Hunting for Zyxel rom-0 file decrypter

I stumbled upon this link today
It describes a vulnerability in TP-Link routers running Zyxel firmware: anyone can reach the configuration backup page without any authentication and download the configuration file (named "rom-0"). Moreover, once decoded, the configuration file contains the username and password in clear text.

However, the website the author points to for decrypting the "rom-0" data runs on an external server that doesn't even have a domain name. To be honest, I don't trust a site like that. Uploading a config file that holds the device's credentials to an anonymous host hands those credentials to whoever runs it.

I started looking for a way to decrypt the "rom-0" file using some of the keywords he mentioned in the paper, like "lzs", "zynos", "", ...

I found many links pointing to a website at , which should have contained the source code for decrypting the rom-0 file. Unfortunately, it was down, and I couldn't even find whether it still exists.

On further investigation, I found that the previous website was owned by a person named Kender Arg. I later found his related work on hacking Zyxel gateways at

and an article about decrypting the rom-0 file (the one I wanted) is mirrored at this website

It describes how he worked out the structure of the "rom-0" file and how he decrypts it. The article also links to the source code for decrypting the file, but the link again points to , which no longer exists.

Since the existing implementation is unavailable, the other option is to go back to the underlying algorithm (the "encryption" is really LZS compression), as described in this paper

Luckily, I found another LZS decompressor online, so I didn't have to read the paper and implement it myself. It's a project called "Zyxel-revert", hosted at ;a=summary

All I needed to do was grab the latest snapshot, compile it, and run it.

Here is the result:
At the end of the decompression the tool crashed, but the output is still readable and enough for me.

That's what I needed.

I also found that the owner of the page www has written a program to automate this, with a GUI and source code, called "Huawei-rom-0.exe" (
It works with the sample inside the zip file, but it doesn't work for the rom-0 file I have.

One of my search results links to a file named "ZyXEL-Firmware.exe" ( which does the same things (decompress the .lzs file and find strings in spt.dat). I tried it with my rom-0 and it crashed. I guess it uses the same engine as the previous program.

One last thing: this is not a new vulnerability. According to this, Kender published it back in 2008.
I also found that the website/tool named , published in 2011 (according to this ), has included this vulnerability.

Update 2013-01-20:
Sleepya has analyzed the result and found the exact location of the router password inside the decompressed file: it starts at offset 0x14 (20 in decimal). Therefore, tools like dd, hexdump or tail can skip the first 20 bytes and pick out the password, which is the first string ending in \0.
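As an added example (not code from this post, from Kender's article, or from the Zyxel-revert project), here is a small LZS decoder in Python together with the offset-0x14 rule from the update. The bit format is the standard LZS one (ANSI X3.241-1994, also described in RFC 1967): a 0 bit introduces a literal byte; a 1 bit introduces a back-reference with a 7-bit or 11-bit offset followed by a variable-length count; offset 0 in the 7-bit form marks the end of the stream. The sample input is a constructed blob, compressed by the block's own greedy encoder, not a real rom-0. Where the compressed data sits inside a real rom-0 (the container layout around spt.dat) is not described on this page and is not handled here, so feeding a raw rom-0 straight into `lzs_decompress` is an assumption you would have to check against your file. A stream that ends before the end marker returns the bytes recovered so far rather than raising, which is what you want when the tail of the file is damaged.

```python
WINDOW = 2047            # largest offset an 11-bit LZS back-reference can hold
PASSWORD_OFFSET = 0x14   # from the update: password starts 20 bytes into the decompressed data


class _BitReader:
    """MSB-first reader over the stream; raises EOFError when the data runs out."""

    def __init__(self, data):
        self.bits, self.pos = "".join(format(b, "08b") for b in data), 0

    def read(self, n):
        if self.pos + n > len(self.bits):
            raise EOFError
        self.pos += n
        return int(self.bits[self.pos - n:self.pos], 2)


def _read_length(r):
    # 00/01/10 -> 2/3/4; 1100/1101/1110 -> 5/6/7; 1111 then nibbles: 8, +15 per 1111, + last nibble
    code = r.read(2)
    if code < 3:
        return code + 2
    code = r.read(2)
    if code < 3:
        return code + 5
    length = 8
    while (nib := r.read(4)) == 15:
        length += 15
    return length + nib


def lzs_decompress(data):
    """Decode an LZS bit stream. A stream that ends before the end marker yields
    the bytes recovered so far instead of raising (damaged tail => partial output)."""
    r, out = _BitReader(data), bytearray()
    try:
        while True:
            if r.read(1) == 0:                  # 0 bbbbbbbb : literal byte
                out.append(r.read(8))
                continue
            if r.read(1) == 1:                  # 1 1 ooooooo : 7-bit offset
                off = r.read(7)
                if off == 0:                    # 1 1 0000000 : end marker
                    break
            else:                               # 1 0 ooooooooooo : 11-bit offset
                off = r.read(11)
            length = _read_length(r)
            if off > len(out):
                raise ValueError("back-reference points before the start of the output")
            for _ in range(length):             # byte-wise copy so overlapping runs work
                out.append(out[-off])
    except EOFError:
        pass
    return bytes(out)


def _length_bits(length):
    if length <= 4:
        return format(length - 2, "02b")
    if length <= 7:
        return "11" + format(length - 5, "02b")
    q, rem = divmod(length - 8, 15)
    return "1111" * (q + 1) + format(rem, "04b")


def lzs_compress(data):
    """Greedy LZ77 matcher emitting the LZS bit format; used here only to build test input."""
    bits, i = [], 0
    while i < len(data):
        best_len = best_off = 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            while i + k < len(data) and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_off = k, i - j
        if best_len >= 2:                       # shortest back-reference LZS can express
            off = "1" + format(best_off, "07b") if best_off < 128 else "0" + format(best_off, "011b")
            bits.append("1" + off + _length_bits(best_len))
            i += best_len
        else:
            bits.append("0" + format(data[i], "08b"))
            i += 1
    bits.append("110000000")                    # end marker
    s = "".join(bits)
    s += "0" * (-len(s) % 8)                    # pad to a byte boundary
    return bytes(int(s[k:k + 8], 2) for k in range(0, len(s), 8))


def extract_password(decompressed):
    """The dd/hexdump/tail step: skip PASSWORD_OFFSET bytes, take up to the first NUL."""
    end = decompressed.find(b"\0", PASSWORD_OFFSET)
    return decompressed[PASSWORD_OFFSET:end if end >= 0 else None].decode("ascii", "replace")


# Constructed sample (not a real rom-0): 20 filler bytes, the password, then repetitive config text.
SAMPLE_PLAIN = b"\0" * PASSWORD_OFFSET + b"admin1234\0" + b"sys view\nsys set\n" * 20
SAMPLE_ROM0 = lzs_compress(SAMPLE_PLAIN)

if __name__ == "__main__":
    plain = lzs_decompress(SAMPLE_ROM0)
    print(len(SAMPLE_ROM0), "->", len(plain), "bytes, password:", extract_password(plain))
```

Running the file prints the compressed and decompressed sizes and the recovered password. `extract_password` is the same operation as `dd if=decompressed.bin bs=1 skip=20` piped into something that stops at the first NUL byte; the decoder returning a partial result on a truncated stream is the behaviour to prefer over a crash, since the password sits near the start of the decompressed data anyway.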


  1. Same for me.
    The online tool to extract rom-0 is now out of service.

  2. It worked!!!!

  3. URL ""
    does not download.
    Help me.

  4. I can't run the makefile. It says [event.o] Error 1

  5. It says
    Index was out of range. Must be non-negative and less than the size of the collection.
    Parameter name: index

  6. I have a copy of that source file that was previously on , if you want.
