M6 6500-M6 6550 (US) Root - IMEI Restore - TTL Mangle

[organiclatte]

Updates will be made on this gist: https://gist.github.com/carlosalaniz/a0 ... bf78141c8

M6 6500 / M6 6550 (US)
The goal of this document is to make it easy for everyone to unlock their M6 Hotspot routers. I purchased a refurbished M6 router with a version that did not allow to do what I wanted. After several hours of research and experimentation, I was able to get it to work. Here’s what I did:

Before you get started:
You will need:

• A windows machine (to use FDT)
• M6 router (MR6500 or M6550)
• Latest stable M6550 Firmware, In case your router is not unlockable (MR6550-100PAS 12.01.54.00)
• FDT.exe version 4.6.2.0
• AC78x Drivers (optional, but I had to install them)
• Putty

Depending on your version, the unlock process might or might not work. Attempt the unlocking process first, if any of the commands fail, you might want to consider installing a different firmware.

The order of operations is:

1. Firmware flashing (dangerous, only required if the unlock process fails)
2. Unlock process
3. TTL Mangle and Update prevention

Unlock process

1. In your router, make sure you have USB Tethering enabled.
2. Connect the router to your Windows computer via USB.
3. Make sure your router is connected by opening a browser and navigating to your router's config page, usually http://192.168.1.1/.
4. Open Putty and use the following settings to connect to your router:
   • Host Name: 192.168.1.1
   • Port: 5510
   • Connection Type: Telnet
5. On the terminal run

   Code: Select all

   ATI

   . This command will output information about your device.
6. On the terminal run

   Code: Select all

   AT!OPENLOCK?

   . This command will print a challenge.
7. Navigate to https://sierra-keygen.uu.sg/ and use the following to generate a challenge response:
   • Device generation: SDX65
   • Challenge type: OPENLOCK
   • Challenge: The challenge you got from the previous step. ex: 884B78W2BTE2AA2A
8. After you click generate, the website will output a challenge response command. This command looks like

   Code: Select all

   AT!OPENLOCK="6TTD4765F1894F64"

   . Type this command in your terminal.
9. On the terminal run

   Code: Select all

   AT!OPENMEP?

   . This will generate a challenge.
10. Navigate to https://sierra-keygen.uu.sg/ and use the following to generate a challenge response:
    • Device generation: SDX65
    • Challenge type: OPENMEP
    • Challenge: The challenge you got from the previous step. ex: 884B78W2BTE2AA2A
11. After you click generate, the website will output a challenge response command. This command looks like

    Code: Select all

    AT!OPENMEP="C4E48EF7FA4C4C33"

    . Type this command in your terminal.
12. On the terminal run the following:

    • Code: Select all

      AT!TELEN=1

    • Code: Select all

      AT!CUSTOM="RDENABLE",1

    • Code: Select all

      AT!CUSTOM="TELNETENABLE",1

    • Code: Select all

      AT!NVIMEIUNLOCK

13. Navigate to https://carlosalaniz.github.io/imei-encryptor/ and input your IMEI.
14. In the terminal type the command outputted in the previous step. ex.

    Code: Select all

    AT!NVENCRYPTIMEI=00,00,00,00,00,00,00,00

    [/i]
15. Restart the router by running

    Code: Select all

    AT!RESET

TTL Mangle and Update prevention

1. In your router, make sure you have USB Tethering enabled.
2. Connect the router to your Windows computer via USB.
3. Make sure your router is connected by opening a browser and navigating to your router's config page, usually http://192.168.1.1/.
4. Open Putty and use the following settings to connect to your router:
   • Host Name: 192.168.1.1
   • Port: 23
   • Connection Type: Telnet
5. On the terminal run the following:

   Code: Select all

   dx -c Oma.DMAccountServerAddress1 https://no.updateforyou.net:443/junk
     

   Code: Select all

   touch /usr/sbin/set-ttl.sh
   chmod +x /usr/sbin/set-ttl.sh
     

   Code: Select all

   echo '#!/bin/bash' > /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Enable debugging' >> /usr/sbin/set-ttl.sh
   echo 'set -x' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Log output to a file' >> /usr/sbin/set-ttl.sh
   echo 'exec > /var/log/set-ttl.log 2>&1' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Flush mangle table rules for IPv4 and IPv6' >> /usr/sbin/set-ttl.sh
   echo 'iptables -t mangle -F' >> /usr/sbin/set-ttl.sh
   echo 'ip6tables -t mangle -F' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Set TTL for IPv4 on rmnet_data0 interface' >> /usr/sbin/set-ttl.sh
   echo 'ip6tables -t mangle -I POSTROUTING -o rmnet_data0 -j HL --hl-set 64' >> /usr/sbin/set-ttl.sh
   echo 'iptables -t mangle -I POSTROUTING -o rmnet_data0 -j TTL --ttl-set 64' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo 'exit 0' >> /usr/sbin/set-ttl.sh
     

   Code: Select all

   echo '[Unit]' > /etc/systemd/system/set-ttl.service
   echo 'Description=Set TTL in mangle iptables' >> /etc/systemd/system/set-ttl.service
   echo 'After=multi-user.target' >> /etc/systemd/system/set-ttl.service
   echo '' >> /etc/systemd/system/set-ttl.service
   echo '[Service]' >> /etc/systemd/system/set-ttl.service
   echo 'ExecStart=/usr/sbin/set-ttl.sh' >> /etc/systemd/system/set-ttl.service
   echo 'Type=simple' >> /etc/systemd/system/set-ttl.service
   echo '' >> /etc/systemd/system/set-ttl.service
   echo '[Install]' >> /etc/systemd/system/set-ttl.service
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/set-ttl.service
     

   Code: Select all

   setenforce 0
   
   systemctl daemon-reload
   
   systemctl start set-ttl
   
   systemctl status set-ttl
   
   systemctl enable set-ttl
   
   systemctl list-unit-files | grep ttl
     

Firmware flashing
This is a dangerous process that could remove features, cause malfunction, or even brick your device.

Make sure you have the firmware you want to install as well as fdt.exe in the same folder.

1. Unplug and remove the battery from your device.
2. Press the power button for 8 seconds.
3. While pressing the power button, connect the device to a Windows computer via USB.
4. Keep pressing until the device goes into Downloading software update mode.
5. Open an administrator terminal (cmd or powershell).
6. Navigate to the folder containing fdt.exe and the firmware file you want to flash.
7. Run the following command, where .\MR6550-100APS_23115772_NTGX65_12.01.54.00_00_Generic_01.30_00.secc.cwe is whatever version you want to flash into your device.

   Code: Select all

   .\fdt.exe -f .\MR6550-100APS_23115772_NTGX65_12.01.54.00_00_Generic_01.30_00.secc.cwe
     

8. Wait for the device to finish flashing the firmware.

Sources:
https://wirelessjoint.com/viewtopic.php?p=24271#p24271
https://www.reddit.com/r/Dish5G/comments/13err3x/owning_the_netgear_m6_pro_mr6400/
https://wirelessjoint.com/viewtopic.php?t=4183
https://github.com/developer-of-things/m6restore
https://wirelessjoint.com/viewtopic.php?p=19653#p19653

[dfkinca]

WONDERFUL POST; I LOVE the fact that you put all this information in one place; thank you for having done that!

I understand that you are only sharing what you did (and NOT recommending that others do this), but one minor feedback point:

I think that there are still unresolved issues with the .54 FW that you recommend flashing in your last step (see, e.g.:
1. https://community.netgear.com/t5/Cell-S ... 253#M26616 , and
2. https://community.netgear.com/t5/Cell-S ... 109#M26486 (this issue appears to exist in .47FW as well))
So any firmware flashing of the .54 FW should be done keeping those issues in mind.

Other than this very minor nit of mine, FANTASTIC POST!

