Join Today













Site Sponsor
Results 1 to 1 of 1
  1. #1

    iPhone Moderator, Trusted Guru &
    CDMA GURUS Booster
    rich hathaway's Avatar


    Join Date
    Apr 2010
    Location
    kansas city
    Posts
    2,960
    Rep Power
    5942

    Default Netgear LM1200 Hacking and info thread

    Netgear LM1200
    A quectel modem with a qualcomm MDM9607 chip

    IMEI, bands, MEID, pESN, FID and TTL are mod-able on it once you have root
    it is de/re-brandable and pretty much anything can be modded that it does.
    it has an android/linux os on one side and os2 on a triple stacked ubi over ubifs over mtd for the firmware.
    It is a 19 partition layout and has an unlocked bootloader which makes it nice to work with.


    # Start Size A0 A1 A2 F# format ------ Name------
    ================================================== ==========

    00 0 00000a ff 01 00 00 LNX 0:SBL

    01 a 00000a ff 01 ff 00 LNX 0:MIBIB

    02 14 000058 ff 01 ff 00 LNX 0:EFS2

    03 6c 000014 ff 01 00 00 LNX 0:sys_rev

    04 80 00000c ff 01 00 00 LNX 0:RAWDATA

    05 8c 000005 ff 01 00 00 LNX 0:TZ

    06 91 000005 ff 01 00 00 LNX 0:RPM

    07 96 000005 ff 01 00 00 LNX 0:aboot

    08 9b 000005 ff 01 00 00 LNX 0:misc

    09 a0 000024 ff 01 00 00 LNX 0:boot

    10 c4 000024 ff 01 00 00 LNX 0:boot_b

    11 e8 0000e8 ff 01 00 00 LNX 0:modem

    12 1d0 0000e8 ff 01 00 00 LNX 0:modem_b

    13 2b8 00008c ff 01 00 00 LNX 0:netgear_fs

    14 344 00008c ff 01 00 00 LNX 0:netgear_fs_b

    15 3d0 000050 ff 01 00 00 LNX 0:netgear_dat

    16 420 000200 ff 01 00 00 LNX 0:usr_data

    17 620 0000f0 ff 01 00 00 LNX 0:system_b

    18 710 0000f0 ff 01 00 00 LNX 0:system
    ================================================== ==========
    Partition Table Version: 4

    the nand registers are below
    ---------------------------

    * 000 NAND_FLASH_CMD = 0008000b
    * 004 NAND_ADDR0 = ffff0000
    * 008 NAND_ADDR1 = 00000001
    * 00c NAND_CHIP_SELECT = 00000000
    * 010 NANDC_EXEC_CMD = 00000000
    * 014 NAND_FLASH_STATUS = 00007020
    * 018 NANDC_BUFFER_STATUS = 00ff0200
    * 020 NAND_DEV0_CFG0 = 295409c0
    * 024 NAND_DEV0_CFG1 = 08065d5d
    * 028 NAND_DEV0_ECC_CFG = 42040d11
    * 040 NAND_FLASH_READ_ID = 2690ac98
    * 044 NAND_FLASH_READ_STATUS = 00000000
    * 048 NAND_FLASH_READ_ID2 = 00081676
    * 064 FLASH_MACRO1_REG = 00000000
    * 070 FLASH_XFR_STEP1 = 00000000
    * 074 FLASH_XFR_STEP2 = 00000000
    * 078 FLASH_XFR_STEP3 = 00000000
    * 07c FLASH_XFR_STEP4 = 00000000
    * 080 FLASH_XFR_STEP5 = 00000000
    * 084 FLASH_XFR_STEP6 = 00000000
    * 088 FLASH_XFR_STEP7 = 00000000
    * 0a0 FLASH_DEV_CMD0 = 00000000
    * 0a4 FLASH_DEV_CMD1 = 00000000
    * 0a8 FLASH_DEV_CMD2 = 00000000
    * 0ac FLASH_DEV_CMD_VLD = 00000000
    * 0d0 FLASH_DEV_CMD3 = 00000000
    * 0d4 FLASH_DEV_CMD4 = 00000000
    * 0d8 FLASH_DEV_CMD5 = 00000000
    * 0dc FLASH_DEV_CMD6 = 00000000
    * 0e8 NAND_ERASED_CW_DET_CFG = 00000022
    * 0ec NAND_ERASED_CW_DET_ST = 000000f2
    * 0f0 EBI2_ECC_BUF_CFG = 00000000

