question

I have compared the Remote Console source code between 2.66 and 2.85.

File `/var/www/venus/index.php`:

In 2.66, the salt for password hashing was derived as

$identifier = @file_get_contents('/data/venus/unique-id');

In 2.85:

// The salt is derived from the unique-id of the Venus device, since the unique-id,
// turned out to be not unique by mistake at times, it was replaced by something with
// was unique. As a consequence the salt changed and hence it is no longer possible
// to authenticate. So pass the salt, instead of the unique-id.
function getSalt() {
    $fh = fopen("/data/conf/vncpassword.txt", "r");
    if (!$fh)
        return "";
    $salt = fread($fh, 29);
    fclose($fh);

    // NOTE: be strict about the format, to prevent accidentally leaking secrets if
    // a different format is used e.g.
    if (!preg_match('/^\$2a\$08\$[A-Za-z0-9+\\.]{22}$/', $salt))
        return "";

    return $salt;
}

and then:

var salt = '<?= getSalt(); ?>';

The result in my web browser is empty string. Why? Where would the `/data/conf/vncpassword.txt` file come from? Upgrading firmware is not supposed to overwrite the `/data` directory, and I am not sure 2.66 maintained this file.

So, this is just mind-boggling. How is it even supposed to work?

UPDATE:

I have now resolved the issue by performing factory reset. The password has gone (like all the other settings I had).

Booooo to the developers who overlooked how old password/salt is to be carried over on firmware upgrades.