit that isn’t logged and so can’t be diagnosed.

    Any suggestions on a router with similar capabilities that is more open?

      1. Or if you had gone with the more expensive option (Telstra), you would have received a vcnt-a_telstra
        router that is already running OpenWRT Champagne (18.1.c). Though the flip side to that is that almost nobody has been able to use their VoIP details on another device.

  9. @VC – thank you SO much, you’re a lifesaver! I’m working on a mate’s VR1600V remotely (he’s in Brisbane, I’m in the UK) and he’s been having constant problems where the entire bank of ethernet ports either drops out entirely or most of the ports stop working, this at least let me get into the modem’s under-config and see what TPG hide from us. For their part they’ve been woeful, they tried to demand he BUY a new router and this is his second device (same problems with the first).

  10. The Archer VR1600V software is licensed under the GPL. This can be used to compel TPG to release the source behind their modifications, if anyone wants to use the legal system to chase TPG for information.

    1. I am able to log in as super user after I followed the instructions herein. Can ISP change that password, presumably saved in MY ROUTER without my knowing it any time they like?

      I was able to view the SU password before, but it’s now not visible when I repeated the procedure. Luckily I jotted it down and put it away.
      However I noted a new password (ygDT92!ez7) posted in this thread – probably for later routers. I guess every now and then, TP-link installed a new password for a batch of modems.

      1. Yep. They can push updates out whenever they feel necessary. Somewhere in one of my posts I dumped a bunch of passwords. One of them is used to remotely push changes to the router such as firmware or even just config without the router arguing.

        I guess take note of your router firmware version and write it on some masking tape then stick it to the router so you don’t lose it.

        We have some users actively pushing to get the providers to disclose the su password and do something about people being able to hack it as easily as we did.

  11. Tested it again and the password above let me in.
    Even though it didn’t earlier. Finger problems perhaps.
    Attempting to change it so I don’t have this hassle again.
    Yes it is the V2 model of the 1600

    Any hacks or updates available?

    1. Nothing new unfortunately. As it stands, it’s locked down to being an inflexible and insecure bit of equipment. Everyone’s pretty much buying 3rd party gear because any payoff unlocking this thing wouldn’t be worth the effort.

      1. One thing I can’t work out is, when I got the modem and connected it to my computer, leaving the NBN part disconnected, it didn’t show my username and password, instead in it’s place was the username tpg_acs@tpg_acs
        Then when it was connected I refreshed the page, clicked on network-Ewan, myactual username is displayed.
        So is there any way to get into the router and see the actual username before you connect it to the NBN? IE, when first taken out of the box, or after a factory reset?
        I thought that the username and password were contained in the NBN box in the house, but it’s obviously not, because I tried hooking up another TPLink modem and a different username and password came up, so my question is where in the router are the credentials stored? which settings are changed by the provisioning team before the router is sent out to you?

        1. got the answer from a very friendly and helpful internode techie (kudos to you, buddy) the router sends its mac address (not the MAC address of your network card) to the ACS server, then the user configuration for that MAC address is sent back to the router.

  12. I am working from home and I had to buy a TP-Link router from a 3rd party vendor because my tpg huawei hg659 router is dying and I have tried for 3 days to chat/call TPG support team but they are too busy (due to the COVID-19 virus) and I could not get through. The router is: https://www.tp-link.com/au/home-networking/dsl-modem-router/archer-vr600v/
    I was able to configure the internet on it but unable to get VOIP to work. I know that TPG have VIOP configuration locked down.
    I am connected using HFC NBN. Can someone help me please? or direct me to someone who can help (other than TPG)? Thanks

    1. I have internet + home phone package so I dont know if any of the settings would be of use to you. But logging in with su shows me the :
      Registar Address
      Auth ID & PW
      Registrar Port, SIP Proxy & port, outbound proxy and port.

      1. Hey mate, thanks a lot for this.

        Would you mind sharing details how you were able to extract this for future if TPG changes the password again?

        I have been trying to crack the password for some time now but no luck up till now haha

      2. Hi

        It appears that they have changed the su password again (0ct 2020). Any idea on how to find out the new one? Conversely, how does one get access to previous firmware versions?

          1. hi all,

            FYI – it’s 8/12/2020 and su has stopped working with Vexy and ygDT on this firmware.

            Firmware Version:0.1.0 0.9.1 v5006.0 Build 200810 Rel.53181n Hardware Version:Archer VR1600v v2

  13. I was able to get into telnet on port 2323 with the telnet username and password above but it is a locked down CLI config tool that doesnt allow user or password changes. 😦

Leave a Reply to Dan Cancel reply

Your email address will not be published. Required fields are marked *