I don't have NR7101, I have NR5101 (sadly not supported) with S22 serial and I was able to obtain the root/supervisor password using this method. Might or might not work on NR7101
Passwords (encrypted) are stored in
zcfg_config.json file. I didn't have access to this file but I was able to get it using the following procedure. You can connect to FTP using admin user and password and see if the file is already there, if it is skip to decrypt password part.
When you setup a custom Dynamic DNS entry, there is a cron entry created in /var/spool/cron/ddns/root which looks something like this
0 0 * * * /usr/sbin/ez-ipupdate -S userdefined -U URL_UPDATE -h HOST_NAME -u USERNAME:PASSWORD -i wwan0 -t 10
This runs as root user and looks like "URL Update" field is not escaped in any way so we can run any command there
Go to Network Settings -> DNS -> Dynamic DNS
Create a new "DNS user defined" entry and enable it.
Enter something like this in URL Update field:
; cp /data/zcfg_config.json /home/admin/config.json ;
Enter whatever you want in other fields, it doesn't matter. Since this runs every day at midnight we just have to wait a bit. You can change the timezone to something closest to midnight to wait a little bit less.
After midnight, connect to FTP and look for file named config.json. In this file you'll find something like this (just an example, this password is not real):
Go back to DDNS entry you just created and copy/paste the password value into the Password field there. If there are any JSON escaped characters you need to unescape them (remove backslashes). In the above example the text to copy would be
Click Apply and then click the eye icon next to the password field to see your root/supervisor password. After you're done, clear the fields, disable DDNS and reboot your router to remove the generated cron entry.