Passwords picked up the cap ...

By the way.
Whistler- Mountain peak just above Vancouver, in Canada.
https://www.google.com/…0591666!4d-122.9569444

Grouse- also a mountain town near Vancouver
https://www.google.com/…3722894!4d-123.0994869

Cypress- another mountain town near Vancouver
https://www.google.com/…9.396018!4d-123.204545

Lavender- also connected with mountains, and also near Vancouver
https://www.google.com/…7543404!4d-123.4617879


P.S. What's interesting: Sierra Wireless is also from Canada. Their main office and Mobile Device Development Center are just in Vancouver ....

Post has been editedSkvo - 11.02.17, 03:14

It needs to be tested.
Moreover, it is noted that nvu differ from different systems in structure and parameters, so many experiments may be required ...
Let's leave it for the most recent case if other options do not help ...


For sure! First you need to check ...
And here Windows is not needed, from under OS X you can protest ...

vitaly_dvIn QMS, have a look, you have to cross and test the AT! OPENLOCK algorithm ...


On the Netgear website, the firmware has two in common:
For European AC785-100EUS:
http: //www.downloads.n...2.08.00.51.00_EMEA.exe
And for the Australian AC785S-1TLAUS:
http: //www.downloads.n...elstra_02.08.00.17.exe

Both are gutted, but EFS is not visible in clear view. Maybe he is there, but something is packed ...

Post has been editedSkvo - 05.10.16, 10:59

It worked. It's good.

It will be interesting to check this password on the AirCard 785 and 790. Is this the same or other passwords?
But for this we will wait in the topic of owners of such routers ...


But this is unexpected.
The first time is. See right to cut. Privilege! Entercnd is no longer enough to change the parameters! Custom ...
We will go around in other ways ..

.
Here you can experience.

Configure user profiles for! Band:

(Add separate ranges):
at! entercnd = "whistler"
AT! BAND =0A7, "Band 7", 0.40
AT! BAND =0B8, "Band 20", 0.80000
AT! BAND =0D9, "Band 38", 0.20 million

Masks can be folded, for example.
AT! BAND = 5, "B3 + B7", 0.44

These profiles are stored in the router.

You can use both standard and custom profiles for selection. For example:
AT! BAND = 0 - automatic selection from any ranges
AT! BAND = 6 - automatic selection only from LTE bands
AT! BAND = 7 - only LTE Band 7
AT! BAND = 9 - only LTE Band 38
etc.

Supplement fromvitaly_dv!


other details here:
Netgear AirCard AC785 (S), AC790 (S), AC810 (S) - Discussion (Post vitaly_dv # 52546661)

Post has been editedSkvo - 05.10.16, 00:01

Switch coding does not immediately work ...
Do not immediately wait for an answer to * 105 * 9 #.


Here's the next command in the USSD, the UCS2 answers should already go.
Now they were * 100 # encoded in UCS2 and see the result ...

Post has been editedSkvo - 03.10.16, 18:55

Everything is bad here!
There is nothing useful for working with the "GSM 8-bit data" encoding that Megafon uses.


As a result, if you really need a USSD for Megaphone, then everything comes back to use UCS2 ...
- we translate the router to at + cscs = "UCS2"
- network, please send messages in Cyrillic: * 105 * 1 #
- at + cusd requests are sent to UCS2
- manually translate answers from UCS2 into a visual form ...

By the way, here’s a convenient online calculator for decrypting text from GSM 7-bit, GSM 8-bit data, UCS2. Suitable for both SMS and USSD:
http://smspdu.benjaminerhart.com/

Post has been editedSkvo - 03.10.16, 16:22

Here is a good example for you.
Bring backat + cscs = "GSM"

And further to the requestat + cusd = 1, "* 105 * 0 #", 15you must receive the answer in symbolic form
These words"Ustanovlena podderzhka polucheniya USSD v translite"- you must see in the answer in a visual form.

Check it again.
The answer fits into the GSM 7-bit encoding - everything should be displayed in symbolic form ...



The megaphone curve transliteration engine ...

In order for the USSD response to have symbolic information, it must be encoded in the "GSM 7-bit" encoding.

