I recently acquired a T-Mobile T9 mobile hotspot from a friend who used it with their Test Drive program, and like I do with most embedded devices I poked around. This thread will go over my software findings, and will give you the information needed to gain root access and SIM Unlock the device.
NOTE: I am not responsible for any damage done to your T-Mobile Hotspot. Proceed at your own risk. Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.
OTAs
The OTA system on the device is very simplistic. It phones home to the following URL, with the following syntax:
https://fota.pintracview.com/fota/T9/check_update.php?carrier=<CARRIER>&rev=<CURRENTVERSION>&imei=<IMEI>
So for example, my T9 was reporting to check_update.php?carrier=tmobile&rev=891 when it was on firmware revision R717F21.FR.891. Manually calling this URL with any outdated revision will link you to the latest OTA file, which is a .enc
Thankfully, these .enc files are very easy to extract. If you are on a newer version of OpenSSL, you can extract this OTA using the following command:
openssl enc -aes-128-cbc -d -md md5 -in R717F21.FR.1311_ota_update_all_sm.enc -out R717F21.FR.1311_ota_update_all_sm.tar -k frkenc##[email protected]This will then provide you with a .tar file, which contains a file named ota_update_all.zip which has a copy of the rootfs files. On this device, all OTAs are full image releases, so you can upgrade and downgrade as you please using the web interface. As for the decryption key, I extracted this from the binary at /usr/bin/fota_app. I was also able to start a collection of firmwares, including an unreleased update. You can access these OTA files from this Mega Share.
As for the OTA zip, from what it looks like it is unsigned so you may be able to modify it and have it apply, but this has not been tested.
Config File
Once nice thing about this device is you can enable SSH, ADB, and other hidden goodies by simply generating a configuration backup, modifying it, and uploading it back to the device. As for the configuration backup itself, you can convert it from it’s .bin format to it’s true form, a .tar.gz, using the commands below:
openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg.bin -out hotspot_cfg_packed.tar -k frkenc##[email protected]
mkdir hotspot_cfg_packed
tar xf hotspot_cfg_packed.tar -C ./hotspot_cfg_packed
cd hotspot_cfg_packed
mkdir hotspot_cfg_packed_2
tar xf hotspot_cfg.tar -C ./hotspot_cfg_packed_2As you can see, the configuration dump is actually aes-128-cbc encrypted, and contains nested tar.gz files. You can now modify the configuration as you wish, repackage it, and re-upload it.
SSH
During my research it was found that SSH can be enabled on this device, and once enabled, you can login as the root user. If you are on a firmware version 891 or below, you can run the following command to quickly enable SSH.
curl "http://192.168.0.1/cgi-bin/webpst.service_setting.cgi" \
-H "Content-Type: application/json" \
-H "Origin: http://192.168.0.1" \
-H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
--data '{"command":"save","params":null,"data":{"ssh":"on","tether":"","bridge":""}}' \
--insecureNote that if your firmware is above version 891, then to enable SSH you will need to modify the Config File. If you want, I have created a basic python script that can do this for you, which is available on GitHub. Just note it requires OpenSSL 1.1.0 or newer, and is only tested on Ubuntu 18.04.
As for logging in over SSH, I was able to discover the root SSH password for these devices is frk9x07. Sadly, the engineers at Franklin Wireless only used a descrypt (DES) key for the device, which hashcat was able to crack within seconds using my GTX 1080.
ADB
As a bonus, you can enable an ADB shell that drops you right to a root prompt without any password! Note this seems to work on firmware version 891 and below, but it may not work on newer firmwares.
curl "http://192.168.0.1/cgi-bin/webpst.usb_mode.cgi" \
-H "Content-Type: application/json" \
-H "Origin: http://192.168.0.1" \
-H "Referer: http://192.168.0.1/webpst/usb_mode.html" \
--data '{"command":"save","params":null,"data":{"usb_mode":"902D"}}' \
--insecureOn newer OTAs, you can still enable ADB but it needs to be done manually from the /data/configs/mobileap_cfg.xml file. This is done by updating the UsbMode setting value from 9025 to 902D, saving, then rebooting the device. Note you also may need to replace the contents of /data/configs/hsusb_next with 902D as well.
Hidden Web Pages
During my digging around the device I found a handful of hidden pages, which were secured by plain text passwords that were statically built into binaries. Below you can find the pages I found, as well as where I found the passwords for said pages.
