M6 6500-M6 6550 (US) Root - IMEI Restore - TTL Mangle

[organiclatte]

Updates will be made on this gist: https://gist.github.com/carlosalaniz/a0 ... bf78141c8

M6 6500 / M6 6550 (US)
The goal of this document is to make it easy for everyone to unlock their M6 Hotspot routers. I purchased a refurbished M6 router with a version that did not allow to do what I wanted. After several hours of research and experimentation, I was able to get it to work. Here’s what I did:

Before you get started:
You will need:

• A windows machine (to use FDT)
• M6 router (MR6500 or M6550)
• Latest stable M6550 Firmware, In case your router is not unlockable (MR6550-100PAS 12.01.54.00)
• FDT.exe version 4.6.2.0
• AC78x Drivers (optional, but I had to install them)
• Putty

Depending on your version, the unlock process might or might not work. Attempt the unlocking process first, if any of the commands fail, you might want to consider installing a different firmware.

The order of operations is:

1. Firmware flashing (dangerous, only required if the unlock process fails)
2. Unlock process
3. TTL Mangle and Update prevention

Unlock process

1. In your router, make sure you have USB Tethering enabled.
2. Connect the router to your Windows computer via USB.
3. Make sure your router is connected by opening a browser and navigating to your router's config page, usually http://192.168.1.1/.
4. Open Putty and use the following settings to connect to your router:
   • Host Name: 192.168.1.1
   • Port: 5510
   • Connection Type: Telnet
5. On the terminal run

   Code: Select all

   ATI

   . This command will output information about your device.
6. On the terminal run

   Code: Select all

   AT!OPENLOCK?

   . This command will print a challenge.
7. Navigate to https://sierra-keygen.uu.sg/ and use the following to generate a challenge response:
   • Device generation: SDX65
   • Challenge type: OPENLOCK
   • Challenge: The challenge you got from the previous step. ex: 884B78W2BTE2AA2A
8. After you click generate, the website will output a challenge response command. This command looks like

   Code: Select all

   AT!OPENLOCK="6TTD4765F1894F64"

   . Type this command in your terminal.
9. On the terminal run

   Code: Select all

   AT!OPENMEP?

   . This will generate a challenge.
10. Navigate to https://sierra-keygen.uu.sg/ and use the following to generate a challenge response:
    • Device generation: SDX65
    • Challenge type: OPENMEP
    • Challenge: The challenge you got from the previous step. ex: 884B78W2BTE2AA2A
11. After you click generate, the website will output a challenge response command. This command looks like

    Code: Select all

    AT!OPENMEP="C4E48EF7FA4C4C33"

    . Type this command in your terminal.
12. On the terminal run the following:

    • Code: Select all

      AT!TELEN=1

    • Code: Select all

      AT!CUSTOM="RDENABLE",1

    • Code: Select all

      AT!CUSTOM="TELNETENABLE",1

    • Code: Select all

      AT!NVIMEIUNLOCK

13. Navigate to https://carlosalaniz.github.io/imei-encryptor/ and input your IMEI.
14. In the terminal type the command outputted in the previous step. ex.

    Code: Select all

    AT!NVENCRYPTIMEI=00,00,00,00,00,00,00,00

    [/i]
15. Restart the router by running

    Code: Select all

    AT!RESET

TTL Mangle and Update prevention

1. In your router, make sure you have USB Tethering enabled.
2. Connect the router to your Windows computer via USB.
3. Make sure your router is connected by opening a browser and navigating to your router's config page, usually http://192.168.1.1/.
4. Open Putty and use the following settings to connect to your router:
   • Host Name: 192.168.1.1
   • Port: 23
   • Connection Type: Telnet
5. On the terminal run the following:

