Rooting and Unlocking the T-Mobile T9 (Franklin Wireless R717)

I recently acquired a T-Mobile T9 mobile hotspot from a friend who used it with their Test Drive program, and like I do with most embedded devices I poked around. This thread will go over my software findings, and will give you the information needed to gain root access and SIM Unlock the device.

NOTE: I am not responsible for any damage done to your T-Mobile Hotspot. Proceed at your own risk. Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.

OTAs

The OTA system on the device is very simplistic. It phones home to the following URL, with the following syntax:
https://fota.pintracview.com/fota/T9/check_update.php?carrier=<CARRIER>&rev=<CURRENTVERSION>&imei=<IMEI>

So for example, my T9 was reporting to check_update.php?carrier=tmobile&rev=891 when it was on firmware revision R717F21.FR.891. Manually calling this URL with any outdated revision will link you to the latest OTA file, which is a .enc file.

Thankfully, these .enc files are very easy to extract. If you are on a newer version of OpenSSL, you can extract this OTA using the following command:

openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##KEY@R717

This will then provide you with a .tar file, which contains a file named ota_update_all.zip which has a copy of the rootfs files. On this device, all OTAs are full image releases, so you can upgrade and downgrade as you please using the web interface. As for the decryption key, I extracted this from the binary at /usr/bin/fota_app. I was also able to start a collection of firmwares, including an unreleased update. You can access these OTA files from this Mega Share.

As for the OTA zip, it appears to be unsigned, so you may be able to modify it and have the device apply it, but I have not tested this.

Config File

One nice thing about this device is that you can enable SSH, ADB, and other hidden goodies by simply generating a configuration backup, modifying it, and uploading it back to the device. As for the configuration backup itself, you can convert it from its .bin format to its true form, a .tar.gz, using the commands below:

openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##KEY@R717
mkdir hotspot_cfg_packed
tar xf hotspot_cfg_packed.tar -C ./hotspot_cfg_packed
cd hotspot_cfg_packed
mkdir hotspot_cfg_packed_2
tar xf hotspot_cfg.tar -C ./hotspot_cfg_packed_2

As you can see, the configuration dump is actually aes-128-cbc encrypted, and contains nested tar.gz files. You can now modify the configuration as you wish, repackage it, and re-upload it.
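To make the round trip above concrete, and to show the re-encryption direction (the post only shows decryption), here is an added example script that is not from the original post. It decrypts hotspot_cfg.bin with the same openssl parameters the post uses for the OTA .enc files, extracts both tar layers, and then repacks and re-encrypts them; the function names are mine, and the inner archive name hotspot_cfg.tar is the one the commands above use.

```shell
#!/bin/sh
# Added example, not from the original post. Round-trips a T9 configuration
# backup (hotspot_cfg.bin) with the openssl parameters the post gives for both
# the OTA .enc files and the config backup: aes-128-cbc, -md md5 and the
# passphrase frkenc##KEY@R717. Function names are my own; the inner archive
# name hotspot_cfg.tar comes from the post.

FRK_KEY='frkenc##KEY@R717'

# Decrypt an OTA .enc or a hotspot_cfg.bin into a plain tar (-d = decrypt).
frk_decrypt() {
    openssl enc -aes-128-cbc -d -md md5 -in "$1" -out "$2" -k "$FRK_KEY"
}

# Re-encrypt a tar back into .bin form: same options WITHOUT -d. Passing -d
# here makes openssl look for its "Salted__" header in plain tar data and
# fail with "bad magic number".
frk_encrypt() {
    openssl enc -aes-128-cbc -md md5 -in "$1" -out "$2" -k "$FRK_KEY"
}

# True if the file starts with the gzip magic bytes 1f 8b. tar xf auto-detects
# gzip on extraction; on re-packing we reproduce whatever layout was there.
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# pack_like LIKE DIR ARCHIVE : tar DIR's contents into ARCHIVE, gzip-compressed
# if the reference archive LIKE was gzip-compressed.
pack_like() {
    if is_gzip "$1"; then
        ( cd "$2" && tar czf - . ) > "$3"
    else
        ( cd "$2" && tar cf - . ) > "$3"
    fi
}

# cfg_unpack BIN WORKDIR
# Leaves the decrypted outer layer in WORKDIR/outer.tar, its contents in
# WORKDIR/outer/, and the inner hotspot_cfg.tar extracted into WORKDIR/inner/.
# Edit files under WORKDIR/inner/ between cfg_unpack and cfg_pack.
cfg_unpack() {
    mkdir -p "$2/outer" "$2/inner"
    frk_decrypt "$1" "$2/outer.tar" || return 1
    tar xf "$2/outer.tar" -C "$2/outer" || return 1
    tar xf "$2/outer/hotspot_cfg.tar" -C "$2/inner"
}

# cfg_pack WORKDIR BIN
# Reverse of cfg_unpack: rebuild hotspot_cfg.tar from WORKDIR/inner/, rebuild
# the outer tar around it, then encrypt to BIN ready for upload to the device.
cfg_pack() {
    pack_like "$1/outer/hotspot_cfg.tar" "$1/inner" "$1/hotspot_cfg.tar.new" || return 1
    mv "$1/hotspot_cfg.tar.new" "$1/outer/hotspot_cfg.tar"
    pack_like "$1/outer.tar" "$1/outer" "$1/outer.tar.new" || return 1
    mv "$1/outer.tar.new" "$1/outer.tar"
    frk_encrypt "$1/outer.tar" "$2"
}
```

Usage: `cfg_unpack hotspot_cfg.bin work`, edit files under `work/inner/`, then `cfg_pack work hotspot_cfg_new.bin` and upload the new .bin through the restore page.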

SSH

During my research I found that SSH can be enabled on this device, and once enabled, you can log in as the root user. If you are on firmware version 891 or below, you can run the following command to quickly enable SSH.

curl "http://192.168.0.1/cgi-bin/webpst.service_setting.cgi" \
  -H "Content-Type: application/json" \
  -H "Origin: http://192.168.0.1" \
  -H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
  --data '{"command":"save","params":null,"data":{"ssh":"on","tether":"","bridge":""}}' \
  --insecure

Note that if your firmware is above version 891, then to enable SSH you will need to modify the Config File as described above. If you want, I have created a basic Python script that can do this for you, which is available on GitHub. Just note that it requires OpenSSL 1.1.0 or newer and has only been tested on Ubuntu 18.04.

As for logging in over SSH, I was able to discover that the root SSH password for these devices is frk9x07. Sadly, the engineers at Franklin Wireless only used a descrypt (traditional DES-based crypt) hash for the root password, which hashcat was able to crack within seconds on my GTX 1080.

ADB

As a bonus, you can enable an ADB shell that drops you right to a root prompt without any password! Note that this seems to work on firmware version 891 and below, but it may not work on newer firmwares.

curl "http://192.168.0.1/cgi-bin/webpst.usb_mode.cgi" \
  -H "Content-Type: application/json" \
  -H "Origin: http://192.168.0.1" \
  -H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
  --data '{"command":"save","params":null,"data":{"usb_mode":"902D"}}' \
  --insecure

On newer OTAs, you can still enable ADB, but it needs to be done manually from the /data/configs/mobileap_cfg.xml file: update the UsbMode setting value from 9025 to 902D, save, then reboot the device. Note that you may also need to replace the contents of /data/configs/hsusb_next with 902D.

Hidden Web Pages

During my digging around the device I found a handful of hidden pages, which were secured by plaintext passwords statically built into binaries. Below you can find the pages I found, as well as where I found the passwords for said pages.

  • Hidden Configuration Pages
    • http://192.168.0.1/hidden/
    • http://192.168.0.1/webpst/
      • Password: frk@r717
      • Password was extracted from /var/volatile/www/htdocs/cgi-bin/login.cgi
  • IT Admin Page
    • http://192.168.0.1/itadmin/
      • Password: t9_it_@dmin
      • Password was extracted from /var/volatile/www/htdocs/cgi-bin/logi
  • Hidden Engineering Page
    • http://192.168.0.1/engineering/franklin/
      • Username: r717
      • Password: frkengr717
      • User and Password were extracted from /etc/pwlighttpd
      • Note: On firmwares newer than 891, you need to first run the following as root before you can access the engineering pages.
        • /usr/bin/copy_htdocs.sh eng

SIM Unlock

While exploring the binary at /usr/bin/QCMAP_Web_CLIENT, I accidentally stumbled upon the logic used to SIM unlock the device. To generate your SIM unlock code, run the following in any Linux or Mac terminal.

export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | sha1sum | cut -c1-8

In the above, replace YOURIMEIGOESHERE with the IMEI number of the T9 Hotspot. Once done, you can enter the generated code into the Web UI to unlock the device for all SIM cards.

Conclusion

Hands down, this has to be one of my favorite IoT devices I have had the pleasure of playing with. I appreciate the fact that Franklin Wireless put minimal effort into securing the device since it makes for a great platform to build on top of. If anyone at Franklin Wireless is reading this, I recommend the following changes to help secure your devices.

  • Don’t store passwords in plain text in your binaries. Use sha256 or md5+salt, or some other method.
  • Please don’t allow your “hidden pages” to have password prompts skipped by modifying the browser’s HTML rendering. This is just sloppy, and is how I was able to get ADB access to start my research. Either having them locked down using lighttpd, or having a completely separate auth page that is properly hardened is my recommendation.
  • Don’t use DEScrypt Linux passwords. The time it took me to crack the hash was less than 10 seconds. md5crypt at a MINIMUM, and sha1 if you want to get a bit fancier. Also, make the password longer than 8 characters to help reduce the chance of a successful brute force.
  • If you need to have ADB, Jail it down. Another T-Mobile hotspot I have allows for ADB, but it runs as a non-existent UID so you can barely view the filesystem. Something like this would probably be a safer bet.
  • Move to incremental OTAs, and SIGN THEM CORRECTLY. Most android OTAs use certs for OTA authentication. Also, implement rollback protection and disable the ability for users to upload OTAs.

2021 Update

It appears that in the latest 2602 update, a good chunk of my recommendations above were incorporated. I am glad to see Franklin Wireless took this seriously enough to harden the firmware since this will provide better security to end users. Note that at this time there is no downgrade path but if I find anything expect to see a followup blog post.

297 thoughts on “Rooting and Unlocking the T-Mobile T9 (Franklin Wireless R717)”

  1. Malias

    I just have to say this is wonderful timing! I just got the T9 test drive device and found your post researching how to bandlock with it. I somehow softbricked it, but holding down the reset button with the cover off while it was powered up did the trick.
    Some peculiarities I’ve noticed, after rolling back the firmware to FR.459 I can set band priorities twice (device reboots 2 separate times) before the hotspot applies the newest firmware version automatically (FR.M1311) without my prompting. Fortunately the new band priorities aren’t overwritten, but it worries me that in the future they may implement some kind of rollback protection as you suggest. Any ideas on how to stop it from auto updating/phoning home?
    Thanks!

      1. Stefan

        So I made this edit and they pushed the latest firmware anyways. After I reverted back to 891, my edit was still there. Any other ideas for preventing the OTA from happening?

        1. Chris B - Admin Post author

          The device needs to be rebooted after the change is made for it to apply, otherwise the changes won’t get picked up by the running process.

          As for another method, in theory you could also kill the process for fota_app, and replace /usr/bin/fota_app with a bash script with an infinite loop and sleep.

          1. Icarus

            I have a Windows/DOS background, not linux.

            Can you give me the procedure to “kill the process for fota_app, and replace /usr/bin/fota_app with a bash script for an infinite loop and sleep”?

            I am connected as root via SSH and I am in the /usr/bin/fota_app directory.

      2. Artem Sorokin

        Thank you. The unlock code worked!!! But I unzipped the OTA files and got tar files that I couldn’t open with an archive extractor (7-Zip, WinZip, etc.).

  2. Stefan

    Thank you so much for writing this. Lots of fun options to play with on this device. One thing I’d like to do is to make a set of iptables/ip6tables rules for TTL mangling permanent – have you discovered any way to write these to the /data partition in a way that they’d get executed on every boot? Or do I need to go figure out how to build a firmware image? Just to share, here are the rules I’m playing with:

    export TTL=66
    export INTERFACE=rmnet_data0
    ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL --hl-set $TTL
    ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL --hl-set $TTL
    iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL --ttl-set $TTL
    iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL --ttl-set $TTL

    I have this working via ssh (by the way, the ssh option in engineering settings worked for me on 891).

    Thanks!

    1. wh2k9

      What would be the purpose of TTL modification on a dedicated hotspot device like this, since devices are designed to be tethered to it anyway?

  3. Arie

    Is there a way to root this device and trick it into tethering unlimited from a T-Mobile phone line SIM? I am using a phone SIM with 10 GB hotspot with no issue, but to be capped at 50 GB would be nice.

      1. Matthew

        Do you recall where you enter the unlock code? I was able to generate an unlock code, and pretty much everything else you discovered was very helpful. Thank you!

        Matthew

      2. Mike

        Actually, you can do it from Windows if you have WSL installed, aka Windows Subsystem for Linux. That’s how I generated my unlock code.

          1. Rick

            Connect to the hotspot via wifi, then browse to its webUI by typing 192.168.0.1 – you won’t need to use Putty to enter the unlock code, as there’s a field in the webUI to enter it.

            I used a terminal emulator on an Android phone to generate the unlock code, connected to the hotspot on the same phone and entered the code. Easy.

  4. Matthew

    Would you happen to recall what WebUI was used to enter the sim unlock code? I thought I looked through all of them, but I do not recall seeing it.

    Thanks!

  5. Edric

    I have a few of these, and it occurred to me that it shouldn’t be hard to make this work as a wifi extender or repeater bridge. Anyone willing to write a script to set it up?

    1. Malias

      I have been in contact with someone using AT&T via the (Engineering>Change target>DEFAULT) setting, I am using Sprint with the same setting.

    2. Jim

      I can use AT&T 4G LTE with TMobile target as well. I do need to change the IMEI of the device to mimic an AT&T compatible device to get the LTE, otherwise, it can only connect to 3G.

      1. Bob the builder

        I can get 4G LTE using one of my TMobile voice lines but it registers as “unknown device” on the TMO website. Is this an issue that could spark further review and if so how do I fix it?

        btw, the website does show the updated imei

  6. The_Vaccine

    I was wondering.. if I can unlock it and I have access to its terminal/shell, could I use it as a regular wifi hotspot device? I want to boost the range of the wifi at my house for my IoT devices so I can isolate their network.

  7. Malias

    I am able to use the hotspot with sprint now, but have been unable to get the band priority table in hidden>Lte menu area to populate. Is there a way to force this menu to populate?

    Before when using stock target (Engineering>Change target>TMOBILE) I had experienced this bug but it was fixed by factory resetting, unfortunately this doesn’t seem to work when my target is set to (Engineering>Change target>DEFAULT). Any idea if there’s an xml file I could alter similar to the FOTA fix? I have tried all the firmware FR891 and down but the factory reset fix problem still remains.

    Or could I directly change the band priorities by downloading a backup, editing it, then restoring? I have looked through the cfg’s after extracting them and don’t see a place for band priorities.

    The only place I have found the band settings referenced via adb is at (/etc/default/configs/DEFAULT # strings mcfg_sw.mbn); when printed it shows a list of NV locations that refer to band preferences explicitly, for example (/nv/item_files/modem/mmode/lte_bandpref), but I don’t know how to interact with the non-volatile memory.

  8. Daniel

    The unlock code doesn’t work for me after generating it using the commands with my IMEI. I downloaded the 891 firmware from your link.

    1. blvkoblsk

      On macOS (Catalina) and making sure that openssl was updated, I was able to generate the SIM unlock code in terminal with the command below (changing sha1sum to shasum)

      echo -n "${IMEI}simlock" | shasum | cut -c1-8

      The code generated successfully SIM unlocked my T9 with firmware R717F21.FR.M1311

      Hope this helps.

  9. Zach

    I am also not having any success with the password generated with sha1sum. BTW, I don’t see a “SIM settings” tab on the http://mobile.hotspot page, so I just tried entering the generated password when clicking the “Settings” tab.
    I was able to get into the device with SSH though, is there perhaps a way to edit the config directly to do the SIM unlock?

    1. Chris B - Admin Post author

      Hmm, I wonder if it’s firmware version related then. Try updating the device and doing a factory reset. That should then hopefully expose the option in the Web Interface.

      1. Zach

        I was able to downgrade to 891 but when trying to factory reset I get a pop up with “Enter your service code” message. No idea what service code to enter. I tried both the IMEI based code and other passwords you called out in this page and none of that worked.

          1. Kurt

            Were you able to work around this? My firmware appears to be similar. Settings and additional pages behind a login page, the unlock code rejected as the password.

  10. Eric

    Hi,

    I downgraded to the 891 version, then used the command you provided. Every time after I execute the SSH command, it shows:
    {
    "msg": "OK",
    "result": "S_SAVE"
    }

    Then the device shows “Goodbye” and restart.
    And I still cannot connect via SSH.
    Do you know what’s wrong on my side?

  11. Lando

    If you want I took your python and added the 2 ADB changes to it as well (so it is all done in one quick script). Send me an email and I will get it to you.

  12. anthony kuhn

    How do I get the SIM unlock code? I would like to try with an AT&T SIM card. IMEI REMOVED BY ADMIN. Can you get my code for me and email it to me? Thank you.

      1. anthony kuhn

        Where do I insert it to unlock it? Do I just put the other SIM inside, then go to the login page and put the code in there?

      2. CK

        Sir,

        I am having the same issue resolving the unlock code for my children’s device to work on our laptop via USB, as it won’t work for wifi. Can you help, as our school tech people have no idea and state the carrier unlock code is needed to switch the setting? Here is our IMEI: ADMIN REMOVED. Can you email or post our code?

        Thank you!

        CK

          1. Steve Brown

            That works like magic. I was able to unlock my T-Mobile Test Drive Franklin T9 I bought on eBay, but when I submit the IMEI to Sprint for activation, it says the device cannot be activated on their network, even though Sprint offers the T9 for $90. Apparently the IMEI is blacklisted. Is there any way I can get the device activated on Sprint?

          2. CK

            Sir,

            All this time later and I can’t figure out how to get the unlock code. Can you please help me? Thank you!!

    1. Andrew

      My IMEI

      ADMIN REMOVED
      Please reply when you have it. Thank you. I don’t know how to get the code and don’t want to mess up my PC trying to figure out how to get it.

  13. Tony

    Hi, I’d like to request the unlock code too.
    this is the IMEI: ADMIN REMOVED

    Could you post or email me the unlock too? Thanks so much in advance.

  14. TCW

    Works beautifully to unlock! I was able to get the code through a Linux Machine since Mac didn’t have the sha1sum package (at least on Catalina). thanks!

    1. Erik

      On the Mac running Catalina, the command for sha1sum is shasum so the command is slightly changed to:

      export IMEI=YOURIMEIGOESHERE
      echo -n "${IMEI}simlock" | shasum | cut -c1-8

      Works perfectly.

    1. JOE HAMELIN

      Merci beaucoup !

      I had tried running it on MacOS 11.3.1, FreeBSD 11, and Ubuntu 18.04 with different results each time.

  15. Tcppa

    Hello, my device version is 891
    After it is automatically updated, it keeps looping on the welcome interface when I turn it on.
    Is there a way to fix it?
    Thank you very much

    1. www

      Ugh same issue here. I thought I had everything perfect! Even got the TTL script added with scp copy and all was working for a full week. Woke up to Welcome screen bootloop this morning. Soft and hard reset don’t seem to work 🙁

  16. www

    Update – I got it to boot by taking out the SIM then a hard reset after it booted once. It looks like I auto-upgraded to version 1311, even though I followed Stefan’s guide for the TTL scripts which were working great before: https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab

    This has been really fun to tinker with BTW! But now I’m stuck understanding how to downgrade.

    To downgrade back to 891, what exactly am I uploading? I downloaded 891 .enc file from Mega, converted .enc to .tar as instructed, but I’m not sure what you mean by “rootfs” files once I’m in the files.

    And would I upload as a backup restore on IT admin, or as a firmware upgrade on webpst page?

    It seems like no one has resolved the blocking of updates though right?

    1. Chris B - Admin Post author

      For flashing between versions, just upload the original .enc file (don’t decrypt it!) on the firmware upgrade page. You can either use the webpst one, or the firmware update page found in the normal webUI under settings.

  17. Jay Fyre

    Has anyone been able to get diag mode working on this so we can talk to it with Qualcomm tools like QPST or QXDM? This device is using the Qualcomm MDM9207-0 so it should be possible.

    1. Jay Fyre

      Nevermind, I asked prematurely and just got my hands on the device. I now see that DIAG can be enabled from the following page: http://192.168.0.1/webpst/usb_mode.html

      This is a neat little device. Thanks to Chris for all the great info shared. And thanks to Stefan for the TTL script and info about stopping FOTA.

      1. Malias

        Hi, I’ve been trying to use QPST but it keeps blocking me requesting the SPC. Have you been able to get around this somehow?

  18. Jefferson

    I was having trouble following the SIM unlock instructions, like some others have mentioned in the comments.
    This may help: when you navigate to the Settings tab on the Web UI, a popup asks for the password. This is not the generated unlock key; it is just “admin”.

    From here I had to set a new password, then I was able to get into the Settings tab and view/change settings.

    Under Settings > Mobile Network > SIM – scroll down to Carrier Unlock and this is where you need to enter the generated unlock key. Right above mine now says Carrier Unlock Status: Unlocked

    1. Tom Smith

      No need to ruin a good thing.

      This was already referred to at the top of the article:
      “Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.”

  19. matt

    I booted one of these devices up, fresh out of box without installing the SIM card
    -rooted
    -carrier unlocked
    -modified the OTA upgrade script to not work and added TTL modification script
    -added APN for visible wireless and set it to active
    -shutdown / installed visible sim
    — it booted, connected, and ran very well.

    then — i inserted the stock tmobile test drive sim
    it booted and worked, connected…..did some testing…
    but it re-locked the carrier unlock status and did some kind of binding to make the hotspot only work with the tmobile sim.

    When i try to use a non-tmobile sim in this hotspot, it says “sim error” and the sim status shows locked.

    Has anyone else experienced this?
    I would recommend NOT using the test-drive SIM if you plan to work with this device and unlock it etc.
    I seem to remember previous test-drive sims doing a lock and binding the previous coolpad hotspots to only work with tmobile as well

    1. Anthony

      Did you use the hard reset button on the back of the unit after you unlocked the device? If so, it will need to be unlocked again. This drove me crazy for quite a while until I figured it out.

      Each time the hard reset button is used, the device will need to be unlocked again.

  20. Mark

    I’ve been trying to find where/how to edit APN settings that aren’t available in the web GUI. Could you please provide some guidance?

  21. NotReallyMyName

    Thank you!

    Generated and entered the unlock code and now my device is reporting “Unlocked”.

    Firmware version: R717F21.FR.1311

  22. Ben

    Anyone have any luck with ECM or RNDIS using the USB port? There seem to be 3 modes, but none of them work on any of my machines. Would like to use it with a WatchGuard firewall as a failover ISP via USB.

    1. Ben

      Disregard, I had about half a dozen USB to microUSB cables that were all just charging cables (no data). After using the correct cable everything worked great.

  23. Aviv

    Thank you for sharing the information. It was easy to unlock, enable SSH and ADB. Just a question, is there any advantage to upgrade to a newer firmware beyond 891?

  24. rich

    This is super helpful, thank you for your work.

    I have a question, I’m reasonably technical but am not super fluent with everything done from the command line. So I’ve unpacked and edited the config to change the update URL and repacked everything into hotspot_cfg_packed.tar, how do I convert that back into the encrypted .bin file?

    My best guess was the following, but it spit out an error on my MacBook Pro running macOS 11:
    rich@rbookpro hotspot % openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg_packed.tar -out hotspot_cfg.bin -k frkenc##KEY@R717
    bad magic number

    Would appreciate any help. What is the underlying issue?

    Thanks in advance

    1. KYP

      You’re using the -d flag which is for decryption. Remove the -d flag when you’re re-encrypting it back into the .bin.

  25. Dexter

    Hi, I tried the above steps and generated the code; it gives the message below.

    The initial version was _891, later updated to FR.1311, but I am still getting the message below. I also tried to reset the device, but it didn’t work.

    Incorrect Unlock Code
    You will need to contact your service provider to get the unlock code.

  26. nelson h

    I unlocked it without any problem, thank you for all the information on this page.

    I plan to have this hotspot unattended far from home, is there a way to configure a DDNS ??

    thank you

  27. jPi

    Once you ssh into the device, you can change the password by using the passwd command. You can apply a blank password.

    You can generate the unlock code directly on the device — use this command (all 1 line)
    /var/volatile/www/htdocs/cgi-bin/webpst.imei_mac.cgi | awk '/imei/{printf( substr($2,2,15) "simlock")}'|sha1sum|cut -c1-8

    1. edgar mora

      This is the correct code:
      /var/volatile/www/htdocs/cgi-bin/webpst.imei_mac.cgi | awk '/imei/ {printf substr($2,2,15) "simlock"}' | sha1sum | cut -c1-8

  28. Ivan

    Perhaps I am missing something here. The device was unlocked easily, but I am not able to SSH due to the incorrect password ‘frk9x07’. How do I find the real password for SSH? Other than that SSH problem, great forum. Thanks.

  29. romesh

    This page is really helpful, but I am still stuck on my problem. It seems my device bricked while getting the updates from T-Mobile. It’s not showing any Wi-Fi broadcast, and reset keeps showing “Factory reset Restarting Now”. I logged in to webpst and uploaded R717F21.FR.1312, but after 1-2 minutes while writing it, it shows me upgrade failed. The hidden menu shows web version FR.1312. Is there any way to reinstall 1312 or 891 via openssl, or any other way to reset?
    Thanks

  30. ERic

    Hmm somehow my hotspot did OTA and was bricked, LCD gets stuck at WELCOME message and never even starts up the hotspot. Any ideas on how to reflash/reset?

  31. Andy

    Where do I download 891 to downgrade? Mine got updated to 1131 and I could not enable SSH. Per the instructions, how do I run ty-enable-ssh.py to enable SSH for 891+?

    1. jPi

      You have to load Python on your computer; then save the T9’s configuration (from the menu) to a file on your PC; run python ty-enable-ssh.py hotspot_config.bin, which will generate a new config file. Then upload it back to the hotspot.

  32. Erik

    Awesome work. I see the engineering and other passwords plainly visible in multiple places…what a convenient mess! Do you have any insight into the configurations loaded through the “Change Target” menu? I was thinking of making a universal configuration to load in it, as I see that using the unbranded ‘Default’ breaks things like the ability to enter the SIM unlock code, however I haven’t found where the other configurations are stored to use as an example.

    The hidden menu also has a disabled debranding page (among others) but navigating to it shows that the corresponding cgi (and perhaps the files that debranding would want) are missing, at least at a glance.

    I wonder why accessing factory reset menu in webPST calls for the SPC?

    1. Jay Fyre

      Different config settings are loaded from /etc/default/configs/*
      It may be possible to just add your own there in a new folder?

      The unbranded, Franklin and SKT configs don’t actually set a SIM_LOCK like the TMO/Sprint configs do which might be why the option to unlock the SIM goes away. I haven’t tested if the lock itself goes away when switching to those configs. Since the original config is TMO (with lock set), the SIM_LOCK NV value may be sticking despite the new unbranded/SKT/etc configs not using a SIM lock. And if set to unbranded/SKT from factory… then the TMO/Sprint SIM_LOCK NV setting never gets set and there’s never a SIM LOCK to remove.

      And the reason the SIM LOCK comes back after a factory reset is because the TMOBILE config gets rewritten.. which then rewrites the SIM LOCK NV value.

      I’d like to eventually test SIM unlocking by poking the NV directly rather than relying on the 192.168.0.1 pages.. just to figure out how to clear it out of the NV properly. The SIM_LOCK NV value set by TMO/Sprint is: 00 02 00 65 00 00 36 01 a0 00 36 01 c8 00 36 01 d2 00 36 01 dc 00 36 01 e6 00 36 01 f0 00 36 01 fa 00 36 01 04 01 36 01 0e 01 36 01 2c 01 36 01 36 01 36 01 ea 01 36 01 12 02 36 01 4e 02 36 01 80 02 36 01 94 02 36 01 20 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d3 00 00 00 0a 00 00 00

      May just be as simple as zeroing it out to remove the lock… not sure yet.

    2. Dre

      Take a look at the configuration folders:
      /etc/default/configs/

      Also the following file:
      /usr/bin/change_carrier.sh

      This might help with the custom builds.

  33. Romesh

    My auto upgrade stuck and now only seeing blinking led. Tried upgrading/downgrading ENC file but after 62%, it’s throwing Firmware failed error. SSH is not enabled. Is there any way to rewrite the firmware? Please help, Seems my device is bricked.

  34. natthawk

    This is awesome! I had played around with it a few months ago and managed to gain root access and unlock the SIM on my own through a bit of trial and error. I never reached this level of reverse-engineering, though!

  35. Chris

    Is there a way to put the T9 into “bridge mode”/firewall-less, or a mode where I can put my own NATing router/firewall behind the T9 tethered via USB, so I’m not double NATing?

  36. natthawk

    Hmm… is FR891 using a debug kernel?
    This is what I see in /var/log/dmesg
    [ 0.000000] **********************************************************
    [ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
    [ 0.000000] **
    [ 0.000000] ** trace_printk() being used. Allocating extra memory.
    [ 0.000000] **
    [ 0.000000] ** This means that this is a DEBUG kernel and it is
    [ 0.000000] ** unsafe for produciton use.
    [ 0.000000] **
    [ 0.000000] ** If you see this message and you are not debugging
    [ 0.000000] ** the kernel, report this immediately to your vendor!
    [ 0.000000] **
    [ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
    [ 0.000000] **********************************************************

    Why would this be? This keeps getting more interesting…

    Reply
    1. natthawk

      If you haven’t yet set up a password, the default for the interface is user:admin and password:admin. If that doesn’t work, just factory reset and try again, because that will set it back to the default admin:admin credentials.

      Reply
      1. tdi200

        Hey bud, thanks for the reply. Indeed you were right, as when I opened the link it asked me for a password, which was “admin”.

        You will need access to a Linux or Mac terminal or Windows 10 running WSL. I was able to get the unlock code using this free terminal link: https://cocalc.com/doc/terminal.html

        On the terminal type:

        export IMEI=YOURIMEIGOESHERE

        echo -n "${IMEI}simlock" | sha1sum | cut -c1-8

        It should give you your unlock code.

        And then go to http://mobile.hotspot/settings/mobile_network-sim.html under “Carrier Unlock” to unlock it (remember your laptop/PC needs to be connected to the Franklin T9).

        Reply
        1. Bobby Jr

          Hi, I received my unlock code but the web page is not allowing me to apply the unlock code. Desired action has no options available and the button itself is greyed out! Please help, can I apply the unlock code through terminal?

          Reply
  37. JRocket

    For anyone having issues with it auto updating/boot looping: take your SIM out, restart it, downgrade back to 891, factory reset it, unlock, change your target in the engineering menu to TMOBILE_GCF, reset the device again, and when you try to update it says you’re on the latest version 891.

    I believe you can also stop the OTAs through a config, I just didn’t have the ability/time to do it, so I found this temp fix.

    You lose 3 Sprint bands this way but since I have an ATT SIM in it, it’s not a big deal.

    Reply
  38. holocron

    Crap…forgot what I set the “admin” password that defaults to “admin” to when I did this. Is there a way to force change it via one of the DEV pages? Guess I need to factory reset and redo the unlock otherwise.

    Reply
      1. Holcoron

        Sadly, I can’t get root password to work. Maybe I’m still doing something wrong but I tried to login via root with Putty.

        Reply
      1. Matthew

        Thank you very much for your contributions. If possible, could you modify the page so we can edit the TTL easily?

        Reply
      2. SL

        By any chance was the password to ‘http://192.168.0.1/hidden/’ updated as part of the changes you made? Looks like there isn’t a password reminder nor will frk@r717 work to gain access to band configs.

        Reply
        1. ServError

          Are you sure you flashed V2? I have access to the hidden page using the default password and a reminder is present on the login dialog box.

          Reply
      3. Neil

        Hi ServError,
        I installed v1 and then v2 following your instructions and my T9 seems to be working well. It’s unlocked, running a Tmo MVNO SIM just fine.
        My only issue is SSH off. Can’t seem to figure out for the life of me how to get SSH on.

        Reply
    1. bryanus

      Extracted your modified 1311, but now wondering how to actually flash it? I tried the web GUI “Software Update” and selecting the ota_update_all.zip file, but after a few seconds of uploading it, it returns an error “Invalid file”. Am I doing this right? TIA.

      Reply
  39. Holocron

    Question about the firmware:

    I am still on the “stock” 891 firmware. Can anyone point to the advantages/features of any of the updated firmware?

    Reply
  40. Jim

    I can make AT&T LTE work on firmware 891, but not 1131 (1131 always says SIM error). So I revert back to 891.

    If anyone knows how to make AT&T sim acceptable by 1131 firmware please let me know. Thanks.

    Reply
  41. jeff

    1. This morning I inserted my tmobile SIM and suddenly it worked and let me WIFI into the system and I flashed 891 firmware immediately successfully.

    However,

    2. When I tried to unlock it again manually like I did last time, it said my unlock code is incorrect, which I double-checked was the correct one that I used last time successfully. Looks like T-Mobile did something to the unlock mechanism.

    Can someone help figure out how to unlock it again?

    Bests,
    Jeff

    Reply
  42. jacob

    All this information has proven very useful and educational. Thanks for all your effort in sharing it. Using the T-Mobile T9 (Franklin Wireless R717) I noticed that if your firmware is higher than 891, activating SSH through the hidden menu is not possible. I rolled back mine from 1131 to 891 and had no issues activating SSH in the hidden menu.

    Reply
  43. PandaDeng

    Thank you Chris and everyone involved.
    I got everything all setup and working.

    I got this device for creating a hotspot in my car so that my Android headunit can connect to it and use it for Spotify and Google Maps.

    I found out that the device works without the battery if plugged in which is great for keeping in a car that can get really hot in the summer.

    I really want the T9 to auto turn on whenever it’s plugged in (car turned on) without me turning it on manually.
    You guys think there’s a way to do this? Software or Hardware mod.

    Reply
    1. Wes

      PandaDeng, did you ever find a way to auto turn on once plugged in? I have a similar use case. For me I need to use this to remotely manage door lock access codes. I’d rather not keep the battery in it to avoid overcharging / overheating / failure, but if I leave the battery out and the power goes out, it won’t auto start and then I’ll no longer be able to control the access codes. It’s not a problem for it to go out temporarily, but when I need to change the codes I need it to work. I’d be grateful for any ideas!

      Reply
      1. Robpol86

        I found that if you hold down the power button it will fully power on when plugged in, and won’t turn off. I ended up cutting a piece of plastic to wedge between the inside of the case and the power button so it’s always pressed down. So far it works pretty good for me.

        Reply
  44. Scott

    Is there a way to view signal level info like RSRP, RSRQ, SNR?

    Doing the test drive and I’d like to have better info to look at, not just a five bar “it’s fine” indicator.

    Reply
  45. Trent

    Has anyone figured out how to display arbitrary text on the LED screen?

    Also, I’m thinking of writing a little script that changes the APN after boot depending on the ICCID.

    Reply
  46. Eric

    Hey Chris,

    I’m wanting to use one of the backup config files as a template to change SSID, password, device limit, etc. Is this possible to do, and if so how do I actually get into the directory? I’ve downloaded a copy of the config file now as a backup, but the ssl commands aren’t working.

    Thanks in advance!!

    Reply
  47. Mehhish

    I cannot use any other sim card other than the one that comes with the device on the latest firmware. Even the modded latest firmware. It’ll only work if I downgrade to 891.

    Also, I had a blast modding this device!

    Reply
      1. Chris B - Admin Post author

        As mentioned earlier, I will not be generating codes for people and I will be censoring any IMEIs posted. Please read through the comments, there are multiple documented ways to generate your own unlock code.

        Reply
  48. Alex

    Hello Guys,

    Need help!

    I have my Franklin T9 device bricked. It was updating software when I dropped it and the battery came out causing the device firmware update to fail.

    Now the device is switching on but nothing is working. The mobile.hotspot page is working but no information is available on the page. Same with hidden and webpst. I did try to force firmware to the device using the webpst page but it failed. The IT admin page is asking for a password but the one provided here is not working, so I am unable to load the .cfg file.

    Any help is appreciated.

    Thanks

    Reply
    1. Eric

      Have you tried resetting to factory default? If not, pop off the back cover and hold down the reset button while the device is on. Also see some of the above comments about resetting a brick.

      Reply
  49. Eric

    I need some help repackaging the config file. I’ve tried to just walk it back through the command prompt after successfully unpacking everything, but when I attempt to restore from the backup it fails. I have a feeling the problem is with the way I’m re-encrypting the .tar file. Steps below:

    – Edit XML config file
    – In command prompt:
    $ tar cf [hotspot_cfg.tar] [data]
    $ tar cf [hotspot_cfg] [hotspot_cfg_2] <-- this includes hash/model/hotspot_cfg.tar
    $ openssl enc -aes-128-cbc -md md5 -in hotspot_cfg.tar -out hotspot_cfg.bin -k frkenc##KEY@R717

    I've seen Chris' comment about the python script and have looked through it, but I'm not very familiar with python. Any help with this would be greatly appreciated.

    Reply
  50. Allen

    I used the R717F21.FR.891_ota_update_all.enc download from your Mega drive, and updated using the web page’s “restore from Backup” with this file, but now I can’t turn on the device, just the power button light is flashing. What should I do now? How do I reset the device? Thank you so much.

    Reply
  51. Gerald

    My end goal was to use this as a hotspot with a T Mobile sim, but for fun I also SIM Unlocked.

    Quick guide for me-

    I ssh’d into the device in terminal with command
    ssh root@192.168.0.1

    when asked for the password it’s frk9x07

    now you want to change the TTL with command
    echo “Setting TTL on $INTERFACE to $TTL=65

    you should see the system confirm

    Ran command
    exit

    Completed speed test and verified TTL was -1 at 64.

    for sim unlock code I used website https://jsfiddle.net/4zds6531/ and put in my IMEI- wrote the code down and plugged it in the mobile.hotspot page and the device rebooted and is now unlocked.

    Reply
    1. Geo

      If I use Putty for ssh, is this command run at the top level directory and then logoff?
      echo “Setting TTL on $INTERFACE to $TTL=65

      Also do I need to run this command every time when I power up the T9 to set the TTL?

      Reply
    2. Josj

      Does this TTL change only affect tether? In other words, I’m not seeing a TTL change when connected via WiFi to the T9.

      Reply
    1. Dozer

      Nevermind, I was only using the device tethered but after setting up the WiFi address/pw the WebUI is still easily accessible and USB mode can obviously easily be changed from webpst menu.

      Reply
  52. mike33_an

    Most of you guys posting are way more talented geeks, but thanks to this thread I turned the free Test Drive Franklin T9 into a budget backup hotspot to cover gaps in the field and at home when the wired Internet and wifi crap out.
    Bottom line: used https://jsfiddle.net/4zds6531/ for the SIM code unlock. Used my initial $15/mo T-Mobile Connect UNL Talk & Text w/2GB data SIM card to get a number & to confirm speed/coverage. Changed the plan to a mobile data only (2GB) option @ $10/mo. Ran that SIM on my phone, powered off and put that SIM card into my now unlocked Franklin T9 and restarted the T9. Voilà! A complimentary Franklin T9 Mobile Hotspot. T-Mobile has the superior LTE data throughput inside my home vs ATT/Verizon. I can upgrade/downgrade the prepaid data plan as needed without carrying the extra expense of a voice/text plan, or just activate/deactivate data service as needed.
    Yes, T-mobile stuck me for $25 on the initial SIM card cost and activation for the Prepaid phone SIM.
    Still not clear if an unlocked T9 works with Mobile data only AT&T SIMs or Verizon SIMS or MVNO data only SIMS plans or what exact tweaks accomplish that.

    Reply
  53. natthawk

    Ok so I managed to hard-brick my t9 worse than anyone else so far (lol). I accidentally deleted /bin (long story) and it started bootlooping. However, I did find out that you can enter fastboot mode by shorting the two small pads on the PCB next to the display connector while powering on (you might have to pop off the metal EMI shield).

    Anyway, I tried to flash a new system image with fastboot, but it appears that the system.img is not included in the ota images provided above. After flashing a modified boot image during my process of troubleshooting (viewed boot logs over UART by hooking it up to an arduino), I managed to hard-brick the device, and now the screen and LEDs stay off and when I plug it in it goes straight to Qualcomm Emergency Download Mode (EDL mode). I can’t even reach fastboot anymore or ADB–it appears that it is only loading the Qualcomm “primary bootloader” and not even the Franklin secondary one. The boot process seems to be four stages:

    1. Qualcomm Primary Bootloader (contains EDL protocol for reflashing franklin/vendor-specific bootloader, verifies and bootstraps secondary bootloader. Factory-set in ROM). — I’m assuming that my system gets stuck here because the verification of the modified boot.img I flashed fails.

    2. Franklin (secondary) bootloader — (seems to take care of rest of POST and preliminary system checks. Activates Wifi radios, battery management, other device-specific systems, then loads tertiary android bootloader) However, also seems to contain the linux kernel itself that the following android bootloader loads into RAM (further research required, I’m very uncertain about this process)

    3. “aboot” — (android bootloader, this is what loads the linux kernel/mounts the filesystem. This is what fastboot interfaces with.)

    4. Linux — (the actual OS itself)

    Because the OTA updates appear to be only patches rather than full system ROMs/images, here’s what I would like:

    Can someone with a working device dump the ENTIRE filesystem and upload it to a mega or an admin email it to me? The device supports a SCP connection in SSH mode so this shouldn’t be too difficult. You can also use adb. I would really like a complete “factory” image to help me troubleshoot once I manage to reflash the secondary bootloader through EDL (boot.img, this is included in the ota files Chris provided).

    Reply
    1. ServError

      Unfortunately, unless you know a way to unlock the bootloader, fastboot won’t let you overwrite system or recoveryfs (recovery and most other partitions are fine though). Your only real shot is to use EDL to write a new system image. Bjoern Kerler’s EDL tool is most promising for streaming download to NAND based devices, but it’s a work in progress and doesn’t play nice writing to our units yet (dumps work fine). There are other methods, but they’re very manual. I have dumps of all the partitions. If you find an EDL flashing method that works for you, I can get you a clean system.img if you still lack one (my current dump has a lot of my own personalizations).

      Reply
      1. natthawk

        Hi, sorry for the delayed reply.

        Great minds think alike, I guess, since I tried this very tool to no avail :/ Now I’m beyond even trying to reflash system.img as I said above because I accidentally flashed a modified boot.img. I can’t get the flash programmer mbn file to cooperate, and I don’t even know if it’s legit since it’s a random one I found on a sketchy forum, and I’m also brand new to this Qualcomm Sahara/firehose stuff and how it works so I don’t really know how to troubleshoot either. When I view boot log over UART, it throws an ELF verification error when verifying the boot loader, then drops itself into 900E mode. Fastboot is inaccessible since the android high-level bootloader is never activated.

        When I try to flash the boot.img to “boot” with EDL Tools using NPRG9x07.mbn as the loader it accepts the programmer (loader), returns the serial number, and then errors out with a python traceback 🙁 This even happens when I try to dump partitions. ENPRG9x07.mbn also doesn’t even get accepted in the first place. Also, it’s not even showing up in 9008 (EDL) mode, it’s showing up in 900E. Could you share the programmer file you used/the specific command that worked and what platform?

        Plus the device uses UBIFS as a file system, which is a whole other level of abstraction I had basically no knowledge of before a week ago.

        I guess my next course of action is to try to interface with the (very nicely labeled, thanks Franklin!) JTAG pads on the PCB, unless you can get EDL write working, but this will be a hassle and probably require some soldering.

        Reply
      2. lee

        My Franklin was reported stolen once I bought it from the owner, what a jerk.
        Anything I can do to use it as a hotspot?

        Reply
  54. XL

    Latest device has a different firmware and different unlock procedure. By going though the js code, it seems that they are using AES ECB base64 now with key “abcdefghijklmn12”. Not sure about the special code though.

    Reply
  55. Ikouy

    As someone who has this device as part of my postpaid plan I’m glad to see the firmware available for download. Typically I like to reload the firmware when the device crashes as a fresh coat of paint but T-Mobile hasn’t been able to provide it for me.

    Thanks.

    Reply
      1. zhoushiyi213

        I believe I received the same unit. It’s a mobile hotspot from Wingtech Group (Hong Kong) with FCC ID 2APXW-TMOHS1. I guess it’s a new product; no more LCD screen and just dimmable LEDs below the T-Mobile logo. It has 5G and 2.4G wifi but cannot operate both simultaneously. Apparently and sadly the Franklin hacks don’t work on it at all…

        Reply
        1. natthawk

          Did some research on it. Here’s the manufacturer’s website: http://www.wingtech.com/en (in terms of product support, it’s even less transparent than Franklin’s barren support website, lol)

          Here are some notable specifications from T-mobile’s info page on the device, which I pasted a link to in a reply below:
          – 256MB RAM, 512MB ROM (I think the T9 only had 256M rom, but someone can correct me)
          – MDM9207 CPU/SOC (Same as the T9 – I’m guessing the firmwares are very similar)
          – USB C (yay!)

          If someone with the device uploads the HTML and JS source of the web interface, maybe we can get a head start on reverse-engineering it. Let’s hope Wingtech learned their security practices from Franklin, lol.

          Reply
          1. Dominic

            Just received the TMOHS1 version as well. Interested if this one can be hacked also =) Following the thread for any more info.

            How do I upload the HTML and JS source of the web interface?

      2. Zetar

        Also got a different MIFI device from T-mobile, modeled as “TMOHS1”
        Searching with the model name leads to some FCC certification docs, and nothing else quite available yet. Here’s a photo of the device I took. The tiny display is replaced by several indicator lights. One good thing about this device is USB-C is used for charging now

        Reply
      3. Al

        here are some details from the information page on the TMOHS1 GUI (I don’t have SIM inserted so some of the details are missing or removed)

        Phone Number Unknown 
        IMSI Unknown 
        IMEI _REMOVED_
        Signal Strength Unknown 
        Network Name (SSID) _REMOVED_ Change 
        Max Connected Devices 8
        LAN Domain mobile.hotspot
        MAC Address _REMOVED_
        IP Address 192.168.0.1
        WAN IP Address Unknown 
        Software Version TMOHS1_0.04.18
        Hardware Version 89527_1_11
        IMEI SV 4
        Model Name TMOHS1
        T-Mobile Customer care number 1-800-937-8997

        Reply
        1. compraguru

          Can you explain to me with which program I can do the SSH access and root? ’cause I don’t even know where I have to paste the commands :c

          Reply
  56. Pingback: T-Mobile Mobile Hotspot TMOHS1 - Rotar E@rth

  57. Allen

    Hello, my T9 is version 891. I have unlocked it and set the visible APN, but as soon as I put it in the visible sim card T9, it locked again. The visible VPN is gone. When I put it in Google fi, everything is normal. I don’t understand why the visible doesn’t work.

    Reply
    1. Mike

      I have Visible working on the T9 with this apn “VSBLINTERNET” not very fast speeds though 12-15 mbps. I put the Visible sim in a phone and get 45-50 mbps.

      Reply
  58. Mike

    Just received the TMOHS1 also. Is it normal to have the sim activated as soon as it is powered on? I never activated it. The speed isn’t very fast (about 13-16 mbps).

    Reply
  59. ERIC

    Anyone able to enable the OTG function of T9? We can use this to install Checkra1n and Jailbreak the iPhone.
    Also, if the screen could be used to show the status of jailbreak, that would be perfect.

    Reply
  60. Al

    There is a hidden path for the TMOHS1, not sure if it’s useful but it’s
    http://192.168.0.1/#/FotaHide and present you with the following options

    FOTA Server settings
    Switch to product server Apply
    Switch to STAGING server Apply
    Switch to LAB Server Apply
    Remove OTA bootstrap Apply

    FOTA Server information
    ServerID TMOFOTA1
    ServerAddress https://omadm.iot.t-mobile.com:443/omadm-server/dm12
    ServerPort 443
    ServerAuthName TMOFOTA1
    ServerAuthType DIGEST
    ClientAuthType DIGEST

    FOTA Scheduled events
    Delaytimes 0

    Reply
    1. x-r-c

      I did some digging on DIGEST Authentication and trying to get the rom file. I’ve been getting 405 error. @Chris B, can you provide some guidance on where should we look at next to somehow get the rom file? Thanks!

      Reply
  61. Oranges

    Yes mine was online as soon as I powered the TMOHS1 on as well, though it took about 30 minutes before it would work properly (provisioning time I guess?)

    Following for unlock updates.

    Reply
  62. Jason Robinson

    Hey fellers. I have the T9 unlocked, but I can’t get the ATT SIM card to work. I’ve tried setting different targets and APNs. What am I missing?

    Reply
  63. Jay

    As soon as I turned on my TMOHS1 it activated and the time started ticking. The speeds I get are never above 10Mbps. That is pretty crappy if you ask me. I’m hoping we can unlock these and perhaps get better speeds with other carriers.

    Reply
  64. Enrico

    I’ve enabled SSH but need assistance in configuring ttl settings. I have the code necessary but not sure where to begin and not very familiar with Putty or others. Note I’m on MAC. Can anyone assist?

    Reply
  65. Picksix

    When accessing mobile.hotspot > Settings I am prompted with a login screen. I use the default password of “admin” and the password prompt disappears but I am left with a greyed out screen and I am unable to access the settings page. I have tried factory reset via back panel button but I get same results each time. Any work arounds? I am currently downloading FR.891 to see if a rollback works.

    Reply
  66. jim days

    I have limited computer ability, but I wanted to ask a few questions about the Franklin R717.
    My internet provider is Sprint, which is billed through “PCs for People” which provides $15/mo internet for low income people. The drawback is there is no service or help if you have a problem. In my experience, after about two years of service with a given modem, the cell towers make some change that makes the modem not connect for the average person. Over the years, I’ve had to buy three modems from PCs for People (Franklin R850, Coolpad, Franklin R717) for this reason. Two things that have extended the life of the modem are:
    1)”update data profile” and “update prl”
    2) disable one or more of the 3 bands
    Disabling the bands requires the MSL/password. On the Franklin r850, I was able to use another post that showed how to bypass the MSL/password (using the html trick that you mentioned). On the Coolpad, I found no such trick, but after calling Sprint several times, they gave me the MSL/password for my modem. On the Franklin r717, I was able to use the html trick, but the band priority doesn’t show properly (can’t choose band), see attached photo (https://files.videohelp.com/u/61125/t9a.jpg). In your post, you gave an MSL/password (frk@r717) that you got by your methods (above my ability) to be able to disable bands. But very oddly, your password worked on my r717. This is very strange, because I think each modem has its own unique password. Also very strange, when I entered the disable band screen using your MSL/password, the band priority now shows, see attached photo (https://files.videohelp.com/u/61125/t9b.jpg).
    So can someone tell me:
    1) why does your MSL/password work on my r717? It seems that your MSL/password is some kind of master password that might work on all r717, because I think (based on the passwords given from Sprint on the r850 and Coolpad) the MSL/password should have 6 digits, no letters or @ sign, and not contain the modem model (frk,r717).
    2) when using your MSL/password, why does the band priority appear, when I use the html method, the band priority doesn’t appear?
    3) There is a screen on the r717, see attached photo (https://files.videohelp.com/u/61125/usage.jpg), that sets the data usage limit. I thought the usage limit was set by Sprint. This modem was shipped with a 20GB limit. I’m assuming that when I reach 20GB, the internet will stop. But it appears that one can increase the usage limit simply by typing in a larger number. Is this true? If so, what is the point of having a data usage limit screen on the modem?

    Reply
  67. jake

    I’m having a lot of problems with the instructions. So, you download this file from mega “R717F21.FR.1311_ota_update_all_sm.enc” then run this command?

    openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##KEY@R717

    I searched everywhere in that tar file and can’t find the “hotspot_cfg.bin” file to do the next step.

    When I run the next command, it says this: “hotspot_cfg.bin: No such file or directory” (obviously the file isn’t there). What am I doing wrong? Am I supposed to pull that image off the hotspot? I’m running Big Sur on a Mac. I’m completely lost in what to do next because I have no access to the hotspot to pull files off or anything.

    Reply
  68. Thomas

    I finished setting up the Sim Unlock/SSH/ADB, and was wondering if we needed to do the step for the config file? I tried to run this command once I had a SSH connection, but it doesn’t work. (openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##KEY@R717) Really happy this thing was able to be unlocked!

    Reply
  69. Kyle

    I used to have one of these! Gonna have to see how much they cost so I can get another one. Had no clue this was even possible.

    Reply
  70. Bernie

    My Franklin auto updated last night. Ugh. I thought I had done everything right. Current firmware is R717F21.FR.2602. Having trouble downgrading back to firmware 891. When I try to upload the firmware file from Mega, it uploads until about 20% and then errors out with the message “Error occurred at file sending.” I’ve factory reset the device and tried both usb and wifi to upload but no luck. Any tips?

    Reply
  71. Steevo

    I have an R850, all the stuff posted above worked on it, for the login pw I had to substitute r850 for the r717.
    That has now stopped working, the secret page with the settings now returns a 404 page.
    It seems Franklin might have changed it. Does anyone know how to access it now?
    I’d imagine they would have changed the address the unit calls home to as well.
    I guess Franklin’s engineers are reading the same page we are. Heh.
    Chris, are you able to look at that?

    Reply
  72. MJ

    Hello since the 2602 update I no longer have any hidden pages. For some reason I am also not able to downgrade the version with any of the files above anyone have any clue what I should try? Any help is appreciated.

    Reply
  73. Chris

    Hello! Not sure if you’re still monitoring this post/site, but I’ve got an issue with my brand new T9 that I cannot seem to resolve.

    My device came with firmware version 2602 and refuses to be downgraded to 891. I have tried every combination of things I can think of (SIM in, SIM out, reboot, factory reset, connect via USB to PC and Mac) but every time I try to upload the older firmware it fails.

    I also am not able to access the /hidden, /webpst, or /engineering menus. I return a 404 not found error for all of those.

    If you’ve got any suggestions I’d love to hear them!

    Reply
    1. Orlando Teixeira

      Chris,

      2602 had a bunch of security updates, it upgraded mine and I can’t get it to downgrade either. They moved the hidden stuff as far as I can tell. I can’t wait until we find a way around this as it screwed me pretty hard (it does not pick the best channel in my area). Some people are able to downgrade but my guess is yours get stuck at 35% and fails? That is exactly what mine does.

      Reply
  74. Josh

    Also can’t access hidden menu any longer due to OTA update to 2602! Terrible as my thousand dollar investment to get internet is now completely ruined!

    Help!

    Reply
  75. JC

    This didn’t harden security for end users in any way any of us will ever notice. It only screwed us over. Thanks!

    Reply
      1. BDT

        Fuck that shit! Sharing stuff like this is the whole bread and butter of open source and the point of the internet. I say you did an awesome thing, I picked up so much useful knowledge in just attempting and completing the steps you laid out so simply and clearly. One way or another this security flaw was going to get patched, and someone in the company should have rewarded you for discovering and preventing what could eventually have been a major security flaw later if anyone ever used these for more than just unlocked boxes. These were give away throw-away devices long past end of life anyhow. Thank you for sharing. I look often over your blog hoping for more insight.

        -Bubba DeeS Troy Von Spankleton III

        Reply
  76. Fuzzy

    If you are resetting yours a lot and playing with targets etc., to prevent it from updating edit /etc/hosts and add
    127.0.0.1 fota.pintracview.com

    the OS has VI installed

    Reply
    1. fuzzy

      as well as
      127.0.0.1 t9datafiles.s3.us-east-2.amazonaws.com if you accidentally turn on remote management

      Reply
      1. Marc T

        When I change /etc/hosts using vi, my changes stick until I reboot. After a reboot, it returns to the default /etc/hosts.
        I am on firmware 891.

        Reply
  77. Sam

    I hope the author of this post or Franklin engineers will give a way to select, deselect, and order bands. The capability is needed in many areas of the country.

    Reply
    1. Les

      Neither the author of this post or Franklin engineers will do that. It’s up to T Mobile to allow users to select band priority and they won’t do that either. I was able to select any band I wanted through the hidden menu but nobody knows where it is now. I just wrap the front cover with aluminum tape to force the device to change bands, mostly from B41 to B4 but sometimes I get a band I don’t want. If anybody knows where the hell the hidden menu is, speak up!

      Reply
  78. Fuzzy

    Has anyone gotten cron to work on the T9’s version of busybox? It’s installed and appears to be running but I can’t get anything I schedule (via crontab -e) to run. I’ve tried classic cron notation with times as well as @reboot and */ notations.

    Reply
  79. Fuzzy

    Just some info I put together that will likely help someone.

    ——————— to add your own user/password
    1. ssh into the hotspot
    2. add a user by typing the following (replace admin with any id you want):
    adduser admin
    3. make the user root:
    vi /etc/passwd
    change the line for the user you just added – edit the group from 1001:1001 (could also be 1000:1000) to 0:0
    4. ssh into your hotspot with your own account (this does get wiped with new firmware)

    —————–to automatically enable engineering on 1311
    type the following commands one at a time via ssh
    1. echo r717:frkengr717>/etc/pwlighttpd
    2. echo sleep 60 >/etc/init.d/startup.sh
    3. echo /usr/bin/copy_htdocs.sh eng >>/etc/init.d/startup.sh
    4. chmod 755 /etc/init.d/startup.sh
    4. cd /etc/rc5.d/; ln -s /etc/init.d/startup.sh S98startup.sh

    —- to enable crond`
    type the following commands one at a time via ssh
    1. mkdir -p /var/spool/cron/crontabs
    2. echo > /var/spool/cron/crontabs/root
    3. chmod 755 /var/spool/cron/crontabs/root
    4. crontab -e
    edit as you like using vi commands – ex run the script myscript.sh every 5 mins add the following line
    */5 * * * * /home/root/myscript.sh
    5. echo /sbin/crond > /etc/init.d/crond.sh
    6. chmod 755 /etc/init.d/crond.sh
    7. cd /etc/rc5.d/; ln -s /etc/init.d/crond.sh S98crond

    —- to set TTL on every boot
    type the following commands one at a time via ssh
    1. echo iptables -t mangle -F>/etc/init.d/ttl.sh
    2. echo export TTL=65>>/etc/init.d/ttl.sh
    3. echo export INTERFACE=rmnet_data0>>/etc/init.d/ttl.sh
    4. echo ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL –hl-set $TTL>>/etc/init.d/ttl.sh
    5. echo ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL –hl-set $TTL>>/etc/init.d/ttl.sh
    6. echo iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL –ttl-set $TTL>>/etc/init.d/ttl.sh
    7. echo iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL –ttl-set $TTL>>/etc/init.d/ttl.sh
    8. chmod 755 /etc/init.d/ttl.sh
    9. cd /etc/rc5.d/; ln -s /etc/init.d/ttl.sh S98ttl

    You can edit via the following if you want to change TTL to a different value
    vi /etc/init.d/ttl.sh
    you can run the command to reset ttl without rebooting to change ttl via the following
    ./etc/init.d/ttl.sh

    —- vi command guide if you have never used it before
    https://www.cs.colostate.edu/helpdocs/vi.html

    thanks again to the author of this thread – this has been allot of fun playing with this.

    Reply
  80. J

    Hello all, I had been using the T9 just fine with my Verizon LTE SIM after unlocking months ago. I hadn’t used it for a bit, and I recently powered up and went through a firmware update.

    Now my speeds are very bad. Less than 1.0 Mbps.

    APN settings are the same as I had configured to use the Verizon APN. Any ideas? Seems like the firmware update changed something, as I was getting good speeds.

    Reply
  81. Fuzzy

    Been poking at 2026. It seems they included both public and private keys for the settings file in the OTA.
    If ADB is still available and not locked down this may be a way into the hotspots.
    SSH is another possibility; the SSH root password hash is available as well, although it is using stronger encryption than before.

    I picked up another T9 from eBay to test this, but this one is stuck at 891 and I can’t upgrade or downgrade it. It is fully functional, just stuck at 891. The FOTA app is running, the settings file has it enabled, the hosts file and URL are all fine, and there is plenty of space. I have reset it, but it just won’t upgrade or downgrade. I have tried 517, 635, and 1311; they all fail the same way. I even tried to get it to upgrade via OTA, same result. These same images work on my other T9, so it’s weird I can’t get them to work. It goes through the whole process, then reboots, and it fails. It is fully functional at 891; the logs (at least the ones I have found) do not record any info on the upgrade process.
    Any ideas as to what else to check? If I can’t get this one to upgrade I’ll just buy another one and sell this one. Hell, most people here probably own one stuck at 891.

    Reply
    1. Chris B - Admin Post author

      For what it’s worth Fuzzy, I may have a downgrade solution in the works for those who are a bit more technical, so you may want to keep your eyes out for that or email me directly if you want some info.

      Reply
  82. Seth Black

    franklin R850 using uBlock Origin MSL bypass.

    how does one _prevent_ OTA firmware updates?

    webpst enable SSH? search for OTA file names cp to a backup and rm ?

    is there an info page or command line tool to reveal band in use? The cell maps sites show which bands are in use near my house but guessing has become too much of a MasterMind game.

    Reply
    1. Darko

      Also recently received a free Test Drive from T-Mobile and it wasn’t a T9 Franklin but a TMOHS1.
      https://www.t-mobile.com/support/devices/mobile-internet/t-mobile-hotspot

      Just in case: for now it can’t be SIM unlocked, even though the specs are similar between hotspot models.
      https://www.reddit.com/r/tmobile/comments/mawhaz/new_tmohs1_test_drive_hotspot/
      https://www.reddit.com/r/tmobile/comments/m7evpx/my_test_drive_arrived_today_questions_about_use/

      Reply
  83. Fuzzy

    In case anyone wants to use more than one of these on the same layer 2 network, I have found that all of the T9s have the same MAC address of F4:63:49:00:00:01 on the bridge0 interface.
    To change it on every boot do the following (change the MAC below to anything you like)

    type the following commands one at a time via ssh
    1. echo ifconfig bridge0 hw ether F4:63:49:00:00:04>/etc/init.d/bridgemac.sh
    2. chmod 755 /etc/init.d/bridgemac.sh
    3. cd /etc/rc5.d/; ln -s /etc/init.d/bridgemac.sh S20bridgemac.sh
    4. /etc/init.d/bridgemac.sh

    If you want to load balance or PBR between multiple of these you will likely need to do this.

    Reply
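The boot-time init scripts from comments 79 (TTL rewrite, crond, engineering mode) and 83 (bridge0 MAC) above, reworked as one added example. This is not code from the original post, from the commenters, or from Franklin. It writes the scripts under a staging directory so it can be tried offline (use / on the device), substitutes the values at write time so nothing depends on the login shell leaving $INTERFACE and $TTL alone, flushes both mangle tables so re-running does not stack rules, and instead of hand-picking a second MAC derives a unique locally administered one from a per-device seed such as the IMEI. Assumed, not stated on the page: a busybox sh with md5sum, cut and sed; the /etc/rc5.d/S<prio><name> link convention the commenters used; rmnet_data0 and bridge0 as the interface names given in those comments; the file name t9-init.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: build the T9 boot-time init
# scripts from comments 79 and 83 with safe quoting, under a staging ROOT
# (use / on the device).  Assumes busybox sh, md5sum, cut, sed, and the
# /etc/rc5.d/S<prio><name> convention.

# install_init_script ROOT NAME PRIORITY : script body is read from stdin.
install_init_script() {
    root=$1; name=$2; prio=$3
    mkdir -p "$root/etc/init.d" "$root/etc/rc5.d"
    cat >"$root/etc/init.d/$name.sh"
    chmod 755 "$root/etc/init.d/$name.sh"
    # Absolute link target, exactly like the by-hand ln -s on the device.
    ln -sf "/etc/init.d/$name.sh" "$root/etc/rc5.d/S$prio$name"
}

# write_ttl_script ROOT IFACE TTL : rewrite TTL (v4) and hop limit (v6) on the
# WAN interface.  Values are substituted now, so nothing is left for a login
# shell to expand; both mangle tables are flushed so re-running the script
# does not stack rules.  Returns 1 for a TTL outside 1..255.
write_ttl_script() {
    root=$1; iface=$2; ttl=$3
    case $ttl in
        ''|*[!0-9]*) echo "bad TTL: $ttl" >&2; return 1 ;;
    esac
    [ "$ttl" -ge 1 ] && [ "$ttl" -le 255 ] || { echo "bad TTL: $ttl" >&2; return 1; }
    install_init_script "$root" ttl 98 <<EOF
#!/bin/sh
iptables  -t mangle -F
ip6tables -t mangle -F
iptables  -t mangle -I PREROUTING  -i $iface -j TTL --ttl-set $ttl
iptables  -t mangle -I POSTROUTING -o $iface -j TTL --ttl-set $ttl
ip6tables -t mangle -I PREROUTING  -i $iface -j HL  --hl-set  $ttl
ip6tables -t mangle -I POSTROUTING -o $iface -j HL  --hl-set  $ttl
EOF
}

# la_mac_from_seed SEED : deterministic locally administered unicast MAC.
# First 6 bytes of md5(SEED); in the first octet set the local bit (0x02)
# and clear the multicast bit (0x01), so it can neither collide with a
# vendor OUI nor be a group address.
la_mac_from_seed() {
    h=$(printf '%s' "$1" | md5sum | cut -c1-12)
    hh=$(printf '%s' "$h" | cut -c1-2)
    b0=$(( (0x$hh | 0x02) & 0xFE ))
    rest=$(printf '%s' "$h" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    printf '%02x:%s\n' "$b0" "$rest"
}

# write_bridgemac_script ROOT MAC : set the bridge0 MAC early in boot (S20),
# before the network scripts that depend on it.
write_bridgemac_script() {
    root=$1; mac=$2
    install_init_script "$root" bridgemac 20 <<EOF
#!/bin/sh
ifconfig bridge0 hw ether $mac
EOF
}

# On the device (hypothetical file name):
#   . ./t9-init.sh; write_ttl_script / rmnet_data0 65
#   write_bridgemac_script / "$(la_mac_from_seed "$IMEI")"
# then reboot, or run /etc/init.d/ttl.sh and /etc/init.d/bridgemac.sh now.
```

To confirm the TTL rules actually took effect on the device, `iptables -t mangle -L POSTROUTING -v -n` (and the ip6tables equivalent) lists the TTL/HL rule with its packet counter, which should climb as traffic passes; the hidden menus do not show this.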
  84. eyeyeye

    I used the 50GB Red Pocket SIM in the T-Mobile Franklin T9 for a week, then it stopped working: “SIM Pin Lock sim disabled ..0 attempts remain until your sim is PIN unblock code locked. Entering an incorrect PIN too many times will PIN unblock code lock your SIM and you will unable to use this device. You will need to contact your service provider to unlock the SIM.” It’s a 4-digit PIN which I never set.
    I live-chatted with Red Pocket and they said the SIM is not disabled. They were right, as I got it working again on a different phone.
    My Franklin T9 shows current software version as r717f21.fr.1311
    What is the 4-digit SIM PIN unblock code / how do I unlock?
    thanks

    Reply
    1. bryanus

      I have a feeling RP blocked the sim for hotspot usage, but the rep doesn’t see it on their end. I’ve also just got my RP sim working (using APN: RESELLER) and at the moment it’s working great. Was planning to use it on a trip later this week. Hopefully I won’t run into the same issue as you and will keep it off until I need it. BTW, the default SIM PIN for GSMA is 1111, but it sounds like you can’t even enter the PIN.

      Reply
  85. Taco Pony

    I know this thread has been quiet for a while but does anyone know how to change the maximum DHCP Clients above 15 ?

    Reply
  86. p.elsie

    Is there any way to make the device boot when you apply power (no battery scenario), rather than waiting for someone to hold the power button?

    Reply
  87. p.elsie

    Never mind. Robpol86 gave the solution already. A couple Velcro ties, a toothpick, and some folded cardstock, and now the power button is pinned down. I’d love a software solution – but there’s no need to go looking for it now. I think I did see it reboot once without requiring a button press (maybe on the firmware OTA downgrade). So, there’s probably a software solution. But meh.

    I do love this hack, and the revisit to permit the downgrade. It’s awesome!

    Reply
    1. Jeff

      The T9 has fastboot if you hold down the WPS button while turning it on. You could try to run ‘fastboot oem off-mode-charge 0’ from a computer. There might be more things you can change with ‘fastboot getvar all’ as well if that doesn’t work.

      Reply
  88. steve

    Is there any way of verifying what the TTL of the device is actually set at? I have looked at the various hidden menus and did not see anything. I have set up the script to set it at startup, but want to verify that it actually works.

    Reply
  89. Richi

    Help….
    I downgraded to 1311 and I unlocked my device, but now it shows “NO SERVICE AVAILABLE” no matter which SIM card I change to… The SIM card was still working before I downgraded…

    Current Software Version
    R717F21.FR.1311

    Thank you so much!

    Reply
    1. jd

      I had that problem with it not connecting to the cell service, upgrade it back to the 2000 firmware. The hidden menus still work there.

      Reply
  90. Max O

    Dear hacker
    I hope you will apply your skill to the T10
    I keep getting the same ipv4 address which has a low integrity score preventing me from using some apps.

    Reply
  92. jd

    How do you increase the number of connected devices? I tried editing mobileap_cfg.xml but it doesn’t let me go over 15. I would like to not have to use an additional router to get more devices online…

    Reply
  93. Maor

    Hi Chris,
    mine is on 2602:
    Software Version: R717F21.FR.2602
    Firmware Version: R717F21.FR.M2602
    Build Date: Apr 15 2021
    Web App Version: R717F21.FR.A2602
    Bootloader Version: R717F21.FR.B2602
    Is there anything I can do? Any way to downgrade it?
    Thanks

    Reply
    1. Maor

      Ha, nm, I saw your update regarding the 2602, got mine downgraded no problem.
      Had a Tmobile SIM in it already, with data working.
      The downgrade was very quick, maybe 2 minutes and I was back up and running with 1311.
      Was able to run the python script and get an unlock code.
      Thanks much!

      Reply
  94. Eli

    Any idea on how to generate a lock code for the Franklin T-10? It looks like they are using a different method.

    Reply
  95. Zach

    I was looking for a way to poke and prod at the LCD screen. Luckily Franklin was nice enough to include a utility to allow you to display whatever text you want! It always seems to cut off the first char though.

    /usr/bin/guimgr_cli lcd_eng_mode xMessageHere

    It can be as long as you want, the LCD scrolls 🙂

    Can set it back to “normal” with

    /usr/bin/guimgr_cli lcd_eng_mode 0

    It seems overall they use nano-x as the GUI manager. If you want to bit bang raw data to the LCD, /dev/fb0 is your man. You can kill the process that draws to the buffer (nano-X) and it won’t clear it on you anymore, but you’ll lose the backlight control. It’s 128x36px, 1 bit per pixel.

    Blank the LCD
    echo 1 > /sys/class/graphics/fb0/blank

    TV static
    cat /dev/urandom > /dev/fb0

    You can control the backlight yourself, but you’ll need a helper program for it. Cross-compiles on Ubuntu with arm-linux-gnueabi-gcc just fine.
    On: ioctl(28, _IOC(0, 0x00, 0xc8, 0x00), 0)
    Off: ioctl(21, _IOC(0, 0x00, 0xc9, 0x00), 0)
    Where 28/21 is just an fd to /dev/fb0

    #include <fcntl.h>
    #include <sys/ioctl.h>   /* _IOC() */
    #include <unistd.h>
    int main(void) {
        int fd = open("/dev/fb0", O_RDWR);
        if (fd < 0) return 1;
        return ioctl(fd, _IOC(0, 0x00, 0xc8, 0x00), 0); /* 0xc8 = on, 0xc9 = off */
    }

    Reply
  96. neil

    Just FYI, I was having trouble connecting the hotspot to my work laptop. I could connect to my personal laptop just fine. Couldn’t figure out why the work laptop was blocking it, but what got it working was adding DNS entries to the hotspot.

    Reply
  97. Kiran

    Dear Author,
    Your work was amazing w.r.t T9 and its findings. Now with test drive T-mobile released massive loads of T10 devices, T-mobile won’t unlock T10, they say they can only unlock phones not Hotspots. Any light you can throw on T10 is really appreciated.

    Thank You

    Reply
      1. Toastman Jack

        Hey can you find a way to get mintmobile, boostmobile or other t-mobile mvno sim working in this box? T10 NOT T9

        Reply
  98. Jhonny

    Hello, I just disabled the reset button on my T-Mobile T9 router and disabled DHCP, and now I can’t use it anymore; I can’t even get access to the admin webpage.

    Reply
  99. Franklin

    I deleted all the “change target” in the engineering menu, except the default, and my hotspot no longer works. Does anyone have the files that I can load to restore the targets?

    Reply
  100. saymon

    Can someone give me the code to unlock the country, my IMEI number is 355866234738917, thank you very much, I can’t do it myself

    Reply
  101. Marcos Gomez

    Good evening

    I have a question. I have the same device, an R717 Mobile Hotspot, but it says Invalid SIM. Can you help me with that, or has this happened to anyone? It happened because the device was reset without thinking, and now it says that.

    Reply
  102. Rich Hathaway

    I am a little late to this party lol
    I just got this device a couple of weeks ago, a fun little device to fool with.
    these enc firmwares are so limited and cannot recover any borked device.
    the real firmware dumped from the device is much more versatile.
    Already made a build with everything baked in it

    it loads from edl (9008) mode with a properly patched loader.
    hynix nand is always kind of a pain in the ass, but it is what it is.
    —————
    Novatel Wireless Status Port (COM110)
    Novatel Wireless VCOM GPS Port (COM10)
    NETGEAR WWAN Modem VSP (COM3)
    NETGEAR DM Port VSP (COM4)
    NETGEAR NMEA Port VSP (COM5)
    =======================================================

    Enter QDLoader port #: 110

    Chipset: MDM9x07
    Waiting for a Hello packet from the device…

    Boot image id: 0000000d

    Loading loaders/9607p.bin…

    Sending the Loader to the device…

    Loader transferred successfully

    Hello ver: 3
    Chipset: MDM9x07
    NAND controller base address: 079b0000
    Nand flash: Hynix H9TA2GG1GJAMCR, NAND 256MiB 1.8V 8-bit
    Sector size: 516 byte
    Page size: 2048 byte (4 sectors)
    Pages num in block: 64
    OOB Size: 64 byte
    ECC Type: BCH, 4 bit
    ECC Size: 7 byte
    Spare size: 4 byte
    Bad block marker position: user+1d1
    Total Flash Size = 2048 blocks (256 MB)
    Press any key to continue . . .

    Hello ver: 3
    Chipset: MDM9x07
    NAND controller base address: 079b0000
    Nand flash: Hynix H9TA2GG1GJAMCR, NAND 256MiB 1.8V 8-bit
    Sector size: 516 byte
    Page size: 2048 byte (4 sectors)
    Pages num in block: 64
    OOB Size: 64 byte
    ECC Type: BCH, 4 bit
    ECC Size: 7 byte
    Spare size: 4 byte
    Bad block marker position: user+1d1
    Total Flash Size = 2048 blocks (256 MB)
    Press any key to continue . . .
    reading raw images with spare

    #  Start  Size    A0 A1 A2 F# format ------ Name ------
    ============================================================
    00 0 00000a ff 01 00 00 LNX 0:SBL
    01 a 00000a ff 01 ff 00 LNX 0:MIBIB
    02 14 000060 ff 01 ff 00 LNX 0:EFS2
    03 74 000006 ff 01 00 00 LNX 0:TZ
    04 7a 000003 ff 01 00 00 LNX 0:RPM
    05 7d 000005 ff 01 00 00 LNX 0:aboot
    06 82 00003f ff 01 00 00 LNX 0:boot
    07 c1 000082 ff 01 00 00 LNX 0:SCRUB
    08 143 000148 ff 01 00 00 LNX 0:modem
    * R: Block 00015b [start+018] (7%)
    ! Page 33 sector 3: adjusted bit: 1
    09 28b 00000a ff 01 00 00 LNX 0:misc
    10 295 00003f ff 01 00 00 LNX 0:recovery
    11 2d4 00000c ff 01 00 00 LNX 0:fota
    12 2e0 00008f ff 01 00 00 LNX 0:recoveryfs
    13 36f 000002 ff 01 00 00 LNX 0:sec
    14 371 00048f ff 01 00 00 LNX 0:system
    * R: Block 0007ff [start+48e] (100%)

    ---- response ----
    00000000: 7e 0c 14 3a 7e *~..:~ *

    Press any key to continue . . .

    Reply
  103. Clement

    Hi members, can a Franklin R702 4G LTE Portable Wi-Fi Hotspot be unlocked?
    Device Name Franklin R702
    Device Description 4G LTE Portable Wi-Fi Hotspot
    Manufacturer Franklin Technology Inc.
    Modem Model R702
    Hardware Version MP1
    Firmware Version R702F47.SM.M280

    Reply
