MR7400 Hacking and info thread

[Rich Hathaway]

I got a couple of these a few days ago, they are nice but have some updated securities so it is a work in progress.
Please add to this thread anything you find about it.
I was able to make up an spk loaded thru fdt and also make some custom firmware for it to be loaded thru fastboot.
it has a 40 partitioned layout that is 973,586 KB in size, these things are getting ridiculous in size they are as bad a iphone firms now.
I got the comports and root access to the read only filesystem enabled no problem then was able to set as read/write.
so far I can clear the imei but not write it back yet, TTL is no problem.
Can make and run scripts on it no prob either.
I worked with a friend a little on one of these mine is on 10.03.22.01, his was a lessor version and his would not run my
fastboot firmware nor would it boot after we loaded it but my spk loaded and recovered it and is ok now.
I am guessing it is fused and cannot decrement the firmware but only increment it, but this remains to be proven.
here is a video of the spk as it finishes loading.




https://www.youtube.com/shorts/SM_hPsrw ... ture=share

And some other pertinent info
dev: size erasesize name
mtd0: 00400000 00040000 "sbl"
mtd1: 00280000 00040000 "mibib"
mtd2: 01780000 00040000 "efs2"
mtd3: 00480000 00040000 "tz"
mtd4: 00100000 00040000 "tz_devcfg"
mtd5: 00180000 00040000 "cmnlib64"
mtd6: 00100000 00040000 "keymaster"
mtd7: 00080000 00040000 "ddr"
mtd8: 00180000 00040000 "ddr_debug"
mtd9: 00100000 00040000 "apdp"
mtd10: 00180000 00040000 "xbl_config"
mtd11: 00200000 00040000 "xbl_ramdump"
mtd12: 00100000 00040000 "multi_oem"
mtd13: 00100000 00040000 "multi_qti"
mtd14: 00100000 00040000 "aop"
mtd15: 00100000 00040000 "aop_devcfg"
mtd16: 00200000 00040000 "qhee"
mtd17: 00100000 00040000 "abl"
mtd18: 004c0000 00040000 "uefi"
mtd19: 04300000 00040000 "boot"
mtd20: 04680000 00040000 "scrub"
mtd21: 09380000 00040000 "modem"
mtd22: 001c0000 00040000 "misc"
mtd23: 00180000 00040000 "devinfo"
mtd24: 00080000 00040000 "recovery"
mtd25: 00080000 00040000 "fota"
mtd26: 00080000 00040000 "recoveryfs"
mtd27: 00100000 00040000 "sec"
mtd28: 00100000 00040000 "ipa_fw"
mtd29: 00100000 00040000 "qupfw"
mtd30: 00100000 00040000 "shrm"
mtd31: 00100000 00040000 "cpucpfw"
mtd32: 00100000 00040000 "usb_qti"
mtd33: 1f400000 00040000 "system"
mtd34: 01940000 00040000 "pad1"
mtd35: 05080000 00040000 "userrw"
mtd36: 07280000 00040000 "hdata"
mtd37: 008c0000 00040000 "cust"
mtd38: 01040000 00040000 "ntgrpersist"
mtd39: 3b6c0000 00040000 "ntgfota"
/ #