   Code: Select all

   dx -c Oma.DMAccountServerAddress1 https://no.updateforyou.net:443/junk
     

   Code: Select all

   touch /usr/sbin/set-ttl.sh
   chmod +x /usr/sbin/set-ttl.sh
     

   Code: Select all

   echo '#!/bin/bash' > /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Enable debugging' >> /usr/sbin/set-ttl.sh
   echo 'set -x' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Log output to a file' >> /usr/sbin/set-ttl.sh
   echo 'exec > /var/log/set-ttl.log 2>&1' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Flush mangle table rules for IPv4 and IPv6' >> /usr/sbin/set-ttl.sh
   echo 'iptables -t mangle -F' >> /usr/sbin/set-ttl.sh
   echo 'ip6tables -t mangle -F' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo '# Set TTL for IPv4 on rmnet_data0 interface' >> /usr/sbin/set-ttl.sh
   echo 'ip6tables -t mangle -I POSTROUTING -o rmnet_data0 -j HL --hl-set 64' >> /usr/sbin/set-ttl.sh
   echo 'iptables -t mangle -I POSTROUTING -o rmnet_data0 -j TTL --ttl-set 64' >> /usr/sbin/set-ttl.sh
   echo '' >> /usr/sbin/set-ttl.sh
   echo 'exit 0' >> /usr/sbin/set-ttl.sh
     

   Code: Select all

   echo '[Unit]' > /etc/systemd/system/set-ttl.service
   echo 'Description=Set TTL in mangle iptables' >> /etc/systemd/system/set-ttl.service
   echo 'After=multi-user.target' >> /etc/systemd/system/set-ttl.service
   echo '' >> /etc/systemd/system/set-ttl.service
   echo '[Service]' >> /etc/systemd/system/set-ttl.service
   echo 'ExecStart=/usr/sbin/set-ttl.sh' >> /etc/systemd/system/set-ttl.service
   echo 'Type=simple' >> /etc/systemd/system/set-ttl.service
   echo '' >> /etc/systemd/system/set-ttl.service
   echo '[Install]' >> /etc/systemd/system/set-ttl.service
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/set-ttl.service
     

   Code: Select all

   setenforce 0
   
   systemctl daemon-reload
   
   systemctl start set-ttl
   
   systemctl status set-ttl
   
   systemctl enable set-ttl
   
   systemctl list-unit-files | grep ttl
     

Firmware flashing
This is a dangerous process that could remove features, cause malfunction, or even brick your device.

Make sure you have the firmware you want to install as well as fdt.exe in the same folder.

1. Unplug and remove the battery from your device.
2. Press the power button for 8 seconds.
3. While pressing the power button, connect the device to a Windows computer via USB.
4. Keep pressing until the device goes into Downloading software update mode.
5. Open an administrator terminal (cmd or powershell).
6. Navigate to the folder containing fdt.exe and the firmware file you want to flash.
7. Run the following command, where .\MR6550-100APS_23115772_NTGX65_12.01.54.00_00_Generic_01.30_00.secc.cwe is whatever version you want to flash into your device.

   Code: Select all

   .\fdt.exe -f .\MR6550-100APS_23115772_NTGX65_12.01.54.00_00_Generic_01.30_00.secc.cwe
     

8. Wait for the device to finish flashing the firmware.

Sources:
https://wirelessjoint.com/viewtopic.php?p=24271#p24271
https://www.reddit.com/r/Dish5G/comments/13err3x/owning_the_netgear_m6_pro_mr6400/
https://wirelessjoint.com/viewtopic.php?t=4183
https://github.com/developer-of-things/m6restore
https://wirelessjoint.com/viewtopic.php?p=19653#p19653

[dfkinca]

WONDERFUL POST; I LOVE the fact that you put all this information in one place; thank you for having done that!

I understand that you are only sharing what you did (and NOT recommending that others do this), but one minor feedback point:

I think that there are still unresolved issues with the .54 FW that you recommend flashing in your last step (see, e.g.:
1. https://community.netgear.com/t5/Cell-S ... 253#M26616 , and
2. https://community.netgear.com/t5/Cell-S ... 109#M26486 (this issue appears to exist in .47FW as well))
So any firmware flashing of the .54 FW should be done keeping those issues in mind.

