Grabbed the config.bin off my ISP-provided ZTE F670L, decrypted it in about 5 minutes. The "encryption" key is just the serial number base concatenated with the byte-reversed MAC address... both printed on the sticker.
Inside: GPON credentials, TR-069 ACS config, VoIP SIP keys, and a hidden super admin account with full privileges. The password was in HaveIBeenPwned.
Used zte-config-utility. Steps are in the gist.
up-n-atom 1 days ago [-]
it’s a commonality. we discover the same over and over on the 8311 discord at pon.wiki. often the result of disclosure is a firmware update that removes the ability to create a configuration backup and restore.
Rendered at 09:46:38 GMT+0000 (UTC) with Wasmer Edge.
Inside: GPON credentials, TR-069 ACS config, VoIP SIP keys, and a hidden super admin account with full privileges. The password was in HaveIBeenPwned.
Used zte-config-utility. Steps are in the gist.