Orbi LBR20 How-To / Megathread

[hazarjast]

October 2022 Update
I loathe boilerplate legalese but it was brought to my attention that someone had copied this tutorial wholesale on another site with only a passing reference to a pseudonym of mine at the very end and no link to this page as the source. Thus, I feel I have to give notice at the beginning of this tutorial to say that if you want to share the info below verbatim I would respectfully ask that you simply provide the hyperlink to this page and leave it at that. With that said, I reserve the right to deny copy/paste republication of this tutorial in whole or in part without my prior written consent. Frankly I feel gross for having to say that as its simply the respectful and moral thing to do, but here we are.

Regarding my reasons for making this statement:
The body of this tutorial is updated periodically to make corrections or provide additional info so I would hate for someone to be working from an deprecated version. I also have a strong personal distaste for others who plagiarize content with mere lip-service to the original author allowing others to assume they created the content themselves. While most of the underlying technical methods published here are not my original creations, it has taken many hours of work to compile and deliver them in a comprehensive, instructional form so to have it all copied and passed off as the work of someone else feels pretty awful. With all that out of the way, please use and enjoy the content provided below. I hope it is helpful to the community.

Introduction
Most likely you've purchased or are considering purchasing an Netgear LBR20 as your primary or secondary source of Internet connectivity and found your way here through an Amazon review, Wireless Haven, or the 5G LTE Hacks Facebook group. Welcome! Here you will find what you are looking for in terms of working with the unit and getting it to run with your provider and plan of choice. This thread will cover:

• How to flash Voxel custom firmware
• Unbricking After a Bad Firmware Flash
• How to get Command Line Access
• How to disable bloatware (Armor/Circle/ReadyCLOUD)
• How to set TTL to keep data use "on-device"
• How to execute AT commands for "magic" etc.
• How to band or cell lock your modem
• How to receive and send SMS
• How to split wifi SSIDs (separate 2.4Ghz and 5Ghz SSIDs)
• How to setup DNSCrypt/stubby/OpenVPN/WireGuard or Something Else
• Using the LBR20 as WAN on another router (DMZ mode and disabling wifi radios)

If you are more of a visual learner, @mellow65 has created a very nice overview video covering most of what is included in this guide (I would still recommend reading through this guide in its entirety for completeness and understanding):



What is Voxel and How Do I install It?
Voxel is custom firmware built from open source parts of Netgear firmware but is wholly separate and not iterative when compared to latest OEM firmware versions. We need it in order to perform things like "magic", TTL modification, and band/cell locking. The latest Voxel can be downloaded here:
https://www.voxel-firmware.com/Download ... 8SF-HW.zip

DISCLAIMER
This guide is provided as a reference only without any warranty expressed or implied. If you brick your device, the author is not responsible. You understand that by flashing your device with third-party firmware you will have voided any warranty or support which you would normally be entitled to from Netgear during their advertised warranty period. Proceed at your own risk!

To install Voxel, first check what firmware you are starting from. If you are on Netgear firmware 2.5.2.20 you can proceed directly to flashing Voxel firmware. If you are on a higher firmware first download 2.5.2.20 from the link below and downgrade to that prior to flashing Voxel:
https://www.downloads.netgear.com/files ... 5.2.20.zip

To install the Netgear 2.5.2.20 firmware, simply extract the .img file from the .zip, then login to the web GUI (usually by browsing to 'http://192.168.1.1') and go to 'Advanced > Administration > Firmware Update > Manual Update > Browse' to select the extracted .img file; click Upload and confirm the update allowing time for the upload/flash/reboot to complete. After the unit comes back online, you need to reset it to factory defaults ('Advanced > Administration > Backup Settings > Erase'). Be aware that you will have to go through the initial setup in the web browser again when performing this step. You can now proceed to install Voxel firmware using the same steps you just used to flash the Netgear firmware.

Unbricking After a Bad Firmware Flash
If you have accidentally bricked your device during firmware flash and it will no longer boot up completely, please refer to the following Netear KBA for recovery instructions. When performing a recovery flash it is recommended to flash back to Netgear stock v2.5.2.20:
https://kb.netgear.com/000059634/How-do ... =000059634

The Netgear KBA requires TFTP. If you don't have TFTP installed on your PC, refer to the following:
https://teckangaroo.com/enable-tftp-windows-10/

NOTE
Be aware there is LTE modem firmware separate from the LBR20 router firmware. As of this writing the current LTE firmware for the LBR20 modem is version A06 which seems to work perfectly stable for me across all US carriers and MVNOs that I have tested. Specifically, older firmware seemed to have some issues with "magic" reverting after being set and not prioritizing B41 on T-Mobile both of which A06 seems to have fixed. The A06 firmware upgrade can be found here (can be flashed from the web gui under 'Advanced > Administration > Firmware Update > LTE Update > Browse'):
https://www.downloads.netgear.com/files ... ge(US).zip

Some LBR20 owners that indicate A06 is not stable for their specific setup and carrier in which case they say that the older A05 firmware works better for them. I have not found this to be the case personally but if you wish to downgrade, Netgear provides the older firmware below for this purpose:
https://www.downloads.netgear.com/files ... ge(US).zip


How to Get Command Line Access
Once Voxel is installed cleanly and you've performed the required factory reset, you will have SSH access. For issuing AT commands in Voxel you simply need to connect to the modem's IP address (192.168.1.1 by default) using Putty or another SSH client and login using user 'root' and the password of the user you have set in the initial configuration (typically the same as the 'admin' password unless you have selected a different username during setup).

How to disable bloatware (Armor/Circle/ReadyCLOUD/AWS IoT)
Even on Voxel by default we still have Netgear bloatware like Armor, Circle, ReadyCLOUD, and AWS IoT. Fortunately, we can disabled these resource hogging features (assuming you don't use them) via the following commands:

Code: Select all

nvram set noarmor=1
nvram set nocircle=1
nvram set nocloud=1
nvram set noaws=1
nvram commit
reboot

Note that AWS IoT is required for using the Netgear mobile app with the device so disabling that would require you to use the web interface only.


Change TTL to Not Use Hotspot
While at the command line via SSH, issue the following command to create the necessary overlay filesystem directories:

Code: Select all

mkdir -p /mnt/circle/overlay/opt/scripts
touch /mnt/circle/overlay/opt/scripts/firewall-start.sh
chmod +x /mnt/circle/overlay/opt/scripts/firewall-start.sh
touch /mnt/circle/overlay/opt/scripts/firewall6-start.sh
chmod +x /mnt/circle/overlay/opt/scripts/firewall6-start.sh

Then create two files under it (using the text editor of your choice like 'nano' or 'vi'): 'firewall-start.sh' and 'firewall6-start.sh' with the contents as follows:

firewall-start.sh

Code: Select all

# IPv4 TTL mod
iptables -w -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 65 > /dev/null 2>&1 || \
iptables -w -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65

firewall6-start.sh

Code: Select all

# IPv6 TTL mod (prevents leaks not covered by IPv4 rules)
# Sleep added for good measure
sleep 10
ip6tables -w -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 65 > /dev/null 2>&1 || \
ip6tables -w -t mangle -I POSTROUTING 1 -o wwan0 -j HL --hl-set 65

The above assumes T-Mobile or their MVNOs usage. Due to the network hops specific to your network configuration and/or carrier, you may need to adjust '65' up or down slightly (some say setting '64' directly in the rule is setup/carrier agnostic but that is not my experience). I have found that '66' works best with Visible in most cases. If you've never used nano or vi before then I suggest going through one of the following guides so that you can understand how to use the editor before trying to create files with it:
https://www.howtogeek.com/howto/42980/t ... xt-editor/
https://www.howtogeek.com/102468/a-begi ... s-with-vi/

DISCLAIMER
TTL modification may violate your carrier's ToS. The author of this guide is not responsible if your carrier terminates your service due to TTL modification.


Sending AT Commands to the Modem
Once logged into SSH via Putty you can echo your desired AT commands and pipe to the inbuilt 'microcom' function of BusyBox like so:

Code: Select all

echo -ne "AT+EGMR=1,7,\"010101010101010\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

(If you want to perform "magic" on your modem the above example is exactly what you would execute; just swap the digits with a valid IMEI. This particular command should be issued only without a SIM inserted.)

DISCLAIMER
"Magic" (aka IMEI repair) may violate your carrier's ToS or country's regulatory laws. The author of this guide is not responsible if your carrier terminates your service and/or if you suffer any legal repercussions which may result from the modification of your device's factory-issued IMEI.