- Hidden Configuration Pages
- http://192.168.0.1/hidden/
- http://192.168.0.1/webpst/
- Password: [email protected]
- Password was extracted from /var/volatile/www/htdocs/cgi-bin/login.cgi
- IT Admin Page
- http://192.168.0.1/itadmin/
- Password: [email protected]
- Password was extracted from /var/volatile/www/htdocs/cgi-bin/logi
- http://192.168.0.1/itadmin/
- Hidden Engineering Page
- http://192.168.0.1/engineering/franklin/
- Username: r717
- Password: frkengr717
- User and Password were extracted from /etc/pwlighttpd
- Note: On firmwares newer than 891, you need to first run the following as root before you can access the engineering pages.
/usr/bin/copy_htdocs.sh eng
- http://192.168.0.1/engineering/franklin/
SIM Unlock
While exploring the binary at /usr/bin/QCMAP_Web_CLIENT, I accidentally stumbled upon the logic used to SIM Unlock the device. To generate your SIM unlock code, just use the following below in any Linux or Mac Terminal.
export IMEI=YOURIMEIGOESHERE
echo -n "${IMEI}simlock" | sha1sum | cut -c1-8In the above, replace YOURIMEIGOESHERE with the IMEI number of the T9 Hotspot. Once done, you can enter the generated code into the Web UI to unlock the device for all SIM cards.
Conclusion
Hands down, this has to be one of my favorite IoT devices I have had the pleasure of playing with. I appreciate the fact that Franklin Wireless put minimal effort into securing the device since it makes for a great platform to build on top of. If anyone at Franklin Wireless is reading this, I recommend the following changes to help secure your devices.
- Don’t store passwords in plain text in your binaries. Use sha256 or md5+salt, or some other method.
- Please don’t allow your “hidden pages” to have password prompts skipped by modifying the browser’s HTML rendering. This is just sloppy, and is how I was able to get ADB access to start my research. Either having them locked down using lighttpd, or having a completely separate auth page that is properly hardened is my recommendation.
- Don’t use DEScrypt linux passwords. The time it took me to crack the hash was less than 10 seconds. md5crypt at a MINIMUM, and sha1 if you want to get a bit fancier. Also, make the password longer than 8 characters to help reduce the chance of a successful bruteforce.
- If you need to have ADB, Jail it down. Another T-Mobile hotspot I have allows for ADB, but it runs as a non-existent UID so you can barely view the filesystem. Something like this would probably be a safer bet.
- Move to incremental OTAs, and SIGN THEM CORRECTLY. Most android OTAs use certs for OTA authentication. Also, implement rollback protection and disable the ability for users to upload OTAs.
I just have to say this is wonderful timing! I just got the T9 test drive device and found your post researching how to bandlock with it. I somehow softbricked it, but holding down the reset button with the cover off while it was powered up did the trick.
Some peculiarities I’ve noticed, after rolling back the firmware to FR.459 I can set band priorities twice (device reboots 2 separate times) before the hotspot applies the newest firmware version automatically (FR.M1311) without my prompting. Fortunately the new band priorities aren’t overwritten, but it worries me that in the future they may implement some kind of rollback protection as you suggest. Any ideas on how to stop it from auto updating/phoning home?
Thanks!
Easiest way to prevent rollback would be to disable the OTA engine and change the URL it points to. This can be done by editing the configuration file at /data/configs/mobileap_cfg.xml and do changes similar to what I have documented at https://gist.github.com/riptidewave93/fc88a7de97abea669bd2d790a1df4c0a
So I made this edit and they pushed the latest firmware anyways. After I reverted back to 891, my edit was still there. Any other ideas for preventing the OTA from happening?
The device needs to be rebooted after the change is made for it to apply, otherwise the changes won’t get picked up by the running process.
As for another method, in theory you could also kill the process for fota_app, and replace /usr/bin/fota_app with a bash script with an infinite loop and sleep.
I simply renamed /etc/rc5.d/S99fota to prevent it from starting. Seems to work ok so far.
I have a Windows/DOS background, not linux.
Can you give me the procedure to “kill the process for fota_app, and replace /usr/bin/fota_app with a bash script for an infinite loop and sleep”?
I am connected as root via SSH and I am in the /usr/bin/fota_app directory.
