NETGEAR / SIERRA MR6400 THREAD

Post Reply
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

I did not see this thread anywhere so here it is, a general thread for the MR6400
Please add to this anything about this device you wish.

I just got to have a look at this device today (remotely) it is similar to the M5.
Here are the hardware id's for it

modem
USB\VID_0846&PID_68E2&REV_0504&MI_03
USB\VID_0846&PID_68E2&MI_03

Diag
USB\VID_0846&PID_68E2&REV_0504&MI_02
USB\VID_0846&PID_68E2&MI_02

RNDIS
USB\VID_0846&PID_68E2&REV_0504&MI_00
USB\VID_0846&PID_68E2&MI_00

ADB
USB\VID_0846&PID_68E2&REV_0504&MI_04
USB\VID_0846&PID_68E2&MI_04

USB Composite device
USB\VID_0846&PID_68E2&REV_0504
USB\VID_0846&PID_68E2
============================================
Use the same methods to work on this device that you use for M5
Hopefully, I will get another one of these to spend more time with soon, he
only wanted me to change the root password and hard code TTL for him on it
so thats all I did on this model so far but is very similar to the M5 so the same
things can be done to it.
IMEI, MEID, pESN, TTL, Band Lock, CA manipulation, etc.
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

MR6400 Partitions by name

mtd0: 00280000 00040000 "sbl"
mtd1: 00280000 00040000 "mibib"
mtd2: 01680000 00040000 "efs2"
mtd3: 001c0000 00040000 "tz"
mtd4: 00100000 00040000 "tz_devcfg"
mtd5: 00180000 00040000 "ddr"
mtd6: 00100000 00040000 "apdp"
mtd7: 00100000 00040000 "xbl_config"
mtd8: 00100000 00040000 "xbl_ramdump"
mtd9: 00100000 00040000 "multi_image"
mtd10: 00100000 00040000 "multi_image_qti"
mtd11: 00100000 00040000 "aop"
mtd12: 00100000 00040000 "qhee"
mtd13: 00100000 00040000 "abl"
mtd14: 00380000 00040000 "uefi"
mtd15: 00180000 00040000 "toolsfv"
mtd16: 00180000 00040000 "loader_sti"
mtd17: 01280000 00040000 "boot"
mtd18: 00100000 00040000 "scrub"
mtd19: 00100000 00040000 "logfs"
mtd20: 08040000 00040000 "modem"
mtd21: 001c0000 00040000 "misc"
mtd22: 00180000 00040000 "devinfo"
mtd23: 00080000 00040000 "recovery"
mtd24: 00080000 00040000 "fota"
mtd25: 00080000 00040000 "recoveryfs"
mtd26: 00100000 00040000 "sec"
mtd27: 00100000 00040000 "ipa_fw"
mtd28: 00100000 00040000 "usb_qti"
mtd29: 12c80000 00040000 "system"
mtd30: 034c0000 00040000 "pad1"
mtd31: 02840000 00040000 "userrw"
mtd32: 03940000 00040000 "hdata"
mtd33: 008c0000 00040000 "cust"
mtd34: 01040000 00040000 "ntgrpersist"
mtd35: 15980000 00040000 "ntgfota"