There is a specific syntax for echoing commands to microcom:

• The complete command should be enclosed in double quotes.
• The command must be appended with \r\n to allow it to execute.
• Commands which include double quotes must have each double quote commented out using a backslash (\).

If you want to send commands interactively to the modem you can do so by opening a connection with microcom directly to the secondary AT port:

Code: Select all

microcom /dev/ttyUSB3

You can exit the prompt by pressing 'Ctrl+X'.

Not all AT commands are published but all the ones that are can be found the source modem documentation for the EG18NA (the Quectel modem inside the LBR20): https://auroraevernet.ru/upload/iblock/ ... 88bda3.pdf


Band Locking
First, ask yourself why you need to band lock. In most cases you don't need to do this and will really just kneecap yourself from higher speeds. This is because when you band lock you must create a collection of bands to lock and any bands not included will not be used at all. So, if you create a collection (band index) of only one or two bands you will lose carrier aggregation (CA) abilities on any bands not included (assuming the tower allows CA on such bands). If you still believe band locking is what you want to do you can use the spreadsheet provided here to calculate the AT command required to lock your desired bands:
download/file.php?id=1514

Then you can lock the band index you created with the following command (where you replace the X's with the appropriate value from the spreadsheet output):

Code: Select all

echo -ne "AT+QCFG=\"band\",0,XXXXXXXXXX\r\n" | microcom -X -t 1000 /dev/ttyUSB2

Band locks should persist even after a reboot so no real reason to add them in any script to run at startup.

If you messed when defining your band mask or otherwise wish to revert to the original band index that shipped with the unit, you can issue the following command to return to the factory default:

Code: Select all

echo -ne "AT+QCFG=\"band\",0,42000001003300385a\r\n" | microcom -X -t 1000 /dev/ttyUSB2

Cell Locking
As an alternative to band locking, you can lock to a specific cell which, IMHO, is a much more straightforward approach than band locking and will allow you to retain CA abilities without having to guess at the bands. Cell locking requires physical cell ID (PCI) and E-UTRA Absolute Radio Frequency Channel Number (EARFCN) as input values. These can be obtained with LTE info apps on android, field test mode on iOS, on CellMapper, or issuing "servingcell" and "neighbourcell" commands to the modem. For the latter the commands with example output would be:

Code: Select all

echo -ne "AT+QENG=\"servingcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2
AT+QENG="servingcell"

+QENG: "servingcell","NOCONN","LTE","FDD",310,260,6C150D,222,1125,2,4,4,A6F7,-81,-8,-54,21,0,90,-

OK

echo -ne "AT+QENG=\"neighbourcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

AT+QENG="servingcell"
+QENG: "neighbourcell intra”,”LTE","FDD",1125,222,-6,-92,-66,0,-,-,-,-,-,-
+QENG: "neighbourcell inter”,”LTE","FDD",39874,312,-6,-92,-66,0,-,-,-,-,-,-

OK

Explanation of example output above:
Serving cell is the primary carrier the modem is already connect to so if you’re already connected to a cell you wish to lock, this will help you obtain the PCI and EARFCN (PCI is “222” and EARFCN is “1125” in sevingcell example above). Neighbour cell can show neighboring cells which can be locked as the primary carrier. The output is a bit different as EARFCN is the first number output by this command and PCI is the second (opposite of how serving cell shows the output). Once you know the EARFCN and PCI you can lock to a cell using the example command below; just replace “1125” with the actual EARFCN and “222” with the actual PCI:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",1,1125,222\r\n" | microcom -X -t 1000 /dev/ttyUSB2

AT+QNWLOCK="common/4g"
+QNWLOCK: "common/4g",1,1125,222

OK

Unfortunately cell locks are not reboot persistent so in order for you to automatically lock a cell after a restart you would need to add the command to a script file using nano or vi text editor which is called on startup:

Code: Select all

touch /mnt/circle/overlay/opt/scripts/celllock_mod
chmod +x /mnt/circle/overlay/opt/scripts/celllock_mod

File content:

Code: Select all

#!/bin/sh

sleep 120
echo -ne "AT+QNWLOCK=\"common/4g\",1,1125,222\r\n" | microcom -X -t 1000 /dev/ttyUSB2 >/dev/null 2>/dev/null

(This script waits 2 minutes for the unit to finish startup sequence, then issues the cell lock command.)

To have the script called on startup we create /etc/rc.local in the overlay filesystem and populate it with our script call:

Code: Select all

mkdir /mnt/circle/overlay/etc
touch /mnt/circle/overlay/etc/rc.local

File content:

Code: Select all

/opt/scripts/celllock_mod

exit 0

If after locking a cell you wish to unlock it without rebooting you can issue the following command:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",0

There is a risk that locking to a cell could cause connectivity issues if the cell is unstable or otherwise offline for some reason (failure, maintenance, etc.). In that case you would need to unlock the cell so that the modem could connect to another. This can be cumbersome to have to do manually. At your own risk you may wish to use a cell locking failsafe script I have created for my own use which I use instead of the 'cellock_mod' script above. The more advanced failsafe script will check internet connectivity four times an hour and lock the desired cell. If the internet is not accessible during a check while the cell is locked it will unlock from the cell in an attempt to restore connectivity. If internet connectivity continues to be impacted, the script will not retry locking the cell until after midnight the next day:
https://github.com/hazarjast/circle_jer ... ailsafe.sh


How To Receive and Send SMS
In Voxel we have 'sms-tool' for receiving text messages (SMS). The usage is quite simple.

To receive SMS:

Code: Select all

root@LBR20:~# sms-tool recv
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
MSG: 0
From: XXXXXXXXXXX
Date/Time: 03/23/22 09:05:47
Test
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@LBR20:~#

To send SMS:

Code: Select all

root@LBR20:~# sms-tool send 1XXXXXXXXXX howdy
sms sent sucessfully: 20
root@LBR20:~#

Since I am the USA the number has country code prefix of "1". This would be different depending on the destination number's country. An alternative way to read available SMS is via the web gui under Connection Info (http://<router IP>/lte_info.htm).


How to split wifi SSIDs (separate 2.4Ghz and 5Ghz SSIDs)
Refer to the following and read it entirely all the way until the end of the page:
https://digiex.net/threads/step-by-step ... ter.15648/

To simplify the main CLI commands:

Code: Select all

config set wifison-monitor_stop=1
config set wl_ssid="YOUR SSID 2.4Ghz NAME"
config set wla_ssid="YOUR SSID 5Ghz NAME"
config commit

The commands below check the values have been set as required and apply a reboot when ready:

Code: Select all

config get wifison-monitor_stop
config get wl_ssid
config get wla_ssid
reboot

Of course the above does not include the tweaks performed in the GUI which should be done as well per the OP's instructions.


How to setup DNSCrypt/stubby/OpenVPN/WireGuard or Something Else
For this you can refer to what documentation Voxel provides in the QuickStart.txt included with the firmware .zip:

Code: Select all

Quick Start Guide


(!) IMPORTANT NOTE: it is strongly advised to update to the stock firmware 2.5.2.20
before flashing this version if you are using stock firmware. If you are using Voxel
firmware already no any intermediate flashing is needed.

https://www.downloads.netgear.com/files/GDC/LBR20/LBR20_V2.5.2.20.zip

Warning:

I am not responsible for any damage of your router if you decide to try this custom
firmware. You should do all under your own risk and responsibility. Your router is 
your router and you should understand the risk to brick it.


1. Flashing Voxel’s custom firmware build and rolling back to the stock.

Nothing special. The procedure is similar to flashing downloaded official stock
firmware. In general all your current settings (used in the stock firmware) should be
kept. But it is recommended to make the backup of your current settings before flashing.
Identically you can revert to the stock firmware.


2. Overlay partition on Circle partition.

Original stock firmware uses tmpfs overlay partition (in RAM). So all you changes in
the files/dirs are kept only until next reboot of router/satellite. If you need to keep
your changed/added files you should use /mnt/circle/overlay directory where you should
add your new or modified files keeping the dirtree of Orbi. For example, if you wish to
use your own /etc/dnscrypt-proxy-2.toml just place it into:

/mnt/circle/overlay/etc/dnscrypt-proxy-2.toml


3. Setting up ssh access to the router and satellite.

After flashing and your settings you may need to have SSH access to router. SSH daemon
dropbear in Orbi uses port 22 and accepts root login with your WebGUI password.