Thank you. The unlock code worked!!! but I unzipped the OTA files and got tar files that I couldn’t open With and archive extractor 7-Zip WinZip etc
Thank you so much for writing this. Lots of fun options to play with on this device. One thing I’d like to do is to make a set of iptables/ip6tables rules for TTL mangling permanent – have you discovered any way to write these to the /data partition in a way that they’d get executed on every boot? Or do I need to go figure out how to build a firmware image? Just to share, here are the rules I’m playing with:
export TTL=66
export INTERFACE=rmnet_data0
ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL –hl-set $TTL
ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL –hl-set $TTL
iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL –ttl-set $TTL
iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL –ttl-set $TTL
I have this working via ssh (by the way, the ssh option in engineering settings worked for me on 891).
Thanks!
For what it’s worth, the rootfs is actually read/write on this device so you can setup your own /etc/init.d script and that in theory should do the trick.
Put a script together, and instructions. Here it is:
https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab
What would be the purpose of TTL modification on a dedicated hotspot device like this, since devices are designed to be tethered to it anyway?
Is there an ability to root this device and trick it into tethering unlimited from a tmobile phone line sim ? I am using a phone sim with 10 GB hotspot with no issue but to be capped at 50 GB would be nice.
Nope since that is all locked on the network side. If you want more data, you can always setup a data line on the device with T-Mobile.
Has anyone found an easy way to send AT commands to the modem? I dug a little bit but haven’t had any luck.
I cant not get the unlock code for sim lock.
The method documented will work. Please make sure your running the terminal command correctly, and on a Linux or MacOS terminal. It will not work on Windows.
Do you recall were you enter the unlock code? I was able to generate an unlock code, and pretty much everything else you discovered was very helpful. Thank you!
Matthew
It is in the normal WebUI (non of the hidden pages) under SIM settings.
Actually, you can do it from Windows if you have WSL installed, aka Windows Subsystem for Linux. That’s how I generated my unlock code.
How do you connect to it, via the WIFI, then use something like Putty on Windows??
Connect to the hotspot via wifi, then browse to its webUI by typing 192.168.0.1 – you won’t need to use Putty to enter the unlock code, as there’s a field in the webUI to enter it.
I used a terminal emulator on an Android phone to generate the unlock code, connected to the hotspot on the same phone and entered the code. Easy.
Would you happen to recall what WebUI was used to enter the sim unlock code? I thought I looked through all of them, but I do not recall seeing it.
Thanks!
I have a few of these, and it occurred to me that it shouldn’t be hard to make this work as a wifi extender or repeater bridge. anyone willing to writes script to set it up?
What other carriers availble after sim unlock ? Anyone tested this with other att sim cards ?
I have been in contact with someone using AT&T via the (Engineering>Change target>DEFAULT) setting, I am using Sprint with the same setting.
I can use AT&T 4G LTE with TMobile target as well. I do need to change the IMEI of the device to mimic an AT&T compatible device to get the LTE, otherwise, it can only connect to 3G.
I was wondering.. if I can unlock it and I have access to its terminal/shell, could I use it as a regular wifi hotspot device? I want to boost the range of the wifi at my house for my IoT devices so I can isolate their network.
Possibly but the device was not built for this, so you would be in uncharted territory.
I am able to use the hotspot with sprint now, but have been unable to get the band priority table in hidden>Lte menu area to populate. Is there a way to force this menu to populate?
Before when using stock target (Engineering>Change target>TMOBILE) I had experienced this bug but it was fixed by factory resetting, unfortunately this doesn’t seem to work when my target is set to (Engineering>Change target>DEFAULT). Any idea if there’s an xml file I could alter similar to the FOTA fix? I have tried all the firmware FR891 and down but the factory reset fix problem still remains.
Or could I directly change the band priorities by downloading a backup, editing it, then restoring? I have looked through the cfg’s after extracting them and don’t see a place for band priorities.
The only place I have found the band settings referenced via adb are at (/etc/default/configs/DEFAULT # strings mcfg_sw.mbn) when printed it shows a list of nv locations that refer to band preferences explicitly for example (/nv/item_files/modem/mmode/lte_bandpref), but I dont know how to interreact with the non volatile memory.
can you write a guide for this? would like to use this with my sprint sim
The unlock code doesnt work for me after generating it using the commands with my imei i downloaded the 891 firmware from ur link
I am also not having any success with the password generated with sha1sum. BTW, I don’t see a “SIM settingss” tab on the http://mobile.hotspot page so I just tried entering the generated password when clicking the “Settings” tab.
