I recently acquired a T-Mobile T9 mobile hotspot from a friend who used it with their Test Drive program, and like I do with most embedded devices I poked around. This thread will go over my software findings, and will give you the information needed to gain root access and SIM Unlock the device.
NOTE: I am not responsible for any damage done to your T-Mobile Hotspot. Proceed at your own risk. Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.
OTAs
The OTA system on the device is very simplistic. It phones home to the following URL, with the following syntax:
https://fota.pintracview.com/fota/T9/check_update.php?carrier=<CARRIER>&rev=<CURRENTVERSION>&imei=<IMEI>
So for example, my T9 was reporting to check_update.php?carrier=tmobile&rev=891 when it was on firmware revision R717F21.FR.891. Manually calling this URL with any outdated revision will link you to the latest OTA file, which is a .enc
Thankfully, these .enc files are very easy to extract. If you are on a newer version of OpenSSL, you can extract this OTA using the following command:
openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##[email protected]This will then provide you with a .tar file, which contains a file named ota_update_all.zip which has a copy of the rootfs files. On this device, all OTAs are full image releases, so you can upgrade and downgrade as you please using the web interface. As for the decryption key, I extracted this from the binary at /usr/bin/fota_app. I was also able to start a collection of firmwares, including an unreleased update. You can access these OTA files from this Mega Share.
As for the OTA zip, from what it looks like it is unsigned so you may be able to modify it and have it apply, but this has not been tested.
Config File
Once nice thing about this device is you can enable SSH, ADB, and other hidden goodies by simply generating a configuration backup, modifying it, and uploading it back to the device. As for the configuration backup itself, you can convert it from it’s .bin format to it’s true form, a .tar.gz, using the commands below:
openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##[email protected]
mkdir hotspot_cfg_packed
tar xf hotspot_cfg_packed.tar -C ./hotspot_cfg_packed
cd hotspot_cfg_packed
mkdir hotspot_cfg_packed_2
tar xf hotspot_cfg.tar -C ./hotspot_cfg_packed_2As you can see, the configuration dump is actually aes-128-cbc encrypted, and contains nested tar.gz files. You can now modify the configuration as you wish, repackage it, and re-upload it.
SSH
During my research it was found that SSH can be enabled on this device, and once enabled, you can login as the root user. If you are on a firmware version 891 or below, you can run the following command to quickly enable SSH.
curl "http://192.168.0.1/cgi-bin/webpst.service_setting.cgi" \
-H "Content-Type: application/json" \
-H "Origin: http://192.168.0.1" \
-H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
--data '{"command":"save","params":null,"data":{"ssh":"on","tether":"","bridge":""}}' \
--insecureNote that if your firmware is above version 891, then to enable SSH you will need to modify the Config File. If you want, I have created a basic python script that can do this for you, which is available on GitHub. Just note it requires OpenSSL 1.1.0 or newer, and is only tested on Ubuntu 18.04.
As for logging in over SSH, I was able to discover the root SSH password for these devices is frk9x07. Sadly, the engineers at Franklin Wireless only used a descrypt (DES) key for the device, which hashcat was able to crack within seconds using my GTX 1080.
ADB
As a bonus, you can enable an ADB shell that drops you right to a root prompt without any password! Note this seems to work on firmware version 891 and below, but it may not work on newer firmwares.
curl "http://192.168.0.1/cgi-bin/webpst.usb_mode.cgi" \
-H "Content-Type: application/json" \
-H "Origin: http://192.168.0.1" \
-H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
--data '{"command":"save","params":null,"data":{"usb_mode":"902D"}}' \
--insecureOn newer OTAs, you can still enable ADB but it needs to be done manually from the /data/configs/mobileap_cfg.xml file. This is done by updating the UsbMode setting value from 9025 to 902D, saving, then rebooting the device. Note you also may need to replace the contents of /data/configs/hsusb_next with 902D as well.
Hidden Web Pages
During my digging around the device I found a handful of hidden pages, which were secured by plain text passwords that were statically built into binaries. Below you can find the pages I found, as well as where I found the passwords for said pages.
- Hidden Configuration Pages
- http://192.168.0.1/hidden/
- http://192.168.0.1/webpst/
- Password: [email protected]
- Password was extracted from /var/volatile/www/htdocs/cgi-bin/login.cgi
- IT Admin Page
- http://192.168.0.1/itadmin/
- Password: [email protected]
- Password was extracted from /var/volatile/www/htdocs/cgi-bin/logi
- http://192.168.0.1/itadmin/
- Hidden Engineering Page
- http://192.168.0.1/engineering/franklin/
- Username: r717
- Password: frkengr717
- User and Password were extracted from /etc/pwlighttpd
- Note: On firmwares newer than 891, you need to first run the following as root before you can access the engineering pages.
/usr/bin/copy_htdocs.sh eng
- http://192.168.0.1/engineering/franklin/
SIM Unlock
While exploring the binary at /usr/bin/QCMAP_Web_CLIENT, I accidentally stumbled upon the logic used to SIM Unlock the device. To generate your SIM unlock code, just use the following below in any Linux or Mac Terminal.
export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | sha1sum | cut -c1-8In the above, replace YOURIMEIGOESHERE with the IMEI number of the T9 Hotspot. Once done, you can enter the generated code into the Web UI to unlock the device for all SIM cards.
Conclusion
Hands down, this has to be one of my favorite IoT devices I have had the pleasure of playing with. I appreciate the fact that Franklin Wireless put minimal effort into securing the device since it makes for a great platform to build on top of. If anyone at Franklin Wireless is reading this, I recommend the following changes to help secure your devices.
- Don’t store passwords in plain text in your binaries. Use sha256 or md5+salt, or some other method.
- Please don’t allow your “hidden pages” to have password prompts skipped by modifying the browser’s HTML rendering. This is just sloppy, and is how I was able to get ADB access to start my research. Either having them locked down using lighttpd, or having a completely separate auth page that is properly hardened is my recommendation.
- Don’t use DEScrypt linux passwords. The time it took me to crack the hash was less than 10 seconds. md5crypt at a MINIMUM, and sha1 if you want to get a bit fancier. Also, make the password longer than 8 characters to help reduce the chance of a successful bruteforce.
- If you need to have ADB, Jail it down. Another T-Mobile hotspot I have allows for ADB, but it runs as a non-existent UID so you can barely view the filesystem. Something like this would probably be a safer bet.
- Move to incremental OTAs, and SIGN THEM CORRECTLY. Most android OTAs use certs for OTA authentication. Also, implement rollback protection and disable the ability for users to upload OTAs.
2021 Update
It appears that in the latest 2602 update, a good chunk of my recommendations above were incorporated. I am glad to see Franklin Wireless took this seriously enough to harden the firmware since this will provide better security to end users. Note that at this time there is no downgrade path but if I find anything expect to see a followup blog post.
I just have to say this is wonderful timing! I just got the T9 test drive device and found your post researching how to bandlock with it. I somehow softbricked it, but holding down the reset button with the cover off while it was powered up did the trick.
Some peculiarities I’ve noticed, after rolling back the firmware to FR.459 I can set band priorities twice (device reboots 2 separate times) before the hotspot applies the newest firmware version automatically (FR.M1311) without my prompting. Fortunately the new band priorities aren’t overwritten, but it worries me that in the future they may implement some kind of rollback protection as you suggest. Any ideas on how to stop it from auto updating/phoning home?
Thanks!
Easiest way to prevent rollback would be to disable the OTA engine and change the URL it points to. This can be done by editing the configuration file at /data/configs/mobileap_cfg.xml and do changes similar to what I have documented at https://gist.github.com/riptidewave93/fc88a7de97abea669bd2d790a1df4c0a
So I made this edit and they pushed the latest firmware anyways. After I reverted back to 891, my edit was still there. Any other ideas for preventing the OTA from happening?
The device needs to be rebooted after the change is made for it to apply, otherwise the changes won’t get picked up by the running process.
As for another method, in theory you could also kill the process for fota_app, and replace /usr/bin/fota_app with a bash script with an infinite loop and sleep.
I simply renamed /etc/rc5.d/S99fota to prevent it from starting. Seems to work ok so far.
I have a Windows/DOS background, not linux.
Can you give me the procedure to “kill the process for fota_app, and replace /usr/bin/fota_app with a bash script for an infinite loop and sleep”?