and its mounts
ubi0:rootfs / ubifs rw,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol=0 0 0
devtmpfs /dev devtmpfs rw,seclabel,relatime,size=310108k,nr_inodes=77527,mode=755 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,seclabel,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,seclabel,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/debug cgroup rw,seclabel,nosuid,nodev,noexec,relatime,debug 0 0
tmpfs /var/volatile tmpfs rw,rootcontext=system_u:object_r:var_t:s0,seclabel,relatime 0 0
ubi0:systemrw /systemrw ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=read-
only,ubi=0,vol=3 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
ubi0:systemrw /etc/data/mobileap_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_
read,assert=read-only,ubi=0,vol=3 0 0
/dev/ubi1_0 /firmware ubifs rw,context=system_u:object_r:firmware_t:s0,relatime,bulk_read,assert=read-only,ubi=1,vol=0 0
0
ubi0:persist /persist ubifs rw,rootcontext=system_u:object_r:persist_t:s0,seclabel,relatime,bulk_read,assert=read-only,u
bi=0,vol=4 0 0
ubi0:systemrw /etc/data/mobileap_firewall.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,
bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:usrfs /data ubifs rw,rootcontext=system_u:object_r:data_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0,vol
=1 0 0
ubi0:systemrw /etc/data/wlan_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read
,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/ipa_config.txt ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_re
ad,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/l2tp_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read
,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/ipa/IPACM_cfg.xml ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk
_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/dhcp_hosts ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,a
ssert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/hosts ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert
=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/usb/boot_hsusb_comp ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_re
ad,assert=read-only,ubi=0,vol=3 0 0
ubi3:hdata /mnt/hdata ubifs ro,sync,rootcontext=system_u:object_r:mnt_t:s0,seclabel,relatime,bulk_read,assert=read-only,
ubi=3,vol=0 0 0
ubi0:systemrw /etc/adb_devid ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_read,assert=
read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/data/usb/softap_w_dun ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk_
read,assert=read-only,ubi=0,vol=3 0 0
ubi2:userrw /mnt/userrw ubifs rw,sync,rootcontext=system_u:object_r:mnt_t:s0,seclabel,relatime,bulk_read,assert=read-onl
y,ubi=2,vol=0 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
diag /dev/ffs-diag functionfs rw,relatime 0 0
tracefs /sys/kernel/debug/tracing tracefs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
ubi0:cachefs /cache ubifs rw,rootcontext=system_u:object_r:cache_t:s0,seclabel,relatime,bulk_read,assert=read-only,ubi=0
,vol=2 0 0
ubi0:systemrw /etc/misc/wifi/WCNSS_qcom_cfg.ini ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatim
e,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/hostapd-wlan1.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatim
e,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/hostapd-wlan2.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatim
e,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/hostapd.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relatime,bulk
_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/sta_mode_hostapd.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,rela
time,bulk_read,assert=read-only,ubi=0,vol=3 0 0
ubi0:systemrw /etc/misc/wifi/wpa_supplicant.conf ubifs rw,rootcontext=system_u:object_r:system_data_t:s0,seclabel,relati
me,bulk_read,assert=read-only,ubi=0,vol=3 0 0
/

The real ports can be enabled by the same means as the M1,M2,M5
the 68E2 PID works to enable all ports.
greekgod1820
Posts: 3
Joined: Wed Jul 03, 2019 9:37 am
Has thanked: 1 time
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by greekgod1820 »

Hey Rich, with it being so similar thoughts on flashing MR6150 firmware to it since I hear the MR6400 Dish firmware is so buggy?
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

They have hardware differences so not advisable, besides, where would you get the firmware? I do not have it and have not made any for it as I don't have this device yet.

All the work I have done on it has been done remotely by pulling its comports over to my pc from a friend that has one.
But to make firmware the device needs to be local to me.
greekgod1820
Posts: 3
Joined: Wed Jul 03, 2019 9:37 am
Has thanked: 1 time
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by greekgod1820 »

My bad I got very exited when I seen Firmware under the download section for both on Netgear.com. Turns out they both just take you to release notes :(. Disappointed to hear on the hardware differences with such similar band offerings. Hopefully they fix the slacked Dish firmware for the 6400 then.
You do not have the required permissions to view the files attached to this post.
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

Be careful
updating these devices beyond 10.01.41.02
If you do The new update locks the device's MEP and breaks the coding for the challenge request so one cannot correctly pass the MEP or CMD challenge without downgrading back to the previous version. the OPENLOCK challenge algorithm for some reason remains intact after updating.
I can say that downgrading back to 10.01.41.02 is possible and does work to correct it but still, as with loading any firmware, there is some risk involved in doing so.
Xerxes
Posts: 8
Joined: Sun Jan 16, 2022 11:47 pm
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Xerxes »

This firmware seems to ignore any band locking with custom bands if it even remotely sees a signal from n71.

