I tried to download this version of the firmware from the git repository but did not succeed. I got a file of 24kB. (I have an old firmware version nr. 19, maybe because I asked for the old software after problems with the IPv6 move.) But anyway I don't have IDA; I suppose you can use that at work. I did notice however that the file you mentioned contained the string "password" many times and your com8... password string. Quite nice that you apparently found the exact place where the entered password was compared to the given string.
Strange that the manufacturer just compared plaintext strings. I think I would have used a password file (with encrypted passwords) and built that into a rootfs. That's how I have seen it in a Logitech webcam. But you can modify this password file and insert your own encrypted password or leave it empty.
If you are in with your password (connect while booting) you can start the command line interface: cli.
All kinds of things are settable, also the ssh and telnet server.
Choose the RG menu and look around a bit. There I also found the command admpass. It showed me another password: Egj1nP .
After I enabled ssh and telnet the ports were still not available.
Then I looked at iptables. I am no iptables expert but it was easy to find where the ports 22 and 23 were closed.
Normally the following ports are in use:
80/tcp open http
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
1900/tcp closed upnp
5000/tcp closed upnp
9100/tcp closed jetdirect
When I enabled UPnP via the web interface, port 5000 went open. Apparently miniupnpd uses 1900 and 5000 (1900 for streaming and 5000 for port forwarding?).
iptables -L gives you the whole table (a bit too big for here).
I did:
# iptables -L MANAGEMENT_ACL 3
DROP tcp -- anywhere anywhere tcp dpt:ssh
# iptables -R MANAGEMENT_ACL 3 -p tcp --dport 22 -j ACCEPT
And also (if you wish) for port 23. After that ports 22 and 23 are open.
I think I started utelnetd after that. Maybe telnetd and dropbear were already running when I enabled them in the cli program.
Now I could quit my boot ssh session and connect anytime.
The password file in /var/tmp contains this:
app:***:0:0:Default Admin:/:/bin/sh
msoadmin:***:0:100:System admin:/:/usr/sbin/login_cli.sh
admin:***:0:101:Customer admin:/:/usr/sbin/login_cli.sh
nobody:***:0:1001:Customer admin:/:/usr/sbin/login_cli.sh
The "***" I entered myself.
I think this file is tarred into /var.tar and committed to nvram. I don't know if this happens automatically or only when you change something in the web interface. Other routers explicitly ask for a save action.
I am still careful not to reboot the router because I am busy with openvpn, for which I would like to add a route to my vpn server. This vpn thing is now more or less working: I can reach all systems (in one network) from all systems (in another network). However there are some systems I cannot reach and I cannot find the reason (but that is for another forum, I suppose).
Errata: I had to reboot the Hitron and unfortunately the things I changed were gone.
Also I am not able to ssh into the Hitron; apparently I did more than I remembered above. Still trying...
Errata: a second iptables entry was necessary:
iptables -I LOCAL_MANAGEMENT_CONTROL 1 -p tcp --dport 22 -j ACCEPT
Errata: my assumption about /var.tar was incorrect. I untarred this file and the password file contained a root entry, while later there is no root at all in the passwd file. So maybe this is a boot-only "part of the filesystem" file?
So the important question is: how do you prevent an update or remote management? And how can you make changes in RG settings permanent (boot-resistant)?
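As an added example (not part of this post or of the Hitron firmware), here is a small Python audit for a passwd listing like the one above: it flags multiple UID-0 accounts, empty password fields, and conventionally unprivileged names mapped to UID 0. The sample lines are constructed from the listing in the post, with the poster's "***" redaction kept as-is.

```python
from dataclasses import dataclass

# Constructed sample mirroring the /var/tmp listing in the post
# (the "***" password fields are the poster's redaction, kept as-is).
SAMPLE_PASSWD = """\
app:***:0:0:Default Admin:/:/bin/sh
msoadmin:***:0:100:System admin:/:/usr/sbin/login_cli.sh
admin:***:0:101:Customer admin:/:/usr/sbin/login_cli.sh
nobody:***:0:1001:Customer admin:/:/usr/sbin/login_cli.sh
"""

UNPRIVILEGED_NAMES = {"nobody", "daemon", "www-data"}  # conventionally non-root

@dataclass
class PasswdEntry:
    name: str
    password: str   # hash, "x" (shadowed), "" (no password) or a lock marker
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text):
    """Parse passwd(5) lines; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def audit_passwd(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_passwd(text)
    findings = []
    root_names = [e.name for e in entries if e.uid == 0]
    if len(root_names) > 1:
        findings.append("multiple UID-0 accounts: " + ", ".join(root_names))
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field, login needs no password")
        if e.name in UNPRIVILEGED_NAMES and e.uid == 0:
            findings.append(f"{e.name}: conventionally unprivileged name mapped to UID 0")
    return findings
```

Run against the sample it reports that all four accounts share UID 0 and that "nobody" is a root-equivalent account, which is the kind of thing to check in a firmware image before trusting its separation between the system and customer admin logins.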