I was able to get into the device with SSH though, is there perhaps a way to edit the config directly to do the SIM unlock?
Hmm, I wonder if it’s firmware version related then. Try updating the device and doing a factory reset. That should then hopefully expose the option in the Web Interface.
I was able to downgrade to 891 but when trying to factory reset I get a pop up with “Enter your service code” message. No idea what service code to enter. I tried both the IMEI based code and other passwords you called out in this page and none of that worked.
Ok, I found another way to do factory reset from http://192.168.0.1/engineering/franklin/. But after it rebooted still the same issue – I click on the “Settings” tab and I get prompted for a password and when I type in the one from sha1sum it fails.
Were you able to work around this? My firmware appears to be similar. Settings and additional pages behind a login page, the unlock code rejected as the password.
Hi,
I downgrade to 891 version, then use the command you provided, everytime after i excute the SSH command, then shows:
{
“msg”: “OK”,
“result”: “S_SAVE”
}
Then the device shows “Goodbye” and restart.
And I still cannot connect via SSH.
Do you know what’s wrong on my side?
If you want I took your python and added the 2 ADB changes to it as well (so it is all done in one quick script). Send me an email and I will get it to you.
how do i get the sim unlocked code would like to try with att sim card imei REMOVED BY ADMIN can you get my code for me and email it to me thank you.
I removed your IMEI for privacy reasons, but your unlock code should be 4b3cce62
were do i want to insert it at to unlock it do i just put the other sim inside then goto the iogin page and put the code in there.
Can u get my code for me also.
Sir,
I am having the same issue resolving the unlock code for my children’s device to work on our laptop via usb as it won’t work for wifi. Can you help as our school tech people have no idea and state the carrier unlock code is needed to switch the setting. Here is our IMEI ADMIN REMOVED Can you email or post our code?
Thank you!
CK
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Can u give me my unlock code for mine also?
My IMEI
ADMIN REMOVED
Please reply when u have it thank you I dont know how to get the code and dont want to mess up my pc trying to figure out how to get it.
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Hi, I’d like to request for the unlock code too.
this is the IMEI: ADMIN REMOVED
Could you post or email me the unlock too? Thanks so much in advance.
Note I won’t be providing codes, please find a way to generate your own, such as https://www.tutorialspoint.com/execute_bash_online.php
Works beautifully to unlock! I was able to get the code through a Linux Machine since Mac didn’t have the sha1sum package (at least on Catalina). thanks!
On the Mac running Catalina, the command for sha1sum is shasum so the command is slightly changed to:
export IMEI=YOURIMEIGOESHERE
echo -n “${IMEI}simlock” | shasum | cut -c1-8
Works perfectly.
This fiddle ought to generate the same codes, if people aren’t able to figure out how to grab it from the command line: https://jsfiddle.net/4zds6531/
@Chris B @Stefan In http://192.168.0.1/webpst/, there is a “FOTA Test” section to change the FOTA server path. Any idea if changing this will prevent automatic OTA updates? Cheers
It should, yes.
Hello, my device version is 891
After it is automatically updated, it keeps looping on the welcome interface when I turn it on.
Is there a way to fix it?
Thank you very much
Hmm have you tried using the reset button on the back of the device to reset it?
Lucky, reset it
Works good now.
Ugh same issue here. I thought I had everything perfect! Even got the TTL script added with scp copy and all was working for a full week. Woke up to Welcome screen bootloop this morning. Soft and hard reset don’t seem to work 🙁
take the sim card out and let it boot up.
Update – I got it to boot by taking out the SIM then a hard reset after it booted once. It looks like I auto-upgraded to version 1311, even though I followed Stefan’s guide for the TTL scripts which were working great before: https://gist.github.com/weirded/f49ac134aecbd32b71ab22619c7496ab
This has been really fun to tinker with BTW! But now I’m stuck understanding how to downgrade.
To downgrade back to 891, what exactly am I uploading? I downloaded 891 .enc file from Mega, converted .enc to .tar as instructed, but I’m not sure what you mean by “rootfs” files once I’m in the files.