But with Megaphone, transliteration does not always fit into this encoding.
Conversion from Cyrillic to Latin is strictly according to GOST with the active use of the symbol `(reverse apostrophe).
For example, "Promised" is translated in "Obeshhanny`j".

But! The coding "GSM 7-bit" doesn’t have the symbol `(reverse apostrophe), therefore for sending text the coding is used in the format" GSM 8-bit data ", which needs to be further decoded, as well as additional decoding of the messages sent "UCS2".


Eventually:
If the characters fit into the range of the coding "GSM 7-bit" - then you will see the symbolic answer ...
If you use the "GSM 8-bit data" encoding (which is the majority of answers in Megafon's Latin mode), then you will not see anything, you need additional unpacking.
In the "UCS2" mode - just as well, the modem itself will not show you anything in the character mode, you need to decode the messages ..


By the way, what does the router say to at + cscs =?

Post has been editedSkvo - 03.10.16, 15:36

Right.
Megaphone GOST 7.79-2000, transliteration according to system B.

Translite in the "GSM 7-bit" interfere with just the letters about which you mentioned: s, uh, hard and soft sign. Also, except for letters, and some signs also do not fit into the "GSM 7-bit". Right now, I don’t remember which, but such Megaphone came across in transliteration in balance ...

If the answer does not have these letters and curved characters, then it is encoded immediately into a normal "GSM 7-bit". And we should see a symbolic response.

As a result, the request * 100 # will not always be empty. It all depends on the advertising added to the balance. Sometimes the answer will be symbolic ... Although it is rather an exception ...


P.S.
In some regions, MegaFon transliteration is better. They spit on the exact compliance with GOST, and get all the characters in the "GSM 7-bit". So, by the way, the MTS comes to transliteration ...

Post has been editedSkvo - 03.10.16, 15:24

I'll try. If where is inaccuracy - correct ...

Instructions for obtaining a password to! ENTERCND for AC785 router

1. On AC810 router - there was access to ADB by default, and through it we took a dump of the CUST section.
On the AC785 router, judging by the reviews in this topic, the ADB port is inactive, so the version by analogy with AC810 will not work, we do not have access to the Linux console ...

Let's go the other way. I suggest to take a dump through Qtools.


2. Connect to the AT port. As the cap says:
- connect the router with a USB cable to the computer.
- Use for example Putty or any other terminal and select in the settings
HostName: 192.168.1.1
Port: 5510
ConnectionType: Telnet


3. Execute AT commands:
To know which version of the router and firmware we are dealing with:
ATI
AT! PACKAGE?

We look at the flush model, and the number of bad blocks on it. (model is useful below)
AT! FMBADBLOCKS?

We look at the partition table on the flash drive (not sure what will work on the AC785, but suddenly?)
AT! PARTINFO?

Switch to Download mode:
AT! BOOTHOLD


4. According to the last AT! BOOTHOLD command - the router will switch the song to USB \ VID_0846 & PID_68E0
An unknown device appears on which to roll the driver.
Downloading from here (the link is the same as in the header):http: //www.downloads.n...stra/AC78xSDrivers.exe

After installing the driver should appear "NETGEAR QDLoader Port".
This is the Download mode intended for updating the firmware, we will try to remove the dump through it.

To remove the need qtools, take here:
https://yadi.sk/d/fu51UwOive479


5. We look in the device manager COM port number "NETGEAR QDLoader Port", we need comXx.

Next, in the console, we load the loader to the port:
qdload -pXX -k3 -i

If the loader came up, then in response we should see the type of flash memory is the same as above in AT! FMBADBLOCKS ?.

We look at the partition table on the flash:
qrflash -pXX -s @ -m

Remove section CUST
qrflash -pXX -fY
where Y is the CUST partition number from the partition table shown by the previous command.


I think this is enough for a start. All answers on AT-commands lay out here.
All answers from the qdload and qrflash programs are also fully revealed.

Exiting Download mode and switching back to normal command operation:
qcommand -pXX -c "c 0b"
or you can simply turn off and turn back the router ...

