If you can save the router's configuration in a file, it may be possible to deduce the password from there. It sounds as if you've already done this and come up against an MD5 encrypted password. MD5 can be brute forced, especially if poorly salted, though this is not easy.

I'd file this in the 'too much trouble' bin, especially as this is not a function the ISP supports on this router. The ISP appears to reserve remote access for their own use and could push out another firmware update that changes the password or removes all http remote access, leaving only TR-069 or similar.

As others have said, I'd go with some way of establishing a VPN connection and accessing the router from the LAN. The other alternative, if it is within the ISP terms and conditions, is to replace the router with a privately purchased router that has the necessary functions.

In reply to a post by David_W:

if it is within the ISP terms and conditions, is to replace the router with a privately purchased router that has the necessary functions.

You may use any suitable router on Orange; just have the BrightBox available in case Supports wants it for diagnostics.

Think only Sky prohibits other routers, but some have bypassed that

In reply to a post by XRaySpeX:

You may use any suitable router on Orange; just have the BrightBox available in case Supports wants it for diagnostics.

In that case, if I was the original poster, I'd install my own router with remote management and VPN capabilities, so that I could connect to the local network remotely to provide support. The BrightBox can go in the drawer in case it is needed, and as an emergency replacement for a broken router.

I found the 32 hex hash and converted to #AK1234. That was actually in the global.js code anyway. Although I have tried it, it doesn't work. It does something strange with a "urn" number on the address bar. Every time you log into the router a random number is generated and added to the end of the url. I think it uses this number combined with the #AK1234. When you click "Go" a file called hiddenPage.exe runs from the router, but just redirects back to the password page. So annoying, I know it's trivial but I like the router a lot, apart from the lack of the feature that is being blocked.

Grrrrrrrr

The latest list of hidden pages on the latest EE Firmware are as follows
(PP) = Password Protected (See Here).

Factory Defaults
http://192.168.1.1/u132xzp32aai.htm

ADSL / Ethernet (PP)
http://192.168.1.1/wa223acc15ld.htm

Parameters (PP)
http://192.168.1.1/xc324m12sdlo.htm

TR69 module (PP)
http://192.168.1.1/yds32u872vld.htm

Remote Management (PP)
http://192.168.1.1/z983erv3210ba.htm

The new page at wa223acc15ld.htm seems to duplicate other settings page so I am not sure why it exists.

Clickable:

In reply to a post by Mike_Williams:

Factory Defaults
http://192.168.1.1/u132xzp32aai.htm

ADSL / Ethernet (PP)
http://192.168.1.1/wa223acc15ld.htm

Parameters (PP)
http://192.168.1.1/xc324m12sdlo.htm

TR69 module (PP)
http://192.168.1.1/yds32u872vld.htm

Remote Management (PP)
http://192.168.1.1/z983erv3210ba.htm

The new page at wa223acc15ld.htm seems to duplicate other settings page so I am not sure why it exists.

In reply to a post by Mike_Williams:

The new page at wa223acc15ld.htm seems to duplicate other settings page so I am not sure why it exists.

Ditto the one at xc324m12sdlo.htm, which duplicates standard GUI's Broadband Settings / ADSL Mode.