NETGEAR / SIERRA MR6400 THREAD

Posted: Tue Jul 26, 2022 4:30 pm
by Rich Hathaway
I did not see this thread anywhere, so here it is: a general thread for the MR6400.
Please add to this anything about this device you wish.

I just got to have a look at this device today (remotely); it is similar to the M5.
Here are the hardware IDs for it:

modem
USB\VID_0846&PID_68E2&REV_0504&MI_03
USB\VID_0846&PID_68E2&MI_03

Diag
USB\VID_0846&PID_68E2&REV_0504&MI_02
USB\VID_0846&PID_68E2&MI_02

RNDIS
USB\VID_0846&PID_68E2&REV_0504&MI_00
USB\VID_0846&PID_68E2&MI_00

ADB
USB\VID_0846&PID_68E2&REV_0504&MI_04
USB\VID_0846&PID_68E2&MI_04

USB Composite device
USB\VID_0846&PID_68E2&REV_0504
USB\VID_0846&PID_68E2
============================================
Use the same methods to work on this device that you use for the M5.
Hopefully I will get another one of these to spend more time with soon; he
only wanted me to change the root password and hard-code TTL for him on it,
so that's all I did on this model so far, but it is very similar to the M5, so the same
things can be done to it:
IMEI, MEID, pESN, TTL, Band Lock, CA manipulation, etc.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Fri Aug 12, 2022 7:10 pm
by Rich Hathaway
MR6400 Partitions by name

mtd0: 00280000 00040000 "sbl"
mtd1: 00280000 00040000 "mibib"
mtd2: 01680000 00040000 "efs2"
mtd3: 001c0000 00040000 "tz"
mtd4: 00100000 00040000 "tz_devcfg"
mtd5: 00180000 00040000 "ddr"
mtd6: 00100000 00040000 "apdp"
mtd7: 00100000 00040000 "xbl_config"
mtd8: 00100000 00040000 "xbl_ramdump"
mtd9: 00100000 00040000 "multi_image"
mtd10: 00100000 00040000 "multi_image_qti"
mtd11: 00100000 00040000 "aop"
mtd12: 00100000 00040000 "qhee"
mtd13: 00100000 00040000 "abl"
mtd14: 00380000 00040000 "uefi"
mtd15: 00180000 00040000 "toolsfv"
mtd16: 00180000 00040000 "loader_sti"
mtd17: 01280000 00040000 "boot"
mtd18: 00100000 00040000 "scrub"
mtd19: 00100000 00040000 "logfs"
mtd20: 08040000 00040000 "modem"
mtd21: 001c0000 00040000 "misc"
mtd22: 00180000 00040000 "devinfo"
mtd23: 00080000 00040000 "recovery"
mtd24: 00080000 00040000 "fota"
mtd25: 00080000 00040000 "recoveryfs"
mtd26: 00100000 00040000 "sec"
mtd27: 00100000 00040000 "ipa_fw"
mtd28: 00100000 00040000 "usb_qti"
mtd29: 12c80000 00040000 "system"
mtd30: 034c0000 00040000 "pad1"
mtd31: 02840000 00040000 "userrw"
mtd32: 03940000 00040000 "hdata"
mtd33: 008c0000 00040000 "cust"
mtd34: 01040000 00040000 "ntgrpersist"
mtd35: 15980000 00040000 "ntgfota"

And its mounts:
ubi0:rootfs / ubifs rw,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=0 0 0
devtmpfs /dev devtmpfs rw,seclabel,relatime,size=310108k,nr_inodes=77527,mode=755 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,seclabel,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,seclabel,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/debug cgroup rw,seclabel,nosuid,nodev,noexec,relatime,debug 0 0
tmpfs /var/volatile tmpfs rw,rootcontext=system_u:object_r:var_t:s0,seclabel,relatime 0 0
ubi0:systemrw /systemrw ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
ubi0:systemrw /etc/data/mobileap_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
/dev/ubi1_0 /firmware ubifs rw,context=system_u:object_r:firmware_t:s0,relatime,bulk_read,assert=read-only,ubi=1,vol=0 0 0
ubi0:persist /persist ubifs rw,rootcontext=system_u:object_r:persist_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=4 0 0
ubi0:systemrw /etc/data/mobileap_firewall.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:usrfs /data ubifs rw,rootcontext=system_u:object_r:data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=1 0 0
ubi0:systemrw /etc/data/wlan_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/ipa_config.txt ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/l2tp_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/ipa/IPACM_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/dhcp_hosts ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/hosts ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/usb/boot_hsusb_comp ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi3:hdata /mnt/hdata ubifs ro,sync,rootcontext=system_u:object_r:mnt_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=3,vol=0 0 0
ubi0:systemrw /etc/adb_devid ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/usb/softap_w_dun ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi2:userrw /mnt/userrw ubifs rw,sync,rootcontext=system_u:object_r:mnt_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=2,vol=0 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
diag /dev/ffs-diag functionfs rw,relatime 0 0
tracefs /sys/kernel/debug/tracing tracefs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
ubi0:cachefs /cache ubifs rw,rootcontext=system_u:object_r:cache_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=2 0 0
ubi0:systemrw /etc/misc/wifi/WCNSS_qcom_cfg.ini ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/hostapd-wlan1.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/hostapd-wlan2.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/hostapd.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/sta_mode_hostapd.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/wpa_supplicant.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=3 0 0

The real ports can be enabled by the same means as the M1, M2 and M5;
the 68E2 PID works to enable all ports.
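
As an added example (my code, not from the post or the device's firmware), a small parser for the /proc/mtd and mount listings quoted above, run on a constructed subset of those lines: it converts the hex partition sizes to bytes and erase blocks and flags writable mounts that lack noexec. Note that the ubifs option `assert=read-only` is the filesystem's assertion-failure policy, not a read-only mount flag.

```python
import re

# Constructed sample in the same /proc/mtd format as the MR6400 listing (a subset).
MTD_SAMPLE = """\
mtd2: 01680000 00040000 "efs2"
mtd17: 01280000 00040000 "boot"
mtd20: 08040000 00040000 "modem"
mtd29: 12c80000 00040000 "system"
"""

# Constructed sample in /proc/mounts format (a subset of the lines in the post).
MOUNTS_SAMPLE = """\
ubi0:rootfs / ubifs rw,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=0 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
ubi3:hdata /mnt/hdata ubifs ro,sync,rootcontext=system_u:object_r:mnt_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=3,vol=0 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
"""

MTD_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]+)"$')

def parse_mtd(text):
    """Return {name: (device, size_bytes, erase_blocks)} from /proc/mtd lines."""
    out = {}
    for line in text.splitlines():
        m = MTD_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        dev, size_hex, erase_hex, name = m.groups()
        size, erase = int(size_hex, 16), int(erase_hex, 16)
        out[name] = (dev, size, size // erase)
    return out

def parse_mounts(text):
    """Return one dict per mount line: device, mountpoint, fstype and option set."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        out.append({"dev": parts[0], "mnt": parts[1], "fs": parts[2],
                    "opts": set(parts[3].split(","))})
    return out

def writable_no_noexec(mounts):
    """Mountpoints that are rw but not noexec: where executable code could be dropped."""
    return sorted(m["mnt"] for m in mounts
                  if "rw" in m["opts"] and "noexec" not in m["opts"])
```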

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Wed Jan 18, 2023 10:34 am
by greekgod1820
Hey Rich, with it being so similar, any thoughts on flashing MR6150 firmware to it, since I hear the MR6400 Dish firmware is so buggy?

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Wed Jan 18, 2023 12:08 pm
by Rich Hathaway
They have hardware differences, so it's not advisable; besides, where would you get the firmware? I do not have it and have not made any for it, as I don't have this device yet.

All the work I have done on it has been done remotely by pulling its COM ports over to my PC from a friend who has one.
But to make firmware the device needs to be local to me.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Wed Jan 18, 2023 1:36 pm
by greekgod1820
My bad, I got very excited when I saw Firmware under the download section for both on Netgear.com. Turns out they both just take you to release notes :(. Disappointed to hear about the hardware differences with such similar band offerings. Hopefully they fix the slacked Dish firmware for the 6400 then.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Mon Mar 20, 2023 8:46 am
by Rich Hathaway
Be careful updating these devices beyond 10.01.41.02.
If you do, the new update locks the device's MEP and breaks the coding for the challenge request, so one cannot correctly pass the MEP or CMD challenge without downgrading back to the previous version. The OPENLOCK challenge algorithm for some reason remains intact after updating.
I can say that downgrading back to 10.01.41.02 is possible and does work to correct it, but still, as with loading any firmware, there is some risk involved in doing so.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Sat Apr 01, 2023 9:58 am
by Xerxes
This firmware seems to ignore any band locking with custom bands if it even remotely sees a signal from n71.

Any progress on the MR6400 firmware? Hoping to get around this annoyance.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Sat Apr 01, 2023 10:00 am
by Xerxes
I've tried all of these with no luck. If it sees even a faint signal, it ignores whichever of these is selected and locks onto "NR5G N71":

AT!BAND=04, "LTE Only", 0, 0000A1003300385F, 42, 0, 0
AT!BAND=05, "B66+B71", 0, 0, 42, 0, 0, 0
AT!BAND=06, "LTE+5G+No71", 0, 0000A1003300385F, 42, 0000810031002812, 1002
AT!BAND=07, "B2+B66+No71", 0, 2, 2, 0, 0, 0
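
As an added example (my code, not from Xerxes' post or Sierra), a decoder for the masks in the AT!BAND lines above. It assumes the field order and bit-per-band layout stated in the comments, which the post does not confirm; under that assumption the two "No71" profiles really do leave n71 out of the NR mask, so the mask contents are not what makes the modem camp on n71.

```python
# Assumed layout (not confirmed by the post or by Sierra documentation):
#   AT!BAND=<index>, "<name>", <GSM/WCDMA mask>, <LTE bands 1-64 mask>,
#           <LTE bands 65-128 mask>, <NR bands 1-64 mask>, <NR bands 65-128 mask>
# Each mask is a hex number; bit 0 = band 1 of its range, bit 1 = band 2, etc.

# Constructed copy of the four profile lines from the post.
PROFILES = [
    'AT!BAND=04, "LTE Only", 0, 0000A1003300385F, 42, 0, 0',
    'AT!BAND=05, "B66+B71", 0, 0, 42, 0, 0, 0',
    'AT!BAND=06, "LTE+5G+No71", 0, 0000A1003300385F, 42, 0000810031002812, 1002',
    'AT!BAND=07, "B2+B66+No71", 0, 2, 2, 0, 0, 0',
]

def bands_from_mask(mask_hex, base=0):
    """Band numbers whose bits are set in a 64-bit mask; bit i means band base+i+1."""
    value = int(mask_hex, 16)
    return [base + i + 1 for i in range(64) if (value >> i) & 1]

def parse_band_profile(line):
    """Split one AT!BAND line into index, name and decoded LTE/NR band lists."""
    _, _, rest = line.partition("=")
    fields = [f.strip().strip('"') for f in rest.split(",")]
    index, name = fields[0], fields[1]
    # The post's lines differ in field count; pad with zero masks and keep five.
    masks = (fields[2:] + ["0"] * 5)[:5]
    lte = bands_from_mask(masks[1]) + bands_from_mask(masks[2], 64)
    nr = bands_from_mask(masks[3]) + bands_from_mask(masks[4], 64)
    return {"index": index, "name": name, "lte": lte, "nr": nr}

def profiles_excluding_n71(lines):
    """Names of profiles whose NR mask does not contain n71."""
    return [p["name"] for p in map(parse_band_profile, lines) if 71 not in p["nr"]]

if __name__ == "__main__":
    for line in PROFILES:
        p = parse_band_profile(line)
        print(f'{p["index"]} {p["name"]:14} LTE={p["lte"]} NR={p["nr"]}')
```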

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Tue Apr 11, 2023 8:02 am
by Siangko89
Do you mean I need to download this AC34xUIPT2Drivers.exe onto a PC and then run it with the MR6450?

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Tue Apr 11, 2023 8:46 am
by Rich Hathaway
No, you need to load firmware version 10.01.41.02 or earlier before the openlock challenge can work.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Tue Apr 11, 2023 9:38 pm
by Siangko89
Where can I get this firmware?
Does the modem need to be in bootloader mode?

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Wed Apr 12, 2023 7:46 am
by Rich Hathaway
For the MR6450 you will have to look around for it; I do not have it for the 6450.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Mon Oct 23, 2023 3:09 am
by ColoradoMurf
I have had this hotspot for a while now (almost a year, I think) and need some guidance. My entire network (phones, gateways, switches, modems, routers, attached devices and more) was hacked earlier this year. This hotspot has been a lifesaver in getting connected to the Internet and trying to repair the damage. My questions are:

1) Is there a way to fully wipe this device to make sure no persistent alterations are left? (Like DFU for iPhone, for example.) Does applying firmware fully wipe the device?

2) Is telnet access available remotely via WAN by default?

I am currently using 10.01.41.02 after downgrading the firmware via instructions here and on other sites, and have turned off auto update at one point. I have reapplied the firmware many times and done factory resets too many times to count, and am still concerned about it being compromised based on observations from my mobile devices that had persistent alterations at the file level. The actors were able to obtain IMEI and SIM info from all mobile devices, including this one.

Thanks in advance. If this needs to be in a new post, I will be more than happy to do so.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Mon Oct 23, 2023 9:37 am
by Rich Hathaway
DFU = device firmware update; it is the same as the download mode that these Sierra devices use (your 6400 is a Sierra device).
9008 mode is the mode known as emergency and is the mode made for wiping/writing from 0 to the end: 7ff if it is a 4k system or 1000 if it is a 2k system. Your 6400 is a 4k system, so 0 to 7ff. However, to use this mode you need either a signed factory loader or a correctly patched loader, or if you have a firehose loader some access can be had in this manner.
Loading an spk like you have been does not wipe or write any of the personal "stuff" in this device; it does not touch EFS or the NV, which is where most of that is. Those spk's can range from small updates to full updates, which still do not touch those parts; they need to be loaded separately.
But tell me why you think your devices were hacked. This is not something people with those skills look for because there is no money in it; what would they do with your IMEI or SIM info? It is worthless. They look for credit card info and social security numbers, things that have value and can be sold and resold like this.

Yes, telnet, if it is enabled on your device, can be used remotely. But to do that someone would have had to inject a vnd and script to install it and grant access on your PC (this cannot be done via Linux or Debian; it must be Windows), or be in range of your wifi for an extended period of time. So that leads back to my question: if they have access to your PC, why would anyone want to do all the extra work to try and get your IMEI and SIM info, which are worthless, when likely your CC and social info are on your PC, which they would already have to access first? Anyway, telnet is easily disabled on these; just make a rule to disallow traffic on ports 5510 and 23 in the admin page or in the device itself.

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Wed Oct 25, 2023 2:59 pm
by ColoradoMurf
Thank you for your response, Rich! When it comes to the firmware updates (spk), that's what I figured, especially after going in and looking at logs via root telnet. There are many reasons why I know I was hacked and had persistent threats over the last 6 months. 1) I managed to get a lot of the modules they were using because of pure luck of disabling one of my servers to refurbish it. 2) I have way too many logs and screenshots of what was (and is) happening. I have a Unifi UDM Pro SE as my gateway (with dual WAN input from different providers), a couple of level 2 and 3 switches, a U6 Enterprise AP and a couple of servers (ESXi and Prox). These things all used to drive multiple computers (Windows, Mac, Linux) and probably over 75+ IoT devices and "smart" devices. The original issue is tied back to malware on a laptop via WhatsApp data transfer software, I believe, but I am still researching with authorities. The first of mine infected were a Pixel 6 Pro and an iPhone 13 Pro (that I noticed). Then weeks of compromising other devices on the network. By the time I noticed the alerts, it was too late. I can share more privately if you want. When it comes to motive, they were able to get close to 130k from credit and bank accounts. Luckily that has almost all been resolved. The other part is that the parent company of mine was compromised by ALPHV earlier this year by ransomware. Not sure of the final resolution of that. Still trying to figure out if my stuff was related, caused by or caused. Now with the persistent threat aspect, I started using the hotspot a lot because I thought it would be safer than my other providers because it was unknown to them at the time. The issue(s) I still see on cell and hotspot: 1) Random reboots and "updates". 2) Browser error messages about insecure sites (SSL). 3) Long loading times for sites. Usually if I reset the APN and Wifi/BT settings on the devices, it corrects the issue for a little bit.
I have looked at way too many PCAP logs and noticed a lot of random UDP ports open that contained tunnels. Also various things like hidden services / scheduled tasks on Windows. Tons of errors on iPhone / iOS for various items like Siri, network stack etc. I honestly am a novice when it comes to networking. I have been on the software side for 20+ years. I have learned tons throughout this but it also has driven me crazy. I have looked at boot scripts, iptables, routes and a million other things but feel like it just makes me crazier hah. Oh, and when it comes to IMEI, phone and serial, they were able to register my devices with both Apple and Google as MDM (Enterprise accounts) using that information and device IDs. There is a 6 page thread on Apple Community called "MDM on personal iPhone - Businesses, unauthorized developer activity HELP!" that outlines what I and others have been dealing with. Sorry for the book :( I will end on this:

1) Do you have any advice on things to look for and/or do to be sure that the device is ok?

Re: NETGEAR / SIERRA MR6400 THREAD

Posted: Mon Oct 30, 2023 10:06 am
by Rich Hathaway
ColoradoMurf wrote: Wed Oct 25, 2023 2:59 pm
1) Do you have any advice on things to look for and/or do to be sure that the device is ok?
Well, you could wipe it and reload it; then everything on it before would be gone, but you would have to have firmware for it and a way to load it.