Any progress on the MR6400 firmware? Hoping to get around this annoyance.
Xerxes
Posts: 8
Joined: Sun Jan 16, 2022 11:47 pm
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Xerxes »

I've tried all of these with no luck. If it sees even a faint signal, it ignores whichever of these are selected and locks onto "NR5G N71":

AT!BAND=04, "LTE Only", 0, 0000A1003300385F, 42, 0, 0
AT!BAND=05, "B66+B71", 0, 0, 42, 0, 0, 0
AT!BAND=06, "LTE+5G+No71", 0, 0000A1003300385F, 42, 0000810031002812, 1002
AT!BAND=07, "B2+B66+No71", 0, 2, 2, 0, 0, 0
Siangko89
Posts: 4
Joined: Mon Apr 10, 2023 11:18 pm
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Siangko89 »

Do you means I need to download this AC34xUIPT2Drivers.exe into pc then run with MR6450?
You do not have the required permissions to view the files attached to this post.
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

No, you need to load firmware version 10.01.41.02 or earlier before the openlock challenge can work
Siangko89
Posts: 4
Joined: Mon Apr 10, 2023 11:18 pm
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Siangko89 »

Where can I get this fimware?
Modem needs to be bootload mode?
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

For MR6450 you will have to look around for it, I do not have it for 6450.
ColoradoMurf
Posts: 2
Joined: Mon Oct 23, 2023 2:45 am
Has thanked: 1 time
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by ColoradoMurf »

I have had this hotspot for awhile now( almost a year I think) and need some guidance. My entire network (phones, gateways, switches, modems, routers, attached devices and more) were hacked earlier this year. This hotspot has been a lifesaver in getting connected to the Internet and trying to repair the damage. My questions are:

1) Is there a way to fully wipe this device to make sure no persistent alterations are left? (Like dfu for iPhone for example) Does applying firmware, fully wipe device?

2) Is telnet access available remotely via Wan by default ?

I am currently using 10.01.41.02 after downgrading the firmware via instructions here and on other sites. And have turned off auto update at one point. I have reapplied the firmware many times and done factory resets too many times to count and am still concerned about it being compromised based on observations from my mobile devices that had persistent alterations on the file level. The actors were able to obtain IMEI and Sim info from all mobile devices including this one.

Thanks in advance. If this needs to be in a new post, I will be more than happy to do so.
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

dfu= device firmware update, it is the same as download mode that these Sierra devices use(your 6400 is a Sierra device)
9008 mode is the mode known as emergency and is the mode made for wiping/writing from 0 to the end 7ff if it is a 4k system or 1000 if it is a 2k system, your 6400 is a 4k system so 0 to 7ff, however, to use this mode you need either a signed factory loader or a correctly patched loader or if you have a firehose loader some access can had in this manner.
loading a spk like you have been does not wipe or write any of the personal "stuff" in this device, it does not touch EFS or the NV which is where most of that is, those spk's can range from small updates to full updates which still do not touch those parts, they need to loaded separately.
but tell me why you think your devices were hacked, this is not something people with those skills look for because there is no money in it, what would they do with your imei or sim info, it is worthless, they look for credit card info and social security numbers, things that have value and can sold and resold like this.

Yes, telnet if it is enabled on your device can be used remotely. but to do that someone would have had to inject a vnd and script to install it and grant access on your pc, this cannot be done via Linux or Debian it must be Windows, or be in range of your wifi for an extended period of time, so that leads back to my question if they have access to your pc why would anyone want to do all the extra work to try and get your imei and sim info that are worthless when likely your cc and social info are on your pc where they would already have to access first, anyway telnet is easily disabled on these just make a rule to disallow traffic on port 5510 and 23 in the admin page or in the device itself.
ColoradoMurf
Posts: 2
Joined: Mon Oct 23, 2023 2:45 am
Has thanked: 1 time
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by ColoradoMurf »

