After requests from the online community I am glad to announce that a downgrade method has been found for T-Mobile branded Franklin Wireless R717 Access Points on firmware 2602. In this I will go over how I found this method, how to do the downgrade, and links to the required files.
Research
When I found out that 2602 was released for the T9, I quickly got a copy using their OTA endpoint I documented in my last blog post around rooting the device. Once acquired, I extracted it and was quite surprised by my findings:
- All passwords that were previously documented were changed/rotated
- The root user password was now a SHA256 salt, a huge improvement!
- hidden/engineering pages have new passwords, that are ALSO stored as salted SHA256
- OTAs are now verified via a public cert on upload, so there is no way to create a custom OTA image.
- Config Dumps are also signed, and verified. However since devices have to generate these, both the public and private cert are available.
- Dropbear (SSH server) has been removed from the image completely.
Since I had a copy of the OTA, I decided to flash it on one of my devices, but with the root password changed ahead of time using the decryption/encryption method from my previous blog post. With this, I was able to use UART to have root into the device. This is how I started my initial research around digging inside the new update.
To save everyone a ton of time I will just jump to my findings. At the end of the day, I found that the config dumps allow a user to put files in /data/misc, and /data/configs. These are the only two paths you can create files in. With this, I then messed around with the AP configuration file named mobileap_cfg.xml and was able to find that command line injection was possible on some of the fields.
With the two findings combined, I was then able to successfully create and sign a custom configuration dump that includes a bash script that is executed on boot by the device. This means we can run arbitrary commands on the device as root, and flash a custom OTA image!
But wait, how am I able to use a custom OTA image if there is no way to sign a modified update? Well, since Franklin Wireless implemented the image verification logic in userspace and not the recovery environment itself, we can just skip it all! Below you can find the magic I use to completely bypass the OTA verification process.
# Make the OTA system be OK with the abusive install method
mkdir -p /cache/recovery
echo "--update_package=/cache/ota_update_all.zip" > /cache/recovery/command
echo "--debug_no_reboot" >> /cache/recovery/command
mkdir -p /cache/sec
echo 1 > /cache/sec/download_verified
echo 1 > /cache/update_file_verified
...
# Reboot into recovery to install
/usr/bin/go_recovery.sh
With everything combined, we now have what we need to downgrade devices on 2602!
Usage
To do the downgrade process you will want to download the appropriate configuration for your specific use case. In most cases, the 1311 downgrade is recommended.
- Download the appropriate downgrade file for your specific carrier
- Make sure your Franklin Wireless R717 T9 access point is on firmware 2602 and has a charged battery, and has a working data connection. This means it has to have a working SIM!
- With the downgrade file you downloaded, go to the config restore page at http://192.168.0.1/settings/device-backup_and_restore.html. Once here, select the Downgrade config and click “Restore Now“. It will take a moment to upload.
- Once the config is uploaded, the device will reboot on it’s own. Once done, let the device sit for 15 minutes! As long as it has a working data connection, it will download the downgrade image in the background and install it. NOTE: If you had a custom APN, you may need to re-add it before the downgrade will work. To do this, sign into the web UI using the password of “password” and ONLY update the APN. Once done, let the device sit!
- You will know the device is downgrading since the LCD screen will show “Updating”.
- Once complete, the device will boot up on the downgraded firmware with a factory configuration. Also note the downgraded image “should” also have OTAs disabled!
Downloads
Before you continue, please understand that this may or may not work for you. I am also not responsible for you downloading these files, or for how you use them. If you end up with a bricked and/or broken AP, you understand it was your own doing and to not expect any support.
These were tested to work on T-Mobile SIMs, with mixed reports for SPRINT SIMs. Your results may vary. Also note that the firmware versions being installed are modified to try and disable OTAs.