    and its ubi info
    ------------------
    / # ubinfo -a
    UBI version: 1
    Count of UBI devices: 5
    UBI control device major/minor: 10:53
    Present UBI devices: ubi0, ubi1, ubi2, ubi3, ubi4

    ubi0
    Volumes count: 1
    Logical eraseblock size: 253952 bytes, 248.0 KiB
    Total amount of logical eraseblocks: 240 (60948480 bytes, 58.1 MiB)
    Amount of available logical eraseblocks: 0 (0 bytes)
    Maximum count of volumes 128
    Count of bad physical eraseblocks: 0
    Count of reserved physical eraseblocks: 40
    Current maximum erase counter value: 1
    Minimum input/output unit size: 4096 bytes
    Character device major/minor: 238:0
    Present volumes: 0

    Volume ID: 0 (on ubi0)
    Type: dynamic
    Alignment: 1
    Size: 196 LEBs (49774592 bytes, 47.5 MiB)
    State: OK
    Name: rootfs
    Character device major/minor: 238:1

    ===================================

    ubi1
    Volumes count: 1
    Logical eraseblock size: 253952 bytes, 248.0 KiB
    Total amount of logical eraseblocks: 232 (58916864 bytes, 56.2 MiB)
    Amount of available logical eraseblocks: 0 (0 bytes)
    Maximum count of volumes 128
    Count of bad physical eraseblocks: 0
    Count of reserved physical eraseblocks: 40
    Current maximum erase counter value: 1
    Minimum input/output unit size: 4096 bytes
    Character device major/minor: 237:0
    Present volumes: 0

    Volume ID: 0 (on ubi1)
    Type: dynamic
    Alignment: 1
    Size: 188 LEBs (47742976 bytes, 45.5 MiB)
    State: OK
    Name: modem
    Character device major/minor: 237:1

    ===================================

    ubi2
    Volumes count: 1
    Logical eraseblock size: 253952 bytes, 248.0 KiB
    Total amount of logical eraseblocks: 510 (129515520 bytes, 123.5 MiB)
    Amount of available logical eraseblocks: 0 (0 bytes)
    Maximum count of volumes 128
    Count of bad physical eraseblocks: 2
    Count of reserved physical eraseblocks: 38
    Current maximum erase counter value: 5
    Minimum input/output unit size: 4096 bytes
    Character device major/minor: 236:0
    Present volumes: 0

    Volume ID: 0 (on ubi2)
    Type: dynamic
    Alignment: 1
    Size: 468 LEBs (118849536 bytes, 113.3 MiB)
    State: OK
    Name: usrdata
    Character device major/minor: 236:1

    ===================================

    ubi3
    Volumes count: 2
    Logical eraseblock size: 253952 bytes, 248.0 KiB
    Total amount of logical eraseblocks: 140 (35553280 bytes, 33.9 MiB)
    Amount of available logical eraseblocks: 0 (0 bytes)
    Maximum count of volumes 128
    Count of bad physical eraseblocks: 0
    Count of reserved physical eraseblocks: 5
    Current maximum erase counter value: 5
    Minimum input/output unit size: 4096 bytes
    Character device major/minor: 234:0
    Present volumes: 0, 1

    Volume ID: 0 (on ubi3)
    Type: dynamic
    Alignment: 1
    Size: 104 LEBs (26411008 bytes, 25.2 MiB)
    State: OK
    Name: custapp
    Character device major/minor: 234:1
    -----------------------------------
    Volume ID: 1 (on ubi3)
    Type: dynamic
    Alignment: 1
    Size: 27 LEBs (6856704 bytes, 6.5 MiB)
    State: OK
    Name: hdata
    Character device major/minor: 234:2