(bootloader) parallel-download-flash:no
(bootloader) hw-revision:10000
(bootloader) unlocked:yes
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:3700
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) erase-block-size: 0x40000
(bootloader) logical-block-size: 0x1000
(bootloader) variant:SDX NAND
(bootloader) partition-type:ntgfota:raw
(bootloader) partition-size:ntgfota: 0x37E80000
(bootloader) partition-type:ntgrpersist:raw
(bootloader) partition-size:ntgrpersist: 0xF00000
(bootloader) partition-type:cust:raw
(bootloader) partition-size:cust: 0x7C0000
(bootloader) partition-type:hdata:raw
(bootloader) partition-size:hdata: 0x6B80000
(bootloader) partition-type:userrw:raw
(bootloader) partition-size:userrw: 0x4B80000
(bootloader) partition-type:pad1:raw
(bootloader) partition-size:pad1: 0x1780000
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0x1D640000
(bootloader) partition-type:usb_qti:raw
(bootloader) partition-size:usb_qti: 0x80000
(bootloader) partition-type:cpucpfw:raw
(bootloader) partition-size:cpucpfw: 0x80000
(bootloader) partition-type:shrm:raw
(bootloader) partition-size:shrm: 0x80000
(bootloader) partition-type:qupfw:raw
(bootloader) partition-size:qupfw: 0x80000
(bootloader) partition-type:ipa_fw:raw
(bootloader) partition-size:ipa_fw: 0x80000
(bootloader) partition-type:sec:raw
(bootloader) partition-size:sec: 0x80000
(bootloader) partition-type:recoveryfs:raw
(bootloader) partition-size:recoveryfs: 0x1000
(bootloader) partition-type:fota:raw
(bootloader) partition-size:fota: 0x1000
(bootloader) partition-type:recovery:raw
(bootloader) partition-size:recovery: 0x1000
(bootloader) partition-type:devinfo:raw
(bootloader) partition-size:devinfo: 0x100000
(bootloader) partition-type:misc:raw
(bootloader) partition-size:misc: 0x140000
(bootloader) partition-type:modem:raw
(bootloader) partition-size:modem: 0x8A80000
(bootloader) partition-type:scrub:raw
(bootloader) partition-size:scrub: 0x4200000
(bootloader) partition-typeraw
(bootloader) partition-size 0x3EC0000
(bootloader) partition-type:uefi:raw
(bootloader) partition-size:uefi: 0x400000
(bootloader) partition-type:abl:raw
(bootloader) partition-size:abl: 0x80000
(bootloader) partition-type:qhee:raw
(bootloader) partition-size:qhee: 0x180000
(bootloader) partition-type:aop_devcfg:raw
(bootloader) partition-size:aop_devcfg: 0x80000
(bootloader) partition-type:aop:raw
(bootloader) partition-size:aop: 0x80000
(bootloader) partition-type:multi_qti:raw
(bootloader) partition-size:multi_qti: 0x80000
(bootloader) partition-type:multi_oem:raw
(bootloader) partition-size:multi_oem: 0x80000
(bootloader) partition-type:xbl_ramdump:raw
(bootloader) partition-size:xbl_ramdump: 0x180000
(bootloader) partition-type:xbl_config:raw
(bootloader) partition-size:xbl_config: 0x100000
(bootloader) partition-type:apdp:raw
(bootloader) partition-size:apdp: 0x80000
(bootloader) partition-type:ddr_debug:raw
(bootloader) partition-size:ddr_debug: 0x100000
(bootloader) partition-type:ddr:raw
(bootloader) partition-size:ddr: 0x1000
(bootloader) partition-type:keymaster:raw
(bootloader) partition-size:keymaster: 0x80000
(bootloader) partition-type:cmnlib64:raw
(bootloader) partition-size:cmnlib64: 0x100000
(bootloader) partition-type:tz_devcfg:raw
(bootloader) partition-size:tz_devcfg: 0x80000
(bootloader) partition-type:tz:raw
(bootloader) partition-size:tz: 0x3C0000
(bootloader) partition-type:efs2:raw
(bootloader) partition-size:efs2: 0x15C0000
(bootloader) partition-type:mibib:raw
(bootloader) partition-size:mibib: 0x200000
(bootloader) partition-type:sbl:raw
(bootloader) partition-size:sbl: 0x380000
(bootloader) secure:no
(bootloader) serialno:cc7d7f55
(bootloader) product:sdxpinn
(bootloader) max-download-size:966369280
(bootloader) kernel:uefi
all:
Finished. Total time: 0.112s

Index, Name, GW_Mask LTE_1-64 LTE_65-128 NSA_1-64 NSA_65-128 NSA_257-320 SA_1-64 SA_65-128 SA_257-320 Mode
00, All, 0000000000000000 0000A0803800285F 0000000000000002 0000800038002812 0000000000003002 0000000000000000 0000000000000000 0000000000000000 0000000000000000 1
01, LTE All, 0000000000000000 0000A0803800285F 0000000000000002 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 1

