TP-Link have a special product range of routers designed for ISP-managed fleets, typically provided as the ISP-supplied router. This includes models like EX230v, VS230v, and EX530v, there may be more too.
It supports remote provisioning/configuring via a protocol called TR-069. The jist of it is, your ISP will host a server, and your router "phones home" to get the latest config.
Usually the Access Control Server (ACS) is baked into the router's firmware, so even a pinhole reset of your router won't give you freedom from their control.
The EX530v has two admin pages. The "admin" page is accessed via $ROUTER_IP, and the "superadmin" page is accessed via $ROUTER_IP/superadmin.
The settings menus available to the "admin" user are configurable by your ISP. As you can imagine, many ISPs restrict the "admin" user's privileges, and lock users out of the "superadmin" page, mostly for their own convenience. For example, my ISP did not expose port forwarding settings.
I expect if you're reading this, you're technical enough to know how to use these poweruser features. You'll know how to do a factory reset if you mess up. You're not who your ISP is worried about.
- If you have access to the admin page, but not the superadmin page, this guide is for you!
- If you have access to the superadmin page, you don't need this guide. (If you want to disable the Access Control Server, skip to I just want to disable my ISP's ACS)
- If you don't have access to the admin or superadmin pages, perhaps try a pinhole factory reset. This should gain you access to the regular admin page.
- If you're trying to get SSH or root terminal access, this guide isn't for you.
The objective of this "jailbreak" is to setup our own locally hosted ACS called GenieACS. We'll use inspect element magic to open the hidden ACS admin page. We'll use GenieACS to provision a new superadmin page password, which will get us the access we want. Once that's done, you can shut down that ACS, you don't need to keep it around.
- GenieACS
- Node.js: 12.3+
- MongoDB: 3.6+
First we'll deploy GenieACS to a device on the router's LAN, I ran it on my laptop that's connected to the router's WiFi.
- Install NodeJS. Currently GenieACS supports 12.3+.
- Start a MongoDB database. Let's just spin up a temporary mongo via docker:
docker run -d -p 27017:27017 --name=mongo-genieacs mongo:8.0 - Open the GenieACS repo's releases here and download the latest
.tgzrelease and extract this to a useful location - Open two terminal windows in the location you extracted GenieACS to. Run the GenieACS CWMP server and Web management UI:
./bin/genieacs-cwmp./bin/genieacs-ui --ui-jwt-secret secret
- Observe the startup logs to ensure there are no errors.
- Open the GenieACS UI via 127.0.0.1:3000 and hit
ABRACADABRA!, thenOpen Sesame!. Login with the default credentials,admin:admin.
- Open the admin page at
$ROUTER_IPand login. - Open inspect element in your browser and open the console. Enter this:
$.loadMain("/cwmp.htm");. This will open the hidden CWMP Settings page. ⚠️ Take a screenshot of all the options here before changing anything, including un-hiding the password fields, you may need to restore these settings back to how they were before!⚠️ - Set the relevant config
- Ensure
CWMPandInformare on - For DataType, uncheck
TR181and checkTR098 - Set
Inform Intervalto something fairly low, like 30 - Set
ACS URLto$SERVER_IP:7547, replacing$SERVER_IPwith the local IP of the device you are hosting the GenieACS server on. - Empty
ACS UsernameandACS Password - Set
Interface used by TR-069 clienttoLAN - Uncheck
Connection Request Authentication - Uncheck
Simple Traversal of UDP over NATs
- Ensure
Your router should be setup to use your GenieACS server.
At this point, click the Devices tab of the GenieACS admin UI. You should see your router. If it is not there, ensure your GenieACS server is accessible and try rebooting the router.
While trying to figure this all out, I frequently found that my router simply stopped making ACS requests sometimes, maybe it's a router bug.
-
Click
Showon your router. -
You should see the
Last informdate being somewhat recent, the device should showOnline now. If you clickSummonand thenCommit, you should see a green result rather than a red one.If it goes red, this probably means the router has registered to the ACS server, but the ACS server can't reach the router. Double check the CWMP Setting
Set Interface used by TR-069 clientis toLAN. -
Under the
All parameterspage, scroll down to find these parameters:InternetGatewayDevice.User.1 InternetGatewayDevice.User.2 -
At the right-side, you should see a 🔄 refresh button. Click this for both
InternetGatewayDevice.User.1andInternetGatewayDevice.User.2, then pressCommitat the top of the page. -
This will load several more parameters:
InternetGatewayDevice.User.1 InternetGatewayDevice.User.1.Enable true InternetGatewayDevice.User.1.Password InternetGatewayDevice.User.1.RemoteAccessCapable true InternetGatewayDevice.User.1.Username admin InternetGatewayDevice.User.2 InternetGatewayDevice.User.2.Enable true InternetGatewayDevice.User.2.Password InternetGatewayDevice.User.2.RemoteAccessCapable true InternetGatewayDevice.User.2.Username user -
The user with
Username adminis the "superadmin" user. The user withUsername useris the "admin" user. -
Click the edit ✏️ symbol on the
Passwordfield for the superadmin user (called Usernameadmin). For me this was theInternetGatewayDevice.User.1.Passwordparameter. -
Enter the password you want for the superadmin page. This must be at least six characters long, including two different types of characters (letters, numbers, or special characters). Press
Queueand thenCommit. -
Try logging into the
$ROUTER_IP/superadminpage, it should work now! (You may need to log out of the regular admin page first.)
-
Stop the GenieACS CWMP server and web management UI.
-
Shut down the local MongoDB server:
docker stop mongo-genieacs docker remove mongo-genieacs -
(OPTIONAL) Manually check for firmware updates on the superadmin page. It's quite likely your router has a firmware update that your ISP has not bothered to provide you.
-
Return to your router's CWMP Settings page. At this point you have two options:
- Turn off the
CWMPandInformsettings and leave your router "unmanaged". - Restore the ISP-supplied settings you previously took a screenshot of. It's quite likely you might not want to do this step. It's possible that the ISP's ACS server will restore the superadmin password back to something unknown and lock you out again. Additionally, it is possible for them to remotely do some pretty scary stuff from their ACS server, so you might prefer not having an ISP backdoor!
- Turn off the
If you already have superuser access and simply want to disable your ISP's ACS, this is super easy. Simply open the $ROUTER_IP/superuser page, click Advanced > System Tools > CWMP Settings and turn off CWMP and Inform at the top of the page.
Hello, thank you very much for the guide. Do you know where I can download the firmware file for the ex530v router? My IPS has blocked the Aginet application, and I am unable to use the application. Unfortunately, I have to manually find and update the firmware file.