And for those who are curious on what these configs do, the source code used to create them can be found at https://github.com/riptidewave93/franklin-r717-t9-downgrade
For Franklin Wireless
Thank you for spending the time to harden the firmware for the T9 after my last research post. Even if it makes it harder as a researcher, it’s good to see effort being put in to harden the OS, since IoT devices like this are targets for newer generations of malware. I would argue there isn’t much left to improve on, but I expect you will patch my findings in a future OTA update. Just note that giving users choice around what runs on their AP isn’t a bad thing, it just shouldn’t be as wide open as it was previously. Also, please consider offering a bug bounty program.
So this might be a stupid question but am I supposed to run that code stuff before trying to upload the file? If so how exactly should I go about doing that?
Hello,
No you do not. All you need to do is follow the info under the “Usage” section. Everything above that is just me explaining my research.
My Franklyn T9 is locked to admin and i cannot access ithe admin.Is there any way flash the hotspot. Please help
Very cool. Just a couple issues with the configuration files you link. You say to wait 15 minutes, but the timeout without a connection is only 10 minutes. It would also be nice if the display timeout could also be extended.
The reason for the 15 min wait is for the actual download and verification, since when the script is ran it should have network connectivity within 30 seconds. I hope that helps explain the reasoning.
Worked for me, eventually. After an hour I still had the 2602 firmware, but the wifi re-enabled but was named “Franklin Downgrade” (or nearly that). I tried rebooting, and then waiting more. After maybe another hour, I decided to try re-uploading… but the web UI password had changed to something that wasn’t what I programmed it to, nor the default from Franklin. Finally I used the reset button near the battery, then got into the web UI again, uploaded the downgrade config, and then it rebooted a few times and finally displayed “updating”. After just a few minutes it was back online and I was able to see the old firmware version, turn on bandlocking, etc.
Are you with T-Mo or Sprint?
I tried this and immediately after the downgrade my device lost all bars and wouldn’t get any service. Nothing I tried worked until I was lucky enough to find someone on reddit who had a link to the current firmware which I had to upgrade back to. Since then my speeds have next to halved as well.
Hello, I currently have one of the TMobile test drive hotspots that they give out for the free 30 day or 30gb to check the availability of their Network. It looks very similar to the Franklin T9 and is even a Franklin device. Would there be a way to flash it through one of the above methods and possibly put one of the T9 OTAs on it and unlock the sim so I could then use it as a regular hotspot with a monthly service plan? As of right now it’s kinda useless but whenever it was working I really liked the little guy. I’m not really concerned about unlocking the sim so much as just being able to get a monthly service plan on it the TMobile network picks up pretty well in my location. Thanks for the help!
This will only work on the T9 device (R717). If your device’s model sticker under the battery doesn’t say the Model as T9, then you should not attempt to use these files to downgrade it.
Simply GENIUS!!! Thank you so much!!!
Hi Chris. Thanks so much for your work. I’ve been using 2 T9’s for several months, one at 891 and the other at 1311.
On 1311, people should also stop OMA DM from running when on Sprint and possibly other carriers. OMA DM allows carriers to make almost any change to your device remotely – they can also use it to remotely do firmware updates. For me, OMA DM was causing 100% CPU while failing to activate the Sprint SIM. However, data works and activation is not necessary. The device works completely fine without it running. I suggest :
mv /etc/init.d/start_omadm /home/root
On 891, OMA DM isn’t even part of the firmware so that also showed me that it is completely unnecessary for full functionality [it’s also on Sprint]. It is only there to give carriers the power to remotely provision or modify your device.
I’ve also written a battery management system in a shell script that lets you keep the battery at a voltage of your choice. The default charging logic in this hotspot tries to keep it at 4.34 volts – that’s quite a bit higher than 4.2 volts, which is 100% charged. This 4.34 volt issue is why the batteries swell in these if you operate them for 6+ months on the charger.
I prefer to keep mine at 4.1 volts which still provides 80% charge when it’s necessary. For long term life it’s recommended to keep Li-Ion batteries between 20% to 80% charge.
I will release the script on your other T9 thread once it’s been thoroughly tested.