And would I upload as a backup restore on IT admin, or as a firmware upgrade on webpst page?
It seems like no one has resolved the blocking of updates though right?
For flashing between versions, just upload the original .enc file (don’t decrypt it!) on the firmware upgrade page. You can either use the webpst one, or the firmware update page found in the normal webUI under settings.
Has anyone been able to get diag mode working on this so we can talk to it with Qualcomm tools like QPST or QXDM? This device is using the Qualcomm MDM9207-0 so it should be possible.
Nevermind, I asked prematurely and just got my hands on the device. I now see that DIAG can be enabled from the following page: http://192.168.0.1/webpst/usb_mode.html
This is a neat little device. Thanks to Chris for all the great info shared. And thanks to Stefan for the TTL script and info about stopping FOTA.
Hi, I’ve been trying to use QPST but it keeps blocking me requesting the SPC. Have you been able to get around this somehow?
Hmm, 000000 is not working?
I’m having the same issue. Have you tried?
Is there a change log for the firmware? I am on 891 and want to see if I should update the firmware or not
I was having trouble following the unlock sim instructions like some others have mentioned in comments.
This may help, when you navigate to the settings tab on the Web UI, a popup asks for the password. This is not the generated unlock key, but it is just “admin”.
From here I had to set a new password then I was able get into the settings tab and view/change settings.
Under Settings > Mobile Network > SIM – scroll down to Carrier Unlock and this is where you need to enter the generated unlock key. Right above mine now says Carrier Unlock Status: Unlocked
I figured out how to do some IMEI magic on the T9!!! I’m making a guide and posting it in a few days.
No need to ruin a good thing.
This was already referred to at the top of the article:
“Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.”
Would be interested in what you found out; mind sending an e-mail (please do not remove, this is a temp/throw away e-mail)? Address is [email protected]
I booted one of these devices up, fresh out of box without installing the SIM card
-rooted
-carrier unlocked
-modified the OTA upgrade script to not work and added TTL modification script
-added APN for visible wireless and set it to active
-shutdown / installed visible sim
— it booted, connected, and ran very well.
then — i inserted the stock tmobile test drive sim
it booted and worked, connected…..did some testing…
but it re-locked the carrier unlock status and did some kind of binding to make the hotspot only work with the tmobile sim.
When i try to use a non-tmobile sim in this hotspot, it says “sim error” and the sim status shows locked.
Has anyone else experienced this?
I would recommend NOT using the test-drive SIM if you plan to work with this device and unlock it etc.
I seem to remember previous test-drive sims doing a lock and binding the previous coolpad hotspots to only work with tmobile as well
Did you use the hard reset button on the back of the unit after you unlocked the device? If so, it will need unlocked again. This drove me crazy for quite a while until I figured it out.
Each time the hard reset button is used, the device will need unlocked again.
I’ve been trying to find where/how to edit APN settings that aren’t available in the web GUI. Could you please provide some guidance?
I’ve been digging through the decrypted ROMs and a decrypted settings backup with no luck.
Just go to http://192.168.0.1/settings/mobile_network-apn.html and click on “add”.
Thank you!
Generated and entered the unlock code and now my device is reporting “Unlocked”.
Firmware version: R717F21.FR.1311
Anyone have anyluck with ECM or RNDIS using the USB port? Seems to be 3 modes, but none of them work on any of my machines. Would like to use with a Watchguard Firewall as Failover ISP via USB.
Disregard, I had about 1/2 a dozen USB to microUSB cables that were all just charging cables (no data). after using the correct cable everything worked great.
Can someone do a guide on how to modify the TTL? I saw the instructions and enabled SSH but got lost on part 3. Thanks!
Thank you for sharing the information. It was easy to unlock, enable SSH and ADB. Just a question, is there any advantage to upgrade to a newer firmware beyond 891?
This is super helpful, thank you for your work.
I have a question, I’m reasonably technical but am not super fluent with everything done from the command line. So I’ve unpacked and edited the config to change the update URL and repacked everything into hotspot_cfg_packed.tar, how do I convert that back into the encrypted .bin file?
My best guess was the following but it spit out an error on my macbook pro running MacOS 11:
[email protected] hotspot % openssl enc -aes-128-cbc -d -md md5 -in hotspot_cfg_packed.tar -out hotspot_cfg.bin -k frkenc##[email protected]
bad magic number
Would appreciate any help and what the underlying issue is?
