NetGear LM1200 LTE Modem

Search This thread


Recognized Contributor / Inactive Recognized Dev
Did you get root access working on yours?
After 9+ days JtR still has not been kind enough to give me the password.
Yes, I know that there are other ways around this, but this would be a useful factoid for the community.

I've only had ADB access when I massacred the system.
So, what's the opposite of "CHRG_ONLY"?

When I write it with a proper loader from 9008 mode it takes about 5 min for either system or system_b to complete.
I didn't time it, but it's under 15 seconds to write everything using the improper loader and my EDL.

I did notice that the MiFi 8800L and the Orbic 400 are pretty similar.
Since the LM1200 has no mention at all of "nvtl" I knew that it was different.
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
I've updated ubi.exe so that it shows the volume table.
It can now be found at the bottom of my EDL page in my sig.
2045  ....  ...............................................................
2046  ....  ...............................................................
2047  ....  ...............................................................

Max erasure 19

Name              Offset    Size  Flags
----------------  ------  ------  --------
0:SBL                  0      10  000001ff
0:MIBIB               10      10  00ff01ff
0:EFS2                20      88  00ff01ff
0:sys_rev            108      20  000001ff
0:RAWDATA            128      12  000001ff
0:TZ                 140       5  000001ff
0:RPM                145       5  000001ff
0:aboot              150       5  000001ff
0:misc               155       5  000001ff
0:boot               160      36  000001ff
0:boot_b             196      36  000001ff
0:modem              232     232  000001ff
0:modem_b            464     232  000001ff
0:netgear_fs         696     140  000001ff
0:netgear_fs_b       836     140  000001ff
0:netgear_dat        976      80  000001ff
0:usr_data          1056     512  000001ff
0:system_b          1568     240  000001ff
0:system            1808     240  000001ff

Edit: Oh, the thing with password/shadow: Copies are kept in (read-only) system and system_b and are copied to usr_data on booting.

Edit^2: It now identifies superblocks with 'S'. You should see lots of:
If you don't, your copy of ubi.exe is probably too old already.
Last edited:
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
As Freddie Prinze says, "Looking good!"
mdm9607 login: root
~ # id
uid=0(root) gid=0(root) groups=0(root)
~ #

Edit: Ok, I'll tell you what I did. I haven't cracked the stock password (yet), but I found etc/shadow in the system_b volume, edited the Hash$MD5 for root then fixed the CRC32. I hadn't bothered to look around before, but now I will and see about turning on ADB. Right now this only has utility for people who have the UART hooked up.
Last edited:


Recognized Contributor / Inactive Recognized Dev
I've updated my native Windows EDL client so that it understands UBI volumes.
You can refer to whole volumes or parts.
For example, this is the makefile that I use to fix the password.
	edl /n /r /psystem_b /s10048 /c64 chunk
	modfile chunk 15b09 /a "root:$$1$$abcdefgh$$rV6RhG4no19bGJfmub3Ui1"
	modfile chunk 15adc /l f966bba4
	crc32 chunk 62cc48c5
	edl /n /e /w /psystem_b /s10048 /c64 chunk
The doubled dollar signs is necessary for Gnu Make. The 2nd modfile fixes the UBI CRC32. The crc32 command checks the CRC32 of the chunk to make sure that the modifications were correct.
C:\>edl /n /g
Found EDL 9008
Configuring... Nope, configuring... Nope, configuring... Ok
Requesting info on LUN 0... Ok
Bad blocks: 1536, 1537, 1822, 1992
Requesting volume table... Ok, receiving... Ok