Post has been editedSkvo - 24.09.16, 20:38

There is no certainty. On ac785 it may well be ADB.
On ac810, they also didn’t immediately understand how to get through to it ...

If there is an ADB, I will publish detailed instructions for dumping sections from it ...


I have an AC330 (on MDM9200). It is analog MC7710 - the firmware is common for them ...

AC341 goes to MDM9615. It is generationally similar to EM / MC7305.
In my opinion, ADB should turn on if you give! OPENLOCK and then AT! CUSTOM = "ADBENABLE", 1
Here is the instruction:http://forum.ixbt.com/…gi?id=17LC3544:436#436
The! OPENLOCK algorithm for AC341 is used the same as the EM / MC7305. The calculator on the link above is suitable ...
Let him try ...


qtools last. Corrected a bit of command ...


Removed bad advice ...

Post has been editedSkvo - 24.09.16, 19:33

There is no ready recipe for changing TTL / IMEI. This router has never been studied so deeply ...

For 785S, for the time being, even the AT! ENTERCND password has not been calculated.
Those who wish to take a flash memory dump from their own copy and share with local gurus for research - until they found ...

Post has been editedSkvo - 21.09.16, 11:35

Not
Thanks for the test on the AC810S-1TLAUS.
The addresses of the update server, login and password - everything exactly corresponds to that specified in European AC810-100EUS.

I’ll add two more update commands here:

AT! WUCHECKINT? - shows the interval between the automatic search for updates.
The interval is calculated in minutes. The default value should be 10080 - this will be “once a week”.

AT! WUCHECKINT = xxx - accordingly setting this interval.

AT! WURUN - manual launch of the update search procedure.



I think that from the router itself it can be peeped, with what requests it is breaking to the update server. Access to the Linux console by ADB because we have ...

Linux guru, is this real?


I attach here the archive with all AT! commands that are processed by the modem subsystem firmware. Pulled out of AC810-100EUS.
The archive is just the names of the teams. For many there is no documentation how to apply them. But half of them correspond to the documented commands of the Sierra Wireless modems ...


at.zip(1.97 KB)


Post has been editedSkvo - 09.09.16, 09:16

For DC112A, add a link to the User Manual and the latest official firmware V1.0.0.30:
http: //www.downloads.n...12A_UMsrc_3Aug2015.pdf
http: //www.downloads.n...A-V1.0.0.30_1.0.60.zip

In addition to this docking station, in your post it is worth mentioning another docking station, simpler:
AirCard Signal Boosting Cradle with Ethernet (DC113A)

Official page:https: //www.netgear.co…e-hotspots/DC113A.aspx
Datasheet:http: //www.downloads.n...atasheet/en/DC113A.pdf

European version, SKU: DC113A-100EUS even imported to Russia for sale ...

DC113A - officially supports the Aircard 790, but it will work with the Aircard 810 too (there is a phrase in the datasheet, "All Future Aircard Mobile Hotspots").
P.S.
By the way, here in this post, in a note,vitaly_dvmentions her. He tried a bunch of DC113A + router AC810. The Ethernet port on the docking station worked ...
Netgear AirCard AC785 (S), AC790 (S), AC810 (S) - Discussion (Post vitaly_dv # 52546661)

Post has been editedSkvo - 08.09.16, 16:30

The password information for the AC810S-1TLAUS has gone to the header of this topic.
Password matching is unexpected by the way. The "grouse" is taken from the AT & T operator's AirCard 340U USB modem ... and then suddenly came up for Telstra ...


AT! BAND =? confirmed the ranges. The information in the header was correct, the frequencies are a bit unsuitable for our country: there is no Band 20 and no Band 38.


AT! PACKAGE? shows current firmware + configuration, AT! FACTPACKAGE? shows the factory (factory).
Since they are different, we conclude that the router was updated from the update server.
In this regard, throw more answers on a couple of teams.
I want to look at the address of the update server where the firmware is located, and the login and password to this server:

at! entercnd = "grouse"
AT! WUURL?
AT! WUAUTH?

Post has been editedSkvo - 08.09.16, 13:48

Thanks for the feedback.