Finally, regarding this topic of roll back and requiring internet, couldn’t you also put in a tftp option to get it from a local computer on WiFi? On the hotspot use tftp which is part of busybox. On the computer you can use a TFTP utility on Windows (and Mac/Linux) to serve the firmware. You could tell people it will attempt to TFTP from a certain IP or you could pull a list of IP’s from “arp -an” and start concurrent attempts to TFTP the file from them all.
I’m getting 2 more T9’s in a few days. If they have 2602 on them I can modify your root.sh to provide this functionality.
Hey Steve,
Good callout on the OMA DM. I didn’t dig into it much since I don’t use Sprint, so I’m glad to see you calling this out.
As for the rollback and internet requirement, I wanted the downgrade solution to be usable for anyone non tech-literate. Sure I could have just had a tftp server or sftp server setup, but for users who have never used ssh/CLI, this would have made the downgrade impossible.
Don’t get me wrong – I like your solution of doing it easily over the internet (properly via https too!). I just like having options. 🙂
I received the 2 “parts” T9’s today. One has even older firmware than 891! It’s running R717F21.FR.635 with a build date of Dec 5 2019. I’m going to go over the build closely, but so far I can report it has even worse security than 891, which should be expected.
/hidden and /webpst don’t even have passwords. /itadmin wasn’t written yet. /engineering/franklin exists with the same credentials as 891.
It’s not showing bands 66 and 71 in the hidden DATA>LTE list with no SIM installed. I’m not sure if it’s because of no SIM (brand issue) or because the bands were possibly added in modem firmware updates in 891+.
The other unit shows Welcome on power up, then goes permanently to a blank screen. If you hold the power button it does show Goodbye and turns off. The factory reset button shows the factory reset message on the screen, but it never reboots and just sits there. It never broadcasts any WiFi signal.
Any ideas how I can get to recovery somehow or get into it via ADB?
Sadly I don’t know of any way to force access to recovery. As for the one with the permanent black screen, it may be worth wiring up UART and using that to see if you can get a root shell using the login for the older firmwares. It may also help you see what exactly is failing on the device during boot.
This black screen one is odd. I know from a note on the battery cover that the previous owner was using a modified IMEI (so it was hacked/modified). Looks like they didn’t block updates. It doesn’t broadcast wifi but it does pop up using RNDIS on my Windows 7 machine.
Now I can bring up the web pages, but whenever I enter in any password the password box disappears and I’m left with a greyed out page. That’s instead of saying Wrong password in red like old firmware. To be ultra specific, with browser dev tools, login.cgi is returning a
{}
response instead of the response from 891 firmware:
{
“msg”: “Wrong Password.”,
“result”: “F_LOGIN”
}
Everything is behind login.cgi protection and to top it off it’s running build 2661, which I didn’t know was out. I can’t even bring up the about page, but I realized I could use the following 2 URLs to check the firmware.
$ curl “http://192.168.0.1/fti_sw_ver”
R717F21.FR.A2661
$ curl “http://192.168.0.1/build_date”
Tue Jun 8 11:42:16 KST 2021
I will mess around some more, but at least I have 1 working T9 and I only paid $10 total for both of them. Correct me if I’m wrong, but wiring up the UART would not be useful if the root password got changed during the 2661 update, right?
**Total speculation here BUT : This could indicate a warning about firmware updates of modified devices to 2661 and it causing them to stop working. Always be careful people.
My name above should link to my Reddit user page if anyone wants to reach me.
Please can I have the testing battery script? I have these device unattended for wifi cameras and 2 out 5 battery is swollen up, These device do not start themselves when unexpected shutdown so I have to have the battery in. Right now my remedy is the smart plug that have schedule of 2 hours off/on.
This is my current implementation, but I will likely change the logic. This works decent, but it doesn’t always strictly maintain the voltage. Don’t worry, no harm can come from this script. All it does is *limit* the input current the device can pull over USB. The worst it could do in complete failure is 1) not allow enough current and deplete the battery or 2) allow the same current that is allowed by stock settings anyway.
