View Full Version : Netgear LM1200 Hacking and info thread



rich hathaway
06-07-2023, 09:46 AM
Netgear LM1200
A Quectel modem with a Qualcomm MDM9607 chip.

IMEI, bands, MEID, pESN, FID and TTL are mod-able on it once you have root.
It is de/re-brandable and pretty much anything that it does can be modded.
It has an Android/Linux OS on one side and os2 on a triple-stacked UBI over UBIFS over MTD for the firmware.
It is a 19-partition layout and has an unlocked bootloader, which makes it nice to work with.


#  Start Size   A0 A1 A2 F# format Name
============================================================
00 0     00000a ff 01 00 00 LNX    0:SBL
01 a     00000a ff 01 ff 00 LNX    0:MIBIB
02 14    000058 ff 01 ff 00 LNX    0:EFS2
03 6c    000014 ff 01 00 00 LNX    0:sys_rev
04 80    00000c ff 01 00 00 LNX    0:RAWDATA
05 8c    000005 ff 01 00 00 LNX    0:TZ
06 91    000005 ff 01 00 00 LNX    0:RPM
07 96    000005 ff 01 00 00 LNX    0:aboot
08 9b    000005 ff 01 00 00 LNX    0:misc
09 a0    000024 ff 01 00 00 LNX    0:boot
10 c4    000024 ff 01 00 00 LNX    0:boot_b
11 e8    0000e8 ff 01 00 00 LNX    0:modem
12 1d0   0000e8 ff 01 00 00 LNX    0:modem_b
13 2b8   00008c ff 01 00 00 LNX    0:netgear_fs
14 344   00008c ff 01 00 00 LNX    0:netgear_fs_b
15 3d0   000050 ff 01 00 00 LNX    0:netgear_dat
16 420   000200 ff 01 00 00 LNX    0:usr_data
17 620   0000f0 ff 01 00 00 LNX    0:system_b
18 710   0000f0 ff 01 00 00 LNX    0:system
============================================================
Partition Table Version: 4

The NAND registers are below
---------------------------

* 000 NAND_FLASH_CMD = 0008000b
* 004 NAND_ADDR0 = ffff0000
* 008 NAND_ADDR1 = 00000001
* 00c NAND_CHIP_SELECT = 00000000
* 010 NANDC_EXEC_CMD = 00000000
* 014 NAND_FLASH_STATUS = 00007020
* 018 NANDC_BUFFER_STATUS = 00ff0200
* 020 NAND_DEV0_CFG0 = 295409c0
* 024 NAND_DEV0_CFG1 = 08065d5d
* 028 NAND_DEV0_ECC_CFG = 42040d11
* 040 NAND_FLASH_READ_ID = 2690ac98
* 044 NAND_FLASH_READ_STATUS = 00000000
* 048 NAND_FLASH_READ_ID2 = 00081676
* 064 FLASH_MACRO1_REG = 00000000
* 070 FLASH_XFR_STEP1 = 00000000
* 074 FLASH_XFR_STEP2 = 00000000
* 078 FLASH_XFR_STEP3 = 00000000
* 07c FLASH_XFR_STEP4 = 00000000
* 080 FLASH_XFR_STEP5 = 00000000
* 084 FLASH_XFR_STEP6 = 00000000
* 088 FLASH_XFR_STEP7 = 00000000
* 0a0 FLASH_DEV_CMD0 = 00000000
* 0a4 FLASH_DEV_CMD1 = 00000000
* 0a8 FLASH_DEV_CMD2 = 00000000
* 0ac FLASH_DEV_CMD_VLD = 00000000
* 0d0 FLASH_DEV_CMD3 = 00000000
* 0d4 FLASH_DEV_CMD4 = 00000000
* 0d8 FLASH_DEV_CMD5 = 00000000
* 0dc FLASH_DEV_CMD6 = 00000000
* 0e8 NAND_ERASED_CW_DET_CFG = 00000022
* 0ec NAND_ERASED_CW_DET_ST = 000000f2
* 0f0 EBI2_ECC_BUF_CFG = 00000000

And its UBI info
------------------
/ # ubinfo -a
UBI version: 1
Count of UBI devices: 5
UBI control device major/minor: 10:53
Present UBI devices: ubi0, ubi1, ubi2, ubi3, ubi4

ubi0
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 240 (60948480 bytes, 58.1 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 40
Current maximum erase counter value: 1
Minimum input/output unit size: 4096 bytes
Character device major/minor: 238:0
Present volumes: 0

Volume ID: 0 (on ubi0)
Type: dynamic
Alignment: 1
Size: 196 LEBs (49774592 bytes, 47.5 MiB)
State: OK
Name: rootfs
Character device major/minor: 238:1

===================================

ubi1
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 232 (58916864 bytes, 56.2 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 40
Current maximum erase counter value: 1
Minimum input/output unit size: 4096 bytes
Character device major/minor: 237:0
Present volumes: 0

Volume ID: 0 (on ubi1)
Type: dynamic
Alignment: 1
Size: 188 LEBs (47742976 bytes, 45.5 MiB)
State: OK
Name: modem
Character device major/minor: 237:1

===================================

ubi2
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 510 (129515520 bytes, 123.5 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 2
Count of reserved physical eraseblocks: 38
Current maximum erase counter value: 5
Minimum input/output unit size: 4096 bytes
Character device major/minor: 236:0
Present volumes: 0

Volume ID: 0 (on ubi2)
Type: dynamic
Alignment: 1
Size: 468 LEBs (118849536 bytes, 113.3 MiB)
State: OK
Name: usrdata
Character device major/minor: 236:1

===================================

ubi3
Volumes count: 2
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 140 (35553280 bytes, 33.9 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 5
Current maximum erase counter value: 5
Minimum input/output unit size: 4096 bytes
Character device major/minor: 234:0
Present volumes: 0, 1

Volume ID: 0 (on ubi3)
Type: dynamic
Alignment: 1
Size: 104 LEBs (26411008 bytes, 25.2 MiB)
State: OK
Name: custapp
Character device major/minor: 234:1
-----------------------------------
Volume ID: 1 (on ubi3)
Type: dynamic
Alignment: 1
Size: 27 LEBs (6856704 bytes, 6.5 MiB)
State: OK
Name: hdata
Character device major/minor: 234:2

===================================

ubi4
Volumes count: 0
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 80 (20316160 bytes, 19.4 MiB)
Amount of available logical eraseblocks: 36 (9142272 bytes, 8.7 MiB)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 40
Current maximum erase counter value: 1
Minimum input/output unit size: 4096 bytes
Character device major/minor: 235:0
/ #

--------------------------------
To open the ports you need to edit USB_COMP_STR.0, which resides in netgear_dat. If you are looking at that partition by itself, with the spare it resides at D1F038, without the spare it will be at DF0F38, or in ubi form (on your desktop) it's located at 306C18.
If you are looking at it from a full (0-7ff) nand dump, with the spare you will find it at 11130F38, or in bin form without the spare it will be at 108E9A68.
You can also get all ports working by just corrupting that string, such as changing it from 55 to 00 or 55 to FF, or in txt changing USB_COMP_STR.0 to xSB_COMP_STR.0, or changing its value from CHARGE_ONLY to DEBUG_MODE. Any of those will get your ports enabled.

The hardware IDs are below

USB COMPOSITE DEVICE
USB\VID_2C7C&PID_0125&REV_0318
USB\VID_2C7C&PID_0125


ADB
USB\VID_2C7C&PID_0125&REV_0318&MI_05
USB\VID_2C7C&PID_0125&MI_05

DIAG
USB\VID_2C7C&PID_0125&REV_0318&MI_00
USB\VID_2C7C&PID_0125&MI_00

NMEA
USB\VID_2C7C&PID_0125&REV_0318&MI_01
USB\VID_2C7C&PID_0125&MI_01


AT
USB\VID_2C7C&PID_0125&REV_0318&MI_02
USB\VID_2C7C&PID_0125&MI_02

modem
USB\VID_2C7C&PID_0125&REV_0318&MI_03
USB\VID_2C7C&PID_0125&MI_03

--------------------------------------
I will attach the proper drivers for this device to this thread. If you download it, please show some courtesy and hit the thank you button.
Quectel_LTE&5G_Linux_USB_Driver_V1.0.zip
Please add your findings to this thread, those of you who hack on this device :)

[Only registered and activated users can see links] <-----DRIVER IS HERE!!!
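
Added example, not part of the original post: a consistency check of the partition table against the `ubinfo -a` output, useful when validating a NAND dump of this device before trusting any offset in it. It assumes the Start/Size columns are hex counts of erase blocks and that a physical eraseblock is the LEB size plus two 4096-byte UBI header pages; the function names are illustrative.

```python
# Partition rows copied from the post (Start and Size in erase blocks, hex).
TABLE = """\
00 0 00000a ff 01 00 00 LNX 0:SBL
01 a 00000a ff 01 ff 00 LNX 0:MIBIB
02 14 000058 ff 01 ff 00 LNX 0:EFS2
03 6c 000014 ff 01 00 00 LNX 0:sys_rev
04 80 00000c ff 01 00 00 LNX 0:RAWDATA
05 8c 000005 ff 01 00 00 LNX 0:TZ
06 91 000005 ff 01 00 00 LNX 0:RPM
07 96 000005 ff 01 00 00 LNX 0:aboot
08 9b 000005 ff 01 00 00 LNX 0:misc
09 a0 000024 ff 01 00 00 LNX 0:boot
10 c4 000024 ff 01 00 00 LNX 0:boot_b
11 e8 0000e8 ff 01 00 00 LNX 0:modem
12 1d0 0000e8 ff 01 00 00 LNX 0:modem_b
13 2b8 00008c ff 01 00 00 LNX 0:netgear_fs
14 344 00008c ff 01 00 00 LNX 0:netgear_fs_b
15 3d0 000050 ff 01 00 00 LNX 0:netgear_dat
16 420 000200 ff 01 00 00 LNX 0:usr_data
17 620 0000f0 ff 01 00 00 LNX 0:system_b
18 710 0000f0 ff 01 00 00 LNX 0:system
"""
# From ubinfo -a: device -> (total logical eraseblocks, bad physical eraseblocks)
UBI = {"ubi0": (240, 0), "ubi1": (232, 0), "ubi2": (510, 2),
       "ubi3": (140, 0), "ubi4": (80, 0)}
PEB = 253952 + 2 * 4096  # assumption: LEB + EC/VID header pages = 256 KiB block

def parse(table):
    """Return [(name, start_block, size_blocks)] from the table rows."""
    rows = (line.split() for line in table.splitlines())
    return [(f[8].split(":", 1)[1], int(f[1], 16), int(f[2], 16)) for f in rows]

def check_contiguous(parts):
    """Every partition must start where the previous ended; return total blocks."""
    end = 0
    for name, start, size in parts:
        if start != end:
            raise ValueError(f"gap/overlap before {name}: {start:#x} != {end:#x}")
        end = start + size
    return end

def byte_range(parts, name):
    """(start, end) byte offsets of a partition in a dump without spare bytes."""
    start, size = next((s, n) for p, s, n in parts if p == name)
    return start * PEB, (start + size) * PEB

def match_ubi(parts):
    """Map each UBI device to partitions of size total LEBs + bad PEBs."""
    return {d: [p for p, _, n in parts if n == t + b] for d, (t, b) in UBI.items()}
```

The table covers 0x800 blocks with no gaps, which agrees with the "full (0-7ff)" dump range in the post, and every UBI device's eraseblock count lines up with exactly one partition size (A/B pairs share a size, so ubi0, ubi1 and ubi3 each match two candidates).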