I am connected as root via SSH and I am in the /usr/bin/fota_app directory.
Thank you. The unlock code worked!!! but I unzipped the OTA files and got tar files that I couldn’t open With and archive extractor 7-Zip WinZip etc
alert(‘Mallory found the XSS!’);
Thank you so much for writing this. Lots of fun options to play with on this device. One thing I’d like to do is to make a set of iptables/ip6tables rules for TTL mangling permanent – have you discovered any way to write these to the /data partition in a way that they’d get executed on every boot? Or do I need to go figure out how to build a firmware image? Just to share, here are the rules I’m playing with:
export TTL=66
export INTERFACE=rmnet_data0
ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL –hl-set $TTL
ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL –hl-set $TTL
iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL –ttl-set $TTL
iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL –ttl-set $TTL
I have this working via ssh (by the way, the ssh option in engineering settings worked for me on 891).
Thanks!
For what it’s worth, the rootfs is actually read/write on this device so you can setup your own /etc/init.d script and that in theory should do the trick.
Put a script together, and instructions. Here it is:
https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab
is there any code generator for this Tmobile T9 or franklin R717
if si so please contact me
What would be the purpose of TTL modification on a dedicated hotspot device like this, since devices are designed to be tethered to it anyway?
Is there an ability to root this device and trick it into tethering unlimited from a tmobile phone line sim ? I am using a phone sim with 10 GB hotspot with no issue but to be capped at 50 GB would be nice.
Nope since that is all locked on the network side. If you want more data, you can always setup a data line on the device with T-Mobile.
Has anyone found an easy way to send AT commands to the modem? I dug a little bit but haven’t had any luck.
I cant not get the unlock code for sim lock.
The method documented will work. Please make sure your running the terminal command correctly, and on a Linux or MacOS terminal. It will not work on Windows.
Do you recall were you enter the unlock code? I was able to generate an unlock code, and pretty much everything else you discovered was very helpful. Thank you!
Matthew
It is in the normal WebUI (non of the hidden pages) under SIM settings.
Is the SIM unlock page available only after your root it?
Actually, you can do it from Windows if you have WSL installed, aka Windows Subsystem for Linux. That’s how I generated my unlock code.
How do you connect to it, via the WIFI, then use something like Putty on Windows??
Connect to the hotspot via wifi, then browse to its webUI by typing 192.168.0.1 – you won’t need to use Putty to enter the unlock code, as there’s a field in the webUI to enter it.
I used a terminal emulator on an Android phone to generate the unlock code, connected to the hotspot on the same phone and entered the code. Easy.
Would you happen to recall what WebUI was used to enter the sim unlock code? I thought I looked through all of them, but I do not recall seeing it.
Thanks!
I have a few of these, and it occurred to me that it shouldn’t be hard to make this work as a wifi extender or repeater bridge. anyone willing to writes script to set it up?
What other carriers availble after sim unlock ? Anyone tested this with other att sim cards ?
I have been in contact with someone using AT&T via the (Engineering>Change target>DEFAULT) setting, I am using Sprint with the same setting.
I can use AT&T 4G LTE with TMobile target as well. I do need to change the IMEI of the device to mimic an AT&T compatible device to get the LTE, otherwise, it can only connect to 3G.
I can get 4G LTE using one of my TMobile voice lines but it registers as “unknown device” on the TMO website. Is this an issue that could spark further review and if so how do I fix it?
btw, the website does show the updated imei
I was wondering.. if I can unlock it and I have access to its terminal/shell, could I use it as a regular wifi hotspot device? I want to boost the range of the wifi at my house for my IoT devices so I can isolate their network.
Possibly but the device was not built for this, so you would be in uncharted territory.
I am able to use the hotspot with sprint now, but have been unable to get the band priority table in hidden>Lte menu area to populate. Is there a way to force this menu to populate?
Before when using stock target (Engineering>Change target>TMOBILE) I had experienced this bug but it was fixed by factory resetting, unfortunately this doesn’t seem to work when my target is set to (Engineering>Change target>DEFAULT). Any idea if there’s an xml file I could alter similar to the FOTA fix? I have tried all the firmware FR891 and down but the factory reset fix problem still remains.
Or could I directly change the band priorities by downloading a backup, editing it, then restoring? I have looked through the cfg’s after extracting them and don’t see a place for band priorities.
The only place I have found the band settings referenced via adb are at (/etc/default/configs/DEFAULT # strings mcfg_sw.mbn) when printed it shows a list of nv locations that refer to band preferences explicitly for example (/nv/item_files/modem/mmode/lte_bandpref), but I dont know how to interreact with the non volatile memory.
can you write a guide for this? would like to use this with my sprint sim
The unlock code doesnt work for me after generating it using the commands with my imei i downloaded the 891 firmware from ur link
On macOS (Catalina) and making sure that openssl was updated, I was able to generate the SIM unlock code in terminal with the command below (changing sha1sum to shasum)
echo -n “${IMEI}simlock” | shasum | cut -c1-8
The code generated successfully SIM unlocked my T9 with firmware R717F21.FR.M1311
Hope this helps.
me podes ayudar con la generación del código para el desbloque no tengo Mac ni Linux
Please read through the comments, there are multiple different methods available to generate an unlock code.
I am also not having any success with the password generated with sha1sum. BTW, I don’t see a “SIM settingss” tab on the http://mobile.hotspot page so I just tried entering the generated password when clicking the “Settings” tab.
I was able to get into the device with SSH though, is there perhaps a way to edit the config directly to do the SIM unlock?
Hmm, I wonder if it’s firmware version related then. Try updating the device and doing a factory reset. That should then hopefully expose the option in the Web Interface.
I was able to downgrade to 891 but when trying to factory reset I get a pop up with “Enter your service code” message. No idea what service code to enter. I tried both the IMEI based code and other passwords you called out in this page and none of that worked.
Ok, I found another way to do factory reset from http://192.168.0.1/engineering/franklin/. But after it rebooted still the same issue – I click on the “Settings” tab and I get prompted for a password and when I type in the one from sha1sum it fails.
Were you able to work around this? My firmware appears to be similar. Settings and additional pages behind a login page, the unlock code rejected as the password.
Hi,
I downgrade to 891 version, then use the command you provided, everytime after i excute the SSH command, then shows:
{
“msg”: “OK”,
“result”: “S_SAVE”
}
Then the device shows “Goodbye” and restart.
And I still cannot connect via SSH.
Do you know what’s wrong on my side?
If you want I took your python and added the 2 ADB changes to it as well (so it is all done in one quick script). Send me an email and I will get it to you.
how do i get the sim unlocked code would like to try with att sim card imei REMOVED BY ADMIN can you get my code for me and email it to me thank you.
I removed your IMEI for privacy reasons, but your unlock code should be 4b3cce62
were do i want to insert it at to unlock it do i just put the other sim inside then goto the iogin page and put the code in there.
Can u get my code for me also.
Sir,
I am having the same issue resolving the unlock code for my children’s device to work on our laptop via usb as it won’t work for wifi. Can you help as our school tech people have no idea and state the carrier unlock code is needed to switch the setting. Here is our IMEI ADMIN REMOVED Can you email or post our code?
Thank you!
CK
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
That works like magic. I was able to unlock my T-Mobile test drive Franklin T9 I bought on eBay, but when I submit the IMEI to Sprint for activation, it says the device cannot be activated on their network, even though Sprint offers the T9 for $90. Apparently the IMEI is blacklisted. Is their any way I can get the device activated on Sprint?
Sir,
All this time later and I can’t figure out how to get the unlock code. Can you please help me? Thank you!!
Can u give me my unlock code for mine also?
My IMEI
ADMIN REMOVED
Please reply when u have it thank you I dont know how to get the code and dont want to mess up my pc trying to figure out how to get it.
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Hi, I’d like to request for the unlock code too.
this is the IMEI: ADMIN REMOVED
Could you post or email me the unlock too? Thanks so much in advance.
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Works beautifully to unlock! I was able to get the code through a Linux Machine since Mac didn’t have the sha1sum package (at least on Catalina). thanks!
On the Mac running Catalina, the command for sha1sum is shasum so the command is slightly changed to:
export IMEI=YOURIMEIGOESHERE
echo -n “${IMEI}simlock” | shasum | cut -c1-8
Works perfectly.