Thanks in advance
Hello Rich,
I recommend looking at the python script linked under the SSH section, since it helps show the process in which to repackage a configuration dump.
You’re using the -d flag which is for decryption. Remove the -d flag when you’re re-encrypting it back into the .bin.
Hi Tried above steps , generated the code it says below message .
Initial version was _891 , later updated to FR.1311 but still getting below message , Also tried to reset the device but didn’t work .
Incorrect Unlock Code
You will need to contact your service provider to get the unlock code.
Can you downgrade the firmware. I thought I saw that was relatively easy. Just grab off the mega site in the OP.
I tried but that didn’t work either
I unlocked it without any problem, thank you for all the information on this page.
I plan to have this hotspot unattended far from home, is there a way to configure a DDNS ??
thank you
Once you ssh into the device, you can a) change the password by using the passwd command. You can apply a blank password.
You can generate the unlock code directly on the device — use this command (all 1 line)
/var/volatile/www/htdocs/cgi-bin/webpst.imei_mac.cgi | awk ‘/imei/{printf( substr($2,2,15) “simlock”)}’|sha1sum|cut -c1-8
You get that guide yet?
Perhaps i am missing something here. Device was unlocked easily. But I am not able to SSH due to the incorrect password ‘frk9x07’. How do i find real password for ssh? Other than that ssh problem, great forum. Thanks
My bad, i mistyped command. Should be ssh [email protected].0.1 then provided password works. Thanks
This page is really helpful but still I am stuck at my problem. It seems my device bricked while getting the updates from tmobile. It’s not showing any Wi-Fi broadcast and reset is keep showing “Factory reset Restarting Now” I logged in to webpst and uploaded R717F21.FR.1312 but after 1-2 minutes while writing it, it is showing me upgrade failed. Hidden menu showing web version FR.1312. Is there any way to do re-install 1312 or 891 via openssl? or any other way to reset?
Thanks
Hmm somehow my hotspot did OTA and was bricked, LCD gets stuck at WELCOME message and never even starts up the hotspot. Any ideas on how to reflash/reset?
Same issue with my device. Please keep me posted if you find any solution.
Remove the SIM card and reboot it.
where to download 891 to downgrade ? Mine got updated to 1131 and I could not enable SSH. By the instruction, how do I run ty-enable-ssh.py to enable ssh for 891+ ?
https://mega.nz/folder/FJ8wWYAJ#Q1oUEtIUJrtjB1atkOAXrA
have to load Python on your computer; then save the T9’s configuration (from the menu) to a file on your PC; run python ty-enable-ssh.py hotspot_config.bin, which will generate a new config file. ten upload it back to the hotspot.
Awesome work. I see the engineering and other passwords plainly visible in multiple places…what a convenient mess! Do you have any insight into the configurations loaded through the “Change Target” menu? I was thinking of making a universal configuration to load in it, as I see that using the unbranded ‘Default’ breaks things like the ability to enter the SIM unlock code, however I haven’t found where the other configurations are stored to use as an example.
The hidden menu also has a disabled debranding page (among others) but navigating to it shows that the corresponding cgi (and perhaps the files that debranding would want) are missing, at least at a glance.
I wonder why accessing factory reset menu in webPST calls for the SPC?
There’s also a 100 firmware if you use the vendor franklin.
Different config settings are loaded from /etc/default/configs/*
It may be possible to just add your own there in a new folder?
The unbranded, Franklin and SKT configs don’t actually set a SIM_LOCK like the TMO/Sprint configs do which might be why the option to unlock the SIM goes away. I haven’t tested if the lock itself goes away when switching to those configs. Since the original config is TMO (with lock set), the SIM_LOCK NV value may be sticking despite the new unbranded/SKT/etc configs not using a SIM lock. And if set to unbranded/SKT from factory… then the TMO/Sprint SIM_LOCK NV setting never gets set and there’s never a SIM LOCK to remove.
And the reason the SIM LOCK comes back after a factory reset is because the TMOBILE config gets rewritten.. which then rewrites the SIM LOCK NV value.