 #  Name                   Start       Count
--  ----------------  ----------  ----------
 1  SBL                        0         640
 2  MIBIB                    640         640
 3  EFS2                    1280        5632
 4  sys_rev                 6912        1280
 5  RAWDATA                 8192         768
 6  TZ                      8960         320
 7  RPM                     9280         320
 8  aboot                   9600         320
 9  misc                    9920         320
10  boot                   10240        2304
11  boot_b                 12544        2304
12  modem                  14848       14848
13  modem_b                29696       14848
14  netgear_fs             44544        8960
15  netgear_fs_b           53504        8960
16  netgear_dat            62464        5120
17  usr_data               67584       32768
18  system_b              100352       15360
19  system                115712       15360
Last edited:
  • Like
Reactions: roirraW "edor" ehT

rich hathaway

Senior Member
Apr 2, 2010
kansas city
I know you are building out your edl but Just for the purposes of education the root pass can easily be changed to most anything with the passwd tool on the device, see below.
root pass chng.PNG
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
/custdata/nv/user/USB_COMP_STR.0 needs to be changed from CHRG_ONLY to DEBUG_MODE to enable ADB. (Thanks, Rick!)
Since it's null-padded to 16 bytes we might as well keep it that way just to be neat.
# echo -e -n "\\x44\\x45\\x42\\x55\\x47\\x5f\\x4d\\x4f\\x44\\x45\\x00\\x00\\x00\\x00\\x00\\x00" > /custdata/nv/user/USB_COMP_STR.0
  • Like
Reactions: roirraW "edor" ehT

rich hathaway

Senior Member
Apr 2, 2010
kansas city
USB_COMP_STR.0 resides in netgear_dat if you are looking at that partition by itself and with the spare it resides at D1F038 without the spare it will be at DF0F38 or in ubi form its located at 306C18
if you are looking at it from a full (0-7ff) nand dump, with the spare you will find it at 11130F38 or in bin form without the spare it will be at
108E9A68 you can also get all ports working by just corrupting that string, such as change it from 55 to 00 or 55 to FF
or in txt change USB_COMP_STR.0 to
glad you found it also :)
  • Like
Reactions: roirraW "edor" ehT

rich hathaway

Senior Member
Apr 2, 2010
kansas city
I tried to call up PID=68E2 which is what is used on most Sierra devices to enable the real ports but it does not work on this one because of the Quectel modem, I am sure there is a proprietary cmd for it, prob an AT cmd or qmi cmd.
but always best to make your changes at the place of residence and not elsewhere where coding gets copied to or it can cause problems and conflicts that can tie up the processor with chasing its tail and slow the device.
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
The gives us most of what we want in a small package.:
"wwanadv": {
	"curBand":"LTE B4",
But... you have to be logged in and it does a bunch of redirections/session ids.
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
Can you edit any of that from there and does the device respect it if you do?
No, I haven't gotten that far.
The HTML and JSON come out of templates in /custapp/usr/hdata
The templates (.tmpl) use goofy control characters as markup.
I haven't parsed it out yet.
However, here is a URL that tells you everything (390 variables), so you can figure out what you want to make into your own .tmpl or variables names if we can work around the templates to generate it simpler.
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
I can put files in /custapp/usr/hdata and recall them with web.
I can't get programs to cgi execute there, but I can run them manually.
/custapp/usr/hdata # whoami       <= stock software
/custapp/usr/hdata # ./whoami.cgi <= my own shell/cgi software
User:   0 root
Groups: 0 root
whoami.cgi is compiled under RPi but the loader patched from /lib/ to /lib/
  • Like
Reactions: roirraW "edor" ehT


Recognized Contributor / Inactive Recognized Dev
So I have a proof of concept here. It enables access for some of the variables, specifically the "wwanadv".
You can see what you get with
Except that you normally have to be logged in on the main website to get it.
Try when you're not logged in and you'll get nothing.

Warnings: This is PoC. Save a backup copy of NetgearWebApp. This requires common sense to execute, don't follow the instructions literally. Don't do this if your NetgearWebApp is a different size. Stop and restore if it says "wrong place". There will be a nicer version later. I'll be making a custom template later. Those are struct addresses, not the specific location. There's no guarantee that this data is totally inaccessible from the networks side.