This fiddle ought to generate the same codes, if people aren’t able to figure out how to grab it from the command line: https://jsfiddle.net/4zds6531/
Thank you so much! This worked great!
Thanks I worked all day never could get it….. you are the man……
Merci beaucoup !
I had tried running it on MacOS 11.3.1, FreeBSD 11, and Ubuntu 18.04 with different results each time.
@Chris B @Stefan In http://192.168.0.1/webpst/, there is a “FOTA Test” section to change the FOTA server path. Any idea if changing this will prevent automatic OTA updates? Cheers
It should, yes.
Hello, my device version is 891
After it is automatically updated, it keeps looping on the welcome interface when I turn it on.
Is there a way to fix it?
Thank you very much
Hmm have you tried using the reset button on the back of the device to reset it?
Lucky, reset it
Works good now.
Ugh same issue here. I thought I had everything perfect! Even got the TTL script added with scp copy and all was working for a full week. Woke up to Welcome screen bootloop this morning. Soft and hard reset don’t seem to work 🙁
take the sim card out and let it boot up.
Update – I got it to boot by taking out the SIM then a hard reset after it booted once. It looks like I auto-upgraded to version 1311, even though I followed Stefan’s guide for the TTL scripts which were working great before: https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab
This has been really fun to tinker with BTW! But now I’m stuck understanding how to downgrade.
To downgrade back to 891, what exactly am I uploading? I downloaded 891 .enc file from Mega, converted .enc to .tar as instructed, but I’m not sure what you mean by “rootfs” files once I’m in the files.
And would I upload as a backup restore on IT admin, or as a firmware upgrade on webpst page?
It seems like no one has resolved the blocking of updates though right?
For flashing between versions, just upload the original .enc file (don’t decrypt it!) on the firmware upgrade page. You can either use the webpst one, or the firmware update page found in the normal webUI under settings.
Has anyone been able to get diag mode working on this so we can talk to it with Qualcomm tools like QPST or QXDM? This device is using the Qualcomm MDM9207-0 so it should be possible.
Nevermind, I asked prematurely and just got my hands on the device. I now see that DIAG can be enabled from the following page: http://192.168.0.1/webpst/usb_mode.html
This is a neat little device. Thanks to Chris for all the great info shared. And thanks to Stefan for the TTL script and info about stopping FOTA.
Hi, I’ve been trying to use QPST but it keeps blocking me requesting the SPC. Have you been able to get around this somehow?
Hmm, 000000 is not working?
I’m having the same issue. Have you tried?
Is there a change log for the firmware? I am on 891 and want to see if I should update the firmware or not
I was having trouble following the unlock sim instructions like some others have mentioned in comments.
This may help, when you navigate to the settings tab on the Web UI, a popup asks for the password. This is not the generated unlock key, but it is just “admin”.
From here I had to set a new password then I was able get into the settings tab and view/change settings.
Under Settings > Mobile Network > SIM – scroll down to Carrier Unlock and this is where you need to enter the generated unlock key. Right above mine now says Carrier Unlock Status: Unlocked
I figured out how to do some IMEI magic on the T9!!! I’m making a guide and posting it in a few days.
No need to ruin a good thing.
This was already referred to at the top of the article:
“Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.”
Would be interested in what you found out; mind sending an e-mail (please do not remove, this is a temp/throw away e-mail)? Address is [email protected]
I booted one of these devices up, fresh out of box without installing the SIM card
-rooted
-carrier unlocked
-modified the OTA upgrade script to not work and added TTL modification script
-added APN for visible wireless and set it to active
-shutdown / installed visible sim
— it booted, connected, and ran very well.
then — i inserted the stock tmobile test drive sim
it booted and worked, connected…..did some testing…
but it re-locked the carrier unlock status and did some kind of binding to make the hotspot only work with the tmobile sim.
When i try to use a non-tmobile sim in this hotspot, it says “sim error” and the sim status shows locked.
Has anyone else experienced this?
I would recommend NOT using the test-drive SIM if you plan to work with this device and unlock it etc.
I seem to remember previous test-drive sims doing a lock and binding the previous coolpad hotspots to only work with tmobile as well
Did you use the hard reset button on the back of the unit after you unlocked the device? If so, it will need unlocked again. This drove me crazy for quite a while until I figured it out.
Each time the hard reset button is used, the device will need unlocked again.
I’ve been trying to find where/how to edit APN settings that aren’t available in the web GUI. Could you please provide some guidance?
I’ve been digging through the decrypted ROMs and a decrypted settings backup with no luck.
Just go to http://192.168.0.1/settings/mobile_network-apn.html and click on “add”.
Thank you!
Generated and entered the unlock code and now my device is reporting “Unlocked”.
Firmware version: R717F21.FR.1311
Anyone have anyluck with ECM or RNDIS using the USB port? Seems to be 3 modes, but none of them work on any of my machines. Would like to use with a Watchguard Firewall as Failover ISP via USB.
Disregard, I had about 1/2 a dozen USB to microUSB cables that were all just charging cables (no data). after using the correct cable everything worked great.
Can someone do a guide on how to modify the TTL? I saw the instructions and enabled SSH but got lost on part 3. Thanks!
Thank you for sharing the information. It was easy to unlock, enable SSH and ADB. Just a question, is there any advantage to upgrade to a newer firmware beyond 891?
This is super helpful, thank you for your work.
I have a question, I’m reasonably technical but am not super fluent with everything done from the command line. So I’ve unpacked and edited the config to change the update URL and repacked everything into hotspot_cfg_packed.tar, how do I convert that back into the encrypted .bin file?
My best guess was the following but it spit out an error on my macbook pro running MacOS 11:
[email protected] hotspot % openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg_packed.tar -out hotspot_cfg.bin -k frkenc##[email protected]
bad magic number
Would appreciate any help and what the underlying issue is?
Thanks in advance
Hello Rich,
I recommend looking at the python script linked under the SSH section, since it helps show the process in which to repackage a configuration dump.
Hello do you think you could look into the t9 no longer being able to be downgraded on 2602
You’re using the -d flag which is for decryption. Remove the -d flag when you’re re-encrypting it back into the .bin.
Hi Tried above steps , generated the code it says below message .
Initial version was _891 , later updated to FR.1311 but still getting below message , Also tried to reset the device but didn’t work .
Incorrect Unlock Code
You will need to contact your service provider to get the unlock code.
Can you downgrade the firmware. I thought I saw that was relatively easy. Just grab off the mega site in the OP.
I tried but that didn’t work either
I unlocked it without any problem, thank you for all the information on this page.
I plan to have this hotspot unattended far from home, is there a way to configure a DDNS ??
thank you
Once you ssh into the device, you can a) change the password by using the passwd command. You can apply a blank password.
You can generate the unlock code directly on the device — use this command (all 1 line)
/var/volatile/www/htdocs/cgi-bin/webpst.imei_mac.cgi | awk ‘/imei/{printf( substr($2,2,15) “simlock”)}’|sha1sum|cut -c1-8
You get that guide yet?
Perhaps i am missing something here. Device was unlocked easily. But I am not able to SSH due to the incorrect password ‘frk9x07’. How do i find real password for ssh? Other than that ssh problem, great forum. Thanks
My bad, i mistyped command. Should be ssh [email protected].0.1 then provided password works. Thanks
You have to type in terminal [email protected]
This page is really helpful but still I am stuck at my problem. It seems my device bricked while getting the updates from tmobile. It’s not showing any Wi-Fi broadcast and reset is keep showing “Factory reset Restarting Now” I logged in to webpst and uploaded R717F21.FR.1312 but after 1-2 minutes while writing it, it is showing me upgrade failed. Hidden menu showing web version FR.1312. Is there any way to do re-install 1312 or 891 via openssl? or any other way to reset?
Thanks
Hmm somehow my hotspot did OTA and was bricked, LCD gets stuck at WELCOME message and never even starts up the hotspot. Any ideas on how to reflash/reset?
Same issue with my device. Please keep me posted if you find any solution.
Remove the SIM card and reboot it.
This works, thanks
where to download 891 to downgrade ? Mine got updated to 1131 and I could not enable SSH. By the instruction, how do I run ty-enable-ssh.py to enable ssh for 891+ ?
https://mega.nz/folder/FJ8wWYAJ#Q1oUEtIUJrtjB1atkOAXrA
have to load Python on your computer; then save the T9’s configuration (from the menu) to a file on your PC; run python ty-enable-ssh.py hotspot_config.bin, which will generate a new config file. ten upload it back to the hotspot.
Awesome work. I see the engineering and other passwords plainly visible in multiple places…what a convenient mess! Do you have any insight into the configurations loaded through the “Change Target” menu? I was thinking of making a universal configuration to load in it, as I see that using the unbranded ‘Default’ breaks things like the ability to enter the SIM unlock code, however I haven’t found where the other configurations are stored to use as an example.
The hidden menu also has a disabled debranding page (among others) but navigating to it shows that the corresponding cgi (and perhaps the files that debranding would want) are missing, at least at a glance.
I wonder why accessing factory reset menu in webPST calls for the SPC?
There’s also a 100 firmware if you use the vendor franklin.
Different config settings are loaded from /etc/default/configs/*
It may be possible to just add your own there in a new folder?
The unbranded, Franklin and SKT configs don’t actually set a SIM_LOCK like the TMO/Sprint configs do which might be why the option to unlock the SIM goes away. I haven’t tested if the lock itself goes away when switching to those configs. Since the original config is TMO (with lock set), the SIM_LOCK NV value may be sticking despite the new unbranded/SKT/etc configs not using a SIM lock. And if set to unbranded/SKT from factory… then the TMO/Sprint SIM_LOCK NV setting never gets set and there’s never a SIM LOCK to remove.
And the reason the SIM LOCK comes back after a factory reset is because the TMOBILE config gets rewritten.. which then rewrites the SIM LOCK NV value.
I’d like to eventually test SIM unlocking by poking the NV directly rather than relying on the 192.168.0.1 pages.. just to figure out how to clear it out of the NV properly. The SIM_LOCK NV value set by TMO/Sprint is: 00 02 00 65 00 00 36 01 a0 00 36 01 c8 00 36 01 d2 00 36 01 dc 00 36 01 e6 00 36 01 f0 00 36 01 fa 00 36 01 04 01 36 01 0e 01 36 01 2c 01 36 01 36 01 36 01 ea 01 36 01 12 02 36 01 4e 02 36 01 80 02 36 01 94 02 36 01 20 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d3 00 00 00 0a 00 00 00
May just be as simple as zeroing it out to remove the lock… not sure yet.
The configurations are stored in: /etc/default/configs
Take a look at the configuration folders:
/etc/default/configs/
Also the following file:
/usr/bin/change_carrier.sh
This might help with the custom builds.
My auto upgrade stuck and now only seeing blinking led. Tried upgrading/downgrading ENC file but after 62%, it’s throwing Firmware failed error. SSH is not enabled. Is there any way to rewrite the firmware? Please help, Seems my device is bricked.
Thanks Chris, your work is awesome! After unlocked and added APN, I can use my Verzion sim to enjoy LTE.
This is awesome! I had played around with it a few months ago and managed to gain root access and unlock the SIM on my own through a bit of trial and error. I never reached this level of reverse-engineering, though!
Is there a way to put the T9 into “bridge mode” /firewall-less or a mode that I can put my own NATing router /firewall behind the T9 tethered via USB? So Im not double NATing.
Hmm… is FR891 using a debug kernel?
This is what I see in /var/log/dmesg
[ 0.000000] **********************************************************
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000] **
[ 0.000000] ** trace_printk() being used. Allocating extra memory.
[ 0.000000] **
[ 0.000000] ** This means that this is a DEBUG kernel and it is
[ 0.000000] ** unsafe for produciton use.
[ 0.000000] **
[ 0.000000] ** If you see this message and you are not debugging
[ 0.000000] ** the kernel, report this immediately to your vendor!
[ 0.000000] **
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000] **********************************************************
Why would this be? This keeps getting more interesting…
can someone help me out please, i was able to get unlock code but going to http://mobile.hotspot/#login=/settings/mobile_network-sim.html is asking for password and none of these work [email protected] [email protected] frkengr717
If you haven’t yet set up a password, the default for the interface is user:admin and password:admin. If that doesn’t work, just factory reset and try again, because that will set it back to the default admin:admin credentials.
hey bud thanks for reply indeed you were right, as when i opened the link it asked me for password which was “admin”
you will need access to a Linux or Mac terminal or Windows 10 running WSL. i was able to get the unlock code using this free terminal link= https://cocalc.com/doc/terminal.html
On the terminal type:
export IMEI=YOURIMEIGOESHERE
echo -n “${IMEI}simlock” | sha1sum | cut -c1-8
It should give you your unlock code.
and than Go to http://mobile.hotspot/settings/mobile_network-sim.html under “Carrier Unlock” to unlock it (remember ur laptop/pc needs to be connected to the Franklin T9)
Hi, I received my unlock code but the web page is not allowing me to apply the unlock code. Desired action has no options available and the button it self is greyed out! Please help, can i apply the unlock code through terminal?
I am also on FM.version 891
also stuck at this spot.
For anyone have issues with it auto updating/boot looping take your sim out, restart it, downgrade back to 891, factory reset it, unlock, change your target in the engineering menu to TMOBILE_GCF, reset device again and when you try to update it says your on the latest version 891
I believe you can also stop the OTAs through a config I just didn’t have the ability/time to do is so I found this temp fix
You lose 3 sprint bands this way but since I have a ATT sim in it it’s not a big deal
Crap…forgot what I set the “admin” password that defaults to “admin” to when I did this. Is there a way to force change it via one of the DEV pages? Guess I need to factory reset and redo the unlock otherwise.
-ssh into hotspot
entering following command should show pass:
cat /data/configs/mobileap_cfg.xml | grep Password
Sadly, I can’t get root password to work. Maybe I’m still doing something wrong but I tried to login via root with Putty.
Nevermind, I figured it out….thanks for the help.
Thanks for all this info Chris!
Here’s a modified 1311 with SSH always on in the configs, FOTA and remote management on loopback, FOTA service start suspended, and engineering pages restored. Remember to trust but verify! Use the information on this page to extract this firmware and the original 1311 and validate my edits for peace of mind.
firmware link – https://mega.nz/file/Lk8k2TgI#DwuWhvQh2nd-Gv2247cFB0rnVodqNP9M0_k751o0XJw
MEGA folder link for future builds – https://mega.nz/folder/m81iVLYJ#ZkLM7wspDir5z0T7DuGlXg
V2 just includes some password reminders
Thank you very much for your contributions. If possible, could you modify the page so we can edit the TTL easily?
By any chance was the password to ‘http://192.168.0.1/hidden/’ updated as part of the changes you made? Looks like there isn’t a password reminder nor will [email protected] work to gain access to band configs.
Are you sure you flashed V2? I have access to the hidden page using the default password and a reminder is present on the login dialog box.
Extracted your modified 1311, but now wondering how to actually flash it? I tried the web GUI “Software Update” and selecting the ota_update_all.zip file, but after a few seconds of uploading it, it returns an error “Invalid file”. Am I doing this right? TIA.
Question about the firmware:
I am still on the “stock” 891 firmware. Can anyone point to the advantages/features of any of the updated firmware?
I can make AT&T LTE work on firmware 891, but not 1131 (1131 always says SIM error). So I revert back to 891.
If anyone knows how to make AT&T sim acceptable by 1131 firmware please let me know. Thanks.
1. This morning I inserted my tmobile SIM and suddenly it worked and let me WIFI into the system and I flashed 891 firmware immediately successfully.
However,
2. When I tried to unlock it again manually like I did last time, it said my unlock code is incorrect, which I double checked it was the correct one that I used last time successfully. Looks like tmobile did something on the unlock mechanism.
Can someone help figure out how to unlock it again?
Bests,
Jeff
All this information has proven very useful and educational. Thank for all your effort in sharing it. Using the T-Mobile T9 (Franklin Wireless R717) I noticed that if your firmware if higher than the 891, activating SSH through the hidden menu is not possible. I rolled back mine form 1131 to 891 and ha no issues activating SSH in the hidden menu.
Thank you Chris and everyone involved.
I got everything all setup and working.
I got this device for creating a hotspot in my car so that my Android headunit can connect to it and use it for Spotify and Google Maps.
I found out that the device works without the battery if plugged in which is great for keeping in a car that can get really hot in the summer.
I really want the T9 to auto turn on whenever its plugged in (car turned on) without me turning it on manually.
You guys think there’s a way to do this? Software or Hardware mod.
PandaDeng, did you ever find a way to auto turn on once plugged in? I have a similar use case. For me I need to use this to remotely manage door lock access codes. I’d rather not keep the battery in it to avoid overcharging / overheating / failure, but if I leave the battery out and the power goes out, it won’t auto start and then I’ll no longer be able to control the access codes. It’s not a problem for it to go out temporarily, but when I need to change the codes I need it to work. I’d be grateful for any ideas!
I found that if you hold down the power button it will fully power on when plugged in, and won’t turn off. I ended up cutting a piece of plastic to wedge between the inside of the case and the power button so it’s always pressed down. So far it works pretty good for me.
Is there a way to view signal level info like RSRP, RSRQ, SNR?
Doing the test drive and I’d like to have better info to look at, not just a five bar “it’s fine” indicator.
Yes. Go to http://192.168.0.1/about/ and click the “debug” button
Has anyone figured out how to display arbitrary text on the LED screen?
Also, I’m thinking of writing a little script that changes the APN after boot depending on the ICCID.
Hey Chris,
I’m wanting to use one of the backup config files as a template to change SSID, password, device limit, etc. Is this possible to do, and if so how do I actually get into the directory? I’ve downloaded a copy of the config file now as a backup, but the ssl commands aren’t working.
Thanks in advance!!
Turns out it helps when you don’t have a typo in the URL…
I cannot use any other sim card other than the one that comes with the device on the latest firmware. Even the modded latest firmware. It’ll only work if I downgrade to 891.
Also, I had a blast modding this device!
this is my imei pls help me with the on lock code REDACTED
pls give me unlock code my imei is REDACTED pls help me i am stell waitting
pls as you have my imei pls give me code becouse you put my imei REDACTED
As mentioned earlier, I will not be generating codes for people and I will be censoring any IMEI’s posted. Please read through the comments, there are multiple documented ways to generate your own unlock code.
Hello Guys,
Need help!
I have my Franklin T9 device bricked. It was updating software when I dropped it and the battery came out causing the device firmware update to fail.
Now the device is switching on but nothing is working. Mobile.hotspot page is working but no information is available on the page. Same with hidden and webpst. I did try to force firmware to device using webpst page but it failed. IT admin page is asking for a password but the one provided here is not working. So i am unable to load .cfg file.
Any help is appreciated.
Thanks
Have you tried resetting to factory default? If not, pop off the back cover and hold down the reset button while the device is on. Also see some of the above comments about resetting a brick.
Just put your IMEI into this site, and it’ll give you an unlock code.
https://jsfiddle.net/4zds6531/
uffffffff master of puppets…
magnific
can u make an offline code generator whit this.
I need some help repackaging the config file. I’ve tried to just walk it back through the command prompt after successfully unpacking everything, but when I attempt to restore from the backup it fails. I have a feeling the problem is with the way I’m re-encrypting the .tar file. Steps below:
– Edit XML config file
– In command prompt:
$ tar cf [hotspot_cfg.tar] [data]
$ tar cf [hotspot_cfg] [hotspot_cfg_2] <— this includes hash/model/hotspot_cfg.tar
$ openssl enc -aes-128-cbc -md md5 -in hotspot_cfg.tar -out hotspot_cfg.bin -k frkenc##[email protected]
I've seen Chris' comment about the python script and have looked through it, but I'm not very familiar with python. Any help with this would be greatly appreciated.
I use the R717F21.FR.891_ota_update_all.enc download from your mega drive, and update use the web page to restore from Backup use this file, but now I can’t turn on the device, just the power button light is flashing. What should I do now? How to reset the device? Thank you so much.
Is there any script that force the device to restart ever x hours? Thank you
My end goal was to use this as a hotspot with a T Mobile sim, but for fun I also SIM Unlocked.
Quick guide for me-
I ssh’d into the device in terminal with command
ssh [email protected].0.1
when asked for password its frk9x07
now you want to change the TTL with command
echo “Setting TTL on $INTERFACE to $TTL=65
you should see the system confirm
Ran command
exit
Completed speed test and verified TTL was -1 at 64.
for sim unlock code I used website https://jsfiddle.net/4zds6531/ and put in my IMEI- wrote the code down and plugged it in the mobile.hotspot page and the device rebooted and is now unlocked.
If I use Putty for ssh, is this command run at the top level directory and then logoff?
echo “Setting TTL on $INTERFACE to $TTL=65
Also do I need to run this command every time when I power up the T9 to set the TTL?
Does this TTL change only affect tether? In other words, I’m not seeing a TTL change when connected via WiFi to the T9.
How can I set the USB Mode back to RNDIS + ECM after enabling ADB without a full reset?
Nevermind, I was only using the device tethered but after setting up the WiFi address/pw the WebUI is still easily accessible and USB mode can obviously easily be changed from webpst menu.
Most of you guys posting are way more talented geeks, but thanks to this thread I turned the free Test Drive Franklin T9 into a budget backup hotspot to cover gaps in the field and at home when the wired Internet and wifi crap out.
Bottom line used https://jsfiddle.net/4zds6531/ for the SIM code unlock. Used my initial $15/mo T-Mobile Connect UNL Talk & Text w/2GB data SIM card to get a number & to confirm speed/coverage. Changed the plan to a mobile data only (2GB) option @ $10/mo. Ran that SIM on my phone, powered off and put that SIM card into my now unlocked Franklin T9 and restarted the T9. Viola! A complimentary Franklin T9 Mobile Hotspot. T-Mobile has the superior LTE data throughput inside my home vs ATT/Verizon. I can upgrade/downgrade the prepaid data plan as needed without carrying the extra expense of a voice/text plan or just activate/deactivate data service as needed.
Yes, T-mobile stuck me for $25 on the initial SIM card cost and activation for the Prepaid phone SIM.
Still not clear if an unlocked T9 works with Mobile data only AT&T SIMs or Verizon SIMS or MVNO data only SIMS plans or what exact tweaks accomplish that.
Ok so I managed to hard-brick my t9 worse than anyone else so far (lol). I accidentally deleted /bin (long story) and it started bootlooping. However, I did find out that you can enter fastboot mode by shorting the two small pads on the PCB next to the display connector while powering on (you might have to pop off the metal EMI shield).
Anyway, I tried to flash a new system image with fastboot, but it appears that the system.img is not included in the ota images provided above. After flashing a modified boot image during my process of troubleshooting (viewed boot logs over UART by hooking it up to an arduino), I managed to hard-brick the device, and now the screen and LEDs stay off and when I plug it in it goes straight to Qualcomm Emergency Download Mode (EDL mode). I can’t even reach fastboot anymore or ADB–it appears that it is only loading the Qualcomm “primary bootloader” and not even the Franklin secondary one. The boot process seems to be four stages:
1. Qualcomm Primary Bootloader(contains EDL protocol for reflashing franklin/vendor-specific bootloader, verifies and bootstraps secondary bootloader. Factory-set in ROM). — I’m assuming that my system gets stuck here because the verification of the modified boot.img I flashed fails.
2. Franklin (secondary) bootloader — (seems to take care of rest of POST and preliminary system checks. Activates Wifi radios, battery management, other device-specific systems, then loads tertiary android bootloader) However, also seems to contain the linux kernel itself that the following android bootloader loads into RAM (further research required, I’m very uncertain about this process)
3. “aboot” — (android bootloader, this is what loads the linux kernel/mounts the filesystem. This is what fastboot interfaces with.)
4. Linux — (the actual OS itself)
Because the OTA updates appear to be only patches rather than full system ROMs/images, here’s what I would like:
Can someone with a working device dump the ENTIRE filesystem and upload it to a mega or an admin email it to me? The device supports a SCP connection in SSH mode so this shouldn’t be too difficult. You can also use adb. I would really like a complete “factory” image to help me troubleshoot once I manage to reflash the secondary bootloader through EDL (boot.img, this is included in the ota files Chris provided).
