NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

icaruspony's avatar
icaruspony
Luminary
Jun 19, 2020

We can find out the ENTERCND password... with your help...

One of the best things you can do with the Nighthawk MR1100 M1 Router is to lock it's bands.  However, for AT&T, these commands are locked behind a password:

 

AT!ENTERCND <password>

 

Unfortunately, none of the known passwords that work for other carriers around the world work under AT&T, and to date, no one has figured this out.  That is where you come in.  There are people who use a Nighthawk MR1100 M1 with other providers who have known passwords.  As Tauroka mentioned on 2017-12-09, there is a method that those of you who know your provider's passwords could help us locate our password in memory.  The problem is that no one has followed his instructions, therefore, we do not know where to look for it... yet.

 

If someone who knows their Nighthawk MR1100 M1's password under their own carrier (any carrier, as long as you are using this hardware and you know the ENTERCND password your carrier uses), all they need to do is take a snapshot of memory, enter in the carrier's password, use this elevated access to change the password (just make anything up, as long as it's different... this is only temporary and goes back to normal on next reboot), then take another snapshot.  By comparing the two snapshots, we could see what part of memory changes when the password is updated... which means those of us with AT&T can dump our memory, look at that same area of our memory and see what the password is.  Tauroka wrote the directions, below.  If you could help us out, it would be greatly appreciated.  Hopefully Tauroka will chime in. 

 

The password is stored in NVRAM.

Could someone with a modem that has a known password, complete the following steps:

1. backup the NVRAM (xqcn format)

2A. AT!ENTERCND="oldpassword"

2B. AT!SETCND="password"

3. backup the NVRAM (xqcn format)

4. compare the xqcn files

5. identify the NV_Items EFS_Data stream that changed, e.g.

<Storage Name='EFS_Data'>
	  <Stream Name="00000001" Length="8" Value="04 00 00 00 00 00 00 00 "/>

 6. identify the NV_Items EFS_Dir that has the matching stream

<Storage Name='NV_Items'>
        <Storage Name='EFS_Dir'>
	  <Stream Name="00000001" Length="28" Value="2F 6E 76 2F 69 74 65 6D 5F 66 69 6C 65 73 2F 72 66 6E 76 2F 30 30 30 32 35 32 31 34 "/>

 7. Report back here the EFS_Data for both passwords, both passwords and the EFS_Dir.

Please note there will also be EFS_Dir and EFS_Data under EFS_Backup in the xml so don't mix them up.

 

Once we know the EFS_Dir and password encoding, we'll know where to look for users with modems that have unknown passwords.

 

 

 

No RepliesBe the first to reply