Create /etc/init.d/bms.sh with the contents of this pastebin : https://pastebin.com/VjDVrGhw
chmod 755 /etc/init.d/bms.sh
ln -s ../init.d/bms.sh /etc/rc5.d/S99bms.sh
then reboot or run /etc/init.d/bms.sh from the shell
* This pastebin is only good for a month as I hope to have a better version by then. Currently if you have very strong cell signal it will keep it slightly higher than 4.1 volts and if you have a very weak signal it will be slightly lower than 4.1.
This logs to /var/log/bms.log where you can see the voltage, the current limit, and the CPU temperature every minute. This log is stored in RAM. Use “tail -f /var/log/bms.log” to monitor.
Again, this is designed mostly to keep the batteries from bulging. The hardware has no way to set the charge voltage, you can only vary the current. The battery may slightly charge and discharge throughout the day. From my knowledge of batteries, this script cannot be worse than Franklin’s stock charge logic of holding the battery at far too high of voltage. Standard disclaimer: I’m not responsible for anything that may happen to your battery or device. I am 1 month into testing on 2 devices.
It might take a few hours for your battery to stabilize around 4.1 volts when it is first run.
Can you re-check the scrips? I’m checking on my side like 5 times but couldn’t produce the log, it just not there. I’m on the 891 Firmware.
I have verified the script I posted and I’m running it on 891 and 1311. Make sure your bms.sh file is correct. If you downloaded it from pastebin or your computer instead of copy/pasting it, it could have carriage returns in it. In VI it will show “^M” characters and they will cause it to fail. The best way is to copy/paste the raw version on pastebin via PUTTY.
The script should be 690 bytes after you copy/paste, press return, and then end the file.
If you need further help, click my name in the post above to go to my Reddit profile and chat with me there for more troubleshooting. Right now these instructions are for people familiar with command line UNIX usage.
You rock man, working as intended now, right at around 78%, log did show up today and wonder if you could add in the timestamp to the log? and what if I just want around 50%, should I change the target to 390? or low as 20%?
After few days only 1 out 3 devices work, the first one just magical work the day after running the code, there are no timestamp so didn’t know when it start running. Then I start same process for the next two devices, seem not to work even left overnight, poke around for log and probably been stop during boot, on both device. ALL device are on 891
Completed starting miscellaneous daemons/etc/init.d/rc: /etc/rc5.d/S99bms.sh: line 8: syntax error: unexpected “elif” (expecting “then”)
Should have warning on the use of script is device will shut down like in 30 mins without the battery.
Pastebin has expired. Is the better version ready? This would be useful for me since I’m leaving mine plugged in for home internet. Thanks.
Thanks for posting all of this, and your previous work! Could you post the scripts again? If the new ones aren’t ready or abandoned, that’s cool. Ty
Hi Steve! I’d love to try your battery voltage optimization solution. Any chance you have a current version posted somewhere? I’m considering an “always-plugged-in” use for my T9, so I’d like to limit the battery’s charge capacity.
Hello everyone, I just found the paste bin battery script and so here it is for good this time. Enjoy. Very helpful.
/etc/init.d/bms.sh
Just copy and past the following into the above named file, save it, and reboot for it to work
#!/bin/sh
TARGETV=410
while [ true ]; do
VOLTAGE=`cut -c1-3 /sys/class/power_supply/fuelgauge/voltage_now`
VDIFF=`expr $VOLTAGE – $TARGETV`
if [ “$VDIFF” -gt 10 ]; then
CUR=133
elif [ “$VDIFF” -gt 5 ]; then
CUR=167
elif [ “$VDIFF” -gt 0 ]; then
CUR=200
elif [ “$VDIFF” -gt -5 ]; then
CUR=233
elif [ “$VDIFF” -gt -10 ]; then
CUR=267
else
CUR=500
fi
read LAST /sys/class/power_supply/battery/input_current_max
fi
read TEMP /var/log/bms.log &
Part of that post got cut off. Here is the complete code
#!/bin/sh
TARGETV=410
while [ true ]; do
VOLTAGE=`cut -c1-3 /sys/class/power_supply/fuelgauge/voltage_now`
VDIFF=`expr $VOLTAGE – $TARGETV`
if [ “$VDIFF” -gt 10 ]; then
CUR=133
elif [ “$VDIFF” -gt 5 ]; then
CUR=167
elif [ “$VDIFF” -gt 0 ]; then
CUR=200
elif [ “$VDIFF” -gt -5 ]; then
CUR=233
elif [ “$VDIFF” -gt -10 ]; then
CUR=267
else
CUR=500
fi
read LAST /sys/class/power_supply/battery/input_current_max
fi
read TEMP /var/log/bms.log &
The new 2062 firmware has a smart charging feature. Will this script work with that feature enabled and just limit the maximum voltage it charges to?