    ===================================

    ubi4
    Volumes count: 0
    Logical eraseblock size: 253952 bytes, 248.0 KiB
    Total amount of logical eraseblocks: 80 (20316160 bytes, 19.4 MiB)
    Amount of available logical eraseblocks: 36 (9142272 bytes, 8.7 MiB)
    Maximum count of volumes 128
    Count of bad physical eraseblocks: 0
    Count of reserved physical eraseblocks: 40
    Current maximum erase counter value: 1
    Minimum input/output unit size: 4096 bytes
    Character device major/minor: 235:0
    / #

    --------------------------------
    To open the ports you need to edit USB_COMP_STR.0 resides in netgear_dat if you are looking at that partition by itself and with the spare it resides at D1F038 without the spare it will be at DF0F38 or in ubi form(on your desktop) its located at 306C18
    if you are looking at it from a full (0-7ff) nand dump, with the spare you will find it at 11130F38 or in bin form without the spare it will be at
    108E9A68 you can also get all ports working by just corrupting that string, such as change it from 55 to 00 or 55 to FF
    or in txt change USB_COMP_STR.0 to
    xSB_COMP_STR.0
    or change its value from CHARGE_ONLY to DEBUG_MODE any of those will get your ports enabled.

    the hardware id's are below

    USB COMPOSITE DEVICE
    USB\VID_2C7C&PID_0125&REV_0318
    USB\VID_2C7C&PID_0125


    ADB
    USB\VID_2C7C&PID_0125&REV_0318&MI_05
    USB\VID_2C7C&PID_0125&MI_05

    DIAG
    USB\VID_2C7C&PID_0125&REV_0318&MI_00
    USB\VID_2C7C&PID_0125&MI_00

    NMEA
    USB\VID_2C7C&PID_0125&REV_0318&MI_01
    USB\VID_2C7C&PID_0125&MI_01


    AT
    USB\VID_2C7C&PID_0125&REV_0318&MI_02
    USB\VID_2C7C&PID_0125&MI_02

    modem
    USB\VID_2C7C&PID_0125&REV_0318&MI_03
    USB\VID_2C7C&PID_0125&MI_03

    --------------------------------------
    I will attach the proper drivers for this device to this thread, if you download it please show some courtesy and hit the thank you button.
    Quectel_LTE&5G_Linux_USB_Driver_V1.0.zipPlease add your findings to this thread those of you who hack on this device

    [Only registered and activated users can see links. ] <-----DRIVER IS HERE!!!
    Last edited by rich hathaway; 06-07-2023 at 09:49 AM.
    Custom tools and custom phone & mifi firmwares built to your specs.Contact me !

    I WILL NOT ANSWER SUPPORT QUESTIONS THRU PRIVATE MSG.
    See mifis.us for unlimited data on vzw-AT&T-TMO-or some MVNO's (Resellers welcome)

    www.mifis.us <--get yer unlimited data mifis here


 

Similar Threads

  1. Inseego mifi x 3000/3100 pro info & hacking thread
    By rich hathaway in forum Novatel / Inseego
    Replies: 7
    Last Post: 08-14-2023, 04:49 PM
  2. INSEEGO FG2000 Hacking and info thread
    By rich hathaway in forum Novatel / Inseego
    Replies: 0
    Last Post: 05-08-2023, 07:47 AM
  3. INSEEGO wavemaker FW2000e AND FW2000 HACKING AND INFO THREAD
    By rich hathaway in forum Novatel / Inseego
    Replies: 1
    Last Post: 05-08-2023, 07:38 AM
  4. Faq. & info thread for novatel mifi throttle fix
    By rich hathaway in forum Novatel / Inseego
    Replies: 13
    Last Post: 08-21-2018, 11:39 PM
  5. Official samsung suede (muve music r710) -hacking thread
    By rich hathaway in forum Flashing Samsungs to Cricket
    Replies: 4
    Last Post: 04-27-2011, 09:06 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •