alt.hn

4/17/2026 at 12:05:24 PM

Decrypting my ISP's ZTE F670L router config in 5 minutes

https://gist.github.com/notvcto/feb25027bdcbd3dba0ee5e572d8b5303

by notvcto

4/17/2026 at 12:05:24 PM

Grabbed the config.bin off my ISP-provided ZTE F670L, decrypted it in about 5 minutes. The "encryption" key is just the serial number base concatenated with the byte-reversed MAC address... both printed on the sticker.

Inside: GPON credentials, TR-069 ACS config, VoIP SIP keys, and a hidden super admin account with full privileges. The password was in HaveIBeenPwned.

Used zte-config-utility. Steps are in the gist.

by notvcto

4/18/2026 at 1:30:13 AM

it’s a commonality. we discover the same over and over on the 8311 discord at pon.wiki. often the result of disclosure is a firmware update that removes the ability to create a configuration backup and restore.

by up-n-atom