Other than this very minor nit of mine, FANTASTIC POST!

[dfkinca]

Two more minor nits/comments/questions re: your MANGLE process/terminal commands:

1. What is the directory where you choose to save your 'script.sh'? (You may be missing a 'cd' command at the beginning of your provided sequence of commands, unless you save it in the home directory)

[EDIT START]
I think I figured out the answer to my question:
You may need the following additional command (right after your 'chmod +x /usr/sbin/set-ttl.sh' command):
cd /usr/sbin
Also, where you reference as part of your 'echo . . .' commands the file 'script.sh', each of those references likely needs to be changed to 'set-ttl.sh'
[EDIT STOP]

2. When setting the TTL via the MANGLE terminal command, (a) I have had to play around with either TTL=65 (Verizon) or TTL=64 (T-Mobile) to get working TTL mod (depends on the cellular carrier), and (b) to avoid any issues with potential different name of internet interface, I have used "rmnet_data+" instead of "rmnet_data0"

[EDIT: Pointed out potential needed correction in Q.1, above]

[organiclatte]

Two more minor nits/comments/questions re: your MANGLE process/terminal commands:

1. What is the directory where you choose to save your 'script.sh'? (You may be missing a 'cd' command at the beginning of your provided sequence of commands, unless you save it in the home directory)

[EDIT START]
I think I figured out the answer to my question:
You may need the following additional command (right after your 'chmod +x /usr/sbin/set-ttl.sh' command):
cd /usr/sbin
Also, where you reference as part of your 'echo . . .' commands the file 'script.sh', each of those references likely needs to be changed to 'set-ttl.sh'
[EDIT STOP]

2. When setting the TTL via the MANGLE terminal command, (a) I have had to play around with either TTL=65 (Verizon) or TTL=64 (T-Mobile) to get working TTL mod (depends on the cellular carrier), and (b) to avoid any issues with potential different name of internet interface, I have used "rmnet_data+" instead of "rmnet_data0"

[EDIT: Pointed out potential needed correction in Q.1, above]

Thanks!! I've updated the post as well as the gist to reflect the correct commands. As for the version, I'm thinking about maybe adding a link to the post with all the different version so people can pick, I've been daily driving .54 without issues so far on TMO, but mostly LTE sadly I don't think there's a public way yet to enable all bands. I think rich figured it out but haven't seen any posts about it.

I would love to know how to fully flash FW into these devices. I would also like to learn how unpack and mess around with FW. I'm a software developer, but very rarely get to work at this low level.

[Rich Hathaway]

I would love to know how to fully flash FW into these devices.

That wont happen until a loader is leaked/found and patched for these chips, the best you can do now is to build your firm
for each partition and load via fastboot.
I can verify you can erase all parts via fb and load them back successfully with proper built parts.

I would also like to learn how unpack and mess around with FW. I'm a software developer, but very rarely get to work at this low level.

Not sure I would call this low level....
unpacking manually is kind of a headache although it is pretty easy to split the spk or cwe
This is what you get when you split the spk or cwe

12.01.47 unpacked.png

it is more difficult to further break it down from here

[organiclatte]

Is there a guide, sources for me to learn how to do this? If the FW can be patched via fastboot a web patcher for these should not be hard to make leveraging webUSB and fastboot.js

Are you planning to releasing your 6500 version for 6550? One of the main issues with these cheap 6550 that are floating around is the lack of bands which to my understanding are not present in the FW, am I correct?

I would love to know how to fully flash FW into these devices.

That wont happen until a loader is leaked/found and patched for these chips, the best you can do now is to build your firm
for each partition and load via fastboot.
I can verify you can erase all parts via fb and load them back successfully with proper built parts.

I would also like to learn how unpack and mess around with FW. I'm a software developer, but very rarely get to work at this low level.