4. Open your own firewall ports.

If you need to make several ports accessible from WAN then create the text file 
/mnt/circle/overlay/etc/netwall.conf with ports you need to open. Example of this file:
    ------------------------------------------------------------------------
    ACCEPT		net	  fw		tcp	22,8443
    ACCEPT		net	  fw		udp	1194
    ------------------------------------------------------------------------
(to open TCP ports 22 and 8443 and UDP port 1194).

NOTE: this file should contain LF symbol at the end of last line (press ENTER key in
your text editor).

Additionally you can use your own custom scripts to add your own iptables rules. These 
scripts should be named firewall-start.sh (IPv4), /opt/scripts/firewall6-start.sh (IPv6)
and be placed in the:

/mnt/circle/overlay/opt/scripts/

directory, i.e. 

/mnt/circle/overlay/opt/scripts/firewall-start.sh 
/mnt/circle/overlay/opt/scripts/firewall6-start.sh

with 755 permission attributes (i.e. executable).


5. Enable DNSCtypt Proxy-2 or stubby.

To enable DNSCrypt Proxy-2 run from telnet console the commands:

    nvram set dnscrypt2=1
    nvram commit
    reboot

To enable stubby run from telnet console the commands:

    nvram set stubby=1
    nvram commit
    reboot

If both DNSCrypt Proxy-2 and stubby are enabled, only stubby will be used.
To disable DNSCrypt Proxy-2 or/and stubby set them to "0" by nvram.


6. Disable Armor (BitDefender) and Circle update startup.

To disable Armor update daemon run from telnet console the command:

    nvram set noarmor=1
    nvram commit
    reboot

To disable Circle update daemon run from telnet console the command:

    nvram set nocircle=1
    nvram commit
    reboot


7. Disable ReadyCLOUD (XAgent/XCloud).

To disable ReadyCLOUD update daemon run from telnet console the command:

    nvram set nocloud=1
    nvram commit
    reboot

8. Disable Amazon Alexa (AWS-IoT).

To disable AWS-IoT daemon run from telnet console the command:

    nvram set noaws=1
    nvram commit
    reboot

9. WireGuard client.

To start its using you should

(1). Prepare the text file in Unix format (https://en.wikipedia.org/wiki/Text_file#Unix_text_files)
with name wireguard.conf defining the following values: EndPoint, LocalIP, PrivateKey, 
PublicKey and Port of you WireGuard client config from WG provider.

Example:
------------------------- cut here ---------------------------------------
EndPoint="wireguard.5july.net"
LocalIP="10.0.xxx.xxx/24"
PrivateKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
PublicKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
Port="48574"
------------------------- cut here ---------------------------------------

NOTE: no spaces before/after "=" symbol in example above.
NOTE: the name of the file wireguard.conf is lowercase.
NOTE: optional line could be added if your providers requires that:

PresharedKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="

(2) Place this wireguard.conf file to /mnt/circle/overlay/etc/ directory. I.e. 

/mnt/circle/overlay/etc/wireguard.conf

(3) Enter by ssh/telnet to your router (LBR20) and set the nvram variable wg-client
to 1

nvram set wg-client=1
nvram commit

(4) Reboot your router.

NOTE: to disable WireGuard client starting just set wg-client to "0" and reboot
the router.


10. OpenVPN client.

Important: only TUN clients are supported

To install OpenVPN client: just create /mnt/circle/overlay/etc/openvpn/config/client
directory and put your *.ovpn file (and CA/CERT/KEY if any). 
See "Overlay partition on Circle partition".

You can start/stop OpenVPN client manually from telnet console for testing:

    /etc/init.d/openvpn-client start

or 

    /etc/init.d/openvpn-client stop

to stop it. Log file for OpenVPN client is /var/log/openvpn-client.log, check it if you
have problems.

NOTE: you can add your own delay for starting OpenVPN client after reboot by the 
command from telnet:

    nvram set vpn_client_delay=120
    nvram commit

(to set 120 sec. delay)


11. Mounting a CIFS Share.

It is possible to mount remote network share using the Common Internet File System (CIFS).

Example how to mount CIFS Share:

mkdir /mnt/share
mount.cifs //192.168.1.100/DiskC /mnt/share -o user=username,iocharset=utf8,vers=3.02


12. SMS Tool utility.

The utility 'sms-tool' is included into firmware. It allows to deal with SMS messages
from the command line (ssh/telnet).

Its usage:

usage: [options] send phoneNumber message
       [options] recv
       [options] delete msg_index | all
       [options] status
       [options] ussd code
       [options] at command
options:
        -b <baudrate> (default: 115200)
        -d <tty device> (default: /dev/ttyUSB2)
        -D debug (for ussd)
        -f <date/time format> (for sms/recv)
        -j json output (for sms/recv)
        -R use raw input (for ussd)
        -r use raw output (for ussd and sms/recv)
        -s <preferred storage> (for sms/recv/status)

And see:

http://<router IP>/lte_info.htm

to read your SMS messages in WebGUI.

Voxel

Using the LBR20 as WAN on another router (DMZ mode and disabling wifi radios)
If you only intend to use the LBR20 for the modem and wish to use it as WAN on another router you should disable routing functions like the LAN DHCP server, change the LBR20 IP to use an address that does not conflict with the address range your other router is already using, and utilize the DMZ functionality.

To disable the DHCP server in the web gui go to "Advanced > Setup > LAN Setup" and un-check the option for "Use Router as DHCP Server". Click Apply.

To change the IP address of the LBR20 so that it does not conflict with the IP range of your other router, in the web gui go to "Advanced > Setup > LAN Setup" and change the IP address from the default (usually '192.168.1.1') to another range such as '192.168.115.1'. Click Apply.

To set the DMZ address (the static address which will be set for the WAN on your other router) in the web gui go to 'Advanced > Setup > WAN Setup' and select the "Default DMZ Server" option then enter the desired IP address (ex. 192.168.115.2). Click Apply.

NOTE
Once you disabled DHCP and change the IP address of the LBR20 you will no longer be able to connect to it automatically from your PC. In order to connect to it directly you would need to set your PC's IP address manually (statically) to an address within the new IP range of the router. Example: If the LBR20's IP address is set to '192.168.115.1' you would set your PC's IP address to something like '192.168.115.5' in order to access the LBR20 web gui or SSH to it directly. If you are unfamiliar with how to statically assign your PC's IP address you can refer to a guide like the one below:
https://pureinfotech.com/set-static-ip- ... indows-10/

Once your LBR20 has been set to use an IP outside of the range of your other router, has had DHCP disabled, and the DMZ IP configured, you can go to your other router's WAN configuration page and select the 'Static' address option and enter the DMZ IP you designated in the DMZ page of the LBR20. If need to access the LBR20 web gui from a PC connected to the LAN of the other router, you would use the DMZ IP you configured for it (ex. 'http://192.168.115.2'). Some routers' firewall may block access between the LAN and WAN by default so be aware you may need to create a firewall rule to allow LAN clients on the other router to access the WAN IP address of your LBR20.

If you wish to disable wifi completely on the LBR20 when using it with another router you can simply issue 'wifi down' interactively at the SSH prompt. Conversely, if you wanted to create a script that disables wifi after every reboot, you could do so by creating a script file such as '/mnt/circle/overlay/opt/scripts/wifi_down.sh' with the following content:

Code: Select all

#!/bin/sh

sleep 120
wifi down >/dev/null 2>/dev/null

The above waits for 2 minutes to make sure all services on the LBR20 have loaded after reboot then issues 'wifi down' in background (redirecting output to 'null' so it doesn't echo to the console for any logged in root user who may have connected via SSH) which deactivates the wifi radios. Once the script is created do not forget to make it executable (chmod +x /mnt/circle/overlay/opt/scripts/wifi_down.sh) and make it execute at startup by adding a call to it in '/mnt/circle/overlay/etc/rc.local'.

--------------------------------------------------------------------------------------------------------------------------------------------------------

Looking for the original, rambling OP with all its associated errata? That can be found here (just don't actually use it for anything beyond your general knowledge): viewtopic.php?p=24108#p24108

[brad2388]

Debating on one of these. But we have a grandfathered whole home plan.

It wont work in my em7511. Wondering if this plan will work in this device?

[hazarjast]

Any plan will work with the LBR20 assuming you configure it to be compatible. Read between the lines in my "Sending AT Commands to the Modem" section and check for spelling typos. That's all I will say here. Feel free to DM (hazarjast at proton mail dot com) if you need clarification.

[brad2388]

Any plan will work with the LBR20 assuming you configure it to be compatible. Read between the lines in my "Sending AT Commands to the Modem" section and check for spelling typos. That's all I will say here. Feel free to DM (hazarjast at proton mail dot com) if you need clarification.

Emailed

[hazarjast]

Emailed

I replied to your email. Please let me know if you didn't get my reply for some reason.

[hazarjast]

OP updated with some info on locking specific cell IDs (i.e. specific towers) using AT+QNWLOCK syntax.

[hazarjast]

OP updated with my findings surrounding an "expiring" carrier aggregation quirk observed on T-Mobile and my subsequent workaround.

[ssnacks]

Great work. Another option if you don't want to be dependent on external DNS to keep the firmware from being updated is to add an entry for devcom.up.netgear.com to /etc/hosts. I confirmed that gives me back a "Service unreachable" when I attempt to update.

Code: Select all

echo "127.0.0.1 devcom.up.netgear.com" >> /etc/hosts

[hazarjast]

Yes, hosts file entry works great too; I should have mentioned this method as well. Thanks for sharing it!

I didn't really delve into it here but I like controlling all DNS queries from the device for other reasons as well such as blocking telemetry connections back to netgear and their partners. NextDNS provides stats down to the client level of what gets blocked so it's fun to see what calls are being made

[cabegol]

I'm sorry for the very ignorant question, can somebody help me with the first steps to create the ttl_mod file? Thank you!

[USMCDoc]

Hello gang,
Ive been a lurker on this sub for the past few months so still trying to learn. Ive been using the lbr20 on att with no problems until recently so I made the switch to tmobile through nolimitdata. So far no success with this sim. I started my research last night on using telnet/putty. Would any of you be willing to point me in a direction that might get this to work? I appreciate all of the knowledge you have shared on this sub. Thanks!

[brandorc]

Thanks so much for all the useful information - this thread is great! Apologies for my ignorance, but would it be possible for someone to post a walk through for a newby in creating these mod script files to edit the ttl? I'm able to make it into putty, but I'm just absolutely lost on how to actually create these scripts. Thanks so much for any help! You guys rock!

[Dr-BroadBand]

Take a look on No Limit Data, support page. At the FAQ

If you are still have a problem contact them, E-Mail.

I was helping a friend a few weeks ago can got a response with in 30min on a weekend!

https://www.nolimitdata.net/contato-1

[brandorc]

Thanks @hazarjast for all the awesome info! This thread is great! Could someone help a noob out; I've tried a few different routes and have fallen down the google rabbit hole trying to learn iptable commands - I can't for the life of me figure out how to create the ttl_mod script file. Could some wise modder post a short walkthru of commands to get the ttl settings to persist on the LBR20? Thanks everyone!

[USMCDoc]

I contacted nolimitdata, and I agree so far customer service hase been great. Responded very quickly unfortunately they said that I am the first person they know of who is using this router.

[Dr-BroadBand]

Yep you are on the bleeding edge with this router.
Is there any way to test the SIM in another Device?

iPad maybe or a phone

May try to do a factory reset of the LBR20 with the SIM out.

[USMCDoc]

Sim works great in other device. Ill try a factory reset again. I'll keep toying with it tonight. Im determined to make this work. Ill be sure to update here if I have any findings.

[Dr-BroadBand]

From the manual
Many SIM cards require a Personal Identification Number (PIN). Without the PIN, your router might not be able to connect to the mobile broadband network. If you do not know your PIN, contact your LTE provider.

[Dr-BroadBand]

Found this clue

Re: Orbi LBR20 with T-Mobile issues
I am using the Orbi LBR20 with T-Mobile. What I had to do was connect to the admin console advanced internet setup
(http://orbilogin.com/adv_index.htm) and ensure the following:

Network mode: Automatic (4G or 3G)
PDP Type: PDP-IPv4v6

The setup 'wizard' had set it to just PDP-IPv4 which resulted in a connected status, but no actual Internet access.

Also what firmware are we working with ..

[umbighouse]

Thanks @hazarjast for all the awesome info! This thread is great! Could someone help a noob out; I've tried a few different routes and have fallen down the google rabbit hole trying to learn iptable commands - I can't for the life of me figure out how to create the ttl_mod script file. Could some wise modder post a short walkthru of commands to get the ttl settings to persist on the LBR20? Thanks everyone!

+1 for me too. I'd like to get the ttl_mod script file setup and running too.

[hazarjast]

I'm sorry for the very ignorant question, can somebody help me with the first steps to create the ttl_mod file? Thank you!

The code is provided in the OP inside the code block with the "iptables" commands. Please let me know if you are still unclear on any point.

[hazarjast]

Hello gang,
Ive been a lurker on this sub for the past few months so still trying to learn. Ive been using the lbr20 on att with no problems until recently so I made the switch to tmobile through nolimitdata. So far no success with this sim. I started my research last night on using telnet/putty. Would any of you be willing to point me in a direction that might get this to work? I appreciate all of the knowledge you have shared on this sub. Thanks!

Sorry for the late reply to this; I have not been on this thread in awhile. "nolimitdata" looks like some unauthorized reseller of T-Mobile consumer plans (usually One or Magenta phone or tablet lines). SIM from such plans will only work in a device with an IMEI TAC that identifies it as a phone or tablet (depending on the what it is provisioned for). Given the LBR20 has a TAC that identifies it as a data only device T-Mobile likely blocks it from connecting.

The workaround for this is not hard on Quectel modems like the one inside the LBR20 but I will not explain any further here as the workaround actions could a legal quagmire depending on your country's laws that deal with making modifications to RF equipment serial numbers. There is a very obvious clue in one of the code blocks of the OP though, if you should choose to pursue this further.

[hazarjast]

Thanks so much for all the useful information - this thread is great! Apologies for my ignorance, but would it be possible for someone to post a walk through for a newby in creating these mod script files to edit the ttl? I'm able to make it into putty, but I'm just absolutely lost on how to actually create these scripts. Thanks so much for any help! You guys rock!

The script code you are looking for is in the code block with the "iptables" commands in the OP. Please let me know if you are unclear on some point regarding this. You will have to use the text editor 'vi' to create/edit the mod script once you have telnetted into the device. I will not cover 'vi' usage here but there are plenty of guides/tutorials on this that can be found with a simple google or youtube search.

[hazarjast]

+1 for me too. I'd like to get the ttl_mod script file setup and running too.

The code for this is in the OP; second code block with 'iptables' commands in it. Please let me know if you are unclear on any point. If you are not familiar with creating and editing text files under Linux I would suggest looking up a tutorial on the 'vi' text editor (which is what you would use to create/populate the mod script file on the LBR20 once you telnet into it).

[hazarjast]

Since I had a couple queries on interpreting the +QENG output for 'servingcell' and 'neighbourcell' when preparing to lock a specific cell site, I will post a consolidated copy of my replies here for the benefit of the whole class

In general, most of the AT command output definitions can be found in the Quectel documentation for the EG18 modem below (this is the modem inside the LBR20; pg. 79 provides details surrounding +QENG 'servingcell' output):
https://www.quectel.com/UploadImage/Dow ... l_V1.0.pdf

Be aware that some AT commands are undocumented in the product-specific manual, such as +QNWLOCK, as they are considered "engineering" or "unfinished" commands not for use by end users. But still we can find info on them and their syntax in Quectel forums etc. via references to sister products (in this case the EG12):
https://forums.quectel.com/t/eg12-and-f ... ature/4619

Let us take some example output from +QENG 'servingcell':

Code: Select all

+QENG: "servingcell","NOCONN","LTE","FDD",310,260,6C150D,222,1125,2,4,4,A6F7,-81,-8,-54,21,0,90,-

Applying the EG18 'servingcell' legend to the example output above reveals the following details about the currently connected cell:

MCC = 310
MNC = 260
CELLID = 6C150D (note that this is a hexadecimal value; decimal value used on cellmapper etc. would be "7083277")
PCID = 222
EARFCN = 1125
FREQ_BAND_IND = 2
UL_BANDWIDTH = 4 (0 = 1.4 MHz 1 = 3 MHz 2 = 5 MHz 3 = 10 MHz 4 = 15 MHz 5 = 20 MHz)
DL_BANDWIDTH = 4 (0 = 1.4 MHz 1 = 3 MHz 2 = 5 MHz 3 = 10 MHz 4 = 15 MHz 5 = 20 MHz)
TAC = A6F7 (I believe this is a hex value as well; decimal value would be "42743")
RSRP = -81 [dB]
RSRQ = -8 [dB]
RSSI = -54 [dB]
SINR = 21 [dB]
CQI = 0
TX_POWER = 90 [dBm]
SRXLEV = - [dB]

If you use +QNWLOCK on the Orbi to lock to a specific cell (tower) I have found it is not persistent across reboots (i.e. no need for a factory reset to clear the setting). Thus, in my setup, my bootstrapper script executes it after each restart because I want it to lock the same cell each and every time when the device is rebooted.

Be aware that "neighbourcell" output fields and format differs so be careful when using it to obtain any reference CELLID and PCID because they may appear in a different order or format (hex vs. decimal etc.). Legend for "neighbourcell" output can be found on page 80 of the EG18 PDF I linked to above.


Hope this expanded detail was helpful to folks.

[hazarjast]

Updated the 'ttl_mod' script in the OP to use better logic and cover IPv6 as well since that seems to be required by some setups as well. Shout-out of thanks to Mr. Josh B. for inspiring the update.

[hazarjast]

Several important updates have been made to the OP. Most notable: further simplification of the 'ttl_mod' script, a thorough fleshing-out of the 'bootstrap' method/script for clarity, and a change in execution method which now uses crontab for calling 'ttl_mod' (and any other scripts) at precise, scheduled intervals.

I can also confirm that all mods work on the US Cellular SKU of the LBR20 (LBR20-1USNAS) running on the latest available USCC firmware (2.5.3.4).
(Funny enough the person who allowed me to test this device had it setup and running on both AT&T and T-Mobile at different times without issue so if you find one of these models on eBay for cheaper than the non-USCC ones, it seems to work on other carriers just fine)

Thanks to the patient folks who have let me run wild as Dr. Frankenstein inside their Orbis to hone and further perfect the mods exhibited in this tutorial thread; I hope it serves as a help for many LBR20 owners to come.

[moonbrushed]

Hi guys,

I have a LBR20 (European model) - and am attempting to get it connected to mobile broadband via Vodafone UK. I have tried x3 different SIMs in the LBR20 and so far have been unable to get the device connected. The device status simply reads "disconnected". Two of these SIMs are from phones and another from a battery powered mobile hotspot device (data only). Signal is great in the location I am trying this in. My nearest cell mast is transmitting on band 20, which the European model should support.

As far as anyone can tell at Vodafone, my APN settings etc are OK..
APN: wap.vodafone.co.uk
Username and Password: wap
Authentication: tried both 'none' and 'pap'
PDP-IP: have tried both: v4, v4v6
Have also tried lots of other combinations.

Vodafone support have confirmed that my account/SIMs are not locked in any way - and there is no reason why they should not work in the LBR20 - but do acknowledge that there are some reports online of people being unable to connect via this device on other networks too.

Netgear are zero help. Vodafone insist there is no problem with my SIMs/account.

Can anyone shed any light on this for me? From reading around, I wonder if my SIMs are not provisioned for use in the router - in which case, is there a way to fix this? Vodafone (at higher levels) may be aware of this limitation, but low level support insist everything is fine.

Would really appreciate any help anyone can offer!
David

[Username]

@hazerjast, thank you for taking the time to document these tips. It is by far the best and most accurate information I have come across.

I have LBR20 router. I set it up with a SimpleMobile sim (T-Mobile). It worked great, immediately. I was setting this up for my Parents who have no internet. So after I set it up at my home, I drove 20 miles to their home and plugged it in and while wifi came up correctly, the mobile would not connect. I factory reset it and set it up again but from my parent's house, it would never make a mobile connection to get internet.

I took it home, plugged it in, and it worked again without me touching anything.

I think some of the tips here may be relevant to my situation, but I'm not sure entirely. I know how to telnet in and all that and I have a technical background.

One tip that I implemented since following this thread is to change setting from IP4 to the IP4v6 setting. I wonder if that will be enough to try again, but I haven't driven over to my parents yet to try it cuz I'm thinking there may be more I need to check.

I this caused simply by connecting to a different cell tower? and is there a specific tip here that I should look at with respect to this issue?

Thank you again.

[moonbrushed]

I tried this last night - took the LBR20 to a place where it would need to connect to a different tower...just in case my connection problems were related to my local tower. Unfortunately, same problem...status reads disconnected.

[outrage18]

Great stuff here Hazerjast. Good of you to take the time to document and help others. Could you please confirm that this LTE router supports Verizon and Sprint in addition to T-Mobile and AT&T? Thanks!

[hazarjast]

Hi guys,

I have a LBR20 (European model) - and am attempting to get it connected to mobile broadband via Vodafone UK. I have tried x3 different SIMs in the LBR20 and so far have been unable to get the device connected. The device status simply reads "disconnected". Two of these SIMs are from phones and another from a battery powered mobile hotspot device (data only). Signal is great in the location I am trying this in. My nearest cell mast is transmitting on band 20, which the European model should support.

As far as anyone can tell at Vodafone, my APN settings etc are OK..
APN: wap.vodafone.co.uk
Username and Password: wap
Authentication: tried both 'none' and 'pap'
PDP-IP: have tried both: v4, v4v6
Have also tried lots of other combinations.

Vodafone support have confirmed that my account/SIMs are not locked in any way - and there is no reason why they should not work in the LBR20 - but do acknowledge that there are some reports online of people being unable to connect via this device on other networks too.

Netgear are zero help. Vodafone insist there is no problem with my SIMs/account.

Can anyone shed any light on this for me? From reading around, I wonder if my SIMs are not provisioned for use in the router - in which case, is there a way to fix this? Vodafone (at higher levels) may be aware of this limitation, but low level support insist everything is fine.

Would really appreciate any help anyone can offer!
David

I believe we chatted over email but for the benefit of others in your situation it seems that your carriers are checking IMEI so, unless you are comfortable modifying that identifier on your device there is not much that can be done.

[hazarjast]

@hazerjast, thank you for taking the time to document these tips. It is by far the best and most accurate information I have come across.

I have LBR20 router. I set it up with a SimpleMobile sim (T-Mobile). It worked great, immediately. I was setting this up for my Parents who have no internet. So after I set it up at my home, I drove 20 miles to their home and plugged it in and while wifi came up correctly, the mobile would not connect. I factory reset it and set it up again but from my parent's house, it would never make a mobile connection to get internet.

I took it home, plugged it in, and it worked again without me touching anything.

I think some of the tips here may be relevant to my situation, but I'm not sure entirely. I know how to telnet in and all that and I have a technical background.

One tip that I implemented since following this thread is to change setting from IP4 to the IP4v6 setting. I wonder if that will be enough to try again, but I haven't driven over to my parents yet to try it cuz I'm thinking there may be more I need to check.

I this caused simply by connecting to a different cell tower? and is there a specific tip here that I should look at with respect to this issue?

Thank you again.

SimpleMobile is an MVNO and as such may not have roaming agreements with every tower that a first party customer of T-Mobile would have. If there was some issue with device configuration you should see the issue no matter the specific tower as long as the carrier is the same and supported on that tower by the underlying operator.

[hazarjast]

I tried this last night - took the LBR20 to a place where it would need to connect to a different tower...just in case my connection problems were related to my local tower. Unfortunately, same problem...status reads disconnected.

Yeah likely the carriers don’t want this device on the plans which you are trying to use it on, unfortunately.

[hazarjast]

Great stuff here Hazerjast. Good of you to take the time to document and help others. Could you please confirm that this LTE router supports Verizon and Sprint in addition to T-Mobile and AT&T? Thanks!

Many people use the LBR20 with VZW and Visible unofficially utilizing some the useful commands referenced. Sprint is a dead entity at this point. Legacy band 41 is being repurposed by T-Mobile for 5G so many legacy Sprint handsets are now running on T-Mobile LTE bands. Right when the merger completed I had the LBR20 running on a sprint iPad SIM and it connected to LTE B41 but I have not tried in awhile to see if it would still connect on that band. So, I guess what I am trying to say is, when it comes to usage with legacy sprint plans, your mileage may vary depending on how they are repurposing legacy sprint spectrum in your particular area.

[hazarjast]

Just as a heads up to anyone contacting me for LBR20 help: life is pretty busy at the moment so it may be awhile before I see and/or respond to your messages. Not trying to ignore anyone but have to keep my priorities in order. Thanks for understanding!