@natthawk shoot me an email and ill see if I can get you what you need.
my franklin t9 says stolen device got it off offerup help me brother how can I use it
Unfortunately, unless you know a way to unlock the bootloader, fastboot won’t let you overwrite system or recoveryfs (recovery and most other partitions are fine though). Your only real shot is to use EDL to write a new system image. Bjoern Kerler’s EDL tool is most promising for streaming download to NAND based devices, but it’s a work in progress and doesn’t play nice writing to our units yet (dumps work fine). There are other methods, but they’re very manual. I have dumps of all the partitions. If you find an EDL flashing method that works for you, I can get you a clean system.img if you still lack one (my current dump has a lot of my own personalizations).
Hi, sorry for the delayed reply.
Great minds think alike, I guess, since I tried this very tool to no avail :/ Now I’m beyond even trying to reflash system.img as I said above because I accidentally flashed a modified boot.img. I can’t get the flash programmer mbn file to cooperate, and I don’t even know if it’s legit since it’s a random one I found on a sketchy forum, and I’m also brand new to this Qualcomm Sahara/firehose stuff and how it works so I don’t really know how to troubleshoot either. When I view boot log over UART, it throws an ELF verification error when verifying the boot loader, then drops itself into 900E mode. Fastboot is inaccessible since the android high-level bootloader is never activated.
When I try to flash the boot.img to “boot” with EDL Tools using NPRG9x07.mbn as the loader it accepts the programmer (loader), returns the serial number, and then errors out with a python traceback 🙁 This even happens when I try to dump partitions. ENPRG9x07.mbn also doesn’t even get accepted in the first place. Also, it’s not even showing up in 9008 (EDL) mode, it’s showing up in 900E. Could you share the programmer file you used/the specific command that worked and what platform?
Plus the device uses UBIFS as a file system, which is a whole other level of abstraction I had basically no knowledge of before a week ago.
I guess my next course of action is to try to interface with the (very nicely labeled, thanks Franklin!) JTAG pads on the PCB, unless you can get EDL write working, but this will be a hassle and probably require some soldering.
my franklin was reprted stolen once I bought it from owner what a jerk
anything I can do to use it as a hotspot?
Latest device has a different firmware and different unlock procedure. By going though the js code, it seems that they are using AES ECB base64 now with key “abcdefghijklmn12”. Not sure about the special code though.
Oh interesting, what firmware version does your device report?
Out of the box without letting it update, it’s on TMOHS1_0.04.18
As someone who has this device as part of my postpaid plan I’m glad to see the firmware available for download. Typically I like to reload the firmware when the device crashes as a fresh coat of paint but T-Mobile hasn’t been able to provide it for me.
Thanks.
Right now T-Mobile send the new device is not T9 Franklin. Can you study how to unlock the new device?
I would need the device to do that. What model and brand is it? Can you share photos of it?
I believe I received the same unit. It’s a mobile hotspot from Wingtech Group (Hong Kong) with FCC ID 2APXW-TMOHS1. I guess it’s a new product; no more LCD screen and just dimmable LEDS below the t-mobile logo. It has 5G and 2.4G wifi but cannot operate simultaneously. Apparently and sadly the Franklin hacks doesn’t work on it at all…
Did some research on it. Here’s the manufacturer’s website: http://www.wingtech.com/en (in terms of product support, it’s even less transparent than Franklin’s barren support website, lol)
Here are some notable specifications from T-mobile’s info page on the device, which I pasted a link to in a reply below:
– 256MB RAM, 512MB ROM (I think the T9 only had 256M rom, but someone can correct me)
– MDM9207 CPU/SOC (Same as the T9 – I’m guessing the firmwares are very similar)
-USB C (yay!)
If someone with the device uploads the HTML and JS source of the web interface, maybe we can get a head start on reverse-engineering it. Let’s hope Wingtech learned their security practices from Franklin, lol.
Just received the TMOHS1 version as well. Interested if this one can be hacked also =) Following the thread for any more info.
How do i upload the HTML and JS source of the web interface?
I have placed the admin HTML, JS, and CSS files for the TMOHS1 in a zip file (tmohs1_files.zip) at:
https://mega.nz/file/MkRBDCQb#e1rIR7aD4cebyavw_vQVCjyGPVUo3zGRBChGq3XiXl8
The sha256 is:
2ee424d3d0ca26a02d523683189c055466ea6efb21e957b884263ab8a34521df
The files:
static/js/chunk-vendors.b06997a3.js
static/js/app.cf45a03c.js
static/css/app.5f283b77.css
static/css/chunk-vendors.55852678.css
home.html
Same here!
Also got a different MIFI device from T-mobile, modeled as “TMOHS1”
Searching with the model name leads to some FCC certification docs, and nothing else quite available yet. Here’s a photo of the device I took. The tiny display is replaced by several indicator lights. One good thing about this device is USB-C is used for charging now
Sorry, forgot image link
https://imgur.com/a/cz6Zm7K
I got the same device and there is no information about it at all
more info about TMOHS1
https://imgur.com/a/SS0XJUW
https://fccid.io/2APXW-TMOHS1
I have one in hand. Anything I can do to help?
here’s a copy of the hotspot’s webpage saved. a mix of htm, css, js files for someone knows what to look for.
https://github.com/visible1025/TMOHS1/blob/main/unlock%20page.zip
Any idea how to unlock and do an imei change on this new device?
here are some details from the information page on the TMOHS1 GUI (I don’t have SIM inserted so some of the details are missing or removed)
Phone Number Unknown
IMSI Unknown
IMEI _REMOVED_
Signal Strength Unknown
Network Name (SSID) _REMOVED_ Change
Max Connected Devices 8
LAN Domain mobile.hotspot
MAC Address _REMOVED_
IP Address 192.168.0.1
WAN IP Address Unknown
Software Version TMOHS1_0.04.18
Hardware Version 89527_1_11
IMEI SV 4
Model Name TMOHS1
T-Mobile Customer care number 1-800-937-8997
Hello all,
I just put out a python wrapper for many of the Franklin T9 functionalities exposed in the GUI.
Welcome contributors and feedback:
https://github.com/RayBB/franklin-t9-api
Can you tell us how to use it! I got mine unlocked, SSH accessed,
Here’s a tmobile support link for the new device: https://www.t-mobile.com/support/devices/mobile-internet/t-mobile-hotspot
It appears that the T9 may no longer be being sent out.
Pingback: T-Mobile Mobile Hotspot TMOHS1 - Rotar [email protected]
Hello, my T9 is version 891. I have unlocked it and set the visible APN, but as soon as I put it in the visible sim card T9, it locked again. The visible VPN is gone. When I put it in Google fi, everything is normal. I don’t understand why the visible doesn’t work.
I have Visible working on the T9 with this apn “VSBLINTERNET” not very fast speeds though 12-15 mbps. I put the Visible sim in a phone and get 45-50 mbps.
Just received the TMOHS1 also. Is it normal to have the sim activated as soon as it is powered on? I never activated it. The speed isn’t very fast (about 13-16 mbps).
Anyone able to enable the OTG function of T9? We can use this to install Checkra1n and Jailbreak the iPhone.
Also, if the screen could be used to show the status of jailbreak, that would be perfect.
there is a hidden path for the TMOHS1, not sure if it’s useful but it’s
http://192.168.0.1/#/FotaHide and present you with the following options
FOTA Server settings
Switch to product server Apply
Switch to STAGING server Apply
Switch to LAB Server Apply
Remove OTA bootstrap Apply
FOTA Server information
ServerID TMOFOTA1
ServerAddress https://omadm.iot.t-mobile.com:443/omadm-server/dm12
ServerPort 443
ServerAuthName TMOFOTA1
ServerAuthType DIGEST
ClientAuthType DIGEST
FOTA Scheduled events
Delaytimes 0
I did some digging on DIGEST Authentication and trying to get the rom file. I’ve been getting 405 error. @Chris B, can you provide some guidance on where should we look at next to somehow get the rom file? Thanks!
Yes mine was online as soon as I powered the TMOHS1 on as well, though it took about 30 minutes before it would work properly (provisioning time I guess?)
Following for unlock updates.
hey fellers. I have t9 unlocked. but i can’t get the att sim card to work. i’ve tried setting different targets and apn. What am i missing?
As soon as I turned on my TMOHS1 it activated and the time started ticking. The speeds I get are never above 10Mbps. That is pretty crappy if you ask me. I’m hoping we can unlock these and perhaps get better speeds with other carriers.
