The goal of this document is to make it easy for everyone to unlock their M6 Hotspot routers. I purchased a refurbished M6 router with a version that did not allow to do what I wanted. After several hours of research and experimentation, I was able to get it to work. Here’s what I did:
Before you get started:
- A windows machine ( to use FDT )
- M6 router (MR6500 or M6550)
- Latest stable M6550 Firmware, In case your router is not unlockable (MR6550-100PAS 12.01.54.00)
- FDT.exe version 4.6.2.0
- AC78x Drivers ( optional, but I had to install them )
- Putty
Depending on you version the unlock process might or not work. Attempt the unlocking process first, if any of the commands fails, you might want to consider installing a different firmware.
The order of operations is:
- Firmware flashing ( dangerous, only required if unlock process fails )
- Unlock process
- TTL Mangle and Update prevention
- In your router, make sure you have USB Tethering enabled.
- Connect the router to your windows computer via USB
- Make sure your router is connected by opening a browser and navigating to your router's config page, usually http://192.168.1.1/
- Open putty and use the following settings to connect to your router:
a. Host Name:
192.168.1.1b. Port:5510c. Connection Type:Telnet - On the terminal run
ATIThis command will output information about your device - On the terminal run
AT!OPENLOCK?This command will print a challenge - Navigate to https://sierra-keygen.uu.sg/ and use the following to generate a challenge response.
Device generation:
SDX65Challenge type:OPENLOCKChallenge:The challenge you got from the previous step. ex: 884B78W2BTE2AA2A - After you click generate, the website will output a challenge response command. this command looks like this
AT!OPENLOCK="6TTD4765F1894F64"type this command in your terminal. - On the terminal run
AT!OPENMEP?This will generate a challenge - Navigate to https://sierra-keygen.uu.sg/ and use the following to generate a challenge response.
Device generation:
SDX65Challenge type:OPENMEPChallenge:The challenge you got from the previous step. ex: 884B78W2BTE2AA2A - After you click generate, the website will output a challenge response command. this command looks like this:
AT!OPENMEP="C4E48EF7FA4C4C33"type this command in your terminal. - On the terminal run the following:
AT!TELEN=1AT!CUSTOM="RDENABLE",1AT!CUSTOM="TELNETENABLE",1AT!NVIMEIUNLOCK
- Navigate to https://carlosalaniz.github.io/imei-encryptor/ and input your IMEI.
- In the terminal type the command outputted on the previous step.
ex. AT!NVENCRYPTIMEI=00,00,00,00,00,00,00,00 - Restart with router by running
AT!RESET
- In your router, make sure you have USB Tethering enabled.
- Connect the router to your windows computer via USB
- Make sure your router is connected by opening a browser and navigating to your router's config page, usually http://192.168.1.1/
- Open putty and use the following settings to connect to your router:
a. Host Name:
192.168.1.1b. Port:23c. Connection Type:Telnet - On the terminal run the following:
dx -c Oma.DMAccountServerAddress1 https://no.updateforyou.net:443/junktouch /usr/sbin/set-ttl.sh
chmod +x /usr/sbin/set-ttl.shecho '#!/bin/bash' > /usr/sbin/set-ttl.sh
echo '' >> /usr/sbin/set-ttl.sh
echo '# Enable debugging' >> /usr/sbin/set-ttl.sh
echo 'set -x' >> /usr/sbin/set-ttl.sh
echo '' >> /usr/sbin/set-ttl.sh
echo '# Log output to a file' >> /usr/sbin/set-ttl.sh
echo 'exec > /var/log/set-ttl.log 2>&1' >> /usr/sbin/set-ttl.sh
echo '' >> /usr/sbin/set-ttl.sh
echo '# Flush mangle table rules for IPv4 and IPv6' >> /usr/sbin/set-ttl.sh
echo 'iptables -t mangle -F' >> /usr/sbin/set-ttl.sh
echo 'ip6tables -t mangle -F' >> /usr/sbin/set-ttl.sh
echo '' >> /usr/sbin/set-ttl.sh
echo '# Set TTL for IPv4 on rmnet_data0 interface' >> /usr/sbin/set-ttl.sh
echo 'ip6tables -t mangle -I POSTROUTING -o rmnet_data0 -j HL --hl-set 64' >> /usr/sbin/set-ttl.sh
echo 'iptables -t mangle -I POSTROUTING -o rmnet_data0 -j TTL --ttl-set 64' >> /usr/sbin/set-ttl.sh
echo '' >> /usr/sbin/set-ttl.sh
echo 'exit 0' >> /usr/sbin/set-ttl.shecho '[Unit]' > /etc/systemd/system/set-ttl.service
echo 'Description=Set TTL in mangle iptables' >> /etc/systemd/system/set-ttl.service
echo 'After=multi-user.target' >> /etc/systemd/system/set-ttl.service
echo '' >> /etc/systemd/system/set-ttl.service
echo '[Service]' >> /etc/systemd/system/set-ttl.service
echo 'ExecStart=/usr/sbin/set-ttl.sh' >> /etc/systemd/system/set-ttl.service
echo 'Type=simple' >> /etc/systemd/system/set-ttl.service
echo '' >> /etc/systemd/system/set-ttl.service
echo '[Install]' >> /etc/systemd/system/set-ttl.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/set-ttl.servicesetenforce 0
systemctl daemon-reload
systemctl start set-ttl
systemctl status set-ttl
systemctl enable set-ttl
systemctl list-unit-files | grep ttlThis is a dangerous process that could remove features, cause malfunction or even brick your device.
Make sure you have the firmware you want to install as well as fdt.exe in the same folder.
- Unplug and remove the battery from the your device.
- Press the power button for 8 seconds.
- While pressing the power button connect the device to a windows computer via USB.
- Keep pressing until the device goes into
Downloading software updatemode. - Open an administrator terminal (cmd or powershell)
cdinto the folder containingfdt.exeand the firmware file you want to flash- run the following command, where
.\MR6550-100APS_23115772_NTGX65_12.01.54.00_00_Generic_01.30_00.secc.cweis whatever version you want to flash into your device.
.\fdt.exe -f .\MR6550-100APS_23115772_NTGX65_12.01.54.00_00_Generic_01.30_00.secc.cwe- Wait for the device to finish flashing the firmware.
https://wirelessjoint.com/viewtopic.php?p=24271#p24271 https://www.reddit.com/r/Dish5G/comments/13err3x/owning_the_netgear_m6_pro_mr6400/ https://wirelessjoint.com/viewtopic.php?t=4183 https://github.com/developer-of-things/m6restore https://wirelessjoint.com/viewtopic.php?p=19653#p19653
Do you know what is the default value of "Oma.DMAccountServerAddress1"?
If I want to rollback all of them.