Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2 3 ... 5

Author Topic: VMG8924-B10A unbranded supervisor password  (Read 4035 times)

manny2003

  • Member
  • **
  • Posts: 37
VMG8924-B10A unbranded supervisor password
« on: January 12, 2017, 10:03:14 AM »

Sorry guys, is there a way to get the supervisor password of a VMG8924-B10A unbranded router?
I would like to be able to login with supervisor but the password is unknown. I think it is an auto generated password maybe on mac or serial... at Zyxel they should have a keygen for this I suppose to recover the password for each unit.

I do not like the idea that I totally own a router that have a supervisor user with a password that I do not know and that someone else do and that I cannot even change.  :no:

Many thanks!
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 38388
  • Penguins CAN fly
    • DSLstats
Re: VMG8924-B10A unbranded supervisor password
« Reply #1 on: January 12, 2017, 10:47:38 AM »

If it's unbranded, you should be able to reset it to the factory defaults - login name = admin, password = 1234. With the device switched on and fully booted, press the reset button at the back and hold it down for 10 seconds or until the PWR/SYS LED starts blinking. Leave it to reboot, then log in again using the default credentials.
Logged
  Eric

rhohne

  • Member
  • **
  • Posts: 71
Re: VMG8924-B10A unbranded supervisor password
« Reply #2 on: January 12, 2017, 11:27:05 AM »

Default username/password combinations are
    admin/1234
    zyuser/1234
    supervisor/zyad1234
Logged

tubaman

  • Member
  • **
  • Posts: 85
Re: VMG8924-B10A unbranded supervisor password
« Reply #3 on: January 12, 2017, 12:44:11 PM »

I'd like to know this too as I have an ex John Lewis 8924 that I don't know the Supervisor password for.
I've unbranded it as much as I can (cleared ROMD) but still have missing features.
The Supervisor user exists as it tells me so if I try to create a new user with that name.
 
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 38388
  • Penguins CAN fly
    • DSLstats
Re: VMG8924-B10A unbranded supervisor password
« Reply #4 on: January 12, 2017, 01:18:28 PM »

The admin login is all you need. If you can log in with this you should be able to load one of the standard firmware versions and reset it to the defaults.

Logged
  Eric

tubaman

  • Member
  • **
  • Posts: 85
Re: VMG8924-B10A unbranded supervisor password
« Reply #5 on: January 12, 2017, 01:23:47 PM »

Thanks Roseway but unfortunately that hasn't worked for me.
I have cleared the ROMD (which got rid of the John Lewis default account settings), reloaded V15 firmware from the Zyxel site and then pin-hole reset.
I still can't login as Supervisor and still have options missing (no VOIP or TR064/069 menus to name two).
 :(
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924

manny2003

  • Member
  • **
  • Posts: 37
Re: VMG8924-B10A unbranded supervisor password
« Reply #6 on: January 12, 2017, 02:22:56 PM »

If it's unbranded, you should be able to reset it to the factory defaults - login name = admin, password = 1234. With the device switched on and fully booted, press the reset button at the back and hold it down for 10 seconds or until the PWR/SYS LED starts blinking. Leave it to reboot, then log in again using the default credentials.

Thank you roseway, but unfortunately there is a difference between the 2 users. supervisor is a sort of root user in the system. It can access through the GUI a screen where it can enable or disabled the access to the various menu items of the GUI, also for admin users. Some menu are hidden by default to the admin too.
Furthermore the supervisor user has a longer list of CLI command and can enter in shell mode with the command "sh" without session timeout. It is the user that run all the processes on the router and that has access to all the system resources as a root user.
It is used in case the router it is property of the ISP to let them have a super-admin role.

