I recently acquired a T-Mobile T9 mobile hotspot (made by Franklin Wireless) from a friend who had used it with T-Mobile's Test Drive program, and, as I do with most embedded devices, I poked around inside it. This thread goes over my software findings and gives you the information needed to gain root access and SIM unlock the device.

NOTE: I am not responsible for any damage done to your T-Mobile Hotspot. Proceed at your own risk. Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.
OTAs
The OTA system on the device is very simple. It phones home to the following URL, with this syntax:
https://fota.pintracview.com/fota/T9/check_update.php?carrier=<CARRIER>&rev=<CURRENTVERSION>&imei=<IMEI>
For example, my T9 on firmware revision R717F21.FR.891 checked in as check_update.php?carrier=tmobile&rev=891. Calling this URL yourself with any outdated revision number returns a link to the latest OTA file, a .enc. Note that the device's IMEI goes out in the query string on every check.
Thankfully, these .enc files are very easy to extract: they are standard OpenSSL enc containers (password-based AES-128-CBC with the legacy MD5 key derivation). The -md md5 flag is required on OpenSSL 1.1.0 and newer, whose default digest for enc changed to SHA-256. You can decrypt an OTA with the following command:
openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##[email protected]
This gives you a .tar that contains a file named ota_update_all.zip, which holds a copy of the rootfs files. On this device every OTA is a full image, so you can upgrade and downgrade as you please through the web interface. I extracted the decryption key from the binary at /usr/bin/fota_app. I was also able to start a collection of firmwares, including an unreleased update; you can access these OTA files from this Mega Share.
The OTA zip appears to be unsigned, so a modified image might be accepted by the updater, but I have not tested this.
Config File
One nice thing about this device is that you can enable SSH, ADB, and other hidden goodies simply by generating a configuration backup, modifying it, and uploading it back to the device. The backup itself can be converted from its .bin format to its true form, a .tar.gz, with the commands below:
# Same key and container format as the OTA files; drop -d to re-encrypt later
openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##[email protected]
mkdir hotspot_cfg_packed
# The outer archive contains a second archive, hotspot_cfg.tar
tar xf hotspot_cfg_packed.tar -C ./hotspot_cfg_packed
cd hotspot_cfg_packed
mkdir hotspot_cfg_packed_2
# The inner archive holds the actual configuration files
tar xf hotspot_cfg.tar -C ./hotspot_cfg_packed_2
As you can see, the configuration dump is AES-128-CBC encrypted with the same key as the OTA files and contains nested tar archives. You can now modify the configuration as you wish, repackage it, and re-upload it: reverse the steps above, then run the same openssl command without -d to produce the .bin (running it with -d against a plain tar fails with "bad magic number", because that flag expects the encrypted container).
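The OTA .enc files and the configuration .bin share one container format and one key, so here is a single worked example that covers both directions. It is written for this edit and is not part of the original post or of Franklin's tooling. It reimplements what the openssl commands above do (the "Salted__" header, the MD5-based EVP_BytesToKey derivation, PKCS#7 padding) and adds the repack direction plus the checks behind openssl's "bad magic number" and "bad decrypt" errors. Assumptions: the key is supplied in the T9_KEY environment variable (use the one printed in the commands above), and the AES step uses the third-party cryptography package; everything else is standard library.

```python
"""Unpack and repack the T9's OpenSSL 'enc' containers (.enc OTA files, hotspot_cfg.bin).

Added example, not the post's code. The containers are what
`openssl enc -aes-128-cbc -md md5 -k PASSWORD` produces: the 8-byte magic
"Salted__", an 8-byte random salt, then AES-128-CBC ciphertext with PKCS#7
padding. Key and IV come from OpenSSL's EVP_BytesToKey (MD5, one iteration).
"""
import hashlib
import os
import sys

MAGIC = b"Salted__"
KEY_LEN = 16    # AES-128
IV_LEN = 16     # CBC IV is one AES block
BLOCK = 16


def evp_bytes_to_key(password, salt, key_len=KEY_LEN, iv_len=IV_LEN):
    """OpenSSL EVP_BytesToKey with MD5 and count=1 (what `-md md5 -k` uses).

    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt);
    key || iv is the first key_len + iv_len bytes of D_1 || D_2 || ...
    """
    if len(salt) != 8:
        raise ValueError("OpenSSL salts are 8 bytes")
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]


def split_container(blob):
    """Return (salt, ciphertext); the same check behind openssl's 'bad magic number'."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("bad magic number: not an OpenSSL Salted__ container "
                         "(is the input already decrypted?)")
    body = blob[16:]
    if not body or len(body) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks: truncated file")
    return blob[8:16], body


def build_container(salt, ciphertext):
    """Inverse of split_container."""
    if len(salt) != 8 or len(ciphertext) % BLOCK:
        raise ValueError("salt must be 8 bytes and ciphertext block-aligned")
    return MAGIC + salt + ciphertext


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK          # always 1..16 bytes, as OpenSSL does
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        # What openssl reports as 'bad decrypt': wrong password or damaged file.
        raise ValueError("bad decrypt: padding check failed (wrong key or corrupt input)")
    return data[:-n]


def _aes_cbc(key, iv):
    # Imported lazily so the pure-Python parts work without the package installed.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    return Cipher(algorithms.AES(key), modes.CBC(iv))


def decrypt_container(blob, password):
    """Bytes of a .enc/.bin file -> plaintext (the inner .tar)."""
    salt, ciphertext = split_container(blob)
    key, iv = evp_bytes_to_key(password, salt)
    dec = _aes_cbc(key, iv).decryptor()
    return pkcs7_unpad(dec.update(ciphertext) + dec.finalize())


def encrypt_container(plaintext, password, salt=None):
    """Plaintext (e.g. a repacked hotspot_cfg_packed.tar) -> .bin bytes for upload."""
    salt = salt if salt is not None else os.urandom(8)
    key, iv = evp_bytes_to_key(password, salt)
    enc = _aes_cbc(key, iv).encryptor()
    return build_container(salt, enc.update(pkcs7_pad(plaintext)) + enc.finalize())


def main(argv):
    password = os.environ.get("T9_KEY", "").encode()   # assumed: key passed via $T9_KEY
    if len(argv) != 4 or argv[1] not in ("unpack", "repack") or not password:
        print("usage: T9_KEY=... t9_container.py unpack|repack IN OUT", file=sys.stderr)
        return 2
    with open(argv[2], "rb") as f:
        data = f.read()
    out = decrypt_container(data, password) if argv[1] == "unpack" else encrypt_container(data, password)
    with open(argv[3], "wb") as f:
        f.write(out)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `T9_KEY=... python3 t9_container.py unpack hotspot_cfg.bin hotspot_cfg_packed.tar`, edit and re-tar the contents, then `repack` the tar back into hotspot_cfg.bin. Because EVP_BytesToKey with MD5 is a single unsalted-iteration construction, the random salt only prevents two identical backups from producing identical ciphertext; it does nothing to slow down guessing the password, which is one reason a fixed key baked into a binary is a weak design.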
SSH
SSH can be enabled on this device, and once enabled you can log in as the root user. If you are on firmware version 891 or below, you can run the following command to enable SSH quickly:
curl "http://192.168.0.1/cgi-bin/webpst.service_setting.cgi" \
-H "Content-Type: application/json" \
-H "Origin: http://192.168.0.1" \
-H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
--data '{"command":"save","params":null,"data":{"ssh":"on","tether":"","bridge":""}}' \
--insecure
Note that if your firmware is newer than 891, you will need to modify the Config File to enable SSH. I have created a basic Python script that does this for you, available on GitHub; it requires OpenSSL 1.1.0 or newer and has only been tested on Ubuntu 18.04.
As for logging in over SSH, I discovered that the root password on these devices is frk9x07. Sadly, the engineers at Franklin Wireless stored it as a descrypt (traditional DES-based crypt) hash, which truncates passwords to 8 characters and a 56-bit key; hashcat cracked it within seconds on my GTX 1080.
ADB
As a bonus, you can enable an ADB shell that drops you straight into a root prompt, no password required. This works on firmware version 891 and below; it may not work on newer firmware.
curl "http://192.168.0.1/cgi-bin/webpst.usb_mode.cgi" \
-H "Content-Type: application/json" \
-H "Origin: http://192.168.0.1" \
-H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
--data '{"command":"save","params":null,"data":{"usb_mode":"902D"}}' \
--insecure
On newer OTAs you can still enable ADB, but it has to be done by hand in /data/configs/mobileap_cfg.xml: change the UsbMode value from 9025 to 902D, save, and reboot the device. You may also need to replace the contents of /data/configs/hsusb_next with 902D.
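For the newer-firmware path, here is an added example (not from the post) that makes the two edits above against copies of the files: it rewrites the UsbMode value in mobileap_cfg.xml, refusing to touch the file unless the setting matches exactly once, writes 902D into hsusb_next, and keeps .bak copies of both. The file and setting names and the 9025/902D values are the post's; the exact XML element form is not shown there, so the match pattern (the text "UsbMode" followed by a 4-hex-digit value on the same line) is an assumption. Pull /data/configs with scp, run the script on the copy, push the files back, and reboot.

```python
"""Switch the T9's persisted USB mode to 902D (the ADB composition).

Added example, not from the post. Edits pulled copies of
/data/configs/mobileap_cfg.xml and /data/configs/hsusb_next.
Assumption: the UsbMode setting and its 4-hex-digit value share one line.
"""
import re
import shutil
import sys
from pathlib import Path

ADB_MODE = "902D"        # ADB-enabled composition, per the post
STOCK_MODE = "9025"      # factory value, per the post
CFG_XML = "mobileap_cfg.xml"
HSUSB_NEXT = "hsusb_next"

# "UsbMode", then (lazily) the first standalone 4-hex-digit token on that line.
_USB_MODE = re.compile(r"(UsbMode[^\n]*?)\b([0-9A-Fa-f]{4})\b")


def current_usb_mode(xml_text):
    """Return the single UsbMode value, or raise if it is absent or ambiguous."""
    found = _USB_MODE.findall(xml_text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one UsbMode setting, found {len(found)}")
    return found[0][1].upper()


def set_usb_mode(xml_text, mode=ADB_MODE):
    """Return xml_text with the UsbMode value replaced; idempotent."""
    current_usb_mode(xml_text)                      # enforce exactly-one-match first
    return _USB_MODE.sub(lambda m: m.group(1) + mode, xml_text, count=1)


def enable_adb(config_dir):
    """Rewrite both files under config_dir (a copy of /data/configs), keeping .bak copies.

    Returns (old_mode, new_mode) so callers can log what changed.
    """
    config_dir = Path(config_dir)
    xml_path = config_dir / CFG_XML
    next_path = config_dir / HSUSB_NEXT
    xml_text = xml_path.read_text()
    old = current_usb_mode(xml_text)
    shutil.copy2(xml_path, xml_path.with_name(CFG_XML + ".bak"))
    xml_path.write_text(set_usb_mode(xml_text))
    newline = ""
    if next_path.exists():                          # the post says this file may also need 902D
        shutil.copy2(next_path, next_path.with_name(HSUSB_NEXT + ".bak"))
        newline = "\n" if next_path.read_bytes().endswith(b"\n") else ""
    next_path.write_text(ADB_MODE + newline)        # keep the file's original newline style
    return old, ADB_MODE


if __name__ == "__main__":
    before, after = enable_adb(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"UsbMode {before} -> {after}; push both files back to /data/configs and reboot")
```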
Hidden Web Pages
While digging around the device I found a handful of hidden pages, protected by plaintext passwords compiled statically into binaries. Below are the pages I found and where I found each password.
- Hidden Configuration Pages
- http://192.168.0.1/hidden/
- http://192.168.0.1/webpst/
- Password: [email protected]
- Password was extracted from /var/volatile/www/htdocs/cgi-bin/login.cgi
- IT Admin Page
- http://192.168.0.1/itadmin/
- Password: [email protected]
- Password was extracted from /var/volatile/www/htdocs/cgi-bin/logi
- Hidden Engineering Page
- http://192.168.0.1/engineering/franklin/
- Username: r717
- Password: frkengr717
- User and Password were extracted from /etc/pwlighttpd
- Note: On firmwares newer than 891, you need to first run the following as root before you can access the engineering pages.
/usr/bin/copy_htdocs.sh eng
SIM Unlock
While exploring the binary at /usr/bin/QCMAP_Web_CLIENT, I stumbled upon the logic used to SIM unlock the device: the unlock code is the first 8 hex characters of the SHA-1 of the IMEI followed by the string simlock. To generate yours, run the following in a Linux or macOS terminal (on macOS, where sha1sum may be missing, shasum produces the same output):
export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | sha1sum | cut -c1-8
In the above, replace YOURIMEIGOESHERE with the IMEI of the T9 hotspot. Once done, enter the generated code in the normal Web UI under Settings > Mobile Network > SIM > Carrier Unlock (the Settings page password defaults to admin) to unlock the device for all SIM cards. As several commenters found, a factory reset rewrites the carrier config and re-locks the SIM, so the code has to be entered again afterwards.
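Many of the "code doesn't work" reports in the comments come down to a mistyped IMEI or a platform without sha1sum, so here is an added example (mine, not the post's) that does the same derivation in Python with input checks: it strips spaces and dashes, requires 15 digits, and verifies the IMEI's Luhn check digit before hashing, so a transcription error is caught before a useless code is entered in the Web UI. The hash itself is exactly the post's (SHA-1 of "<IMEI>simlock", first 8 hex characters); the validation is the addition. It runs the same on Linux, macOS and Windows.

```python
"""Derive the T9 carrier-unlock code from its IMEI, with input checks.

Added example. The hash is the one the post documents: the first 8 hex
characters of SHA-1("<IMEI>simlock"). The 15-digit / Luhn validation is
added so a mistyped IMEI fails loudly instead of yielding a wrong code.
"""
import hashlib
import re
import sys


def luhn_valid(digits):
    """Standard Luhn check; a 15-digit IMEI's last digit is its Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_imei(raw):
    """Accept '49-0154 203237518' style input; return the bare 15-digit IMEI."""
    digits = re.sub(r"[\s\-]", "", raw)
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError(f"IMEI must be 15 digits, got {digits!r}")
    if not luhn_valid(digits):
        raise ValueError("IMEI check digit is wrong; re-read it from the label or the Web UI")
    return digits


def unlock_code(raw_imei):
    """The post's derivation: sha1(IMEI + 'simlock'), first 8 hex characters."""
    imei = normalize_imei(raw_imei)
    return hashlib.sha1((imei + "simlock").encode("ascii")).hexdigest()[:8]


if __name__ == "__main__":
    print(unlock_code(sys.argv[1] if len(sys.argv) > 1 else input("IMEI: ")))
```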
Conclusion
Hands down, this is one of my favorite IoT devices I have had the pleasure of playing with. I appreciate that Franklin Wireless put minimal effort into securing it, since that makes it a great platform to build on. If anyone at Franklin Wireless is reading this, I recommend the following changes to help secure your devices:
- Don't store passwords in plaintext in your binaries. Store a salted hash produced by a purpose-built password hash (bcrypt, scrypt, Argon2, or at least sha512crypt) and compare against that.
- Don't let the "hidden pages" have their password prompts skipped by editing the page in the browser's developer tools. That is just sloppy, and it is how I got ADB access to start this research. Enforce authentication server-side, either in lighttpd itself or with a completely separate auth page that is properly hardened.
- Don't use descrypt for Linux passwords: it truncates at 8 characters, and cracking the hash took me less than 10 seconds. Use sha512crypt (or bcrypt) at a minimum, and make the password longer than 8 characters so brute force is impractical.
- If you need ADB, confine it. Another T-Mobile hotspot I have allows ADB, but the shell runs as an unprivileged, non-existent UID, so you can barely view the filesystem. Something like that would be a safer bet.
- Move to incremental OTAs, and SIGN THEM CORRECTLY; Android OTAs are verified against a certificate baked into the device. Also implement rollback protection and disable the ability for users to upload OTAs.
I just have to say this is wonderful timing! I just got the T9 test drive device and found your post researching how to bandlock with it. I somehow softbricked it, but holding down the reset button with the cover off while it was powered up did the trick.
Some peculiarities I’ve noticed, after rolling back the firmware to FR.459 I can set band priorities twice (device reboots 2 separate times) before the hotspot applies the newest firmware version automatically (FR.M1311) without my prompting. Fortunately the new band priorities aren’t overwritten, but it worries me that in the future they may implement some kind of rollback protection as you suggest. Any ideas on how to stop it from auto updating/phoning home?
Thanks!
Easiest way to prevent rollback would be to disable the OTA engine and change the URL it points to. This can be done by editing the configuration file at /data/configs/mobileap_cfg.xml and making changes similar to what I have documented at https://gist.github.com/riptidewave93/fc88a7de97abea669bd2d790a1df4c0a
So I made this edit and they pushed the latest firmware anyways. After I reverted back to 891, my edit was still there. Any other ideas for preventing the OTA from happening?
The device needs to be rebooted after the change is made for it to apply, otherwise the changes won’t get picked up by the running process.
As for another method, in theory you could also kill the process for fota_app, and replace /usr/bin/fota_app with a bash script with an infinite loop and sleep.
I simply renamed /etc/rc5.d/S99fota to prevent it from starting. Seems to work ok so far.
I have a Windows/DOS background, not linux.
Can you give me the procedure to “kill the process for fota_app, and replace /usr/bin/fota_app with a bash script for an infinite loop and sleep”?
I am connected as root via SSH and I am in the /usr/bin/fota_app directory.
Thank you. The unlock code worked!!! But I unzipped the OTA files and got tar files that I couldn't open with an archive extractor (7-Zip, WinZip, etc.).
Thank you so much for writing this. Lots of fun options to play with on this device. One thing I’d like to do is to make a set of iptables/ip6tables rules for TTL mangling permanent – have you discovered any way to write these to the /data partition in a way that they’d get executed on every boot? Or do I need to go figure out how to build a firmware image? Just to share, here are the rules I’m playing with:
export TTL=66
export INTERFACE=rmnet_data0
ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL --hl-set $TTL
ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL --hl-set $TTL
iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL --ttl-set $TTL
iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL --ttl-set $TTL
I have this working via ssh (by the way, the ssh option in engineering settings worked for me on 891).
Thanks!
For what it's worth, the rootfs is actually read/write on this device, so you can set up your own /etc/init.d script, and that in theory should do the trick.
Put a script together, and instructions. Here it is:
https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab
What would be the purpose of TTL modification on a dedicated hotspot device like this, since devices are designed to be tethered to it anyway?
Is there a way to root this device and trick it into tethering unlimited from a T-Mobile phone line SIM? I am using a phone SIM with 10 GB hotspot with no issue, but to be capped at 50 GB would be nice.
Nope, since that is all locked on the network side. If you want more data, you can always set up a data line on the device with T-Mobile.
Has anyone found an easy way to send AT commands to the modem? I dug a little bit but haven’t had any luck.
I cannot get the unlock code for the SIM lock.
The method documented will work. Please make sure you're running the terminal command correctly, and in a Linux or macOS terminal. It will not work on Windows.
Do you recall where you enter the unlock code? I was able to generate an unlock code, and pretty much everything else you discovered was very helpful. Thank you!
Matthew
It is in the normal WebUI (none of the hidden pages) under SIM settings.
Is the SIM unlock page available only after your root it?
Actually, you can do it from Windows if you have WSL installed, aka Windows Subsystem for Linux. That’s how I generated my unlock code.
How do you connect to it, via the WIFI, then use something like Putty on Windows??
Connect to the hotspot via wifi, then browse to its webUI by typing 192.168.0.1 – you won’t need to use Putty to enter the unlock code, as there’s a field in the webUI to enter it.
I used a terminal emulator on an Android phone to generate the unlock code, connected to the hotspot on the same phone and entered the code. Easy.
Would you happen to recall what WebUI was used to enter the sim unlock code? I thought I looked through all of them, but I do not recall seeing it.
Thanks!
I have a few of these, and it occurred to me that it shouldn't be hard to make this work as a wifi extender or repeater bridge. Anyone willing to write a script to set it up?
What other carriers are available after SIM unlock? Has anyone tested this with AT&T SIM cards?
I have been in contact with someone using AT&T via the (Engineering>Change target>DEFAULT) setting, I am using Sprint with the same setting.
I can use AT&T 4G LTE with TMobile target as well. I do need to change the IMEI of the device to mimic an AT&T compatible device to get the LTE, otherwise, it can only connect to 3G.
I can get 4G LTE using one of my TMobile voice lines but it registers as “unknown device” on the TMO website. Is this an issue that could spark further review and if so how do I fix it?
btw, the website does show the updated imei
I was wondering.. if I can unlock it and I have access to its terminal/shell, could I use it as a regular wifi hotspot device? I want to boost the range of the wifi at my house for my IoT devices so I can isolate their network.
Possibly but the device was not built for this, so you would be in uncharted territory.
I am able to use the hotspot with sprint now, but have been unable to get the band priority table in hidden>Lte menu area to populate. Is there a way to force this menu to populate?
Before when using stock target (Engineering>Change target>TMOBILE) I had experienced this bug but it was fixed by factory resetting, unfortunately this doesn’t seem to work when my target is set to (Engineering>Change target>DEFAULT). Any idea if there’s an xml file I could alter similar to the FOTA fix? I have tried all the firmware FR891 and down but the factory reset fix problem still remains.
Or could I directly change the band priorities by downloading a backup, editing it, then restoring? I have looked through the cfg’s after extracting them and don’t see a place for band priorities.
The only place I have found the band settings referenced via adb are at (/etc/default/configs/DEFAULT # strings mcfg_sw.mbn); when printed it shows a list of nv locations that refer to band preferences explicitly, for example (/nv/item_files/modem/mmode/lte_bandpref), but I don't know how to interact with the non-volatile memory.
can you write a guide for this? would like to use this with my sprint sim
The unlock code doesn't work for me after generating it using the commands with my IMEI. I downloaded the 891 firmware from your link.
On macOS (Catalina) and making sure that openssl was updated, I was able to generate the SIM unlock code in terminal with the command below (changing sha1sum to shasum)
echo -n "${IMEI}simlock" | shasum | cut -c1-8
The code generated successfully SIM unlocked my T9 with firmware R717F21.FR.M1311
Hope this helps.
Can you help me with generating the unlock code? I don't have a Mac or Linux.
Please read through the comments, there are multiple different methods available to generate an unlock code.
I am also not having any success with the password generated with sha1sum. BTW, I don't see a "SIM settings" tab on the http://mobile.hotspot page, so I just tried entering the generated password when clicking the "Settings" tab.
I was able to get into the device with SSH though, is there perhaps a way to edit the config directly to do the SIM unlock?
Hmm, I wonder if it’s firmware version related then. Try updating the device and doing a factory reset. That should then hopefully expose the option in the Web Interface.
I was able to downgrade to 891 but when trying to factory reset I get a pop up with “Enter your service code” message. No idea what service code to enter. I tried both the IMEI based code and other passwords you called out in this page and none of that worked.
Ok, I found another way to do factory reset from http://192.168.0.1/engineering/franklin/. But after it rebooted still the same issue – I click on the “Settings” tab and I get prompted for a password and when I type in the one from sha1sum it fails.
Were you able to work around this? My firmware appears to be similar. Settings and additional pages behind a login page, the unlock code rejected as the password.
Hi,
I downgraded to the 891 version, then used the command you provided. Every time after I execute the SSH command, it shows:
{
"msg": "OK",
"result": "S_SAVE"
}
Then the device shows “Goodbye” and restart.
And I still cannot connect via SSH.
Do you know what’s wrong on my side?
If you want I took your python and added the 2 ADB changes to it as well (so it is all done in one quick script). Send me an email and I will get it to you.
How do I get the SIM unlock code? I would like to try with an AT&T SIM card. IMEI: REMOVED BY ADMIN. Can you get my code for me and email it to me? Thank you.
I removed your IMEI for privacy reasons, but your unlock code should be 4b3cce62
Where do I insert it to unlock it? Do I just put the other SIM inside, then go to the login page and put the code in there?
Can you get my code for me also?
Sir,
I am having the same issue resolving the unlock code for my children’s device to work on our laptop via usb as it won’t work for wifi. Can you help as our school tech people have no idea and state the carrier unlock code is needed to switch the setting. Here is our IMEI ADMIN REMOVED Can you email or post our code?
Thank you!
CK
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
That works like magic. I was able to unlock my T-Mobile test drive Franklin T9 I bought on eBay, but when I submit the IMEI to Sprint for activation, it says the device cannot be activated on their network, even though Sprint offers the T9 for $90. Apparently the IMEI is blacklisted. Is there any way I can get the device activated on Sprint?
Can you give me the unlock code for mine also?
My IMEI
ADMIN REMOVED
Please reply when you have it, thank you. I don't know how to get the code and don't want to mess up my PC trying to figure out how to get it.
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Hi, I’d like to request for the unlock code too.
this is the IMEI: ADMIN REMOVED
Could you post or email me the unlock too? Thanks so much in advance.
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Works beautifully to unlock! I was able to get the code through a Linux Machine since Mac didn’t have the sha1sum package (at least on Catalina). thanks!
On the Mac running Catalina, the command for sha1sum is shasum so the command is slightly changed to:
export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | shasum | cut -c1-8
Works perfectly.
This fiddle ought to generate the same codes, if people aren’t able to figure out how to grab it from the command line: https://jsfiddle.net/4zds6531/
Thank you so much! This worked great!
Thanks, I worked all day and never could get it... you are the man...
@Chris B @Stefan In http://192.168.0.1/webpst/, there is a “FOTA Test” section to change the FOTA server path. Any idea if changing this will prevent automatic OTA updates? Cheers
It should, yes.
Hello, my device version is 891
After it is automatically updated, it keeps looping on the welcome interface when I turn it on.
Is there a way to fix it?
Thank you very much
Hmm have you tried using the reset button on the back of the device to reset it?
Lucky, reset it
Works good now.
Ugh same issue here. I thought I had everything perfect! Even got the TTL script added with scp copy and all was working for a full week. Woke up to Welcome screen bootloop this morning. Soft and hard reset don’t seem to work 🙁
take the sim card out and let it boot up.
Update – I got it to boot by taking out the SIM then a hard reset after it booted once. It looks like I auto-upgraded to version 1311, even though I followed Stefan’s guide for the TTL scripts which were working great before: https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab
This has been really fun to tinker with BTW! But now I’m stuck understanding how to downgrade.
To downgrade back to 891, what exactly am I uploading? I downloaded 891 .enc file from Mega, converted .enc to .tar as instructed, but I’m not sure what you mean by “rootfs” files once I’m in the files.
And would I upload as a backup restore on IT admin, or as a firmware upgrade on webpst page?
It seems like no one has resolved the blocking of updates though right?
For flashing between versions, just upload the original .enc file (don’t decrypt it!) on the firmware upgrade page. You can either use the webpst one, or the firmware update page found in the normal webUI under settings.
Has anyone been able to get diag mode working on this so we can talk to it with Qualcomm tools like QPST or QXDM? This device is using the Qualcomm MDM9207-0 so it should be possible.
Nevermind, I asked prematurely and just got my hands on the device. I now see that DIAG can be enabled from the following page: http://192.168.0.1/webpst/usb_mode.html
This is a neat little device. Thanks to Chris for all the great info shared. And thanks to Stefan for the TTL script and info about stopping FOTA.
Hi, I’ve been trying to use QPST but it keeps blocking me requesting the SPC. Have you been able to get around this somehow?
Hmm, 000000 is not working?
I’m having the same issue. Have you tried?
Is there a change log for the firmware? I am on 891 and want to see if I should update the firmware or not
I was having trouble following the unlock sim instructions like some others have mentioned in comments.
This may help, when you navigate to the settings tab on the Web UI, a popup asks for the password. This is not the generated unlock key, but it is just “admin”.
From here I had to set a new password then I was able get into the settings tab and view/change settings.
Under Settings > Mobile Network > SIM – scroll down to Carrier Unlock and this is where you need to enter the generated unlock key. Right above mine now says Carrier Unlock Status: Unlocked
I figured out how to do some IMEI magic on the T9!!! I’m making a guide and posting it in a few days.
No need to ruin a good thing.
This was already referred to at the top of the article:
“Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.”
Would be interested in what you found out; mind sending an e-mail (please do not remove, this is a temp/throw away e-mail)? Address is [email protected]
I booted one of these devices up, fresh out of box without installing the SIM card
-rooted
-carrier unlocked
-modified the OTA upgrade script to not work and added TTL modification script
-added APN for visible wireless and set it to active
-shutdown / installed visible sim
— it booted, connected, and ran very well.
then — i inserted the stock tmobile test drive sim
it booted and worked, connected…..did some testing…
but it re-locked the carrier unlock status and did some kind of binding to make the hotspot only work with the tmobile sim.
When i try to use a non-tmobile sim in this hotspot, it says “sim error” and the sim status shows locked.
Has anyone else experienced this?
I would recommend NOT using the test-drive SIM if you plan to work with this device and unlock it etc.
I seem to remember previous test-drive sims doing a lock and binding the previous coolpad hotspots to only work with tmobile as well
Did you use the hard reset button on the back of the unit after you unlocked the device? If so, it will need to be unlocked again. This drove me crazy for quite a while until I figured it out.
Each time the hard reset button is used, the device will need to be unlocked again.
I’ve been trying to find where/how to edit APN settings that aren’t available in the web GUI. Could you please provide some guidance?
I’ve been digging through the decrypted ROMs and a decrypted settings backup with no luck.
Just go to http://192.168.0.1/settings/mobile_network-apn.html and click on “add”.
Thank you!
Generated and entered the unlock code and now my device is reporting “Unlocked”.
Firmware version: R717F21.FR.1311
Anyone have anyluck with ECM or RNDIS using the USB port? Seems to be 3 modes, but none of them work on any of my machines. Would like to use with a Watchguard Firewall as Failover ISP via USB.
Disregard, I had about 1/2 a dozen USB to microUSB cables that were all just charging cables (no data). after using the correct cable everything worked great.
Can someone do a guide on how to modify the TTL? I saw the instructions and enabled SSH but got lost on part 3. Thanks!
Thank you for sharing the information. It was easy to unlock, enable SSH and ADB. Just a question, is there any advantage to upgrade to a newer firmware beyond 891?
This is super helpful, thank you for your work.
I have a question, I’m reasonably technical but am not super fluent with everything done from the command line. So I’ve unpacked and edited the config to change the update URL and repacked everything into hotspot_cfg_packed.tar, how do I convert that back into the encrypted .bin file?
My best guess was the following but it spit out an error on my macbook pro running MacOS 11:
[email protected] hotspot % openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg_packed.tar -out hotspot_cfg.bin -k frkenc##[email protected]
bad magic number
Would appreciate any help and what the underlying issue is?
Thanks in advance
Hello Rich,
I recommend looking at the python script linked under the SSH section, since it helps show the process in which to repackage a configuration dump.
You’re using the -d flag which is for decryption. Remove the -d flag when you’re re-encrypting it back into the .bin.
Hi, I tried the above steps and generated the code; it says the message below.
The initial version was _891, later updated to FR.1311, but I still get the message below. I also tried to reset the device, but that didn't work.
Incorrect Unlock Code
You will need to contact your service provider to get the unlock code.
Can you downgrade the firmware. I thought I saw that was relatively easy. Just grab off the mega site in the OP.
I tried but that didn’t work either
I unlocked it without any problem, thank you for all the information on this page.
I plan to have this hotspot unattended far from home; is there a way to configure a DDNS?
thank you
Once you ssh into the device, you can a) change the password by using the passwd command. You can apply a blank password.
You can generate the unlock code directly on the device — use this command (all 1 line)
/var/volatile/www/htdocs/cgi-bin/webpst.imei_mac.cgi | awk '/imei/{printf( substr($2,2,15) "simlock")}' | sha1sum | cut -c1-8
You get that guide yet?
Perhaps I am missing something here. The device was unlocked easily, but I am not able to SSH due to the incorrect password 'frk9x07'. How do I find the real password for SSH? Other than that SSH problem, great forum. Thanks
My bad, I mistyped the command. It should be ssh root@192.168.0.1, then the provided password works. Thanks
This page is really helpful, but I am still stuck with my problem. It seems my device bricked while getting the updates from T-Mobile. It's not showing any Wi-Fi broadcast, and reset keeps showing "Factory reset Restarting Now". I logged in to webpst and uploaded R717F21.FR.1312, but after 1-2 minutes, while writing it, it shows me "upgrade failed". The hidden menu shows web version FR.1312. Is there any way to re-install 1312 or 891 via openssl, or any other way to reset?
Thanks
Hmm somehow my hotspot did OTA and was bricked, LCD gets stuck at WELCOME message and never even starts up the hotspot. Any ideas on how to reflash/reset?
Same issue with my device. Please keep me posted if you find any solution.
Remove the SIM card and reboot it.
This works, thanks
where to download 891 to downgrade ? Mine got updated to 1131 and I could not enable SSH. By the instruction, how do I run ty-enable-ssh.py to enable ssh for 891+ ?
https://mega.nz/folder/FJ8wWYAJ#Q1oUEtIUJrtjB1atkOAXrA
You have to load Python on your computer; then save the T9's configuration (from the menu) to a file on your PC; run python ty-enable-ssh.py hotspot_config.bin, which will generate a new config file; then upload it back to the hotspot.
Awesome work. I see the engineering and other passwords plainly visible in multiple places…what a convenient mess! Do you have any insight into the configurations loaded through the “Change Target” menu? I was thinking of making a universal configuration to load in it, as I see that using the unbranded ‘Default’ breaks things like the ability to enter the SIM unlock code, however I haven’t found where the other configurations are stored to use as an example.
The hidden menu also has a disabled debranding page (among others) but navigating to it shows that the corresponding cgi (and perhaps the files that debranding would want) are missing, at least at a glance.
I wonder why accessing factory reset menu in webPST calls for the SPC?
There’s also a 100 firmware if you use the vendor franklin.
Different config settings are loaded from /etc/default/configs/*
It may be possible to just add your own there in a new folder?
The unbranded, Franklin and SKT configs don’t actually set a SIM_LOCK like the TMO/Sprint configs do which might be why the option to unlock the SIM goes away. I haven’t tested if the lock itself goes away when switching to those configs. Since the original config is TMO (with lock set), the SIM_LOCK NV value may be sticking despite the new unbranded/SKT/etc configs not using a SIM lock. And if set to unbranded/SKT from factory… then the TMO/Sprint SIM_LOCK NV setting never gets set and there’s never a SIM LOCK to remove.
And the reason the SIM LOCK comes back after a factory reset is because the TMOBILE config gets rewritten.. which then rewrites the SIM LOCK NV value.
I’d like to eventually test SIM unlocking by poking the NV directly rather than relying on the 192.168.0.1 pages.. just to figure out how to clear it out of the NV properly. The SIM_LOCK NV value set by TMO/Sprint is: 00 02 00 65 00 00 36 01 a0 00 36 01 c8 00 36 01 d2 00 36 01 dc 00 36 01 e6 00 36 01 f0 00 36 01 fa 00 36 01 04 01 36 01 0e 01 36 01 2c 01 36 01 36 01 36 01 ea 01 36 01 12 02 36 01 4e 02 36 01 80 02 36 01 94 02 36 01 20 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d3 00 00 00 0a 00 00 00
May just be as simple as zeroing it out to remove the lock… not sure yet.
The configurations are stored in: /etc/default/configs
Take a look at the configuration folders:
/etc/default/configs/
Also the following file:
/usr/bin/change_carrier.sh
This might help with the custom builds.
My auto upgrade stuck and now only seeing blinking led. Tried upgrading/downgrading ENC file but after 62%, it’s throwing Firmware failed error. SSH is not enabled. Is there any way to rewrite the firmware? Please help, Seems my device is bricked.
Thanks Chris, your work is awesome! After I unlocked it and added an APN, I can use my Verizon SIM to enjoy LTE.
This is awesome! I had played around with it a few months ago and managed to gain root access and unlock the SIM on my own through a bit of trial and error. I never reached this level of reverse-engineering, though!
Is there a way to put the T9 into “bridge mode” /firewall-less or a mode that I can put my own NATing router /firewall behind the T9 tethered via USB? So Im not double NATing.
Hmm… is FR891 using a debug kernel?
This is what I see in /var/log/dmesg
[ 0.000000] **********************************************************
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000] **
[ 0.000000] ** trace_printk() being used. Allocating extra memory.
[ 0.000000] **
[ 0.000000] ** This means that this is a DEBUG kernel and it is
[ 0.000000] ** unsafe for produciton use.
[ 0.000000] **
[ 0.000000] ** If you see this message and you are not debugging
[ 0.000000] ** the kernel, report this immediately to your vendor!
[ 0.000000] **
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000] **********************************************************
Why would this be? This keeps getting more interesting…
Can someone help me out please? I was able to get the unlock code, but going to http://mobile.hotspot/#login=/settings/mobile_network-sim.html asks for a password and none of these work: [email protected] [email protected] frkengr717
If you haven’t yet set up a password, the default for the interface is user:admin and password:admin. If that doesn’t work, just factory reset and try again, because that will set it back to the default admin:admin credentials.
Hey bud, thanks for the reply. Indeed you were right, as when I opened the link it asked me for a password which was “admin”.
You will need access to a Linux or Mac terminal or Windows 10 running WSL. I was able to get the unlock code using this free terminal: https://cocalc.com/doc/terminal.html
On the terminal type:
export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | sha1sum | cut -c1-8
It should give you your unlock code.
And then go to http://mobile.hotspot/settings/mobile_network-sim.html under “Carrier Unlock” to unlock it (remember your laptop/PC needs to be connected to the Franklin T9).
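The derivation from the two commands above, written as a Python function with an IMEI check-digit (Luhn) validation step in front of it. This is an added example, not code from the post or from the device; the "simlock" suffix and the 8-character SHA-1 prefix are taken from the commands above, and the sample IMEI is a constructed, Luhn-valid value, not a real device identifier.

```python
import hashlib
import re


def imei_is_valid(imei: str) -> bool:
    """Return True if imei is 15 digits with a correct Luhn check digit.

    IMEIs carry a Luhn check digit as their 15th digit; validating it first
    catches a mistyped IMEI before a meaningless code is computed.
    """
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    # Walk the digits right to left and double every second digit,
    # subtracting 9 when the doubled digit would be two digits long.
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unlock_code(imei: str) -> str:
    """Reproduce: echo -n "${IMEI}simlock" | sha1sum | cut -c1-8

    The device's "Carrier Unlock" page expects the first 8 hex characters
    of SHA-1(IMEI + "simlock"), exactly as the shell pipeline above does.
    """
    imei = imei.strip()
    if not imei_is_valid(imei):
        raise ValueError("IMEI must be 15 digits with a valid check digit")
    digest = hashlib.sha1(f"{imei}simlock".encode("ascii")).hexdigest()
    return digest[:8]


if __name__ == "__main__":
    # Constructed sample IMEI (a well-known Luhn-valid example value),
    # not a real device identifier.
    sample = "490154203237518"
    print(sample, "->", unlock_code(sample))
```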
For anyone having issues with it auto-updating/boot-looping: take your SIM out, restart it, downgrade back to 891, factory reset it, unlock, change your target in the engineering menu to TMOBILE_GCF, reset the device again, and when you try to update it says you’re on the latest version, 891.
I believe you can also stop the OTAs through a config; I just didn’t have the ability/time to do it, so I found this temp fix.
You lose 3 Sprint bands this way, but since I have an AT&T SIM in it, it’s not a big deal.
Crap…forgot what I set the “admin” password that defaults to “admin” to when I did this. Is there a way to force change it via one of the DEV pages? Guess I need to factory reset and redo the unlock otherwise.
- ssh into the hotspot
- Entering the following command should show the password:
cat /data/configs/mobileap_cfg.xml | grep Password
Sadly, I can’t get root password to work. Maybe I’m still doing something wrong but I tried to login via root with Putty.
Nevermind, I figured it out….thanks for the help.
Thanks for all this info Chris!
Here’s a modified 1311 with SSH always on in the configs, FOTA and remote management on loopback, FOTA service start suspended, and engineering pages restored. Remember to trust but verify! Use the information on this page to extract this firmware and the original 1311 and validate my edits for peace of mind.
firmware link – https://mega.nz/file/Lk8k2TgI#DwuWhvQh2nd-Gv2247cFB0rnVodqNP9M0_k751o0XJw
MEGA folder link for future builds – https://mega.nz/folder/m81iVLYJ#ZkLM7wspDir5z0T7DuGlXg
V2 just includes some password reminders
Thank you very much for your contributions. If possible, could you modify the page so we can edit the TTL easily?
By any chance was the password to ‘http://192.168.0.1/hidden/’ updated as part of the changes you made? Looks like there isn’t a password reminder nor will [email protected] work to gain access to band configs.
Are you sure you flashed V2? I have access to the hidden page using the default password and a reminder is present on the login dialog box.
Question about the firmware:
I am still on the “stock” 891 firmware. Can anyone point to the advantages/features of any of the updated firmware?
I can make AT&T LTE work on firmware 891, but not 1131 (1131 always says SIM error). So I revert back to 891.
If anyone knows how to make AT&T sim acceptable by 1131 firmware please let me know. Thanks.
1. This morning I inserted my tmobile SIM and suddenly it worked and let me WIFI into the system and I flashed 891 firmware immediately successfully.
However,
2. When I tried to unlock it again manually like I did last time, it said my unlock code is incorrect, which I double-checked was the correct one that I used last time successfully. Looks like T-Mobile did something to the unlock mechanism.
Can someone help figure out how to unlock it again?
Bests,
Jeff
All this information has proven very useful and educational. Thanks for all your effort in sharing it. Using the T-Mobile T9 (Franklin Wireless R717), I noticed that if your firmware is higher than 891, activating SSH through the hidden menu is not possible. I rolled back mine from 1131 to 891 and had no issues activating SSH in the hidden menu.
Thank you Chris and everyone involved.
I got everything all setup and working.
I got this device for creating a hotspot in my car so that my Android headunit can connect to it and use it for Spotify and Google Maps.
I found out that the device works without the battery if plugged in which is great for keeping in a car that can get really hot in the summer.
I really want the T9 to auto turn on whenever it’s plugged in (car turned on) without me turning it on manually.
You guys think there’s a way to do this? Software or Hardware mod.
Is there a way to view signal level info like RSRP, RSRQ, SNR?
Doing the test drive and I’d like to have better info to look at, not just a five bar “it’s fine” indicator.
Yes. Go to http://192.168.0.1/about/ and click the “debug” button
Has anyone figured out how to display arbitrary text on the LED screen?
Also, I’m thinking of writing a little script that changes the APN after boot depending on the ICCID.
Hey Chris,
I’m wanting to use one of the backup config files as a template to change SSID, password, device limit, etc. Is this possible to do, and if so how do I actually get into the directory? I’ve downloaded a copy of the config file now as a backup, but the ssl commands aren’t working.
Thanks in advance!!
Turns out it helps when you don’t have a typo in the URL…
I cannot use any other sim card other than the one that comes with the device on the latest firmware. Even the modded latest firmware. It’ll only work if I downgrade to 891.
Also, I had a blast modding this device!
This is my IMEI, please help me with the unlock code: REDACTED
Please give me the unlock code, my IMEI is REDACTED. Please help me, I am still waiting.
Please, as you have my IMEI, give me the code, because you put my IMEI REDACTED
As mentioned earlier, I will not be generating codes for people and I will be censoring any IMEI’s posted. Please read through the comments, there are multiple documented ways to generate your own unlock code.
Hello Guys,
Need help!
I have my Franklin T9 device bricked. It was updating software when I dropped it and the battery came out causing the device firmware update to fail.
Now the device is switching on but nothing is working. The mobile.hotspot page is working but no information is available on the page. Same with hidden and webpst. I did try to force firmware to the device using the webpst page but it failed. The IT admin page is asking for a password but the one provided here is not working. So I am unable to load the .cfg file.
Any help is appreciated.
Thanks
Have you tried resetting to factory default? If not, pop off the back cover and hold down the reset button while the device is on. Also see some of the above comments about resetting a brick.
Just put your IMEI into this site, and it’ll give you an unlock code.
https://jsfiddle.net/4zds6531/
I need some help repackaging the config file. I’ve tried to just walk it back through the command prompt after successfully unpacking everything, but when I attempt to restore from the backup it fails. I have a feeling the problem is with the way I’m re-encrypting the .tar file. Steps below:
– Edit the XML config file
– In the command prompt:
$ tar cf [hotspot_cfg.tar] [data]
$ tar cf [hotspot_cfg] [hotspot_cfg_2]    # this includes hash/model/hotspot_cfg.tar
$ openssl enc -aes-128-cbc -md md5 -in hotspot_cfg.tar -out hotspot_cfg.bin -k frkenc##[email protected]
I've seen Chris' comment about the python script and have looked through it, but I'm not very familiar with python. Any help with this would be greatly appreciated.
I used the R717F21.FR.891_ota_update_all.enc download from your Mega drive, and used the web page's "restore from Backup" with this file, but now I can’t turn on the device; just the power button light is flashing. What should I do now? How do I reset the device? Thank you so much.
Is there any script that forces the device to restart every x hours? Thank you
My end goal was to use this as a hotspot with a T Mobile sim, but for fun I also SIM Unlocked.
Quick guide for me-
I ssh’d into the device in terminal with command
ssh [email protected].0.1
when asked for password its frk9x07
now you want to change the TTL with command
echo "Setting TTL on $INTERFACE to $TTL=65"
you should see the system confirm
Ran command
exit
Completed speed test and verified TTL was -1 at 64.
for sim unlock code I used website https://jsfiddle.net/4zds6531/ and put in my IMEI- wrote the code down and plugged it in the mobile.hotspot page and the device rebooted and is now unlocked.
If I use Putty for ssh, is this command run at the top level directory and then logoff?
echo "Setting TTL on $INTERFACE to $TTL=65"
Also do I need to run this command every time when I power up the T9 to set the TTL?
Does this TTL change only affect tether? In other words, I’m not seeing a TTL change when connected via WiFi to the T9.
How can I set the USB Mode back to RNDIS + ECM after enabling ADB without a full reset?
Nevermind, I was only using the device tethered but after setting up the WiFi address/pw the WebUI is still easily accessible and USB mode can obviously easily be changed from webpst menu.
Most of you guys posting are way more talented geeks, but thanks to this thread I turned the free Test Drive Franklin T9 into a budget backup hotspot to cover gaps in the field and at home when the wired Internet and wifi crap out.
Bottom line: used https://jsfiddle.net/4zds6531/ for the SIM unlock code. Used my initial $15/mo T-Mobile Connect UNL Talk & Text w/2GB data SIM card to get a number & to confirm speed/coverage. Changed the plan to a mobile data only (2GB) option @ $10/mo. Ran that SIM on my phone, powered off, put that SIM card into my now unlocked Franklin T9 and restarted the T9. Voila! A complimentary Franklin T9 Mobile Hotspot. T-Mobile has the superior LTE data throughput inside my home vs AT&T/Verizon. I can upgrade/downgrade the prepaid data plan as needed without carrying the extra expense of a voice/text plan, or just activate/deactivate data service as needed.
Yes, T-mobile stuck me for $25 on the initial SIM card cost and activation for the Prepaid phone SIM.
Still not clear if an unlocked T9 works with Mobile data only AT&T SIMs or Verizon SIMS or MVNO data only SIMS plans or what exact tweaks accomplish that.
Ok so I managed to hard-brick my t9 worse than anyone else so far (lol). I accidentally deleted /bin (long story) and it started bootlooping. However, I did find out that you can enter fastboot mode by shorting the two small pads on the PCB next to the display connector while powering on (you might have to pop off the metal EMI shield).
Anyway, I tried to flash a new system image with fastboot, but it appears that the system.img is not included in the ota images provided above. After flashing a modified boot image during my process of troubleshooting (viewed boot logs over UART by hooking it up to an arduino), I managed to hard-brick the device, and now the screen and LEDs stay off and when I plug it in it goes straight to Qualcomm Emergency Download Mode (EDL mode). I can’t even reach fastboot anymore or ADB–it appears that it is only loading the Qualcomm “primary bootloader” and not even the Franklin secondary one. The boot process seems to be four stages:
1. Qualcomm Primary Bootloader (contains EDL protocol for reflashing the Franklin/vendor-specific bootloader, verifies and bootstraps the secondary bootloader. Factory-set in ROM). — I’m assuming that my system gets stuck here because the verification of the modified boot.img I flashed fails.
2. Franklin (secondary) bootloader — (seems to take care of rest of POST and preliminary system checks. Activates Wifi radios, battery management, other device-specific systems, then loads tertiary android bootloader) However, also seems to contain the linux kernel itself that the following android bootloader loads into RAM (further research required, I’m very uncertain about this process)
3. “aboot” — (android bootloader, this is what loads the linux kernel/mounts the filesystem. This is what fastboot interfaces with.)
4. Linux — (the actual OS itself)
Because the OTA updates appear to be only patches rather than full system ROMs/images, here’s what I would like:
Can someone with a working device dump the ENTIRE filesystem and upload it to a mega or an admin email it to me? The device supports a SCP connection in SSH mode so this shouldn’t be too difficult. You can also use adb. I would really like a complete “factory” image to help me troubleshoot once I manage to reflash the secondary bootloader through EDL (boot.img, this is included in the ota files Chris provided).
@natthawk shoot me an email and ill see if I can get you what you need.
Unfortunately, unless you know a way to unlock the bootloader, fastboot won’t let you overwrite system or recoveryfs (recovery and most other partitions are fine though). Your only real shot is to use EDL to write a new system image. Bjoern Kerler’s EDL tool is most promising for streaming download to NAND based devices, but it’s a work in progress and doesn’t play nice writing to our units yet (dumps work fine). There are other methods, but they’re very manual. I have dumps of all the partitions. If you find an EDL flashing method that works for you, I can get you a clean system.img if you still lack one (my current dump has a lot of my own personalizations).
Hi, sorry for the delayed reply.
Great minds think alike, I guess, since I tried this very tool to no avail :/ Now I’m beyond even trying to reflash system.img as I said above because I accidentally flashed a modified boot.img. I can’t get the flash programmer mbn file to cooperate, and I don’t even know if it’s legit since it’s a random one I found on a sketchy forum, and I’m also brand new to this Qualcomm Sahara/firehose stuff and how it works so I don’t really know how to troubleshoot either. When I view boot log over UART, it throws an ELF verification error when verifying the boot loader, then drops itself into 900E mode. Fastboot is inaccessible since the android high-level bootloader is never activated.
When I try to flash the boot.img to “boot” with EDL Tools using NPRG9x07.mbn as the loader it accepts the programmer (loader), returns the serial number, and then errors out with a python traceback 🙁 This even happens when I try to dump partitions. ENPRG9x07.mbn also doesn’t even get accepted in the first place. Also, it’s not even showing up in 9008 (EDL) mode, it’s showing up in 900E. Could you share the programmer file you used/the specific command that worked and what platform?
Plus the device uses UBIFS as a file system, which is a whole other level of abstraction I had basically no knowledge of before a week ago.
I guess my next course of action is to try to interface with the (very nicely labeled, thanks Franklin!) JTAG pads on the PCB, unless you can get EDL write working, but this will be a hassle and probably require some soldering.
Latest device has a different firmware and different unlock procedure. By going though the js code, it seems that they are using AES ECB base64 now with key “abcdefghijklmn12”. Not sure about the special code though.
Oh interesting, what firmware version does your device report?
As someone who has this device as part of my postpaid plan I’m glad to see the firmware available for download. Typically I like to reload the firmware when the device crashes as a fresh coat of paint but T-Mobile hasn’t been able to provide it for me.
Thanks.
Right now T-Mobile send the new device is not T9 Franklin. Can you study how to unlock the new device?
I would need the device to do that. What model and brand is it? Can you share photos of it?
I believe I received the same unit. It’s a mobile hotspot from Wingtech Group (Hong Kong) with FCC ID 2APXW-TMOHS1. I guess it’s a new product; no more LCD screen and just dimmable LEDs below the T-Mobile logo. It has 5G and 2.4G WiFi but cannot operate both simultaneously. Apparently and sadly the Franklin hacks don’t work on it at all…
Did some research on it. Here’s the manufacturer’s website: http://www.wingtech.com/en (in terms of product support, it’s even less transparent than Franklin’s barren support website, lol)
Here are some notable specifications from T-mobile’s info page on the device, which I pasted a link to in a reply below:
– 256MB RAM, 512MB ROM (I think the T9 only had 256M ROM, but someone can correct me)
– MDM9207 CPU/SOC (same as the T9 – I’m guessing the firmwares are very similar)
– USB C (yay!)
If someone with the device uploads the HTML and JS source of the web interface, maybe we can get a head start on reverse-engineering it. Let’s hope Wingtech learned their security practices from Franklin, lol.
Just received the TMOHS1 version as well. Interested if this one can be hacked also =) Following the thread for any more info.
How do I upload the HTML and JS source of the web interface?
I have placed the admin HTML, JS, and CSS files for the TMOHS1 in a zip file (tmohs1_files.zip) at:
https://mega.nz/file/MkRBDCQb#e1rIR7aD4cebyavw_vQVCjyGPVUo3zGRBChGq3XiXl8
The sha256 is:
2ee424d3d0ca26a02d523683189c055466ea6efb21e957b884263ab8a34521df
The files:
static/js/chunk-vendors.b06997a3.js
static/js/app.cf45a03c.js
static/css/app.5f283b77.css
static/css/chunk-vendors.55852678.css
home.html
Also got a different MIFI device from T-mobile, modeled as “TMOHS1”
Searching with the model name leads to some FCC certification docs, and nothing else quite available yet. Here’s a photo of the device I took. The tiny display is replaced by several indicator lights. One good thing about this device is USB-C is used for charging now
Sorry, forgot image link
https://imgur.com/a/cz6Zm7K
I got the same device and there is no information about it at all
more info about TMOHS1
https://imgur.com/a/SS0XJUW
https://fccid.io/2APXW-TMOHS1
I have one in hand. Anything I can do to help?
Here’s a copy of the hotspot’s webpage saved: a mix of htm, css, js files for someone who knows what to look for.
https://github.com/visible1025/TMOHS1/blob/main/unlock%20page.zip
Any idea how to unlock and do an imei change on this new device?
Here are some details from the information page on the TMOHS1 GUI (I don’t have a SIM inserted so some of the details are missing or removed):
Phone Number: Unknown
IMSI: Unknown
IMEI: _REMOVED_
Signal Strength: Unknown
Network Name (SSID): _REMOVED_ (Change)
Max Connected Devices: 8
LAN Domain: mobile.hotspot
MAC Address: _REMOVED_
IP Address: 192.168.0.1
WAN IP Address: Unknown
Software Version: TMOHS1_0.04.18
Hardware Version: 89527_1_11
IMEI SV: 4
Model Name: TMOHS1
T-Mobile Customer care number: 1-800-937-8997
Hello all,
I just put out a python wrapper for many of the Franklin T9 functionalities exposed in the GUI.
Welcome contributors and feedback:
https://github.com/RayBB/franklin-t9-api
Can you tell us how to use it? I got mine unlocked and SSH accessed.
Here’s a tmobile support link for the new device: https://www.t-mobile.com/support/devices/mobile-internet/t-mobile-hotspot
It appears that the T9 may no longer be sent out.
Hello, my T9 is version 891. I have unlocked it and set the Visible APN, but as soon as I put the Visible SIM card in the T9, it locked again. The Visible VPN is gone. When I put in Google Fi, everything is normal. I don’t understand why Visible doesn’t work.
I have Visible working on the T9 with this apn “VSBLINTERNET” not very fast speeds though 12-15 mbps. I put the Visible sim in a phone and get 45-50 mbps.
Just received the TMOHS1 also. Is it normal to have the sim activated as soon as it is powered on? I never activated it. The speed isn’t very fast (about 13-16 mbps).
Anyone able to enable the OTG function of T9? We can use this to install Checkra1n and Jailbreak the iPhone.
Also, if the screen could be used to show the status of jailbreak, that would be perfect.
There is a hidden path for the TMOHS1. Not sure if it’s useful, but it’s
http://192.168.0.1/#/FotaHide and it presents you with the following options:
FOTA Server settings
- Switch to product server (Apply)
- Switch to STAGING server (Apply)
- Switch to LAB Server (Apply)
- Remove OTA bootstrap (Apply)
FOTA Server information
- ServerID: TMOFOTA1
- ServerAddress: https://omadm.iot.t-mobile.com:443/omadm-server/dm12
- ServerPort: 443
- ServerAuthName: TMOFOTA1
- ServerAuthType: DIGEST
- ClientAuthType: DIGEST
FOTA Scheduled events
- Delaytimes: 0
Yes mine was online as soon as I powered the TMOHS1 on as well, though it took about 30 minutes before it would work properly (provisioning time I guess?)
Following for unlock updates.
Hey fellers. I have the T9 unlocked, but I can’t get the AT&T SIM card to work. I’ve tried setting different targets and APNs. What am I missing?