NetGear LM1200 LTE Modem

[Renate]

Did you get root access working on yours?

After 9+ days JtR still has not been kind enough to give me the password.
Yes, I know that there are other ways around this, but this would be a useful factoid for the community.

I've only had ADB access when I massacred the system.
So, what's the opposite of "CHRG_ONLY"?

When I write it with a proper loader from 9008 mode it takes about 5 min for either system or system_b to complete.

I didn't time it, but it's under 15 seconds to write everything using the improper loader and my EDL.

I did notice that the MiFi 8800L and the Orbic 400 are pretty similar.
Since the LM1200 has no mention at all of "nvtl" I knew that it was different.

 

[rich hathaway]

change it to DEBUG_MODE

 

[rich hathaway]

I've only had ADB access when I massacred the system.

I made a tool to enable the ports including the adb port.
I am not making it public as this is what I do for a living but you can use it if you keep it to yourself if you want to.

 

[Renate]

I made a tool to enable the ports including the adb port.
I am not making it public as this is what I do for a living but you can use it if you keep it to yourself if you want to.

Thanks! But that would be no fun.

 

[rich hathaway]

Ok I can respect that

 

[Renate]

I've updated ubi.exe so that it shows the volume table.
It can now be found at the bottom of my EDL page in my sig.

2045  ....  ...............................................................
2046  ....  ...............................................................
2047  ....  ...............................................................

Max erasure 19

Name              Offset    Size  Flags
----------------  ------  ------  --------
0:SBL                  0      10  000001ff
0:MIBIB               10      10  00ff01ff
0:EFS2                20      88  00ff01ff
0:sys_rev            108      20  000001ff
0:RAWDATA            128      12  000001ff
0:TZ                 140       5  000001ff
0:RPM                145       5  000001ff
0:aboot              150       5  000001ff
0:misc               155       5  000001ff
0:boot               160      36  000001ff
0:boot_b             196      36  000001ff
0:modem              232     232  000001ff
0:modem_b            464     232  000001ff
0:netgear_fs         696     140  000001ff
0:netgear_fs_b       836     140  000001ff
0:netgear_dat        976      80  000001ff
0:usr_data          1056     512  000001ff
0:system_b          1568     240  000001ff
0:system            1808     240  000001ff
                    2048

Edit: Oh, the thing with password/shadow: Copies are kept in (read-only) system and system_b and are copied to usr_data on booting.

Edit^2: It now identifies superblocks with 'S'. You should see lots of:

1820  UBI#  USXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

If you don't, your copy of ubi.exe is probably too old already.

 

[Renate]

As Freddie Prinze says, "Looking good!"

mdm9607 login: root
Password:
~ # id
uid=0(root) gid=0(root) groups=0(root)
~ #

Edit: Ok, I'll tell you what I did. I haven't cracked the stock password (yet), but I found etc/shadow in the system_b volume, edited the Hash$MD5 for root then fixed the CRC32. I hadn't bothered to look around before, but now I will and see about turning on ADB. Right now this only has utility for people who have the UART hooked up.

 

[Renate]

I've updated my native Windows EDL client so that it understands UBI volumes.
You can refer to whole volumes or parts.
For example, this is the makefile that I use to fix the password.

password:
	edl /n /r /psystem_b /s10048 /c64 chunk
	modfile chunk 15b09 /a "root:$$1$$abcdefgh$$rV6RhG4no19bGJfmub3Ui1"
	modfile chunk 15adc /l f966bba4
	crc32 chunk 62cc48c5
	edl /n /e /w /psystem_b /s10048 /c64 chunk

The doubled dollar signs is necessary for Gnu Make. The 2nd modfile fixes the UBI CRC32. The crc32 command checks the CRC32 of the chunk to make sure that the modifications were correct.

C:\>edl /n /g
Found EDL 9008
Configuring... Nope, configuring... Nope, configuring... Ok
Requesting info on LUN 0... Ok
Bad blocks: 1536, 1537, 1822, 1992
Requesting volume table... Ok, receiving... Ok

 #  Name                   Start       Count
--  ----------------  ----------  ----------
 1  SBL                        0         640
 2  MIBIB                    640         640
 3  EFS2                    1280        5632
 4  sys_rev                 6912        1280
 5  RAWDATA                 8192         768
 6  TZ                      8960         320
 7  RPM                     9280         320
 8  aboot                   9600         320
 9  misc                    9920         320
10  boot                   10240        2304
11  boot_b                 12544        2304
12  modem                  14848       14848
13  modem_b                29696       14848
14  netgear_fs             44544        8960
15  netgear_fs_b           53504        8960
16  netgear_dat            62464        5120
17  usr_data               67584       32768
18  system_b              100352       15360
19  system                115712       15360

 

[rich hathaway]

I know you are building out your edl but Just for the purposes of education the root pass can easily be changed to most anything with the passwd tool on the device, see below.

 

[Renate]

Yes, I tried passwd once with a crippled system and there was a problem with it.

 

[rich hathaway]

Yes it has to have a full filesystem to work, I used it thru adb and it worked fine

 

[Renate]

/custdata/nv/user/USB_COMP_STR.0 needs to be changed from CHRG_ONLY to DEBUG_MODE to enable ADB. (Thanks, Rick!)
Since it's null-padded to 16 bytes we might as well keep it that way just to be neat.