Thank you for your response Rich! When it comes to the firmware updates (spk), that's what I figured. Especially after going in and looking at logs via root telnet. There are many reasons why I know I was hacked and had persistent threats over the the last 6 months. 1) I managed to get a lot of the modules they were using because of pure luck of disabling one of my servers to refurbish it. 2) I have way too many logs and screenshots of what was (and is) happening. I have Unifi UDM Pro SE as my gateway (with dual WAN input from different providers), a couple level 2 and 3 switches, U6 enterprise AP and a couple servers (esxi and prox). These things all use to drive multiple computers (Windows, Mac, Lunux) and probably over 75+ IoT devices and "smart" devices. The original issue is tied back to Malware on laptop via WhatsApp data transfer software I believe, but still researching with authorities. First infected of mine was a pixel 6 pro and iphone 13 pro (that I noticed). Then weeks of compromising other devices on the network. By the time I noticed the alerts, it was too late. I can share more privately if you want. When it comes to motive, they were able to get close to 130k from credit and bank accounts. Luckily that has almost all been resolved. The other part is the parent company of mine was compromised by ALPHV earlier this year by ransomware. Not sure the final resolution of that. Still trying to figure out if my stuff was related, caused by or caused. Now with the persistent threat aspect, I started using the hotspot a lot because I thought it would be safer than my other providers because it was unknown to them at the time. The issue(s) I still see on cell and hotspot. 1) Random reboots and "updates". 2) Browser error messages about insecure site (SSL) 3) Long loading times for sites. Usually if I reset the APN and Wifi/BT settings on the devices, it corrects the issue for a little bit. I have looked at way too many PCAP logs and noticed a lot of random UDP ports open that contained tunnels. Also various things like hidden services / scheduled tasks on windows. Tons of errors on iphone / ios for various items like siri, network stack etc. I honestly am a novice when it comes to networking. I have been on the software side for 20+ years. I have learned tons throughout this but it also has driven me crazy. I have looked at boot scripts, iptables, routes and a million other things but feel like it just makes me crazier hah. Oh and when it comes to IMEI, Phone and Serial, they were able to register my devices with both Apple and Google as MDM (Enterprise accounts) using that information and Device ID's. There is a 6 page thread on Apple Community called "MDM on personal iPhone - Businesses, unauthorized developer activity HELP!" that outlines what I and other have been dealing with. Sorry for the book :( I will end on this:

1) Do you have any advice on things to look for and/or do to be sure that the device is ok.
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

ColoradoMurf wrote: Wed Oct 25, 2023 2:59 pm
1) Do you have any advice on things to look for and/or do to be sure that the device is ok.
Well you could wipe it and reload it, then everything on it before would be gone but you would have to have firmware for it and a way to load it
SuttonX
Posts: 10
Joined: Wed Dec 01, 2021 5:04 am
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by SuttonX »

Rich Hathaway wrote: Mon Oct 30, 2023 10:06 am
ColoradoMurf wrote: Wed Oct 25, 2023 2:59 pm
1) Do you have any advice on things to look for and/or do to be sure that the device is ok.
Well you could wipe it and reload it, then everything on it before would be gone but you would have to have firmware for it and a way to load it
Rich -

I tried to perform these steps:

https://www.reddit.com/r/Dish5G/comment ... t/lr8t73q/

And after the FDT step it goes through all the motions and then fails, bringing me to this:

https://www.reddit.com/r/Dish5G/s/2FBsYLl3Ai

I used the FDT linked in the first post and this FW:
https://web.archive.org/web/20230204055 ... rmware.zip

Any ideas how to proceed from here? I can disconnect it, remove the battery, hold power and plug it back in to get back in to download mode and use FDT again, but the same thing happens again. Tried 5x already.

Do you have another FW anywhere I can try?
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

Your device is likely fuzed and cannot downgrade or load cross platform sku's firm, its just a guess though.
SuttonX
Posts: 10
Joined: Wed Dec 01, 2021 5:04 am
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by SuttonX »

Rich Hathaway wrote: Thu Oct 10, 2024 10:02 am Your device is likely fuzed and cannot downgrade or load cross platform sku's firm, its just a guess though.
Do you know of any FW's I can try to flash at it instead just to get it booting again? Whether it be the latest 6400, or a different model?

I've been scouring the internet and the only one I could find to D/L was the one I linked above. Netgear's website just has the Android app in the downloads section

I'm just trying to get a link to SOME firmware that I can FDT to it to get it operational again in any capacity
User avatar
Rich Hathaway
Posts: 609
Joined: Mon Mar 08, 2021 2:41 pm
Has thanked: 12 times
Been thanked: 210 times

Re: NETGEAR / SIERRA MR6400 THREAD

Post by Rich Hathaway »

look in the forum somewhere here there is some links to some MRxxxx firmwares, I would not try loading cross sku files to your device if it is fuzed or you will be needing my services to recover it.
SuttonX
Posts: 10
Joined: Wed Dec 01, 2021 5:04 am
Has thanked: 0
Been thanked: 0

Re: NETGEAR / SIERRA MR6400 THREAD

Post by SuttonX »

Post Reply

Return to “Netgear”