[Username]

SimpleMobile is an MVNO and as such may not have roaming agreements with every tower that a first party customer of T-Mobile would have. If there was some issue with device configuration you should see the issue no matter the specific tower as long as the carrier is the same and supported on that tower by the underlying operator.

Thank you for your reply. My personal mobile phone sim is also a SimpleMobile, and it works when I go to my parents home....which is the source of my confusion . I haven't tried my personal sim into the LBR20 yet, that might be an interesting test but that prolly won't help me understand the issue with the current sim. Per your advice, I may end up trying a first-party sim instead of simplemobile.

[pakoss]

hi, I write from Italy. forgive me my grammatical errors ... I just bought netgear orbi lbr20, I wanted to understand if it is possible to select the bands manually, I decide which bands to aggregate. thanks

[hazarjast]

hi, I write from Italy. forgive me my grammatical errors ... I just bought netgear orbi lbr20, I wanted to understand if it is possible to select the bands manually, I decide which bands to aggregate. thanks

Ciao! No apologies necessary

Yes, this modem can lock bands or an index of bands. Check page 36 of the manual here for AT+QCFG="band" command and its syntax:
https://www.quectel.com/UploadImage/Dow ... l_V1.0.pdf

Another helpful thread can be found here:
https://wirelessjoint.com/viewtopic.php?t=674

[shyrik25]

Hi

Sorry if this is of topic. How to make the LBR20 automatically reboot when LTE the Internet Connection is lost. The openwrt on the LBR20 is older and does not have LEDE or LUCI for GUI. I would like to run a watchcat, but don't see it in openwrt with telnet. If I understand correctly then I need to bootsrap a watchcat script to the LBR20. I'm not sure how to do that.

Thank you for your help.

[Username]

Thank you for your reply. My personal mobile phone sim is also a SimpleMobile, and it works when I go to my parents home....which is the source of my confusion . I haven't tried my personal sim into the LBR20 yet, that might be an interesting test but that prolly won't help me understand the issue with the current sim. Per your advice, I may end up trying a first-party sim instead of simplemobile.

I tried one more MVNO sim - this time from US Mobile (which had even more data per month than SimpleMobile).

This time the sim worked both at my house, and at my parents house which is 20 miles away. It worked like a charm. Now my parents have internet and are also an echo dot instead of a computer.

I'm not really sure why US Mobile worked but the SimpleMobile did not (recall that the SimpleMobile worked at my house but not theirs). That pretty much ends my issue for now. Thanks for this site, and this thread. Good stuff here.

[das1996]

I must be missing something. I can't get anything under /mnt/ntgr/armor, or /mnt/ntgr/armor/etc, or cd /mnt/ntgr/armor/etc/init.d/ to persist between reboots. Tried the 2.5.2.20 and 2.5.3.4 uscc fw on the unit. Completed initial config, even put a sim in it. After every reboot, anything I add is gone.

Any suggestions? Thanks!

[outrage18]

das1996,
Persists fine on 2.5.2.20 so long as you don't upgrade to 2.5.3.4. BTW, I learned the hard way -- new fw loses telnet option from the debug page and when I downgraded back to 2,.5.2.20, the changes (which used to persist) no longer survive reboot.

[das1996]

Mine was on 2.5.3.4 at some point... Auto updated I believe. Any way to undo whatever 2.5.3.4 so 2.5.2.20 works like before?

[outrage18]

Not within my capabilities, if at all. Not sure you were auto upgraded to 2.6.3.50; for the time being, Netgear does not seem to be auto updating beyond 2.5.2.20. My effort to try and get changes on the armor directory to survive a reboot included reverting to both 2.5.2.20 and 2.5.1.18 as well as hard reset. Nothing I did worked

[hazarjast]

Not within my capabilities, if at all. Not sure you were auto upgraded to 2.6.3.50; for the time being, Netgear does not seem to be auto updating beyond 2.5.2.20. My effort to try and get changes on the armor directory to survive a reboot included reverting to both 2.5.2.20 and 2.5.1.18 as well as hard reset. Nothing I did worked

There are clues to resolve here:
https://hackingthenetgearorbi.wordpress ... this-time/

As the blog above shows, not all free space on Orbi devices have been partitioned for use with overly-fs so in the newer firmware for LBR20 it should still be possible to partition some space that survives a reboot. Plus, you have to think, Armor (BitDefender) receives updates which need to be loaded at reboot so they are being stored somewhere in a persistent manner.

I got a fleaBay deal on a used LBR20 which will allow me to have a 'dev' unit to play around with while my daily driver stays safely on older firmware but my day job is very demanding at the moment so it may be some time before I get a chance to work a fully functioning solution for folks on newer firmware. For telnet access, there's no way that Netgear would permanently lock their support staff out of that, it's just harder to get to now most likely. Something like this should make it accessible:

https://github.com/insanid/NetgearTelnetEnable

As an aside, I also have SSH fully working on the LBR20 2.5.2.20 firmware which is much nicer than telnet (no timeouts, weird formatting on the command line, putty window resizing issues, etc. that are seen when using telnet). Once I get the persistent storage issue sorted on the newer firmware I'll add instructions on adding SSH as well

[mtnchar]

Thank you for all your help hazarjast. The orbi has greatly improved speed vs the old mofi and helped make the internet far more usable at my location. I took your advice and blocked all the auto-update features, although it seems to know about the LTE firmware despite my efforts.

Now my Orbi wants to do a LTE modem firmware upgrade, of course couldn't find anything about this upgrade on the netgear website. They never actually note what this upgrades supposedly fix.

I have noted they appear to be blowing out the LBR20s, there is probably a newer (and less adaptable) model coming out.

Anyone try this new LTE firmware PAR01A06M4G

US Cellular has a link about it, but few real details.

https://www.uscellular.com/content/dam/ ... Router.pdf

[shinesmart]

Got everything working on the 2.5.3.4 version. After doing the TTL mod via telnet, I’m consistently getting 60/30 with Visible sim and the scripts are surviving reboots. Much thanks hazerjast for this tutorial. LBR20 seems like the best tri-band lte router once you get the TTL mod working. Let me know if I can help with in any way.

Cheers

[hazarjast]

Thank you for all your help hazarjast. The orbi has greatly improved speed vs the old mofi and helped make the internet far more usable at my location. I took your advice and blocked all the auto-update features, although it seems to know about the LTE firmware despite my efforts.

Now my Orbi wants to do a LTE modem firmware upgrade, of course couldn't find anything about this upgrade on the netgear website. They never actually note what this upgrades supposedly fix.

I have noted they appear to be blowing out the LBR20s, there is probably a newer (and less adaptable) model coming out.

Anyone try this new LTE firmware PAR01A06M4G

US Cellular has a link about it, but few real details.

https://www.uscellular.com/content/dam/ ... Router.pdf

The new LTE firmware is fine to upgrade to without changing anything that allows the mods to be persistent. It is the newer *router* firmware that changes the '/mnt/ntgr/...' filesystem, not the LTE firmware. I have successfully tested LTE firmware A06 on router v2.5.2.20. In fact, if you're on A05 or older LTE firmware and use a T-Mobile/Sprint plan (or MVNO/reseller of theirs) I would highly recommend upgrading as it seems this allows the modem to connect to B41 where available. On A05 I could not get the modem to pick up on B41. In general A06 seems to be more stable on T-Mobile as well; I have not tested A06 with VZW or ATT yet.

If you are currently using /etc/hosts or DNS entries to block the netgear firmware sites as I have and do not want to risk unblocking them to upgrade the LTE firmware I have a mirror of A06 here which can be uploaded and applied manually from the 'LTE Firmware' page in the web gui:

https://drive.google.com/file/d/1N-EgRx ... sp=sharing

Also, for anyone who wanted to downgrade back to router firmware v2.5.2.20, I have a mirror of that as well in case Netgear removes it at some point:
https://drive.google.com/file/d/1Tc09ja ... sp=sharing

[hazarjast]

Updated the OP over the course of yesterday and today with router firmware v2.6.3.50 discovery information and an updated way to add reboot-persistent config leveraging the Circle functionality/filesystem.

[das1996]

Thanks for the circlejerk update. Figures this is needed with a netgear product.

[egauk]

Thank you for all the hard work putting this together! I am encountering an error when executing the powershell command.

Code: Select all

PS D:\circle_jerk-main> powershell -noprofile -executionpolicy bypass -file .\deploy_circle_jerk.ps1
Enter the router's 'admin' password: *********
EnableTelnet : Could not enable telnet!
At D:\circle_jerk-main\deploy_circle_jerk.ps1:136 char:3
+   EnableTelnet
+   ~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,EnableTelnet

-I am running in an elevated PS window
-I can run telnet-enable2.exe standalone and it works fine
-I have disabled Defender real-time scanning (no other AV is installed)
-I have disabled Windows Firewall

Is anyone else running into the issue?

[alamont]

Hi all, first time writing into this forum. I am thinking of getting an LBR20 because it looks like a great way to get a CAT 18 modem for the price. But I wanted to know what the circle_jerk script allows. I'm in fairly rural Washington and need to setup very directional MIMO antennas. The antenna placement will likely need to be precise as the signal is next to nothing out here. MOFI4500 and GoldenOrb DIY units appear to allow lots of signal strength/quality monitoring as well as band locking, etc. Does this script allow access to these types of features on the LBR20?

[das1996]

Gave it a try with the 2.5 and 2.6 firmwares. Files get copied but doesn't look like it's run after a reboot. No ssh access.

Enabled first the bottom option, then top.. Still no go.

https://i.imgur.com/eawssir.png

[hazarjast]

Gave it a try with the 2.5 and 2.6 firmwares. Files get copied but doesn't look like it's run after a reboot. No ssh access.

Enabled first the bottom option, then top.. Still no go.

https://i.imgur.com/eawssir.png

Something is different about your unit's firmware. Need to know the specific model number and firmware release number as I do not have this "smart" parental control option, only a single slider is available to me. I am using 2.6.3.50 downloaded from here:
https://www.downloads.netgear.com/files ... 6.3.50.zip

[das1996]

US market, I let it do the firmware auto update. Says V2.6.3.50 in the top right corner. Sticker on bottom says LBR20

I can try reflashing with the direct link from netgear and do a factory reset.

[hazarjast]

I can try reflashing with the direct link from netgear and do a factory reset.

Yes, I would recommend doing that. It is possible if you had updated/downgraded firmware before that it changed the Circle installation in some way. If all else fails you can still use 'telnet-enable2.exe' from the package to enable telnet on the unit and explore what may be the cause of the Circle differences.

When you say 'US' market and that the label reads LBR20 this does not mean much unfortunately since there are at least two SKUs that match this description: the retail model and US Cellular both. There is also an NA model for Canada that I came across.

[das1996]

Did factory reset, single slider now but it's still not working.

Once i'm in the shell, what should I be looking for to make sure the right files/settings are there for the bootstrap/hook to take place?

Trying to follow your code. For one, after completion, file

root@LBR20:/# ls -l /var/tftpd-hpa/circle_jerk.zip
-rwxrwxrwx 1 root root 156826 Mar 8 20:00 /var/tftpd-hpa/circle_jerk.zip

Still exists, yet code has an rm command to remove it.

[hazarjast]

Thank you for all the hard work putting this together! I am encountering an error when executing the powershell command.

Code: Select all

PS D:\circle_jerk-main> powershell -noprofile -executionpolicy bypass -file .\deploy_circle_jerk.ps1
Enter the router's 'admin' password: *********
EnableTelnet : Could not enable telnet!
At D:\circle_jerk-main\deploy_circle_jerk.ps1:136 char:3
+   EnableTelnet
+   ~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,EnableTelnet

-I am running in an elevated PS window
-I can run telnet-enable2.exe standalone and it works fine
-I have disabled Defender real-time scanning (no other AV is installed)
-I have disabled Windows Firewall

Is anyone else running into the issue?

Could have to do with your network adapter configuration and not being able to pull the correct IP or MAC automatically. Try populating the function’s IP and MAC variables manually to see if that helps.

[hazarjast]

Did factory reset, single slider now but it's still not working.

Once i'm in the shell, what should I be looking for to make sure the right files/settings are there for the bootstrap/hook to take place?

Trying to follow your code. For one, after completion, file

root@LBR20:/# ls -l /var/tftpd-hpa/circle_jerk.zip
-rwxrwxrwx 1 root root 156826 Mar 8 20:00 /var/tftpd-hpa/circle_jerk.zip

Still exists, yet code has an rm command to remove it.

If I had to guess the firmware updates before this one altered some circle files. If the zip extracted properly everything should be under “/mnt/circle/mods” which is where you can look for and launch the scripts manually.

[das1996]

Ok.. Progress.

Factory reset once on 2.6.3.50 fw. Did initial config then applied the mod.

Toggle circle on (now 1 slider). THEN, REBOOT!! This was key.

I only have cricket here which doesn't appear to throttle, regardless of ttl, so can't check it.

However, should the ttl value be 64, not 65. 65 Is usually for the client devices (so leaving phone it's 64). In this case, the mangling is done on the device connected directly to the network¿?

[egauk]

Could have to do with your network adapter configuration and not being able to pull the correct IP or MAC automatically. Try populating the function’s IP and MAC variables manually to see if that helps.

That was it. I disabled all other network adapters on my Windows 10 PC and the script shows it completed. However, /mnt/circle/mods/ does not exist.

Code: Select all

PS D:\circle_jerk-main> powershell -noprofile -executionpolicy bypass -file .\deploy_circle_jerk.ps1
Enter the router's 'admin' password: *********
Connecting to 192.168.1.1 on port 23
Connected and running command...
Connecting to 192.168.1.1 on port 23
Connected and running command...
Circle has been modded! Now you must login to your router and enable Circle (under 'Parental Controls' menu item) then click 'Apply'.
Once Circle has been enabled, you can then SSH into your router at 192.168.1.1 with username 'root' and the following password

[hazarjast]

Ok.. Progress.

Factory reset once on 2.6.3.50 fw. Did initial config then applied the mod.

Toggle circle on (now 1 slider). THEN, REBOOT!! This was key.

I only have cricket here which doesn't appear to throttle, regardless of ttl, so can't check it.

However, should the ttl value be 64, not 65. 65 Is usually for the client devices (so leaving phone it's 64). In this case, the mangling is done on the device connected directly to the network¿?

Glad it worked. Not sure why a reboot was necessary as my tests with clean reset worked without reboot but I can add that as something to try for others in troubleshooting.

For TTL most folks would use mangle on the router to avoid having to set on each client device for carrier plans that differentiate on-device data from tether traffic using TTL. On the router it is set to mangle outgoing packets to 65 because on WAN exit it decrements to 64 which is the desired value once the traffic is on the carrier network. Some LAN setups may require adjusting this value but in most cases you wouldn’t want it to mangle to a value of 64 because it would then decrement and arrive with a value of 63.

[hazarjast]

Hi all, first time writing into this forum. I am thinking of getting an LBR20 because it looks like a great way to get a CAT 18 modem for the price. But I wanted to know what the circle_jerk script allows. I'm in fairly rural Washington and need to setup very directional MIMO antennas. The antenna placement will likely need to be precise as the signal is next to nothing out here. MOFI4500 and GoldenOrb DIY units appear to allow lots of signal strength/quality monitoring as well as band locking, etc. Does this script allow access to these types of features on the LBR20?

Signal strength is a feature available “out of the box”, just go to advanced page in GUI and click on “connection status”. Yes, you can lock band and/or cell but my scripts only include an example of cell locking. Cell or band locking can be accomplished at boot by creating and adding the necessary minicom AT commands to the “run_once” script which will execute once after startup. In the OP I dig into cell locking a bit but not band index creation but I think I have linked here somewhere in my replies to other threads that cover Quectel band locking steps in more detail.

So in short, yes band locking is possible but you’ll need to add the desired AT commands to the appropriate script. My mod does not do this for you it is simply a framework to enable reboot persistent configuration changes.

[hazarjast]

That was it. I disabled all other network adapters on my Windows 10 PC and the script shows it completed. However, /mnt/circle/mods/ does not exist.

Code: Select all

PS D:\circle_jerk-main> powershell -noprofile -executionpolicy bypass -file .\deploy_circle_jerk.ps1
Enter the router's 'admin' password: *********
Connecting to 192.168.1.1 on port 23
Connected and running command...
Connecting to 192.168.1.1 on port 23
Connected and running command...
Circle has been modded! Now you must login to your router and enable Circle (under 'Parental Controls' menu item) then click 'Apply'.
Once Circle has been enabled, you can then SSH into your router at 192.168.1.1 with username 'root' and the following password

I do not see that TFTP was executed to upload the .zip because it should produce some output that says “[x] bytes were transferred in [x] seconds” or something similar. Check that ‘/var/tftpd-hpa/circle_jerk.zip‘ exists and shows proper file size or if it is zero. If zero in size this confirms file didn’t transfer and you will need to execute TFTP command manually to see what it shows:

Code: Select all

TFTP -i [ip of LBR20] PUT circle_jerk.zip

[egauk]

I do not see that TFTP was executed to upload the .zip because it should produce some output that says “[x] bytes were transferred in [x] seconds” or something similar. Check that ‘/var/tftpd-hpa/circle_jerk.zip‘ exists and shows proper file size or if it is zero. If zero in size this confirms file didn’t transfer and you will need to execute TFTP command manually to see what it shows:

Code: Select all

TFTP -i [ip of LBR20] PUT circle_jerk.zip

Rookie mistake, the Windows Firewall re-enabled itself blocking TFTP. All is well now!

[das1996]

Glad it worked. Not sure why a reboot was necessary as my tests with clean reset worked without reboot but I can add that as something to try for others in troubleshooting.

For TTL most folks would use mangle on the router to avoid having to set on each client device for carrier plans that differentiate on-device data from tether traffic using TTL. On the router it is set to mangle outgoing packets to 65 because on WAN exit it decrements to 64 which is the desired value once the traffic is on the carrier network. Some LAN setups may require adjusting this value but in most cases you wouldn’t want it to mangle to a value of 64 because it would then decrement and arrive with a value of 63.

Thanks for clarifying. I was under the impression when set to 65, 65 is what exits the router. That is, this value already included the decrement.

I have a freedompop sim I will test with later. At one time that imposed the ttl limit too. Being att based, it may yield the same result as cricket. However, it's still best to have the ttl adjusted just to give them one less factor to consider if flagging the account for unauthorized tethering, esp on unlimited accounts.

BTW, for what it's worth to others, I did the whole thing in a windows VM. Turned off all the defender crap and let it go. When done just restored the snapshot made previously.

[hazarjast]

Rookie mistake, the Windows Firewall re-enabled itself blocking TFTP. All is well now!

Fantastic! Glad to hear that is all it was. I had the same issue when creating/testing the script

I have gone back and updated the OP with troubleshooting suggestions based on the feedback I have received from everyone thus far. I have also added manual deployment instructions under the troubleshooting steps for those that need it. Hope these additions are useful to folks.

[hazarjast]

Thanks for clarifying. I was under the impression when set to 65, 65 is what exits the router. That is, this value already included the decrement.

I have a freedompop sim I will test with later. At one time that imposed the ttl limit too. Being att based, it may yield the same result as cricket. However, it's still best to have the ttl adjusted just to give them one less factor to consider if flagging the account for unauthorized tethering, esp on unlimited accounts.

BTW, for what it's worth to others, I did the whole thing in a windows VM. Turned off all the defender crap and let it go. When done just restored the snapshot made previously.

No problem, it was good you brought it up as hopefully the discussion will benefit others' understanding on the 'how' and 'why' of the TTL mangle piece.

I agree; I prefer to use TTL mangle no matter the carrier or plan just to be sure the traffic looks as close to 'on-device' traffic as possible.

Appreciate your sharing that you used a VM; this is a safe approach. I really dislike that bits of the auto-deployment need any Defender disablement or exclusions added but I know that technical ability varies here so I attempted to balance security awareness along with ease of use. I have appended the manual deployment instructions in the OP to call out the fact that the use of the precompiled 'telnet-enable2.exe' (which windows falsely flags as malicious) is not really required and linked to its source Python script which can be used instead if desired.

[egauk]

Would you mind sharing how you configured NextDNS to work on your Orbi? I see from the original post this is being used by modifying resolve.conf

[das1996]

@hazarjast Of course we give thanks to you and the folk(s) that deciphered telnet-enable, which without none of this would be possible (on later fw's) and this circle jerk would just result in no satisfaction

[hazarjast]

Would you mind sharing how you configured NextDNS to work on your Orbi? I see from the original post this is being used by modifying resolve.conf

I run the NextDNS CLI daemon on my upstream PFSense firewall which has a WAN rule that allows incoming traffic from the Orbi (WAN) to the LAN IP of the PFSense which the CLI listens on (port 53). On the Orbi I am just overwriting '/etc/resolv.conf' with "nameserver [PFSense_IP]" so that it uses NextDNS for all its local DNS queries.

[hazarjast]

@hazarjast Of course we give thanks to you and the folk(s) that deciphered telnet-enable, which without none of this would be possible (on later fw's) and this circle jerk would just result in no satisfaction

Only credit I will take is for buying Bjoern a pizza and providing him with 'telnetenable' binary. All true reversing credit goes to him. Certainly circle jerk would be immensely frustrating without a proper way to enable telnet, lol.

That being said, for folks who don't mid disassembling their LBR20 to get to UART pins, they can always call telnet daemon to run manually (even if Netgear changes Blowfish algo again in the next firmware) but I realize tearing down such an expensive device to access serial console is daunting/undesirable for many which is why I reached out for professional reversing help

[das1996]

^^This one was a dev unit too. Way over priced if I had to buy it retail.

Given you're using this in front of pfsense, have you explored ways of passing on the public ip directly to the the pfsense wan. In part to avoid double nat, but also to just use this as an LTE<>ethernet bridge?

For use as a self contained router, i'd love to see an asusmerlin fw implementation (like xwrt does for r7000). I don't know what it is about netgear fw, but it seems overly bloated, slow, lacking features. Reasonably good hardware, crap software. These days I've stopped recommending netgear products to those that ask because of these shortcomings. I've got a rt68u and r7000 (with xwrt) used as ap's around the house. Surprisingly the wifi is still very good on these with current fw (600-700 mbps down, 500mbps up with an ax200 client). My main firewall is a sophos utm instance. I may switch to pfsense some day but this is already configured and complicated enough. Not motivated to reinvent the wheel at this time.

[hazarjast]

^^This one was a dev unit too. Way over priced if I had to buy it retail.

Given you're using this in front of pfsense, have you explored ways of passing on the public ip directly to the the pfsense wan. In part to avoid double nat, but also to just use this as an LTE<>ethernet bridge?

For use as a self contained router, i'd love to see an asusmerlin fw implementation (like xwrt does for r7000). I don't know what it is about netgear fw, but it seems overly bloated, slow, lacking features. Reasonably good hardware, crap software. These days I've stopped recommending netgear products to those that ask because of these shortcomings. I've got a rt68u and r7000 (with xwrt) used as ap's around the house. Surprisingly the wifi is still very good on these with current fw (600-700 mbps down, 500mbps up with an ax200 client). My main firewall is a sophos utm instance. I may switch to pfsense some day but this is already configured and complicated enough. Not motivated to reinvent the wheel at this time.

For most US carrier plans, the IPv4 that the WWAN (modem) interface pulls is CGNAT'ed and/or in a range not publicly routable anyways so "passing it on" / bridging it doesn't really achieve anything useful for the purposes of avoiding NAT and giving LAN devices a usable public IP. On the IPv6 side, carriers typically are giving you a /64 address space which RFC standards prevent from being further subdivided without major hacks making that address also useless or at least difficult to use in a bridged manner. My public IP needs are met by running a VPN server on a VPS with a client connection back on PFSense. The VPN client interface is then used as another WAN gateway. From there I use policy based routes and 1:1 NAT mappings to provide a true public IP to the devices on my network which require one while routing everything else directly out of the normal cellular connection WAN (split tunnel routing).

I had already reached out to Voxel to add LBR20 support to his existing (and excellent) Orbi firmware but he doesn't seem to have interest in the effort or time to pursue it at the moment. Recently I've offered to ship him my 'dev' unit as a test bed if this would influence his decision or not. Have not heard anything back at this time though. Like most of us he has a demanding day job and router firmware is just a hobby for him. The reason that Netgear firmware is based on old OpenWRT releases and is of generally bad quality is simply because Netgear doesn't write any of the custom code in it. Their firmware is contracted out wholsale to Delta Electronics (formerly Delta Networks Inc.) which uses old toolchains to compile their firmware (not optimized for the target hardware) and further subcontracts different model firmware or firmware components out to other contract developers who don't seem to share a common code repository (ex. security vulnerabilities fixed on Orbi are still present in Nighthawk or vice versa).

Completely understand about not wanting to go through and make changes to a working setup. I am the same way at the moment as my VPN runs on OpenVPN and I would like to upgrade to PFSense 2.5 with WireGuard. Just haven't wanted or been able to take the time to dig into making the change. I figure I will let people work the bugs out of 2.5 for me and wait on the first patch before updating.