Rooting and Unlocking the T-Mobile T9 (Franklin Wireless R717)

I recently acquired a T-Mobile T9 mobile hotspot from a friend who used it with their Test Drive program and, as I do with most embedded devices, I poked around. This thread will go over my software findings, and will give you the information needed to gain root access and SIM Unlock the device.

NOTE: I am not responsible for any damage done to your T-Mobile Hotspot. Proceed at your own risk. Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.

OTAs

The OTA system on the device is very simplistic. It phones home to the following URL, with the following syntax:
https://fota.pintracview.com/fota/T9/check_update.php?carrier=<CARRIER>&rev=<CURRENTVERSION>&imei=<IMEI>

So for example, my T9 was reporting to check_update.php?carrier=tmobile&rev=891 when it was on firmware revision R717F21.FR.891. Manually calling this URL with any outdated revision will link you to the latest OTA file, which is a .enc file.

Thankfully, these .enc files are very easy to extract. If you are on a newer version of OpenSSL, you can extract this OTA using the following command:

openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##[email protected]

This will then provide you with a .tar file, which contains a file named ota_update_all.zip which has a copy of the rootfs files. On this device, all OTAs are full image releases, so you can upgrade and downgrade as you please using the web interface. As for the decryption key, I extracted this from the binary at /usr/bin/fota_app. I was also able to start a collection of firmwares, including an unreleased update. You can access these OTA files from this Mega Share.

As for the OTA zip, it appears to be unsigned, so you may be able to modify it and have it apply, but this has not been tested.

Config File

One nice thing about this device is you can enable SSH, ADB, and other hidden goodies by simply generating a configuration backup, modifying it, and uploading it back to the device. As for the configuration backup itself, you can convert it from its .bin format to its true form, a .tar.gz, using the commands below:

openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##[email protected]
mkdir hotspot_cfg_packed
tar xf hotspot_cfg_packed.tar -C ./hotspot_cfg_packed
cd hotspot_cfg_packed
mkdir hotspot_cfg_packed_2
tar xf hotspot_cfg.tar -C ./hotspot_cfg_packed_2

As you can see, the configuration dump is actually aes-128-cbc encrypted, and contains nested tar.gz files. You can now modify the configuration as you wish, repackage it, and re-upload it.

SSH

During my research it was found that SSH can be enabled on this device, and once enabled, you can login as the root user. If you are on a firmware version 891 or below, you can run the following command to quickly enable SSH.

curl "http://192.168.0.1/cgi-bin/webpst.service_setting.cgi" \
  -H "Content-Type: application/json" \
  -H "Origin: http://192.168.0.1" \
  -H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
  --data '{"command":"save","params":null,"data":{"ssh":"on","tether":"","bridge":""}}' \
  --insecure

Note that if your firmware is above version 891, then to enable SSH you will need to modify the Config File. If you want, I have created a basic python script that can do this for you, which is available on GitHub. Just note it requires OpenSSL 1.1.0 or newer, and is only tested on Ubuntu 18.04.

As for logging in over SSH, I was able to discover the root SSH password for these devices is frk9x07. Sadly, the engineers at Franklin Wireless only used a descrypt (DES) key for the device, which hashcat was able to crack within seconds using my GTX 1080.
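
A firmware audit that flags this kind of hash before release, as an added example (not from the original post or from Franklin Wireless): the script classifies each entry of a shadow-format file by hash scheme and fails DES crypt and empty-password entries. The function names and the sample entries are constructed for illustration; none of the hashes comes from a device.

```shell
#!/bin/sh
# Added example: audit shadow-format entries (user:hash:...) for weak
# password storage. All entries in SAMPLE_SHADOW are constructed.

# audit_shadow: reads shadow-format lines on stdin and prints
# "<user> <scheme> <verdict>" for each entry.
# Traditional DES crypt is recognised by shape: 2 salt characters plus 11 hash
# characters and no "$" prefix. It reads only the first 8 password characters
# and has a 12-bit salt, which is why it falls to brute force so quickly.
audit_shadow() {
  awk -F: '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
      h = $2
      if (h == "")                 { s = "none";        v = "FAIL" }
      else if (h ~ /^[!*]/)        { s = "locked";      v = "OK" }
      else if (h ~ /^\$y\$/)       { s = "yescrypt";    v = "OK" }
      else if (h ~ /^\$2[aby]\$/)  { s = "bcrypt";      v = "OK" }
      else if (h ~ /^\$6\$/)       { s = "sha512crypt"; v = "OK" }
      else if (h ~ /^\$5\$/)       { s = "sha256crypt"; v = "OK" }
      else if (h ~ /^\$1\$/)       { s = "md5crypt";    v = "LEGACY" }
      else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") { s = "descrypt"; v = "FAIL" }
      else                         { s = "unknown";     v = "REVIEW" }
      print $1, s, v
    }'
}

# count_failures: number of FAIL entries in shadow-format input on stdin.
count_failures() {
  audit_shadow | awk '$3 == "FAIL" { n++ } END { print n + 0 }'
}

# Constructed sample: one entry per case worth catching in a rootfs review.
SAMPLE_SHADOW='root:ab0123456789A:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
web:$1$CONSTRUCT$notARealMd5cryptValue00:18000:0:99999:7:::
admin:$6$CONSTRUCT$notARealSha512cryptValue:18000:0:99999:7:::
diag::18000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Run it against the `etc/shadow` and `etc/passwd` files of an unpacked rootfs as a release gate, failing the build when `count_failures` is non-zero.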

ADB

As a bonus, you can enable an ADB shell that drops you right to a root prompt without any password! Note this seems to work on firmware version 891 and below, but it may not work on newer firmwares.

curl "http://192.168.0.1/cgi-bin/webpst.usb_mode.cgi" \
  -H "Content-Type: application/json" \
  -H "Origin: http://192.168.0.1" \
  -H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
  --data '{"command":"save","params":null,"data":{"usb_mode":"902D"}}' \
  --insecure

On newer OTAs, you can still enable ADB but it needs to be done manually from the /data/configs/mobileap_cfg.xml file. This is done by updating the UsbMode setting value from 9025 to 902D, saving, then rebooting the device. Note you also may need to replace the contents of /data/configs/hsusb_next with 902D as well.

Hidden Web Pages

During my digging around the device I found a handful of hidden pages, which were secured by plain text passwords that were statically built into binaries. Below you can find the pages I found, as well as where I found the passwords for said pages.

  • Hidden Configuration Pages
    • http://192.168.0.1/hidden/
    • http://192.168.0.1/webpst/
      • Password: [email protected]
      • Password was extracted from /var/volatile/www/htdocs/cgi-bin/login.cgi
  • IT Admin Page
    • http://192.168.0.1/itadmin/
      • Password: [email protected]
      • Password was extracted from /var/volatile/www/htdocs/cgi-bin/logi
  • Hidden Engineering Page
    • http://192.168.0.1/engineering/franklin/
      • Username: r717
      • Password: frkengr717
      • User and Password were extracted from /etc/pwlighttpd
      • Note: On firmwares newer than 891, you need to first run the following as root before you can access the engineering pages.
        • /usr/bin/copy_htdocs.sh eng

SIM Unlock

While exploring the binary at /usr/bin/QCMAP_Web_CLIENT, I accidentally stumbled upon the logic used to SIM Unlock the device. To generate your SIM unlock code, run the following in any Linux or Mac terminal.

export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | sha1sum | cut -c1-8

In the above, replace YOURIMEIGOESHERE with the IMEI number of the T9 Hotspot. Once done, you can enter the generated code into the Web UI to unlock the device for all SIM cards.

Conclusion

Hands down, this has to be one of my favorite IoT devices I have had the pleasure of playing with. I appreciate the fact that Franklin Wireless put minimal effort into securing the device since it makes for a great platform to build on top of. If anyone at Franklin Wireless is reading this, I recommend the following changes to help secure your devices.

  • Don’t store passwords in plain text in your binaries. Use sha256 or md5+salt, or some other method.
  • Please don’t allow your “hidden pages” to have password prompts skipped by modifying the browser’s HTML rendering. This is just sloppy, and is how I was able to get ADB access to start my research. Either having them locked down using lighttpd, or having a completely separate auth page that is properly hardened is my recommendation.
  • Don’t use DEScrypt linux passwords. The time it took me to crack the hash was less than 10 seconds. md5crypt at a MINIMUM, and sha1 if you want to get a bit fancier. Also, make the password longer than 8 characters to help reduce the chance of a successful bruteforce.
  • If you need to have ADB, Jail it down. Another T-Mobile hotspot I have allows for ADB, but it runs as a non-existent UID so you can barely view the filesystem. Something like this would probably be a safer bet.
  • Move to incremental OTAs, and SIGN THEM CORRECTLY. Most android OTAs use certs for OTA authentication. Also, implement rollback protection and disable the ability for users to upload OTAs.
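
What the last recommendation looks like on the device side, as an added example rather than anything from the original post or Franklin Wireless's firmware: a signed manifest carries the version and the payload hash, and the updater checks signature, hash and version before applying anything. The manifest format, file names and function names are assumptions made for this example, and the key pair is generated on the spot.

```shell
#!/bin/sh
# Added example (not the vendor's updater): accept an update only if its
# manifest is signed by the vendor key, the payload matches the signed hash,
# and the version is newer than the installed one.
# Assumed manifest format, constructed for this example:
#   version=<integer>
#   sha256=<hex digest of the payload>

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# verify_ota PUBKEY MANIFEST SIGNATURE PAYLOAD INSTALLED_VERSION
# Prints "accept" or "reject: <reason>"; returns 0 only on accept.
verify_ota() {
  pub=$1; manifest=$2; sig=$3; payload=$4; installed=$5

  # 1. Authenticate the manifest before trusting any field inside it.
  openssl dgst -sha256 -verify "$pub" -signature "$sig" "$manifest" \
    >/dev/null 2>&1 || { echo "reject: bad signature"; return 1; }

  # 2. Parse strictly; anything unexpected is a rejection.
  version=$(sed -n 's/^version=\([0-9][0-9]*\)$/\1/p' "$manifest")
  digest=$(sed -n 's/^sha256=\([0-9a-f]\{64\}\)$/\1/p' "$manifest")
  if [ -z "$version" ] || [ -z "$digest" ]; then
    echo "reject: malformed manifest"; return 1
  fi

  # 3. Bind the payload to the signed manifest.
  [ "$(sha256_of "$payload")" = "$digest" ] \
    || { echo "reject: payload hash mismatch"; return 1; }

  # 4. Rollback protection: only strictly newer versions install.
  [ "$version" -gt "$installed" ] \
    || { echo "reject: rollback to $version"; return 1; }

  echo "accept"
}

# make_demo DIR: build a throwaway key pair, payload and signed manifest.
# On a real device only vendor.pub would be present, stored read-only.
make_demo() {
  d=$1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/vendor.key" 2>/dev/null
  openssl ec -in "$d/vendor.key" -pubout -out "$d/vendor.pub" 2>/dev/null
  printf 'constructed payload, version 1312\n' > "$d/payload.bin"
  printf 'version=1312\nsha256=%s\n' "$(sha256_of "$d/payload.bin")" > "$d/manifest"
  openssl dgst -sha256 -sign "$d/vendor.key" -out "$d/manifest.sig" "$d/manifest"
}

demo=$(mktemp -d)
make_demo "$demo"
# Upgrade from 891 is accepted; re-applying 1312 over 1312 is refused.
verify_ota "$demo/vendor.pub" "$demo/manifest" "$demo/manifest.sig" "$demo/payload.bin" 891
verify_ota "$demo/vendor.pub" "$demo/manifest" "$demo/manifest.sig" "$demo/payload.bin" 1312 || true
rm -rf "$demo"
```

The installed version passed as the last argument has to come from storage an uploaded package cannot rewrite, otherwise the rollback check can be reset along with the firmware.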

139 thoughts on “Rooting and Unlocking the T-Mobile T9 (Franklin Wireless R717)”

  1. Malias

    I just have to say this is wonderful timing! I just got the T9 test drive device and found your post researching how to bandlock with it. I somehow softbricked it, but holding down the reset button with the cover off while it was powered up did the trick.
    Some peculiarities I’ve noticed, after rolling back the firmware to FR.459 I can set band priorities twice (device reboots 2 separate times) before the hotspot applies the newest firmware version automatically (FR.M1311) without my prompting. Fortunately the new band priorities aren’t overwritten, but it worries me that in the future they may implement some kind of rollback protection as you suggest. Any ideas on how to stop it from auto updating/phoning home?
    Thanks!

      1. Stefan

        So I made this edit and they pushed the latest firmware anyways. After I reverted back to 891, my edit was still there. Any other ideas for preventing the OTA from happening?

        1. Chris B - Admin Post author

          The device needs to be rebooted after the change is made for it to apply, otherwise the changes won’t get picked up by the running process.

          As for another method, in theory you could also kill the process for fota_app, and replace /usr/bin/fota_app with a bash script with an infinite loop and sleep.

          1. Icarus

            I have a Windows/DOS background, not linux.

            Can you give me the procedure to “kill the process for fota_app, and replace /usr/bin/fota_app with a bash script for an infinite loop and sleep”?

            I am connected as root via SSH and I am in the /usr/bin/fota_app directory.

      2. Artem Sorokin

        Thank you. The unlock code worked!!! But I unzipped the OTA files and got tar files that I couldn’t open with an archive extractor (7-Zip, WinZip, etc.).

  2. Stefan

    Thank you so much for writing this. Lots of fun options to play with on this device. One thing I’d like to do is to make a set of iptables/ip6tables rules for TTL mangling permanent – have you discovered any way to write these to the /data partition in a way that they’d get executed on every boot? Or do I need to go figure out how to build a firmware image? Just to share, here are the rules I’m playing with:

    export TTL=66
    export INTERFACE=rmnet_data0
    ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL --hl-set $TTL
    ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL --hl-set $TTL
    iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL --ttl-set $TTL
    iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL --ttl-set $TTL

    I have this working via ssh (by the way, the ssh option in engineering settings worked for me on 891).

    Thanks!

    1. wh2k9

      What would be the purpose of TTL modification on a dedicated hotspot device like this, since devices are designed to be tethered to it anyway?

  3. Arie

    Is there an ability to root this device and trick it into tethering unlimited from a tmobile phone line sim ? I am using a phone sim with 10 GB hotspot with no issue but to be capped at 50 GB would be nice.

      1. Matthew

        Do you recall where you enter the unlock code? I was able to generate an unlock code, and pretty much everything else you discovered was very helpful. Thank you!

        Matthew

      2. Mike

        Actually, you can do it from Windows if you have WSL installed, aka Windows Subsystem for Linux. That’s how I generated my unlock code.

          1. Rick

            Connect to the hotspot via wifi, then browse to its webUI by typing 192.168.0.1 – you won’t need to use Putty to enter the unlock code, as there’s a field in the webUI to enter it.

            I used a terminal emulator on an Android phone to generate the unlock code, connected to the hotspot on the same phone and entered the code. Easy.

  4. Matthew

    Would you happen to recall what WebUI was used to enter the sim unlock code? I thought I looked through all of them, but I do not recall seeing it.

    Thanks!

  5. Edric

    I have a few of these, and it occurred to me that it shouldn’t be hard to make this work as a wifi extender or repeater bridge. Anyone willing to write a script to set it up?

    1. Malias

      I have been in contact with someone using AT&T via the (Engineering>Change target>DEFAULT) setting, I am using Sprint with the same setting.

    2. Jim

      I can use AT&T 4G LTE with TMobile target as well. I do need to change the IMEI of the device to mimic an AT&T compatible device to get the LTE, otherwise, it can only connect to 3G.

  6. The_Vaccine

    I was wondering.. if I can unlock it and I have access to its terminal/shell, could I use it as a regular wifi hotspot device? I want to boost the range of the wifi at my house for my IoT devices so I can isolate their network.

  7. Malias

    I am able to use the hotspot with sprint now, but have been unable to get the band priority table in hidden>Lte menu area to populate. Is there a way to force this menu to populate?

    Before when using stock target (Engineering>Change target>TMOBILE) I had experienced this bug but it was fixed by factory resetting, unfortunately this doesn’t seem to work when my target is set to (Engineering>Change target>DEFAULT). Any idea if there’s an xml file I could alter similar to the FOTA fix? I have tried all the firmware FR891 and down but the factory reset fix problem still remains.

    Or could I directly change the band priorities by downloading a backup, editing it, then restoring? I have looked through the cfg’s after extracting them and don’t see a place for band priorities.

    The only place I have found the band settings referenced via adb are at (/etc/default/configs/DEFAULT # strings mcfg_sw.mbn) when printed it shows a list of nv locations that refer to band preferences explicitly for example (/nv/item_files/modem/mmode/lte_bandpref), but I don’t know how to interact with the non volatile memory.

  8. Daniel

    The unlock code doesn’t work for me after generating it using the commands with my IMEI. I downloaded the 891 firmware from your link.

  9. Zach

    I am also not having any success with the password generated with sha1sum. BTW, I don’t see a “SIM settings” tab on the http://mobile.hotspot page so I just tried entering the generated password when clicking the “Settings” tab.
    I was able to get into the device with SSH though, is there perhaps a way to edit the config directly to do the SIM unlock?

    1. Chris B - Admin Post author

      Hmm, I wonder if it’s firmware version related then. Try updating the device and doing a factory reset. That should then hopefully expose the option in the Web Interface.

      1. Zach

        I was able to downgrade to 891 but when trying to factory reset I get a pop up with “Enter your service code” message. No idea what service code to enter. I tried both the IMEI based code and other passwords you called out in this page and none of that worked.

          1. Kurt

            Were you able to work around this? My firmware appears to be similar. Settings and additional pages behind a login page, the unlock code rejected as the password.

  10. Eric

    Hi,

    I downgraded to version 891, then used the command you provided. Every time after I execute the SSH command, it shows:
    {
    "msg": "OK",
    "result": "S_SAVE"
    }

    Then the device shows “Goodbye” and restart.
    And I still cannot connect via SSH.
    Do you know what’s wrong on my side?

  11. Lando

    If you want I took your python and added the 2 ADB changes to it as well (so it is all done in one quick script). Send me an email and I will get it to you.

  12. anthony kuhn

    How do I get the SIM unlock code? I would like to try with an AT&T SIM card. IMEI: REMOVED BY ADMIN. Can you get my code for me and email it to me? Thank you.

      1. anthony kuhn

        Where do I insert it to unlock it? Do I just put the other SIM inside, then go to the login page and put the code in there?

      2. CK

        Sir,

        I am having the same issue resolving the unlock code for my children’s device to work on our laptop via usb as it won’t work for wifi. Can you help as our school tech people have no idea and state the carrier unlock code is needed to switch the setting. Here is our IMEI ADMIN REMOVED Can you email or post our code?

        Thank you!

        CK

    1. Andrew

      My IMEI

      ADMIN REMOVED
      Please reply when you have it, thank you. I don’t know how to get the code and don’t want to mess up my PC trying to figure out how to get it.

  13. Tony

    Hi, I’d like to request for the unlock code too.
    this is the IMEI: ADMIN REMOVED

    Could you post or email me the unlock too? Thanks so much in advance.

  14. TCW

    Works beautifully to unlock! I was able to get the code through a Linux Machine since Mac didn’t have the sha1sum package (at least on Catalina). thanks!

    1. Erik

      On the Mac running Catalina, the command for sha1sum is shasum so the command is slightly changed to:

      export IMEI=YOURIMEIGOESHERE
      echo -n "${IMEI}simlock" | shasum | cut -c1-8

      Works perfectly.

  15. Tcppa

    Hello, my device version is 891
    After it is automatically updated, it keeps looping on the welcome interface when I turn it on.
    Is there a way to fix it?
    Thank you very much

    1. www

      Ugh same issue here. I thought I had everything perfect! Even got the TTL script added with scp copy and all was working for a full week. Woke up to Welcome screen bootloop this morning. Soft and hard reset don’t seem to work 🙁

  16. www

    Update – I got it to boot by taking out the SIM then a hard reset after it booted once. It looks like I auto-upgraded to version 1311, even though I followed Stefan’s guide for the TTL scripts which were working great before: https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab

    This has been really fun to tinker with BTW! But now I’m stuck understanding how to downgrade.

    To downgrade back to 891, what exactly am I uploading? I downloaded 891 .enc file from Mega, converted .enc to .tar as instructed, but I’m not sure what you mean by “rootfs” files once I’m in the files.

    And would I upload as a backup restore on IT admin, or as a firmware upgrade on webpst page?

    It seems like no one has resolved the blocking of updates though right?

    1. Chris B - Admin Post author

      For flashing between versions, just upload the original .enc file (don’t decrypt it!) on the firmware upgrade page. You can either use the webpst one, or the firmware update page found in the normal webUI under settings.

  17. Jay Fyre

    Has anyone been able to get diag mode working on this so we can talk to it with Qualcomm tools like QPST or QXDM? This device is using the Qualcomm MDM9207-0 so it should be possible.

    1. Jay Fyre

      Nevermind, I asked prematurely and just got my hands on the device. I now see that DIAG can be enabled from the following page: http://192.168.0.1/webpst/usb_mode.html

      This is a neat little device. Thanks to Chris for all the great info shared. And thanks to Stefan for the TTL script and info about stopping FOTA.

      1. Malias

        Hi, I’ve been trying to use QPST but it keeps blocking me requesting the SPC. Have you been able to get around this somehow?

  18. Jefferson

    I was having trouble following the unlock sim instructions like some others have mentioned in comments.
    This may help, when you navigate to the settings tab on the Web UI, a popup asks for the password. This is not the generated unlock key, but it is just “admin”.

    From here I had to set a new password then I was able get into the settings tab and view/change settings.

    Under Settings > Mobile Network > SIM – scroll down to Carrier Unlock and this is where you need to enter the generated unlock key. Right above mine now says Carrier Unlock Status: Unlocked

    1. Tom Smith

      No need to ruin a good thing.

      This was already referred to at the top of the article:
      “Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.”

  19. matt

    I booted one of these devices up, fresh out of box without installing the SIM card
    -rooted
    -carrier unlocked
    -modified the OTA upgrade script to not work and added TTL modification script
    -added APN for visible wireless and set it to active
    -shutdown / installed visible sim
    — it booted, connected, and ran very well.

    then — i inserted the stock tmobile test drive sim
    it booted and worked, connected…..did some testing…
    but it re-locked the carrier unlock status and did some kind of binding to make the hotspot only work with the tmobile sim.

    When i try to use a non-tmobile sim in this hotspot, it says “sim error” and the sim status shows locked.

    Has anyone else experienced this?
    I would recommend NOT using the test-drive SIM if you plan to work with this device and unlock it etc.
    I seem to remember previous test-drive sims doing a lock and binding the previous coolpad hotspots to only work with tmobile as well

    1. Anthony

      Did you use the hard reset button on the back of the unit after you unlocked the device? If so, it will need unlocked again. This drove me crazy for quite a while until I figured it out.

      Each time the hard reset button is used, the device will need unlocked again.

  20. Mark

    I’ve been trying to find where/how to edit APN settings that aren’t available in the web GUI. Could you please provide some guidance?

  21. NotReallyMyName

    Thank you!

    Generated and entered the unlock code and now my device is reporting “Unlocked”.

    Firmware version: R717F21.FR.1311

  22. Ben

    Anyone have any luck with ECM or RNDIS using the USB port? Seems to be 3 modes, but none of them work on any of my machines. Would like to use with a Watchguard Firewall as Failover ISP via USB.

    1. Ben

      Disregard, I had about 1/2 a dozen USB to microUSB cables that were all just charging cables (no data). after using the correct cable everything worked great.

  23. Aviv

    Thank you for sharing the information. It was easy to unlock, enable SSH and ADB. Just a question, is there any advantage to upgrade to a newer firmware beyond 891?

  24. rich

    This is super helpful, thank you for your work.

    I have a question, I’m reasonably technical but am not super fluent with everything done from the command line. So I’ve unpacked and edited the config to change the update URL and repacked everything into hotspot_cfg_packed.tar, how do I convert that back into the encrypted .bin file?

    My best guess was the following but it spit out an error on my macbook pro running MacOS 11:
    [email protected] hotspot % openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg_packed.tar -out hotspot_cfg.bin -k frkenc##[email protected]
    bad magic number

    Would appreciate any help and what the underlying issue is?

    Thanks in advance

    1. KYP

      You’re using the -d flag which is for decryption. Remove the -d flag when you’re re-encrypting it back into the .bin.

  25. Dexter

    Hi, I tried the above steps and generated the code; it shows the message below.

    Initial version was _891, later updated to FR.1311, but I am still getting the message below. Also tried to reset the device, but it didn’t work.

    Incorrect Unlock Code
    You will need to contact your service provider to get the unlock code.

  26. nelson h

    I unlocked it without any problem, thank you for all the information on this page.

    I plan to have this hotspot unattended far from home, is there a way to configure a DDNS ??

    thank you

  27. jPi

    Once you ssh into the device, you can a) change the password by using the passwd command. You can apply a blank password.

    You can generate the unlock code directly on the device — use this command (all 1 line)
    /var/volatile/www/htdocs/cgi-bin/webpst.imei_mac.cgi | awk '/imei/{printf( substr($2,2,15) "simlock")}'|sha1sum|cut -c1-8

  28. Ivan

    Perhaps i am missing something here. Device was unlocked easily. But I am not able to SSH due to the incorrect password ‘frk9x07’. How do i find real password for ssh? Other than that ssh problem, great forum. Thanks

  29. romesh

    This page is really helpful but I am still stuck at my problem. It seems my device bricked while getting the updates from tmobile. It’s not showing any Wi-Fi broadcast and reset keeps showing “Factory reset Restarting Now”. I logged in to webpst and uploaded R717F21.FR.1312 but after 1-2 minutes while writing it, it is showing me upgrade failed. Hidden menu showing web version FR.1312. Is there any way to re-install 1312 or 891 via openssl? Or any other way to reset?
    Thanks

  30. ERic

    Hmm somehow my hotspot did OTA and was bricked, LCD gets stuck at WELCOME message and never even starts up the hotspot. Any ideas on how to reflash/reset?

  31. Andy

    where to download 891 to downgrade ? Mine got updated to 1131 and I could not enable SSH. By the instruction, how do I run ty-enable-ssh.py to enable ssh for 891+ ?

    1. jPi

      Have to load Python on your computer; then save the T9’s configuration (from the menu) to a file on your PC; run python ty-enable-ssh.py hotspot_config.bin, which will generate a new config file. Then upload it back to the hotspot.

  32. Erik

    Awesome work. I see the engineering and other passwords plainly visible in multiple places…what a convenient mess! Do you have any insight into the configurations loaded through the “Change Target” menu? I was thinking of making a universal configuration to load in it, as I see that using the unbranded ‘Default’ breaks things like the ability to enter the SIM unlock code, however I haven’t found where the other configurations are stored to use as an example.

    The hidden menu also has a disabled debranding page (among others) but navigating to it shows that the corresponding cgi (and perhaps the files that debranding would want) are missing, at least at a glance.

    I wonder why accessing factory reset menu in webPST calls for the SPC?

    1. Jay Fyre

      Different config settings are loaded from /etc/default/configs/*
      It may be possible to just add your own there in a new folder?

      The unbranded, Franklin and SKT configs don’t actually set a SIM_LOCK like the TMO/Sprint configs do which might be why the option to unlock the SIM goes away. I haven’t tested if the lock itself goes away when switching to those configs. Since the original config is TMO (with lock set), the SIM_LOCK NV value may be sticking despite the new unbranded/SKT/etc configs not using a SIM lock. And if set to unbranded/SKT from factory… then the TMO/Sprint SIM_LOCK NV setting never gets set and there’s never a SIM LOCK to remove.

      And the reason the SIM LOCK comes back after a factory reset is because the TMOBILE config gets rewritten.. which then rewrites the SIM LOCK NV value.

      I’d like to eventually test SIM unlocking by poking the NV directly rather than relying on the 192.168.0.1 pages.. just to figure out how to clear it out of the NV properly. The SIM_LOCK NV value set by TMO/Sprint is: 00 02 00 65 00 00 36 01 a0 00 36 01 c8 00 36 01 d2 00 36 01 dc 00 36 01 e6 00 36 01 f0 00 36 01 fa 00 36 01 04 01 36 01 0e 01 36 01 2c 01 36 01 36 01 36 01 ea 01 36 01 12 02 36 01 4e 02 36 01 80 02 36 01 94 02 36 01 20 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d3 00 00 00 0a 00 00 00

      May just be as simple as zeroing it out to remove the lock… not sure yet.

    2. Dre

      Take a look at the configuration folders:
      /etc/default/configs/

      Also the following file:
      /usr/bin/change_carrier.sh

      This might help with the custom builds.

  33. Romesh

    My auto upgrade stuck and now only seeing blinking led. Tried upgrading/downgrading ENC file but after 62%, it’s throwing Firmware failed error. SSH is not enabled. Is there any way to rewrite the firmware? Please help, Seems my device is bricked.

  34. natthawk

    This is awesome! I had played around with it a few months ago and managed to gain root access and unlock the SIM on my own through a bit of trial and error. I never reached this level of reverse-engineering, though!

  35. Chris

    Is there a way to put the T9 into “bridge mode” /firewall-less or a mode that I can put my own NATing router /firewall behind the T9 tethered via USB? So I’m not double NATing.

  36. natthawk

    Hmm… is FR891 using a debug kernel?
    This is what I see in /var/log/dmesg
    [ 0.000000] **********************************************************
    [ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
    [ 0.000000] **
    [ 0.000000] ** trace_printk() being used. Allocating extra memory.
    [ 0.000000] **
    [ 0.000000] ** This means that this is a DEBUG kernel and it is
    [ 0.000000] ** unsafe for produciton use.
    [ 0.000000] **
    [ 0.000000] ** If you see this message and you are not debugging
    [ 0.000000] ** the kernel, report this immediately to your vendor!
    [ 0.000000] **
    [ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
    [ 0.000000] **********************************************************

    Why would this be? This keeps getting more interesting…

    1. natthawk

      If you haven’t yet set up a password, the default for the interface is user:admin and password:admin. If that doesn’t work, just factory reset and try again, because that will set it back to the default admin:admin credentials.

      1. tdi200

        hey bud thanks for reply indeed you were right, as when i opened the link it asked me for password which was “admin”

        you will need access to a Linux or Mac terminal or Windows 10 running WSL. i was able to get the unlock code using this free terminal link= https://cocalc.com/doc/terminal.html

        On the terminal type:

        export IMEI=YOURIMEIGOESHERE

        echo -n "${IMEI}simlock" | sha1sum | cut -c1-8

        It should give you your unlock code.

        and then go to http://mobile.hotspot/settings/mobile_network-sim.html under “Carrier Unlock” to unlock it (remember your laptop/pc needs to be connected to the Franklin T9)

  37. JRocket

    For anyone having issues with it auto updating/boot looping: take your sim out, restart it, downgrade back to 891, factory reset it, unlock, change your target in the engineering menu to TMOBILE_GCF, reset device again, and when you try to update it says you’re on the latest version 891.

    I believe you can also stop the OTAs through a config; I just didn’t have the ability/time to do so, so I found this temp fix.

    You lose 3 sprint bands this way but since I have an ATT sim in it it’s not a big deal.

  38. holocron

    Crap…forgot what I set the “admin” password that defaults to “admin” to when I did this. Is there a way to force change it via one of the DEV pages? Guess I need to factory reset and redo the unlock otherwise.

      1. Holcoron

        Sadly, I can’t get root password to work. Maybe I’m still doing something wrong but I tried to login via root with Putty.

      1. Matthew

        Thank you very much for your contributions. If possible, could you modify the page so we can edit the TTL easily?

  39. Holocron

    Question about the firmware:

    I am still on the “stock” 891 firmware. Can anyone point to the advantages/features of any of the updated firmware?

  40. Jim

    I can make AT&T LTE work on firmware 891, but not 1131 (1131 always says SIM error). So I revert back to 891.

    If anyone knows how to make AT&T sim acceptable by 1131 firmware please let me know. Thanks.

  41. jeff

    1. This morning I inserted my T-Mobile SIM and suddenly it worked and let me connect over Wi-Fi into the system, and I immediately flashed the 891 firmware successfully.

    However,

    2. When I tried to unlock it again manually like I did last time, it said my unlock code is incorrect, though I double checked that it was the correct one that I used successfully last time. Looks like T-Mobile did something to the unlock mechanism.

    Can someone help figure out how to unlock it again?

    Bests,
    Jeff

  42. jacob

    All this information has proven very useful and educational. Thank you for all your effort in sharing it. Using the T-Mobile T9 (Franklin Wireless R717), I noticed that if your firmware is higher than 891, activating SSH through the hidden menu is not possible. I rolled mine back from 1131 to 891 and had no issues activating SSH in the hidden menu.

  43. PandaDeng

    Thank you Chris and everyone involved.
    I got everything all setup and working.

    I got this device for creating a hotspot in my car so that my Android headunit can connect to it and use it for Spotify and Google Maps.

    I found out that the device works without the battery if plugged in which is great for keeping in a car that can get really hot in the summer.

    I really want the T9 to auto turn on whenever it's plugged in (car turned on) without me turning it on manually.
    You guys think there’s a way to do this? Software or Hardware mod.

  44. Scott

    Is there a way to view signal level info like RSRP, RSRQ, SNR?

    Doing the test drive and I’d like to have better info to look at, not just a five bar “it’s fine” indicator.

  45. Trent

    Has anyone figured out how to display arbitrary text on the LED screen?

    Also, I’m thinking of writing a little script that changes the APN after boot depending on the ICCID.

  46. Eric

    Hey Chris,

    I’m wanting to use one of the backup config files as a template to change SSID, password, device limit, etc. Is this possible to do, and if so how do I actually get into the directory? I’ve downloaded a copy of the config file now as a backup, but the ssl commands aren’t working.

    Thanks in advance!!

  47. Mehhish

    I cannot use any other sim card other than the one that comes with the device on the latest firmware. Even the modded latest firmware. It’ll only work if I downgrade to 891.

    Also, I had a blast modding this device!

      1. Chris B - Admin Post author

        As mentioned earlier, I will not be generating codes for people and I will be censoring any IMEIs posted. Please read through the comments; there are multiple documented ways to generate your own unlock code.

  48. Alex

    Hello Guys,

    Need help!

    I have my Franklin T9 device bricked. It was updating software when I dropped it and the battery came out causing the device firmware update to fail.

    Now the device is switching on but nothing is working. The mobile.hotspot page is working but no information is available on the page. Same with hidden and webpst. I did try to force firmware to the device using the webpst page but it failed. The IT admin page is asking for a password but the one provided here is not working. So I am unable to load the .cfg file.

    Any help is appreciated.

    Thanks

    1. Eric

      Have you tried resetting to factory default? If not, pop off the back cover and hold down the reset button while the device is on. Also see some of the above comments about resetting a brick.

  49. Eric

    I need some help repackaging the config file. I’ve tried to just walk it back through the command prompt after successfully unpacking everything, but when I attempt to restore from the backup it fails. I have a feeling the problem is with the way I’m re-encrypting the .tar file. Steps below:

    – Edit XML config file
    – In command prompt:
    $ tar cf [hotspot_cfg.tar] [data]
    $ tar cf [hotspot_cfg] [hotspot_cfg_2] <— this includes hash/model/hotspot_cfg.tar
    $ openssl enc -aes-128-cbc -md md5 -in hotspot_cfg.tar -out hotspot_cfg.bin -k frkenc##[email protected]

    I've seen Chris' comment about the python script and have looked through it, but I'm not very familiar with python. Any help with this would be greatly appreciated.