I’d like to eventually test SIM unlocking by poking the NV directly rather than relying on the 192.168.0.1 pages.. just to figure out how to clear it out of the NV properly. The SIM_LOCK NV value set by TMO/Sprint is: 00 02 00 65 00 00 36 01 a0 00 36 01 c8 00 36 01 d2 00 36 01 dc 00 36 01 e6 00 36 01 f0 00 36 01 fa 00 36 01 04 01 36 01 0e 01 36 01 2c 01 36 01 36 01 36 01 ea 01 36 01 12 02 36 01 4e 02 36 01 80 02 36 01 94 02 36 01 20 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d3 00 00 00 0a 00 00 00
May just be as simple as zeroing it out to remove the lock… not sure yet.
The configurations are stored in: /etc/default/configs
Take a look at the configuration folders:
/etc/default/configs/
Also the following file:
/usr/bin/change_carrier.sh
This might help with the custom builds.
My auto upgrade stuck and now only seeing blinking led. Tried upgrading/downgrading ENC file but after 62%, it’s throwing Firmware failed error. SSH is not enabled. Is there any way to rewrite the firmware? Please help, Seems my device is bricked.
Thanks Chris, your work is awesome! After unlocked and added APN, I can use my Verzion sim to enjoy LTE.
This is awesome! I had played around with it a few months ago and managed to gain root access and unlock the SIM on my own through a bit of trial and error. I never reached this level of reverse-engineering, though!
Is there a way to put the T9 into “bridge mode” /firewall-less or a mode that I can put my own NATing router /firewall behind the T9 tethered via USB? So Im not double NATing.
Hmm… is FR891 using a debug kernel?
This is what I see in /var/log/dmesg
[ 0.000000] **********************************************************
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000] **
[ 0.000000] ** trace_printk() being used. Allocating extra memory.
[ 0.000000] **
[ 0.000000] ** This means that this is a DEBUG kernel and it is
[ 0.000000] ** unsafe for produciton use.
[ 0.000000] **
[ 0.000000] ** If you see this message and you are not debugging
[ 0.000000] ** the kernel, report this immediately to your vendor!
[ 0.000000] **
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000] **********************************************************
Why would this be? This keeps getting more interesting…
can someone help me out please, i was able to get unlock code but going to http://mobile.hotspot/#login=/settings/mobile_network-sim.html is asking for password and none of these work [email protected] [email protected] frkengr717
If you haven’t yet set up a password, the default for the interface is user:admin and password:admin. If that doesn’t work, just factory reset and try again, because that will set it back to the default admin:admin credentials.
hey bud thanks for reply indeed you were right, as when i opened the link it asked me for password which was “admin”
you will need access to a Linux or Mac terminal or Windows 10 running WSL. i was able to get the unlock code using this free terminal link= https://cocalc.com/doc/terminal.html
On the terminal type:
export IMEI=YOURIMEIGOESHERE
echo -n “${IMEI}simlock” | sha1sum | cut -c1-8
It should give you your unlock code.
and than Go to http://mobile.hotspot/settings/mobile_network-sim.html under “Carrier Unlock” to unlock it (remember ur laptop/pc needs to be connected to the Franklin T9)
For anyone have issues with it auto updating/boot looping take your sim out, restart it, downgrade back to 891, factory reset it, unlock, change your target in the engineering menu to TMOBILE_GCF, reset device again and when you try to update it says your on the latest version 891
I believe you can also stop the OTAs through a config I just didn’t have the ability/time to do is so I found this temp fix
You lose 3 sprint bands this way but since I have a ATT sim in it it’s not a big deal
Crap…forgot what I set the “admin” password that defaults to “admin” to when I did this. Is there a way to force change it via one of the DEV pages? Guess I need to factory reset and redo the unlock otherwise.
-ssh into hotspot
entering following command should show pass:
cat /data/configs/mobileap_cfg.xml | grep Password
Sadly, I can’t get root password to work. Maybe I’m still doing something wrong but I tried to login via root with Putty.
Nevermind, I figured it out….thanks for the help.
Thanks for all this info Chris!
Here’s a modified 1311 with SSH always on in the configs, FOTA and remote management on loopback, FOTA service start suspended, and engineering pages restored. Remember to trust but verify! Use the information on this page to extract this firmware and the original 1311 and validate my edits for peace of mind.
firmware link – https://mega.nz/file/Lk8k2TgI#DwuWhvQh2nd-Gv2247cFB0rnVodqNP9M0_k751o0XJw
MEGA folder link for future builds – https://mega.nz/folder/m81iVLYJ#ZkLM7wspDir5z0T7DuGlXg
V2 just includes some password reminders
Thank you very much for your contributions. If possible, could you modify the page so we can edit the TTL easily?
