I stumbled upon this link today http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/
This is a vulnerability in TP-Link routers (which use Zyxel firmware): anyone can access the configuration backup page without any authentication and download the configuration file (file name "rom-0"). Moreover, the configuration file, somehow, contains the clear-text username and password.
However, the website the author mentioned as being able to decrypt the "rom-0" data is on an external server and doesn't even have a domain name. To be honest, I don't really trust a website like that.
I started looking for a way to decrypt the file "rom-0" using some keywords he mentioned in the paper, like "lzs", "zynos", "devttys0.com", ...
I found many links pointing to a website at http://everlost.nl/kender/zyxel/source.zip, which should contain the source code for decrypting the rom-0 file. Unfortunately, it was down, and I can't even confirm that everlost.nl still exists.
On further investigation, I found that the previous website was owned by a person named Kender Arg. I then found his related work on hacking Zyxel gateways at http://www.gnucitizen.org/static/blog/2008/04/hacking_zyxel_gateways_part_2.pdf
and an article about decrypting the rom-0 file (which is what I want) was mirrored at this website
It describes how he was able to understand the "rom-0" file and how he decrypts it. The article also has a link to the source code for decrypting the file, but it links to everlost.nl again, which no longer exists.
Since the existing implementation doesn't work, the other way is to track back to the source of the encryption algorithm, as in this paper: http://masters.donntu.edu.ua/2003/fvti/boykov/library/lzs.pdf.
Luckily, I found another implementation of an LZS decrypter online, so I don't have to read the paper and implement it myself. It's a project called "Zyxel-revert", which is hosted at http://git.kopf-tisch.de/?p=zyxel-revert;a=summary
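For anyone who wants to see what the LZS step actually does, here is a small Stac LZS decompressor in Python. It is an added example, not code from zyxel-revert or from the author above; it assumes the rom-0 data uses the literal/offset/length bit coding described in RFC 1974 (the same LZS scheme the paper covers), and the sample stream at the bottom is constructed by hand.

```python
# Stac LZS decompressor following the bit encoding in RFC 1974 (PPP Stac LZS).
# Added example, not the zyxel-revert code; it assumes rom-0 data uses the same
# literal / offset / length coding as that RFC.

class LZSError(ValueError):
    """Raised for a truncated or malformed LZS stream."""

class _BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos, self.nbits = data, 0, len(data) * 8

    def read(self, n: int) -> int:
        """Return the next n bits, MSB first, as an integer."""
        if self.pos + n > self.nbits:
            raise LZSError("stream truncated at bit %d" % self.pos)
        value = 0
        for _ in range(n):
            bit = (self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1
            value, self.pos = (value << 1) | bit, self.pos + 1
        return value

def lzs_decompress(data: bytes) -> bytes:
    bits, out = _BitReader(data), bytearray()
    while True:
        if bits.read(1) == 0:                 # literal: 0 + 8 raw bits
            out.append(bits.read(8))
            continue
        short = bits.read(1)                  # 1 = 7-bit offset, 0 = 11-bit
        offset = bits.read(7) if short else bits.read(11)
        if short and offset == 0:             # end marker "110000000"
            return bytes(out)
        if offset == 0 or offset > len(out):
            raise LZSError("bad back-reference offset %d" % offset)
        length = bits.read(2)                 # 00=2 01=3 10=4, 11 = longer code
        if length < 3:
            length += 2
        else:
            length = bits.read(2)             # 1100=5 1101=6 1110=7, 1111 = nibbles
            if length < 3:
                length += 5
            else:
                length, nib = 8, 15
                while nib == 15:              # each further 1111 nibble adds 15
                    nib = bits.read(4)
                    length += nib
        for _ in range(length):               # overlapping copy, byte by byte
            out.append(out[-offset])

# Constructed sample: literals 'A','B', a 4-byte copy from 2 back, end marker.
SAMPLE = bytes([0x20, 0x90, 0xB0, 0x56, 0x00])   # decodes to b"ABABAB"
```

A truncated or corrupt stream raises LZSError instead of silently returning partial output, which is the case you hit when a tool "just crashes" on an unexpected rom-0.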
All I need to do is grab the latest snapshot, compile it, and run it.
Here is the result:
That's what I needed.
I also found that the owner of the page www has written a program to automate this, with a GUI and source code, called "Huawei-rom-0.exe" (http://www.hakim.ws/huawei/rom-0/).
It works with the sample inside the zip file, but it doesn't work for the rom-0 file I have.
One of my search results links to a file named "ZyXEL-Firmware.exe" (http://linkz.ge/file/342474/ZyXEL-Firmware.exe.html) which does the same things (decrypts the .lzs file and finds strings in spt.dat). I tried it with my rom-0 and it crashed. I guess it uses the same engine as the previous program.
One last thing: I found that this is not a new vulnerability. According to this http://www.hakim.ws/huawei/rom-0/kender.html, Kender published this back in 2008.
I also found that the website/tool http://www.routerpwn.com, which was published in 2011 (according to this http://www.hakim.ws/2011/07/routerpwn-un-framework-de-exploitacion-de-routers/), has included this vulnerability.
Sleepya has analyzed the result and found the specific location of the router password inside the decompressed file. It starts at offset 0x14 (20 in decimal). Therefore, we can use tools like dd, hexdump or tail to skip the first 20 bytes and get the password, which is the first string ending with \0.