after messing around with this i figured out it was still cut off so i made a non-expiring pastebin of the script for everyone
https://pastebin.com/0RiY3ATe
Yes! Thank you for making this SO EASY.
However, is there an EASY way to stop OMA DM from running when on Sprint.
Steve suggests:
mv /etc/init.d/start_omadm /home/root
Or
Does your downgrade file block OTA updates?
The downgrade “should” block downgrades, unless omadm has a way to bypass my blocks, which I kinda doubt due to the fact I block the OTA servers at the DNS level.
OMA DM has the capability to send update binaries over the OMA data connection directly – no DNS used. However, the document I read said it would be limited to 20 MB, which wouldn’t be enough for a complete T9 firmware. It could send a partial update, but I believe it still uses FOTA to apply it – so if that’s disabled it might block that.
Marc : That’s why I said it’s best to just keep it from starting altogether on 1311+, which is all my “mv” command does. You can get rid of “/etc/init.d/start_omadm” however you want, but it should not be in that directory when using Sprint. “check_qcmap_pdc_status.sh” starts it on every boot when the current brand (/data/configs/brand) is “SPRINT”.
If the up/down arrows are not present after loading the config file does that indicate an issue with the signal or that it is working? I tried both config files and they both just sat there with no internet (but with full LTE bars indicated) for about an hour without ever showing the updating screen. Wondering now if I am in a dead zone or something.
I also tried changing the APN from the otasn to r.ispsn, to no effect. Only after doing a factory reset with the button on the back was I able to get my pitiful slow internet back again (sprint bands I presume).
You may want to try relocating to a better location before applying the downgrade config then, since the weak signal in your area could be at play here.
I see, I will give that a try later. So the signal strength (bars) is not the metric I should use for signal strength?
Bars just show your signal to the tower, but if your tower has no bandwidth it will still be slow.
Your site has eaten 2 messages from me. One was a response to you and another to Nguyen. The comments I posted never showed up for moderation, just disappeared. I saved each comment in my Notepad and when I tried to post it again later it said “You already said that”, so it knows my message and it’s stored somewhere.
Just thought you would like to know.
Thanks for the heads up, the spam filter hates links so I manually approved your 2x comments.
after downgrading, the password isn’t “password” and I keep getting locked out. A factory reset did not help unfortunately.
Please re-read the post. After the downgrade is complete, the password resets back to the default of “admin”.
does anyone have a step by step for dummy’s, on how to make the t9 run on a regular phone line tmo sim and adjust TTL to avoid throttling.
does anyone have a step by step for dummy’s, on how to make the t9 run on a regular phone line tmo sim and adjust TTL to avoid throttling.
I’m trying to get ADB/QXDM access on my T9 device with SW 2602.
I tried the ‘Root Only’ download and restore method, but I’m unsure what the next step is to verify root/ADB access.
All the old URLs, passwords, and methods from the previous posts don’t seem applicable.
Can someone please share the next steps for enabling SSH/ADB/QXDM access on SW 2602?
The root tool enables access via telnet and SSH.
Can I use the root bin after already having downgraded to 1311?
no, it is for 2602 only. You can refer to my original blog post if you want root access on 1311.