Default username/password combinations are
    admin/1234
    zyuser/1234
    supervisor/zyad1234

Thank you rhohne, you are right! I always used the zyad1234 initially but then at a certain point in the firmware releases cycle they changed this. They did it because people was complaining about the fact that superuser existence is not declared on the manual and in any case the password is not officially distributed. This way the admin tends to ignore its existence and to leave open a possible security breach. In order to keep this user as a Zyxel or ISP privilege they keep it hidden but from a certain version of the firmware the password is now generated through a kind of algorithm that Zyxel can use to find the password of a certain unit (I think based on the serial number).
In fact I was no more able to login with supervisor for the last year after firmware updates.
The superuser password is not restored after a factory reset (it should be stored elsewhere than the standard config and admin user password). This is what I have experienced personally and I have asked many times the Zyxel support regarding this credentials. I asked if it was possible to have them since I am the owner of my unbranded router, but they replied this was not possible due to internal policy. I did not see the point since if the password is unique per unit there would no security issue in giving me my router password. I asked then if they could at least assure me that the password was at least effectively unique and they told me that it is set by the ISP or if unbranded random generated, so yes.
I gave up and stop to use the supervisor user, but I have now received a new unit and wanted to run some CLI command I cannot use with simple admin and for this reason I was asking here if someone knows something about the supervisor password.

In a incredibly stupid way, I did not test the good old zyad1234 on this new router... and I should have do it because... IT WORKS!
So... do not know what to think about the Zyxel support's version about the random generated password and the security reason to have it random, do not know why the first router has lost the default superuser password that I was not able to reset neither with the factory rear button procedure... but at least on this new unit I can access as supervisor. Shame on me for not having tried this default password before on the new router!  :blush:


« Last Edit: January 12, 2017, 03:37:04 PM by manny2003 »
Logged

manny2003

  • Member
  • **
  • Posts: 37
Re: VMG8924-B10A unbranded supervisor password
« Reply #7 on: January 12, 2017, 02:39:48 PM »

Thanks Roseway but unfortunately that hasn't worked for me.
I have cleared the ROMD (which got rid of the John Lewis default account settings), reloaded V15 firmware from the Zyxel site and then pin-hole reset.
I still can't login as Supervisor and still have options missing (no VOIP or TR064/069 menus to name two).
 :(

As I said in previous post the credential for superuser do not seems to be reset via the factory reset procedure.
You can try to hack the config file in order to enable some menu items you do not actually see.
Save you config via the backup procedure in the GUI of your router then open the .conf file and search the string "<Name>Administrator</Name>". You should see immediately over a <Privilege> key in xml format. I copy paste mine, where all the menu items should be enabled. Try to replace yours with mine, I did this way in order to enabled some features that was disabled since I lost my superuser access on an old router and it worked.

<Privilege>broadband,wireless,homeNetworking,routing,qos,nat,dns,igmpSetting,vlangroup,intfGrp,usbService,powerManagement,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,pptpVPN,sip,phone,callRule,callHistory,lineTest,log,trafficStatus,voipStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,3gStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,snmp,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,wizard</Privilege>

I do not see any danger in trying this, configuration can always be reset via the factory restore, but please do it on your own responsibility  :-[
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 2523
Re: VMG8924-B10A unbranded supervisor password
« Reply #8 on: January 12, 2017, 03:20:26 PM »

I've just tried this supervisor on my 8924 and it works. One difference is that with the supervisor under Maintenance/System there is a romd option screen where you can clear and save configuration to romd. Also as has been said the available screens can be set via an option on the initial screen called Login Privilege and there is indeed very little that the admin user does not have, romd being one and that cannot be added. Next I'll see what happens on my F1000/8324 and see if it works.

Stuart
« Last Edit: January 12, 2017, 03:29:49 PM by broadstairs »
Logged
ISP:TalkTalk Connection:FTTC Cab:ECI Router:ZyXEL VMG8924-B10A

broadstairs

  • Kitizen
  • ****
  • Posts: 2523
Re: VMG8924-B10A unbranded supervisor password
« Reply #9 on: January 12, 2017, 03:31:26 PM »

Just tested the F1000 which is running V15 f/w and the supervisor p/w works OK. The romd option is not there on the 8324 with supervisor login but everything else is and login privilege works as well for setting admin and user screens.

