Been toying with the entire product line (ER605, ER7206 and ER8411). The root password is generated within init script /etc/init.d/dropbear and is based on the unit's MAC address and the chosen webgui password. It's possible to break root on stock firmware as follows without needing to lift the lid:
- Do the initial config through the web interface - create a username/password and log in - suggest to use admin for username to keep things simple.
- Enable "Remote assistance" in the System Tools -> Diagnostics -> Remote Assistance menu. This opens up SSH access on the local LAN within iptables.
- Generate the root password as follows, using the MAC printed on the bottom of the unit:
echo -n "AA:BB:CC:DD:EE:FFusername" | md5sum | cut -b 1-16
e.g. for MAC address A1:B2:C3:D4:E5:F6 and webgui username admin:
echo -n "A1:B2:C3:D4:E5:F6admin" | md5sum | cut -b 1-16
The resulting 16-character string is the root password to use via SSH.