Not sure I would call this low level....
unpacking manually is kind of a headache although it is pretty easy to split the spk or cwe
This is what you get when you split the spk or cwe

12.01.47 unpacked.png

it is more difficult to further break it down from here

[jsmith3301]

Sorry if this is a dumb question but in the Firmware Flash section,
1. Unplug and remove the battery from your device.
2. Press the power button for 8 seconds.
3. While pressing the power button, connect the device to a Windows computer via USB.
4. Keep pressing until the device goes into Downloading software update mode.

How would the device power up to get into Downloading software update mode? When I plug in my MR6500 (without battery) to a PC's USB port, the only message on the device display is "Use the supplied power adapter when operating without battery". Am I missing something?

[jsmith3301]

Never mind, figured out what I did wrong.

[BillA]

Never mind, figured out what I did wrong.

On some devices you may get a blank screen or an error message which is fine, it's still in download or fastboot mode.

[imelectronic]

Thanks @organiclatte worked great for the TTL Mangle, TMo user here.

[ali jameel]

hi

if i want the back enable update is there any command i type in terminal ?

thanks

[suspi]

Registered an account here to report on a couple gotchas.

Make sure Windows SmartScreen didn't flag fdt.exe and the cwe file as malicious. You can unblock it in the file properties.

My USB drivers didn't load because I had Core isolation/Memory Integrity turned on in Windows Security.

For reference, I have a MR6500-1A1NAS and was on NTGX65_12.01.48.00 and couldn't get AT!OPENMEP? to resolve without an error. Flashing MR6550-100PAS_23115682_NTGX65_12.01.54.00_00_Generic_05.08_00.secc.cwe allowed OPENMEP to succeed.

In a very dumb gotcha, make sure you're encrypting your IMEI number and not your ICCID number by mistake.

[Maplewood]

Thank you for providing this information. I have a MR6500-1A1NAS that came with firmware NTGX65_12.01.16.01. On that firmware the AT!OPENMEP command would error. I upgraded the firmware with FDT to NTGX65_12.01.54.00 and was able to unlock, enable telnet, change my IMEI, prevent updates, and enable the mangle TTL.

T-Mobile now sees my device at a 5G phone and connected devices get speeds of 120-170 Mbps downloads. I do notice that its only connection using LTE on B66. I believe I'll need to unlock some additional bands to use the T-Mobile N41 or N71 bands. I found another thread that mentions this is still a work in progress for this device.

Thanks again and I'll keep monitoring this board for more updates.

[Maplewood]

Does anyone know if this process also works on the MR6400?

[kikasssai]

Is the same process for a MR6110? i bough one unlocked but need to change ttl, is still giving me speeds of visible hotspot, any speed after that im good with it.

[jrtelecom]

Will this work for change TTL for MR6110?

[Maplewood]

Does anyone know if this process also works on the MR6400?

I'll answer my own question for anyone else interested. Yes, the process works the same. I picked up a brand new MR6400 and it has firmware version NTGX65_10.01.41.02. I was able to run all the same instructions and unlock everything, change the IMEI, enable telnet, TTL mangle, disable updates, etc. Because the 6400 has all the T-Mobile bands enabled in the radio firmware, I do get 5G speeds about 3x faster than using my 6500 on T-Mobile which only connects using LTE.

The old firmware that came on it is pretty buggy. Does anyone know what the latest firmware I could flash without burning the fuse and preventing going back?

[tambutso]

to disable future FW updates, I saw this code:

Code: Select all

dx -c Oma.DMAccountServerAddress1 https://no.updateforyou.net:443/junk

Does anybody know the actual default server address in case I decide to start receiving official firmware builds again? Or how do I actually list the default server that is programmed in my device? I have an MR6150

[Rich Hathaway]

It is

https://acupdates.netgear.com/swiwu/updates.aspx

[Spidy829]

Can someone please help me I’m getting an error at the IMEI encryption step