Stuart
Logged
ISP:TalkTalk Connection:FTTC Cab:ECI Router:ZyXEL VMG8924-B10A

broadstairs

  • Kitizen
  • ****
  • Posts: 2523
Re: VMG8924-B10A unbranded supervisor password
« Reply #10 on: January 12, 2017, 03:47:45 PM »

Interestingly I just tried clearing the romd from telnet and then did a restoredefault and now I am unable to login with the supervisor and zyad1234, it says either username or password is invalid. admin still works and prompts for p/w change from the default of 1234 but no supervisor access. This is an ex EIRCOM F1000.

Not too bothered as I only keep it as a backup but would be good to get supervisor login working again.

Stuart
Logged
ISP:TalkTalk Connection:FTTC Cab:ECI Router:ZyXEL VMG8924-B10A

tubaman

  • Member
  • **
  • Posts: 85
Re: VMG8924-B10A unbranded supervisor password
« Reply #11 on: January 12, 2017, 04:16:45 PM »

manny2003,

Thanks - I'll give that a go when I have a few minutes spare - it should be safe enough and it wouldn't be the end of the world if I bricked it.

broadstairs,

That's very interesting and suggests that the Supervisor credentials are held in romd.
Do you have a saved config file that you can reload as it'd be good to see if that restores access.
 :)
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924

manny2003

  • Member
  • **
  • Posts: 37
Re: VMG8924-B10A unbranded supervisor password
« Reply #12 on: January 12, 2017, 04:27:46 PM »

As far as I know regarding the supervisor password it is not in fact, as I have previously stated, into the .conf file we can backup. It is just a supposition, but it seems like the zyad1234 is working on my new router because it comes with an older firmware release (before the pwd was changed to something unique per unit) and I have not made any factory reset after the firmware update.

On my older router this was the case and I was locked out from the supervisor account. It seems like there is a procedure that generate and change the supervisor password if you make a factory reset on a more recent firmware, but that this procedure is not run if you just update the firmware.
In any case I do not like this fact. I am the owner of my router and I am locked out, but instead people at Zyxel or whoever could understand how to recover this password can access to my router because there is a secret supervisor user with a password I cannot change.  :(
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 2523
Re: VMG8924-B10A unbranded supervisor password
« Reply #13 on: January 12, 2017, 04:38:48 PM »

This is only an issue if the access is available from the WAN, however we dont know if there is a back door which they can use. However there are no open ports on my 8924. Interestingly my 8924 is an original Zyxel ie. not ISP provided and has been reset a number of times although not since I installed V15 f/w on it.

The F1000 is obviously ISP originally supplied. Since it is only a backup I can play with it to see if I can guess the password. I did try the serial number but it's not that.

On the basis the password is on a per unit basis then ZyXEL are only likely to be able to access it if they have the physical device unless it is related to the serial number which is the only thing they would have knowledge of.

Stuart
Logged
ISP:TalkTalk Connection:FTTC Cab:ECI Router:ZyXEL VMG8924-B10A

manny2003

  • Member
  • **
  • Posts: 37
Re: VMG8924-B10A unbranded supervisor password
« Reply #14 on: January 12, 2017, 04:58:34 PM »

Yes broadstairs, it is only an issue if you have WAN remote access enabled, and this is the reply the Zyxel gave me, but what if you need to have it enabled? I would like to have the possibility to remotely connect to my router and be confident at the same time that I am the only person who can access the router. I do not suspect about any interest from the Zyxel support to access someone's else router for fun, but from a security point of view (and imagine on an enterprise perspective) this is not really acceptable.

zyad1234 that I am not aware of and that I cannot even imagine I have to change is a security flaw.
On the other hand a random generated password that only Zyxel know is better, but why should I accept that Zyxel can have access to my router without my permission?
They accessed my router for assistance reason once, and now knowing the serial and the IP they can log in whenever they want, without giving me the chance to lock them out in other way than by removing the remote access (that I would like to use for myself). Maybe this would not be a concern in the 99% of the cases, but I find this a little unfair as a security principle.

Regarding your unbranded router, I had my supervisor password lost after resetting to factory, but only when this was firstly done on a firmware version greater than 10 or 11 I think.
I suppose the serial is taken into consideration but only for generating a password from it. Only someone that had experience in reverse engineering the firmware could confirm how this is handled.
Logged
Pages: [1] 2 3 ... 5