[dfkinca]

Two more minor nits/comments/questions re: your MANGLE process/terminal commands:

1. What is the directory where you choose to save your 'script.sh'? (You may be missing a 'cd' command at the beginning of your provided sequence of commands, unless you save it in the home directory)

[EDIT START]
I think I figured out the answer to my question:
You may need the following additional command (right after your 'chmod +x /usr/sbin/set-ttl.sh' command):
cd /usr/sbin
Also, where you reference as part of your 'echo . . .' commands the file 'script.sh', each of those references likely needs to be changed to 'set-ttl.sh'
[EDIT STOP]

2. When setting the TTL via the MANGLE terminal command, (a) I have had to play around with either TTL=65 (Verizon) or TTL=64 (T-Mobile) to get working TTL mod (depends on the cellular carrier), and (b) to avoid any issues with potential different name of internet interface, I have used "rmnet_data+" instead of "rmnet_data0"

[EDIT: Pointed out potential needed correction in Q.1, above]

[organiclatte]

Two more minor nits/comments/questions re: your MANGLE process/terminal commands:

1. What is the directory where you choose to save your 'script.sh'? (You may be missing a 'cd' command at the beginning of your provided sequence of commands, unless you save it in the home directory)

[EDIT START]
I think I figured out the answer to my question:
You may need the following additional command (right after your 'chmod +x /usr/sbin/set-ttl.sh' command):
cd /usr/sbin
Also, where you reference as part of your 'echo . . .' commands the file 'script.sh', each of those references likely needs to be changed to 'set-ttl.sh'
[EDIT STOP]

2. When setting the TTL via the MANGLE terminal command, (a) I have had to play around with either TTL=65 (Verizon) or TTL=64 (T-Mobile) to get working TTL mod (depends on the cellular carrier), and (b) to avoid any issues with potential different name of internet interface, I have used "rmnet_data+" instead of "rmnet_data0"

[EDIT: Pointed out potential needed correction in Q.1, above]

Thanks!! I've updated the post as well as the gist to reflect the correct commands. As for the version, I'm thinking about maybe adding a link to the post with all the different version so people can pick, I've been daily driving .54 without issues so far on TMO, but mostly LTE sadly I don't think there's a public way yet to enable all bands. I think rich figured it out but haven't seen any posts about it.

I would love to know how to fully flash FW into these devices. I would also like to learn how unpack and mess around with FW. I'm a software developer, but very rarely get to work at this low level.

[Rich Hathaway]

I would love to know how to fully flash FW into these devices.

That wont happen until a loader is leaked/found and patched for these chips, the best you can do now is to build your firm
for each partition and load via fastboot.
I can verify you can erase all parts via fb and load them back successfully with proper built parts.

I would also like to learn how unpack and mess around with FW. I'm a software developer, but very rarely get to work at this low level.

Not sure I would call this low level....
unpacking manually is kind of a headache although it is pretty easy to split the spk or cwe
This is what you get when you split the spk or cwe

12.01.47 unpacked.png

it is more difficult to further break it down from here

[organiclatte]

Is there a guide, sources for me to learn how to do this? If the FW can be patched via fastboot a web patcher for these should not be hard to make leveraging webUSB and fastboot.js

Are you planning to releasing your 6500 version for 6550? One of the main issues with these cheap 6550 that are floating around is the lack of bands which to my understanding are not present in the FW, am I correct?

I would love to know how to fully flash FW into these devices.

That wont happen until a loader is leaked/found and patched for these chips, the best you can do now is to build your firm
for each partition and load via fastboot.
I can verify you can erase all parts via fb and load them back successfully with proper built parts.

I would also like to learn how unpack and mess around with FW. I'm a software developer, but very rarely get to work at this low level.

Not sure I would call this low level....
unpacking manually is kind of a headache although it is pretty easy to split the spk or cwe
This is what you get when you split the spk or cwe

12.01.47 unpacked.png

it is more difficult to further break it down from here