As I understand it, at! Entercnd = "grouse" approached the Australian AC810S-1TLAUS.
If so, then show answers to several AT commands from your router:

ATI
at! entercnd = "grouse"
AT! BAND =?
AT! PACKAGE?
AT! FACTPACKAGE?
AT! UDINFO?

For starters, throw three answers to know exactly what we are dealing with:
ATI
AT! PACKAGE?
AT! FACTPACKAGE?

With a password is expected ... Each model of the router from Netgear has its own password ...

As previously mentioned in the topic, you need to climb into the flash for the password ... The original is in the EFS2 section, the backup is in the CUST section ...
As soon as we get to the dumps of any of these sections, then there will no longer be a problem to decrypt the password from it.

On the AC810, there was access to the ADB, through which the CUST dumps were removed and the password was pulled from there.

On the AC785, as you write, there is no access to the ADB, so we are going a different way.
In my opinion, it will be easier to remove dumps via qtools through the diagnostic port ... The AC785 chipset is qualcomm mdm9225, qtools is familiar with it, in the end, I think it should go without any problems ...

But first you need a computer in Windows, MacOS is not an assistant here ...
From the header, put the driver on and, for a start, configure QPST to make sure it works.

And then download qtools, transfer the router to Download mode via Diagnostic port XX:
qcommand -pXX -e -c "c 3a"

load the loader and initialize the flash controller:
qdload -pXX -k3 -s -i

and try to read the section map:
qrflash -pXX -s @ -m

....

Following the discussion in this topic, I added four ways to reach the AT port on Netgear Aircard in the header.
The first two should earn on the AC785. Try ...


P.S. Cap in the process of filling.
Send your suggestions / corrections / additions to QMS ...

Post has been editedSkvo - 27.08.16, 13:33

Talked a little with the Poles. As a result, we found out the frequencies ...

Here is a report on AT commands with the AC810S-1P1PLS:



As a result, the Polish version of the AirCard AC810S, SKU code: AC810S-1P1PLS:

- not locked to the PLAY operator. Works with any SIM cards.

- frequencies are similar to the European version of the AC810-100EUS:
LTE FDD: B1, B3, B7, B8, B20
LTE TDD: B38, B40, B41

- you can safely take it as an alternative to the European version of the AC810-100EUS.
In the domestic market of Poland, prices for new packages start from 500 zlotys:
http://olx.pl/elektron...utery-i-modemy/q-810s/
http://allegro.pl/list...gory-77976&string=810s

Post has been editedSkvo - 17.08.16, 15:14

Got pictures of the box from the AC810S for the Polish operator PLAY.

Frequencies are not listed. The presence of Band 38 - remains in question.
Supported aggregation combinations on the box - either.

UserManual on AC810S from Play, in which this can be told - is also not seen anywhere ...

P.S.
As a result, to determine the frequencies, there is an option to peep them at AT! BAND =?
We will wait for the real owner ...



Post has been editedSkvo - 12.08.16, 08:51

The story of getting the key for AT! ENTERCND continues ...

A bit of theory for everyone.
Sierra Wireless has always used the universal password “A710” by default.
After the transition of the mobile unit to Netgear, the new firmware changed the password to an alternative one.


This password is "grouse" fromAircard 340U

And in the first firmware from Sierra Wireless for AC340U - the password was "A710". In the latest firmware from Netgear, it became "grouse". Pulled it outthis firmware AC340U from Netgear.
It was hoped that this is a new universal from Netger, but not destiny. If this password did not fit the AirCard 810, then each Netgear product has its own separate password for AT! ENTERCND ...

Also, an attempt was made to obtain a password through elevation of rights, for example, as described hereusing AT! OPENLOCK authentication- but here we were waiting for a bummer. The algorithm for calculating the codes OPENLOCK for AC810 - varied ...

Remains an option through the search section EFS2. There will be a dump of the EFS2 section - I will try to get the password out of it ...

Although the password may be lit in other sections. For example in "CUST". This section stores a backup copy of NVRAM. It must also have a password ...

Post has been editedSkvo - 12.08.16, 08:42