prevent Mr5100 from updating firmware

Topics for Netgear Nighthawks MRxxxx Series Hotspots
Post Reply
noise_maker
Posts: 12
Joined: Mon Feb 21, 2022 9:54 am
Has thanked: 3 times
Been thanked: 1 time

prevent Mr5100 from updating firmware

Post by noise_maker »

Is there a known way on the MR5100 to prevent the firmware from updating?. There seems to be allot more info about the M1s vs the M5s on this stuff.

I read a few places that the M1s don't do a full firmware load when they update - not sure if the M5s are the same or not. I am running 2 of these in a load balanced scenario. To get that to work i had to modify some things like the birdge0 mac and some static routes (as well as more standard changes like IMEI etc) . if the firmware is patched updated like the M1s then it would likely not be an issue. If it does a full load (or i get unlucky and they way I am doing my changes gets stepped on in an update) then what i have done to them could get wiped. Just trying to prevent that. I have had to do this with other devices in the past because they were full load firmwares, just not sure how these M5s work

I have spent a few hours poking around on them and i haven't found anything reasonable like a DNS name or IP i could block or a FOTA service i could disable, or a config file i could change etc. I have looked at just about every xml or conf file looking for clues but just haven't seen any yet.

On the M1s some people claim that without a battery in them it wont update or changing to a unbranded firmware (which i think would be much harder on the M5s with the secure boot it has and besides i haven't seen them posted anywhere) .


for me these are US att branded mr5100s that I am running one with a TMobile home sim and one with a sprint sim. Not sure if it matters... i know some devices wont pull updates if they are not on their "home" network

any pointers would be very much appreciated
User avatar
Rich Hathaway
Posts: 542
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 8 times
Been thanked: 186 times

Re: prevent Mr5100 from updating firmware

Post by Rich Hathaway »

Any device can update if on a carrier that supports the particular device and the device passes the carriers integrity check, and they can full update both sides of the device (OS2 and linux)
it depends on what the carrier is sending to that model at that time, having said that full updates are not anything they normally do because it is very expensive to push that much data to millions of devices unless it is "worth it" for them to do that for some reason, bad firmware or something wrong with the previous version that cant be corrected by a small security update which is usually what they push.
you can see in the picture below of the MR5100 system partition/file that it has auto provisioning to read from the inserted sim and load/use the appropriate apn
M5 FOTA_2.PNG
And you can see this device also has FOTA enabled for tmobile and sprint
M5 FOTA_2.PNG
Sorry to be so winded, in short you can disable FOTA via the apn's
You do not have the required permissions to view the files attached to this post.
noise_maker
Posts: 12
Joined: Mon Feb 21, 2022 9:54 am
Has thanked: 3 times
Been thanked: 1 time

Re: prevent Mr5100 from updating firmware

Post by noise_maker »

this is interesting... i would never have though those would be baked into the APNs like that. The last devices i messed with where franklin t9s and FOTA was just a service that runs that you could disable but you could also change the URL or simply block the DNS query for it.

ill need to look into the APNs more. Given APNs are user settable it just seems odd that it would be baked in there . i mean for both of my sims i had to add the correct APNs (even though there are many) . It has to have something to do with the network selection.

I appreciate the info and will dig more

I was able to sort out via netstat that both Tmo and sprint sims anyway go to mobile-166-216-149-131.mycingular.net on https when you tell them to check for updates manually. If you go to that in a browser and tell it to ignore the cert it redirects you to xdme.wireless.att.com
and you get this device protection control site from ATT. If you NSlookup xdme.wireless.att.com you find it has a Cname of xdme.mobile.att.net an a A record of mobile-166-216-149-133.mycingular.net

Im going to block those 3 names and the IP for now and see what happens when it lets me check manually again. I found a file yesterday that seems like it had something to do with last check date... ill have to see if I can force it

Appreciate the insight
User avatar
Rich Hathaway
Posts: 542
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 8 times
Been thanked: 186 times

Re: prevent Mr5100 from updating firmware

Post by Rich Hathaway »

noise_maker wrote: Thu Mar 03, 2022 7:37 pm i mean for both of my sims i had to add the correct APNs (even though there are many) . It has to have something to do with the network selection.
You may have an early build on yours that does not allow for auto apn, or perhaps your device is not unlocked? the later builds do and it will see the mnc/mcc on the sim and then set the apn accordingly.
noise_maker
Posts: 12
Joined: Mon Feb 21, 2022 9:54 am
Has thanked: 3 times
Been thanked: 1 time

Re: prevent Mr5100 from updating firmware

Post by noise_maker »

Both of mine are unlocked. one via ATT the other i had to use bigunlocker

When the sim was put it and the unlock code entered, each one auto identified the network as the proper carrier (Sprint on one, T-Mobile on the other) It populated a ton of APNs related to the appropriate carrier. One got a about 15 T-Mobile and related APNs and the other 10 sprint ones but the APNs i need in both cases were not there. I had to add the ones I am using. Tmobile home & Calyx/Sprint are both supposed to be locked to their hardware - I'm not surprised the tmobile home APN wasn't there but i am kind of surprised the sprint one was not.

One of them is HW version 1.0 with firmware NTGX55_12.03.06.00 (2021/02/11) and the other is Hardware version 1.1 with firmware NTGX55_10.29.10.00 (2020/11/17)

It seems though the Firmware check - at least when i manually do it reaches out to that address on https. I am blocked HTTPS initiating form the device via IPtables as well as blocking all destination ports on current IP of where is it reaching out to. I have that run on boot. I also put a name resolution block into /etc/hosts and have that verify and repopulate as necessary on every boot as well.

I locked one of mine down that way and the other i left open so i can test the difference and make sure its working properly but I think this will do it in terms of preventing it from calling home for updates.
User avatar
Rich Hathaway
Posts: 542
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 8 times
Been thanked: 186 times

Re: prevent Mr5100 from updating firmware

Post by Rich Hathaway »

You might check it periodically as the device can and will query the network periodically for apn values, your sim card also has some say about what to use, this file on the sim card is called ACL.EF or APN Control List it works with the device and tells it which apn to use from the available APN's or if a satifactory APN is not found it will/can pull a Carrier provided APN, I think you can disable that though in the sim card, it not one of the crypted items (only data passwords and the imei are)and should have read/write by default. You can look for the ACL file within the UST file and set it to Disabled, you will need a sim to usb adapter to do it on a pc.
There may be some AT commands for your modem to read and write it but I am not sure what they are.
noise_maker
Posts: 12
Joined: Mon Feb 21, 2022 9:54 am
Has thanked: 3 times
Been thanked: 1 time

Re: prevent Mr5100 from updating firmware

Post by noise_maker »

this is what I have working on mine right now until i can sort out some of the other things suggested in this thread. I have this run on startup every time. I did have iptables blocks as well but given the IPs could change and i wasn't comfortable blocking all outbound 80/443 in aggerate if fell like this is a better solution, as low rent as it is....

just sharing incase anyone else wants this

# block firmware update
#block in hosts files
for file in /etc/hosts /etc/data/hosts /etc/avahi/hosts /mnt/userrw/etc/dnsmasq.hosts; do if [[ $(cat $file|grep -c xdme) -eq 0 ]] ; then echo 127.0.0.9 xdme.mobile.att.net xdme.wireless.att.com>>$file; fi ;done
#add block to DNS server
for host in mobile.att.net wireless.att.com ; do if [[ $(cat /mnt/userrw/etc/dnsmasq.conf|grep -c $host) -eq 0 ]] ;then echo address=/$host/127.0.0.9>>/mnt/userrw/etc/dnsmasq.conf; fi ;done
#resetart DNS server
DNS_CMD=$(ps | grep -F dnsmasq | grep -F -v grep |grep -F root|cut -c 22-1000)
kill $(cat /var/run/data/dnsmasq.pid); $DNS_CMD
w1lliam
Posts: 30
Joined: Tue Jul 12, 2022 7:26 pm
Has thanked: 4 times
Been thanked: 7 times

Re: prevent Mr5100 from updating firmware

Post by w1lliam »

noise_maker wrote: Thu Mar 03, 2022 8:01 am Is there a known way on the MR5100 to prevent the firmware from updating?. There seems to be allot more info about the M1s vs the M5s on this stuff.

I read a few places that the M1s don't do a full firmware load when they update - not sure if the M5s are the same or not. I am running 2 of these in a load balanced scenario. To get that to work i had to modify some things like the birdge0 mac and some static routes (as well as more standard changes like IMEI etc) . if the firmware is patched updated like the M1s then it would likely not be an issue. If it does a full load (or i get unlucky and they way I am doing my changes gets stepped on in an update) then what i have done to them could get wiped. Just trying to prevent that. I have had to do this with other devices in the past because they were full load firmwares, just not sure how these M5s work

I have spent a few hours poking around on them and i haven't found anything reasonable like a DNS name or IP i could block or a FOTA service i could disable, or a config file i could change etc. I have looked at just about every xml or conf file looking for clues but just haven't seen any yet.

On the M1s some people claim that without a battery in them it wont update or changing to a unbranded firmware (which i think would be much harder on the M5s with the secure boot it has and besides i haven't seen them posted anywhere) .


for me these are US att branded mr5100s that I am running one with a TMobile home sim and one with a sprint sim. Not sure if it matters... i know some devices wont pull updates if they are not on their "home" network

any pointers would be very much appreciated
Try the tool from tinyurl.com/mrCONFIGTools, with -nofota option
Post Reply

Return to “Nighthawks MR1100 - MR5200 (M1...M5...)”