0000800000000000 - LTE B48
0000200000000000 - LTE B46
0000020000000000 - LTE B42
0000010000000000 - LTE B41
0000008000000000 - LTE B40
0000002000000000 - LTE B38
0000000020000000 - LTE B30
0000000010000000 - LTE B29
0000000008000000 - LTE B28
0000000000080000 - LTE B20
0000000000040000 - LTE B19
0000000000020000 - LTE B18
0000000000002000 - LTE B14
0000000000000800 - LTE B12
0000000000000080 - LTE B8
0000000000000040 - LTE B7
0000000000000010 - LTE B5
0000000000000008 - LTE B4
0000000000000004 - LTE B3
0000000000000002 - LTE B2
0000000000000001 - LTE B1
0000000000000002 - LTE B66
0000800000000000 - NR5G N48
0000010000000000 - NR5G N41
0000008000000000 - NR5G N40
0000002000000000 - NR5G N38
0000000020000000 - NR5G N30
0000000010000000 - NR5G N29
0000000008000000 - NR5G N28
0000000000080000 - NR5G N20
0000000000002000 - NR5G N14
0000000000000800 - NR5G N12
0000000000000080 - NR5G N8
0000000000000040 - NR5G N7
0000000000000010 - NR5G N5
0000000000000004 - NR5G N3
0000000000000002 - NR5G N2
0000000000000001 - NR5G N1
0000000000002000 - NR5G N78
0000000000001000 - NR5G N77
0000000000000002 - NR5G N66

[Rich Hathaway]

OK update since yesterday I have now got then imei written (hard code only)
Now need to make some de-throttle files for it, it runs about 220mbps on tmobile here without dethrottle so
lets de-throttle it and see what it can do.
here is a vid showing the gal s22 imei I put on it and it running on tmobile tablet plan not de-throttled yet

https://www.youtube.com/shorts/8yhsg2EO ... ture=share

[AKosterin]

https://github.com/bkerler/edl/pull/637 - my pull request to sierra keygen with !OPENLOCK and !OPENCND keys

[Rich Hathaway]

Codes for this cannot be calc yet but security can be bypassed and openmep can be enabled

will be nice to have keygen working to

putty.PNG

[w1lliam]

https://github.com/bkerler/edl/pull/637 - my pull request to sierra keygen with !OPENLOCK and !OPENCND keys

@AKosterin These keygen seems working, passing openlock/opencnd, but Telnet does not seem working after mod done. Were you able to telnet to the device after mod?

[Rich Hathaway]

my pull request to sierra keygen with !OPENLOCK and !OPENCND keys

security challenge working with your commit-good deal-

openmepworking.PNG

[Rich Hathaway]

Please stop the emails and messaging about this, here is the file I modified it with AKOSTERIN's commit it is temporary and does not have SDX65, I only added SDX75 to it to test with it so you should go to bkerlers git page and get the complete file
once edited by him.
I put that in the comments in the file as well.
as always if you take it please press the thank you/like button.

sierrakeygen.zip

[AKosterin]

security challenge working with your commit-good deal-

Unfortunately my M7 turned into a brick on the first day - it did not survive the firmware update via fdt.exe Now only the 900E port connects. If suddenly you have a way to restore this device, then I will be glad to use your services.

[Rich Hathaway]

No fastboot mode by the reset button?

[AKosterin]

No fastboot mode by the reset button?

Apart from the 900e, there are no signs of life. I am thinking about purchasing another device for experiments.

[Rich Hathaway]

For fastboot on netgear remove the battery and cable then hold the reset button on the back and slide the battery in first and continue to hold reset in and plug the cable in then keep holding reset until your pc dings, about 5 seconds or so.
If it will go to FB I can prob recover it for you, if not then your prob out of luck since we have no loader for SDX75 yet that is signed for NG

[bkerler]

The 900e is hard to solve (crash dump mode). It means that a firmware partition is broken. The only way out would be to wipe the sbl in order to enable 9003 mode, but that would require to have valid firehose loaders.

[soaringswine]

any tips on getting OPENMEP (or telnet for that matter) to work? do I need to UART in and make some filesystem changes? am I on the write path?

[Rich Hathaway]

I worked with a friend a little on one of these mine is on 10.03.22.01, his was a lessor version and his would not run my
fastboot firmware nor would it boot after we loaded it but my spk loaded and recovered it and is ok now.
I am guessing it is fused and cannot decrement the firmware but only increment it, but this remains to be proven.

I tried to edit my original post to update this part but I cannot edit my post, anyway it can decrement the firmware, it was found that the problem was the device did not complete the setup first and in this leaves the device in an inconsistent
state after reloading the system via ubi where it gets stuck loading the system and cannot complete booting.
completing the setup first then it can reload the system via ubi and fastboot with no booting problems.

[Klaus4]

There is a MR7500 Telstra at the market but nothing for Europe. Or does someone have more information?

Thanks