Question about the firmware:
I am still on the “stock” 891 firmware. Can anyone point to the advantages/features of any of the updated firmware?
I can make AT&T LTE work on firmware 891, but not 1131 (1131 always says SIM error). So I revert back to 891.
If anyone knows how to make AT&T sim acceptable by 1131 firmware please let me know. Thanks.
1. This morning I inserted my tmobile SIM and suddenly it worked and let me WIFI into the system and I flashed 891 firmware immediately successfully.
However,
2. When I tried to unlock it again manually like I did last time, it said my unlock code is incorrect, which I double checked it was the correct one that I used last time successfully. Looks like tmobile did something on the unlock mechanism.
Can someone help figure out how to unlock it again?
Bests,
Jeff
All this information has proven very useful and educational. Thank for all your effort in sharing it. Using the T-Mobile T9 (Franklin Wireless R717) I noticed that if your firmware if higher than the 891, activating SSH through the hidden menu is not possible. I rolled back mine form 1131 to 891 and ha no issues activating SSH in the hidden menu.
Thank you Chris and everyone involved.
I got everything all setup and working.
I got this device for creating a hotspot in my car so that my Android headunit can connect to it and use it for Spotify and Google Maps.
I found out that the device works without the battery if plugged in which is great for keeping in a car that can get really hot in the summer.
I really want the T9 to auto turn on whenever its plugged in (car turned on) without me turning it on manually.
You guys think there’s a way to do this? Software or Hardware mod.
Is there a way to view signal level info like RSRP, RSRQ, SNR?
Doing the test drive and I’d like to have better info to look at, not just a five bar “it’s fine” indicator.
Yes. Go to http://192.168.0.1/about/ and click the “debug” button
Has anyone figured out how to display arbitrary text on the LED screen?
Also, I’m thinking of writing a little script that changes the APN after boot depending on the ICCID.
Hey Chris,
I’m wanting to use one of the backup config files as a template to change SSID, password, device limit, etc. Is this possible to do, and if so how do I actually get into the directory? I’ve downloaded a copy of the config file now as a backup, but the ssl commands aren’t working.
Thanks in advance!!
Turns out it helps when you don’t have a typo in the URL…
I cannot use any other sim card other than the one that comes with the device on the latest firmware. Even the modded latest firmware. It’ll only work if I downgrade to 891.
Also, I had a blast modding this device!
this is my imei pls help me with the on lock code REDACTED
pls give me unlock code my imei is REDACTED pls help me i am stell waitting
pls as you have my imei pls give me code becouse you put my imei REDACTED
As mentioned earlier, I will not be generating codes for people and I will be censoring any IMEI’s posted. Please read through the comments, there are multiple documented ways to generate your own unlock code.
Hello Guys,
Need help!
I have my Franklin T9 device bricked. It was updating software when I dropped it and the battery came out causing the device firmware update to fail.
Now the device is switching on but nothing is working. Mobile.hotspot page is working but no information is available on the page. Same with hidden and webpst. I did try to force firmware to device using webpst page but it failed. IT admin page is asking for a password but the one provided here is not working. So i am unable to load .cfg file.
Any help is appreciated.
Thanks
Have you tried resetting to factory default? If not, pop off the back cover and hold down the reset button while the device is on. Also see some of the above comments about resetting a brick.
Just put your IMEI into this site, and it’ll give you an unlock code.
https://jsfiddle.net/4zds6531/
I need some help repackaging the config file. I’ve tried to just walk it back through the command prompt after successfully unpacking everything, but when I attempt to restore from the backup it fails. I have a feeling the problem is with the way I’m re-encrypting the .tar file. Steps below:
– Edit XML config file
– In command prompt:
$ tar cf [hotspot_cfg.tar] [data]
$ tar cf [hotspot_cfg] [hotspot_cfg_2] <— this includes hash/model/hotspot_cfg.tar
$ openssl enc -aes-128-cbc -md md5 -in hotspot_cfg.tar -out hotspot_cfg.bin -k frkenc##[email protected]
I've seen Chris' comment about the python script and have looked through it, but I'm not very familiar with python. Any help with this would be greatly appreciated.