I was working on this exact project, bur ran out of knowledge. I want to reverse engineer the default password generator. For the Zyxel EMG2926 typically used by videotron in quebec. I want a simple keygen that you feed it's WAN's Mac address and it prints the default password. I have a bunch of zyxel router default ssid/password/wan mac datas if it can help anyone. I ended up bricking a router trying to extract it's firmware. Got stuck there in my project and was hoping this forum thread would get revived.