Is there any success on unlocking the new TMOHS1?
I’ve enabled SSH but need assistance in configuring ttl settings. I have the code necessary but not sure where to begin and not very familiar with Putty or others. Note I’m on MAC. Can anyone assist?
When accessing mobile.hotspot > Settings I am prompted with a login screen. I use the default password of “admin” and the password prompt disappears but I am left with a greyed out screen and I am unable to access the settings page. I have tried factory reset via back panel button but I get same results each time. Any work arounds? I am currently downloading FR.891 to see if a rollback works.
I have limited computer ability, but I wanted to ask a few questions about the Franklin R717.
My internet provider is Sprint, which is billed through “PCs for People” which provides $15/mo internet for low income people. The drawback is there is no service or help if you have a problem. In my experience, after about two years of service with a given modem, the cell towers make some change that makes the modem not connect for the average person. Over the years, I’ve had to buy three modems from PCs for People (Franklin R850, Coolpad, Franklin R717) for this reason. Two things that have extended the life of the modem are:
1)”update data profile” and “update prl”
2) disable one or more of 3 the bands
Disabling the bands requires the MSL/password. On the Franklin r850, I was able to use another post that showed how to bypass the MSL/password (using html trick that you mentioned). On the Coolpad, I found no such trick, but after calling Sprint several times, they gave me the MSL/password for my modem. On the Franklin r717, I was able to use the html trick, but the band priority doesn’t show properly, (can’t choose band), see attached photo (https://files.videohelp.com/u/61125/t9a.jpg). In your post, you gave a MSL/password ([email protected]) that you got by your methods (above my ability) to be able to disable bands. But very oddly, your password worked on my r717. This is very strange, because I think each modem has its own unique password. Also very strange, when I entered the disable band screen using your MSL/password, the band priority now shows ,see attached photo (https://files.videohelp.com/u/61125/t9b.jpg).
So can someone tell me:
1) why does your MSL/password work on my r717? It seems that your MSL/password is some kind of master password that might work on all r717, because I think (based on the passwords given from Sprint on the r850 and Coolpad) the MSL/password should have 6 digits, no letters or @ sign, and not contain the modem model (frk,r717).
2) when using your MSL/password, why does the band priority appear, when I use the html method, the band priority doesn’t appear?
3) There is a screen on the r717, see attached photo (https://files.videohelp.com/u/61125/usage.jpg) that sets data usage limit. I thought usage limit was set by Sprint. This modem was shipped as 20GB limit. I’m assuming that when I reach 20GB, the internet will stop. But it appears that the one can increase the usage limit, simply by typing in a larger number. Is this true? If so, what is the point of having a data usage limit screen on the modem?
This works the same on a Sprint (Tmobile) R850.
Put R850 into the passwords instead of R717!
I’m having a lot of problems with the instructions. So, you download this file from mega “R717F21.FR.1311_ota_update_all_sm.enc” then run this command?
openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##[email protected]
I searched everywhere in that tar file and can’t find the “hotspot_cfg.bin” file to do the next step.
When I run the next command, it says this “hotspot_cfg.bin: No such file or directory”.(obviously the file isnt there) What am I doing wrong? Am I supposed to pull that image off the hotspot? Im running Big Sur on a Mac. I’m completely lost in what to do next cause I have no access to the hotspot to pull files off or anything.
I finished setting up the Sim Unlock/SSH/ADB, and was wondering if we needed to do the step for the config file? I tried to run this command once I had a SSH connection, but it doesn’t work. (openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##[email protected]) Really happy this thing was able to be unlocked!
I used to have one of these! Gonna have to see how much they cost so I can get another one. Had no clue this was even possible.
My Franklin auto updated last night. Ugh. I thought I had done everything right. Current firmware is R717F21.FR.2602. Having trouble downgrading back to firmware 891. When I try to upload the firmware file from Mega, it uploads until about 20% and then errors out with the message “Error occurred at file sending.” I’ve factory reset the device and tried both usb and wifi to upload but no luck. Any tips?
I have an R850, all the stuff posted above worked on it, for the login pw I had to substitute r850 for the r717.
That has now stopped working, the secret page with the settings now returns a 404 page.
It seems Franklin might have changed it. Does anyone know how to access it now?
I’d imagine they would have changed the address the unit calls home to as well.
I guess Franklin’s engineers are reading the same page we are. Heh.
Chris, are you able to look at that?
Oh, and the http://192.168.0.1/itadmin/ page now redirects to http://192.168.0.1/
http://192.168.0.1/webpst/
still works. It asks the MSL for the unit, which I have.
Hello since the 2602 update I no longer have any hidden pages. For some reason I am also not able to downgrade the version with any of the files above anyone have any clue what I should try? Any help is appreciated.
Hello! Not sure if you’re still monitoring this post/site, but I’ve got an issue with my brand new T9 that I cannot seem to resolve.
My device came with firmware version 2602 and refuses to be downgraded to 891. I have tried every combination of things I can think of (SIM in, SIM out, reboot, factory reset, connect via USB to PC and Mac) but every time I try to upload the older firmware it fails.
I also am not able to access the /hidden, /webpst, or /engineering menus. I return a 404 not found error for all of those.
If you’ve got any suggestions I’d love to hear them!
Chris,
2602 had a bunch of security updates, it upgraded mine and I can’t get it to downgrade either. They moved the hidden stuff as far as I can tell. I can’t wait until we find a way around this as it screwed me pretty hard (it does not pick the best channel in my area). Some people are able to downgrade but my guess is yours get stuck at 35% and fails? That is exactly what mine does.
Yes, 35% is the best mine manages.
Also can’t access hidden menu any longer due to OTA update to 2602! Terrible as my thousand dollar investment to get internet is now completely ruined!
Help!
same
This didn’t harden security for end users in any way any of us will ever notice. It only screwed us over. Thanks!
Cool, next time I won’t publish my findings and will just forward them to the manufacturer.
Fuck that shit! Sharing stuff like this is the whole bread and butter of open source and the point of the internet. I say you did an awesome thing, I picked up so much useful knowledge in just attempting and completing the steps you laid out so simply and clearly. One way or another this security flaw was going to get patched, and someone in the company should have rewarded you for discovering and preventing what could eventually have been a major security flaw later if anyone ever used these for more than just unlocked boxes. These were give away throw-away devices long past end of life anyhow. Thank you for sharing. I look often over your blog hoping for more insight.
-Bubba DeeS Troy Von Spankleton III
I was being sarcastic in my last reply, but thank you. Your feedback is what I needed to hear, and I’m glad someone finds use in my research.
Please ignore that troll!
Just to be clear… does ‘SIM Unlock’ mean I can then put an AT&T SIM in it?
Yes
if you are resetting yours allot and playing with targets etc – to prevent it from updatting edit /etc/hosts and add
127.0.0.1 fota.pintracview.com
the OS has VI installed
as well as
127.0.0.1 t9datafiles.s3.us-east-2.amazonaws.com if you accidently turn on remote management
When I change /etc/hosts using vi, my changes stick until I reboot. After a reboot, it returns to the default /etc/hosts
i am on firmware 891.
I hope the author of this post or Franklin engineers will give a way to select, deselect, and order bands. The capability is needed in many areas if the country.