C:\>adb push ngwa /custapp/usr/bin
C:\>adb shell
# cd /custapp/usr/bin
/custapp/usr/bin # ls -l NetgearWebApp
-rwxr-xr-x    1 1000     1000        628504 Jun  3 15:40 NetgearWebApp
/custapp/usr/bin # chmod 755 ngwa
/custapp/usr/bin # ps |grep Netgear
 1622 root       0:00 {restartNetgearW} /bin/busybox /bin/sh /custapp/usr/sbin/restartNetgearWebApp
 1635 root       0:05 /custapp/usr/bin/NetgearWebApp
14988 root       0:00 {grep} /bin/busybox /bin/grep Netgear
/custapp/usr/bin # kill -9 1622
/custapp/usr/bin # kill -9 1635
/custapp/usr/bin # ./ngwa
97644  2200 => 2222
9765c  2200 => 2222
97674  2200 => 2222
9768c  2200 => 2222
976a4  2200 => 2222
976bc  2200 => 2222
976d4  2200 => 2222
976ec  2200 => 2222
97704  2200 => 2222
9771c  2200 => 2222
97734  2200 => 2222
9774c  2200 => 2222
97764  2200 => 2222
9777c  2200 => 2222
97794  2200 => 2222
977ac  2200 => 2222
/custapp/usr/bin # reboot

Sigh. Netgear is so stupid. I don't like JSON but at least I don't violate it:
These are all (separately) valid JSON: 0, {x: 1, y: 2, z: 3}
This is not valid JSON: x: 0, "wwanadv": { whatever...

Edit: Attachment deleted. There will be a new version soon.
Last edited:
  • Like
Reactions: roirraW "edor" ehT

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    I wanted cellular service but wanted it separate from my router with wired and WiFi.
    There were some OEM modems available but I ended up with a NetGear LM1200 LTE modem (USD 150).
    I plugged it in using the SIM from my old MiFi 8800L and it booted and connected fine.
    I was surprised that I could tracert to something VZW even without any service plan.

    Screws are hidden under the rubber mat. I marked the position, pulled up a corner, used an office hole punch.
    The UART is accessible. It uses 1.8V logic levels, 115.2 kbps, 8-n-1.
    I mounted a JST XH-3 connector on the back panel and glued it in.
    It works fine, but I need the UART login password.
    mdm-perf 202108182013 mdm9607 /dev/ttyHSL0
    mdm9607 login:

    I loaded a software update on my usual connection and uploaded it to the modem.
    The biggest difference is that the WAN input for fallback is now supported.
    One thing that is nice is that the modem has a fixed IP ( even when in bridge mode and having a network granted IP.
    The web way to get status is through
    You can add bogus query parameters if you are worried about something caching, &x=1234
    Still, it only has one version of this JSON that is 12 kB and takes over 300 mS to deliver!
    OTOH, it gives out information that my old 8800L didn't have, like Local Area code.
    Many tower DBs won't give you anything with just the tower ID.

    I really want to get into this to add my own CGI to get a terse and useful status.
    I like to be able to easily see signal quality when driving around and considering where to park.
    OMG, this project is turning into a blockbuster! Just look how many downloads there are on ngwa.bin

    Eh, it's ok. I do this to amuse myself. I'm very happy with the useful Android app.


    Edit: The utility of this is proving itself on the road. Obviously in a fixed location there's not a lot of interest to see.
    Still, the arbitrariness of which band it picks make me scratch my head.
    95+% of the time it picks B4, often when my cell phone has picked B2, B5 or B13.
    A minute ago I had a great signal -100 dBm and "quality" of 69 on B13.
    Then it just switched all by itself to -117 dBm and Q of 34 on B4!
    I got a lm1200 today someone sent to me :)
    got the firmware backed up and made some tools for it


    got it broken down to root filesystem if you need it for whatever you are doing


    im going to make a build tomorrow to enable the ports so they always stay on.
    IMEI MEID ESN TTL and FID are changeable like the other sierra devices it seems to not be very locked down other than no ports and read only filesystem by default but easy to correct those.
    Try password – oelinux123
    login: root
    change it to DEBUG_MODE