# echo -e -n "\\x44\\x45\\x42\\x55\\x47\\x5f\\x4d\\x4f\\x44\\x45\\x00\\x00\\x00\\x00\\x00\\x00" > /custdata/nv/user/USB_COMP_STR.0

 

[rich hathaway]

USB_COMP_STR.0 resides in netgear_dat if you are looking at that partition by itself and with the spare it resides at D1F038 without the spare it will be at DF0F38 or in ubi form its located at 306C18
if you are looking at it from a full (0-7ff) nand dump, with the spare you will find it at 11130F38 or in bin form without the spare it will be at
108E9A68 you can also get all ports working by just corrupting that string, such as change it from 55 to 00 or 55 to FF
or in txt change USB_COMP_STR.0 to
xSB_COMP_STR.0
glad you found it also

 

[Renate]

There's a ton of duplicated code all over for configuration of the USB:

case ${USB_COMP} in
        *CHRG_ONLY* )
                # use charge only when OTA NV is ready
                run_charge_only &
                ;;
        *68E2* )
                run_68E2 &
                ;;
        * )
                run_9607 &
                ;;
esac

 

[rich hathaway]

I tried to call up PID=68E2 which is what is used on most Sierra devices to enable the real ports but it does not work on this one because of the Quectel modem, I am sure there is a proprietary cmd for it, prob an AT cmd or qmi cmd.
but always best to make your changes at the place of residence and not elsewhere where coding gets copied to or it can cause problems and conflicts that can tie up the processor with chasing its tail and slow the device.

 

[Renate]

The 192.168.5.1/api/wwanadv.json gives us most of what we want in a small package.:

"wwanadv": {
	"curBand":"LTE B4",
	"radioQuality":38,
	"country":"USA",
	"RAC":0,
	"LAC":1234,
	"MCC":"311",
	"MNC":"480",
	"MNCFmt":3,
	"cellId":12345678,
	"chanId":2100,
	"primScode":-1,
	"plmnSrvErrBitMask":0,
	"chanIdUl":20100,
	"txLevel":-50,
	"rxLevel":-116,
	"end":""	
}

But... you have to be logged in and it does a bunch of redirections/session ids.

 

[rich hathaway]

Can you edit any of that from there and does the device respect it if you do?
You can change most all of that in the nv via dm commands.

 

[Renate]

Can you edit any of that from there and does the device respect it if you do?

No, I haven't gotten that far.
The HTML and JSON come out of templates in /custapp/usr/hdata
The templates (.tmpl) use goofy control characters as markup.
I haven't parsed it out yet.
However, here is a URL that tells you everything (390 variables), so you can figure out what you want to make into your own .tmpl or variables names if we can work around the templates to generate it simpler.
http://192.168.5.1/Introspection.html

 

[Renate]

I can put files in /custapp/usr/hdata and recall them with web.
I can't get programs to cgi execute there, but I can run them manually.

/custapp/usr/hdata # whoami       <= stock software
root
/custapp/usr/hdata # ./whoami.cgi <= my own shell/cgi software
User:   0 root
Groups: 0 root

whoami.cgi is compiled under RPi but the loader patched from /lib/ld-linux-armhf.so.3 to /lib/ld-linux.so.3

 

[Renate]

So I have a proof of concept here. It enables access for some of the variables, specifically the "wwanadv".
You can see what you get with http://192.168.5.1/api/wwanadv.json
Except that you normally have to be logged in on the main website to get it.
Try when you're not logged in and you'll get nothing.

Warnings: This is PoC. Save a backup copy of NetgearWebApp. This requires common sense to execute, don't follow the instructions literally. Don't do this if your NetgearWebApp is a different size. Stop and restore if it says "wrong place". There will be a nicer version later. I'll be making a custom template later. Those are struct addresses, not the specific location. There's no guarantee that this data is totally inaccessible from the networks side.

C:\>adb push ngwa /custapp/usr/bin
C:\>adb shell
# cd /custapp/usr/bin
/custapp/usr/bin # ls -l NetgearWebApp
-rwxr-xr-x    1 1000     1000        628504 Jun  3 15:40 NetgearWebApp
/custapp/usr/bin # chmod 755 ngwa
/custapp/usr/bin # ps |grep Netgear
 1622 root       0:00 {restartNetgearW} /bin/busybox /bin/sh /custapp/usr/sbin/restartNetgearWebApp
 1635 root       0:05 /custapp/usr/bin/NetgearWebApp
14988 root       0:00 {grep} /bin/busybox /bin/grep Netgear
/custapp/usr/bin # kill -9 1622
/custapp/usr/bin # kill -9 1635
/custapp/usr/bin # ./ngwa
97644  2200 => 2222
9765c  2200 => 2222
97674  2200 => 2222
9768c  2200 => 2222
976a4  2200 => 2222
976bc  2200 => 2222
976d4  2200 => 2222
976ec  2200 => 2222
97704  2200 => 2222
9771c  2200 => 2222
97734  2200 => 2222
9774c  2200 => 2222
97764  2200 => 2222
9777c  2200 => 2222
97794  2200 => 2222
977ac  2200 => 2222
Ok
/custapp/usr/bin # reboot

Sigh. Netgear is so stupid. I don't like JSON but at least I don't violate it:
These are all (separately) valid JSON: 0, {x: 1, y: 2, z: 3}
This is not valid JSON: x: 0, "wwanadv": { whatever...

Edit: Attachment deleted. There will be a new version soon.