Neither the author of this post or Franklin engineers will do that. It’s up to T Mobile to allow users to select band priority and they won’t do that either. I was able to select any band I wanted through the hidden menu but nobody knows where it is now. I just wrap the front cover with aluminum tape to force the device to change bands, mostly from B41 to B4 but sometimes I get a band I don’t want. If anybody knows where the hell the hidden menu is, speak up!
has anyone gotten cron to work on the t9s version of busybox? its installed and appears to be running but i cant get anything i schedule (via crontab -e) to run. I’ved tried classic cron denotion with times as well as @reboot and */ demotions
just some info i put together that will likely help someone
———————to add your own user/password
1. ssh into hotspot
1. add user via typing the following (replace admin with any id you want) :
adduser admin
2.. make the user root
vi /etc/passwd
change the line for the user you just added – edit the group from 1001:1001 (could also be 1000:1000) to 0:0
3. ssh into you hotspot with your own account (this does get wiped with new firmware)
—————–to automatically enable engineering on 1311
type the following commands one at a time via ssh
1. echo r717:frkengr717>/etc/pwlighttpd
2. echo sleep 60 >/etc/init.d/startup.sh
3. echo /usr/bin/copy_htdocs.sh eng >>/etc/init.d/startup.sh
4. chmod 755 /etc/init.d/startup.sh
4. cd /etc/rc5.d/; ln -s /etc/init.d/startup.sh S98startup.sh
—- to enable crond`
type the following commands one at a time via ssh
1. mkdir -p /var/spool/cron/crontabs
2. echo > /var/spool/cron/crontabs/root
3. chmod 755 /var/spool/cron/crontabs/root
4. crontab -e
edit as you like using vi commands – ex run the script myscript.sh every 5 mins add the following line
*/5 * * * * /home/root/myscript.sh
5. echo /sbin/crond > /etc/init.d/crond.sh
6. chmod 755 /etc/init.d/crond.sh
7. cd /etc/rc5.d/; ln -s /etc/init.d/crond.sh S98crond
—- to set TTL on every boot
type the following commands one at a time via ssh
1. echo iptables -t mangle -F>/etc/init.d/ttl.sh
2. echo export TTL=65>>/etc/init.d/ttl.sh
3. echo export INTERFACE=rmnet_data0>>/etc/init.d/ttl.sh
4. echo ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL –hl-set $TTL>>/etc/init.d/ttl.sh
5. echo ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL –hl-set $TTL>>/etc/init.d/ttl.sh
6. echo iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL –ttl-set $TTL>>/etc/init.d/ttl.sh
7. echo iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL –ttl-set $TTL>>/etc/init.d/ttl.sh
8. chmod 755 /etc/init.d/ttl.sh
9. cd /etc/rc5.d/; ln -s /etc/init.d/ttl.sh S98ttl
You can edit via the following if you want to change TTL to a different value
vi /etc/init.d/ttl.sh
you can run the command to reset ttl without rebooting to change ttl via the following
./etc/init.d/ttl.sh
—- vi command guide if you have never used it before
https://www.cs.colostate.edu/helpdocs/vi.html
thanks again to the author of this thread – this has been allot of fun playing with this.
Thank you
Hello all, I had been using the t9 just fine with my Verizon lte sim after unlocking months ago. I hadn’t used it for a bit and I recently powered up and went through a firmware update.
Now my speeds are very bad. Less than 1.0 mbps.
Apn settings are the same as I had Configured to use Verizon apn. Any ideas? Seems like the firmware update changed something as I was getting good speeds.
did you disable OTA update? if it auto updated, then it’s fvcked.
been poking at 2026. it seems they included both public and private keys for the settings file in the OTA.
If ADB is still available and not locked down this may be away into the hotspots.
ssh is another possibility, the ssh root password hash is available as well although it is using stronger encryption then before
I picked up another T9 from ebay to test this but this one is stuck at 891 and i cant upgrade or downgrade it. it is fully functional – just stuck at 891. FOTA app is running, the settings file has it enabled, the host file and url are all fine. there is plenty of space. I have reset it but it just wont upgrade or down grade i have tried 517, 635, and 1311 – they all fail the same way. i even tried to get it to upgrade via ota, same result. these same images work on my other t9 so its weird i cant get them to work. It goes through the whole process then reboots and it fails. It is fully functional at 891 – the logs (at least the ones i have found) do not record any info on the upgrade process.
any ideas as to what else to check – if i can’t get this one to upgrade ill just buy another one and sell this one. – hell most people here probably one one stuck at 891.
For what it’s worth Fuzzy, I may have a downgrade solution in the works for those who are a bit more technical, so you may want to keep your eyes out for that or email me directly if you want some info.
> I may have a downgrade solution
yes. sign me up [r850, soon t9]
do you have the solution yet?
Keep your eyes pealed for a new blog post on here sometime in the future.
franklin R850 using uBlock Origin MSL bypass.
how does one _prevent_ OTA firmware updates?
webpst enable SSH? search for OTA file names cp to a backup and rm ?
is there an info page or command line tool to reveal band in use? The cell maps sites show which bands are in use near my house but guessing has become too much of a MasterMind game.
Some devices can be force downgrade flashed with direct eMMC writing.
Just ordered my free T9 from T-Mobile. Any advice on how to keep it from auto-updating to 2602 on the first boot?
Also recently received a free Test Drive from T-Mobile and it wasn’t a T9 Franklin but a TMOHS1.
https://www.t-mobile.com/support/devices/mobile-internet/t-mobile-hotspot
Just in case for now it can’t be sim unlocked even though the specs are similar between hotspot models.
https://www.reddit.com/r/tmobile/comments/mawhaz/new_tmohs1_test_drive_hotspot/
https://www.reddit.com/r/tmobile/comments/m7evpx/my_test_drive_arrived_today_questions_about_use/
Remove sim?
In case anyone wants to use more then one of these on the same layer2 network i have found that all of the T9s have the same Mac address of F4:63:49:00:00:01 on the bridge0 interface.
To change it on every boot do the following – change the MAC below to anything you like
type the following commands one at a time via ssh
1. echo ifconfig bridge0 hw ether F4:63:49:00:00:04>/etc/init.d/bridgemac.sh
2. chmod 755 /etc/init.d/bridgemac.sh
3. cd /etc/rc5.d/; ln -s /etc/init.d/bridgemac.sh S20bridgemac.sh
4. /etc/init.d/bridgemac.sh
If you want to load balance or PBR between multiple of these you will likely need to do this.
I used the 50gb redpocket in the tmobile franklin t9 for a week then it stopped working “SIM Pin Lock sim disabled ..0 attempts remain until your sim is PIN unblock code locked. Entering an incorrect PIN too many times will PIN unblock code lock your SIM and you will unable to use this device. You will need to contact your service provider to unlock the SIM.” it’s a 4 digit pin which i never set.
i livechatted with redpocket and they said the sim is not disabled. they were right as i got it working again on a different phone.
my franklin t9 shows current software version as r717f21.fr.1311
what is the 4 digit sim pin unblock code /how do i unlock ?
thanks
I have a feeling RP blocked the sim for hotspot usage, but the rep doesn’t see it on their end. I’ve also just got my RP sim working (using APN: RESELLER) and at the moment it’s working great. Was planning to use it on a trip later this week. Hopefully I won’t run into the same issue as you and will keep it off until I need it. BTW, the default SIM PIN for GSMA is 1111, but it sounds like you can’t even enter the PIN.
I know this thread has been quiet for a while but does anyone know how to change the maximum DHCP Clients above 15 ?
Is there any way to make the device boot when you apply power (no battery scenario), rather than waiting for someone to hold the power button?
Never mind. Robpol86 gave the solution already. A couple Velcro ties, a toothpick, and some folded cardstock, and now the power button is pinned down. I’d love a software solution – but there’s no need to go looking for it now. I think I did see it reboot once without requiring a button press (maybe on the firmware OTA downgrade). So, there’s probably a software solution. But meh.
I do love this hack, and the revisit to permit the downgrade. It’s awesome!
The T9 has fastboot if you hold down the WPS button while turning it on. You could try to run ‘fastboot oem off-mode-charge 0’ from a computer. There might be more things you can change with ‘fastboot getvar all’ as well if that doesn’t work.
Is there a way to make T9 turn on automatically anytime it gets power over USB?
Is there anyway of verifying what the TTL of the device is actually set at. I have looked at the various hidden menus and did not see anything. I have set up the script to set it at startup, but want to verify that it actually works.
Any link to datasheet?
Whats its FCC ID?
What speeds do you observe?
Thanks
Curious, what hashcat command did you use to crack the ssh password?
Just a basic bruteforce against the hash type. It was honestly nothing special, didn’t even need to use a wordlist.
Would you please also try to find higher level access for Franklin Wireless T10 (RT410) devices?
Get me a device, and I will take a look. I can only research devices I have in hand.
Help….
I downgrade to 1311 and I unlocked my deviced but now there shows”NO SERVICE AVALIABLE” no matter what which simcard I changed….. simcard still working before I downgreade….
Current Software Version
R717F21.FR.1311
Thank you so much!
Dear hacker
I hope you will apply your skill to the T10
I keep getting the same ipv4 address which has a low integrity score preventing me from using some apps.
Pingback: Mobile Hotspot Login Admin | Get Latest Information