There is also a hidden way to enable SSH (even after EE disabled it), Alcatel or EE have developed a button trigger that will enable the dropbear service.
If you hold the WPS button for 15 seconds or more and then release it, this triggers the following code:
#!/bin/sh
logger the button was $BUTTON and the action was $ACTION the time is $SEEN
if [ "$BUTTON" = "wps" -a "$ACTION" = "released" -a "$SEEN" -ge 15 ];then
logger enable dropbear the time is $SEEN
uci set dropbear.@dropbear[0].enable='1'
/etc/init.d/dropbear start
fi
This is present in /etc/hotplug.d/button/buttons on the router filesystem.
Someone goofed on the uci set, because uci commit is never called, but it starts the dropbear service anyway, so SSH access restored! You can then setup pub key authentication and disable the password auth option so the SSH access is secure.
The original report picked up hard coded sshpass commands that pointed at the modem side of the router (192.168.225.1), that too also have the same root password, although changing that is probably a bit riskier, given the binary has hardcoded references to it. You can however secure the router SSH without breaking anything.
Although the router modem has always been able to be accessed via SSH (still is), but instead of using the 192.168.225.1 IP, you'd use the IPv4 address assigned as displayed in web interface, usually 19.x.x.x something.