After running the 1311 file. I have no service on my T9. With a Sprint SIM and calyx plan. I switched to the correct APN. Network is disconnected.
Yeah same thing happen to my last device too, I have flash all older firmware all week and no matter what sim I have in and correct APN, it will not connect at all. Work soon as I flash the newest 2602. Thank to root access it work like 1311 anyway. Now only wait for the engineer password if some one able to crack it.
how did you restore service?
Downgrading ended up locking my Sprint SIM. When I check the SIM it says disabled. Is there any way around this? Sprint told me that they will have to consider the unit defective when I tried to call them for an unlock code. SIM works fine in my Nighthawk.
Chris B.:
Thank you for your work and publishing of your Franklin Wireless R717 / Franklin Wireless T9 articles.
The information provided has been both useful and interesting.
There is something you should be aware of: Sometimes security is left weak, but existent on purpose. The reasoning behind this is oftentimes to dissuade many simpletons from proceeding further, but allowing a different class (whomever they may be) to progress after some work. This can be thought of as a trade-off to allow most of the target audience to be happy enough given constraints of a project.
In the case of firmware/software of devices, oftentimes there is security preventing the enabling of features or against the access of configuration pages; the security is, however, weak and after experimentation of some simple and skilled work (trying easy to guess passwords, for example), access or use may be gained. As one example (and there are many), many Android firmware restrict the stock recovery menu from being accessed until a key combination in entered; the key combination usually is easy to discover. In this security case, the Android recovery menu is secured against those thought to be too simple to make well use of the feature and that can accidentally break something, but allows those are more competent to use and enjoy the feature.
In the specific case of Franklin Wireless mobile access point devices, Franklin Wireless oftentimes produces devices and tailors them and their firmware to a party that hires/contracts them for it (such as Sprint or T-Mobile). Oftentimes, the hiring/contracting party will not want various features presented to the user or want anti-features presented to the user. Franklin Wireless might still want to present more features or more capability to those users that can make use of them. Thus, they may still incorporate the features, but hide or restrict them with weak security. Simple users will typically not access such features and the skilled power users can enjoy the product more after unlocking the hidden features, oftentimes without failing to fulfill the contractual obligations to the hiring party.
A takeaway is that weak security might not necessarily be a bad thing.
I know very well that I might currently not belong here but hey, I need help. I want to download Franklin R711 (the old model of course).
I can access adb but I really don’t know what to do since the tricks posted don’t work on the device.
Hey Chris, I was wondering – Have you poked around at all with the newer model TMOHS1? It seems they aren’t sending out Franklins at all anymore, and Ive tried poking at it and examining the management website but to no avail.
I have not as I do not own one. I wouldn’t mind poking around at it, but even if I get one there’s no guarantees I would find anything worthwhile.
Fair enough. You can probably get one from T-mobile if you’re interested, considering that they let you sign up for the test drive thing again once it’s been 6 months since your initial signup. Anyway I look forward to hearing your results if/when you get your hands on one.
Hi Chris ,
I just would like take this time to thank you for your effort in bringing this . I had bought 3 t9s begining of this year but by the time firmware 2602 was out before I figure out your posts exists to root them . Thankfully I waited sometime and found your posts again now and I was able to successfully root them and I can enjoy the freedom of being root of my device . I like freedom especially when I purchased it and I want to be owner of the device . Thanks again for your hard work .
Thank you So Much .
Ignore the “to no avail” part — I’ve achieved root! See my comment below.
Hi Chris, just wanted to take a minute to thank you for all the work you put into creating your downgrading script as well as documenting everything. I received a T9 with a T-Mo SIM and while it was initially on firmware 1311 after just a few days it upgraded to 2602 and I lost access to the bandlocking feature which I use heavily. I used your scripts and the easy to follow directions and now over a month later am still happily running my T9 at the 1311 revision. I appreciate your work and throughness. Thanks and have a Happy New Year!
Great news for everyone: I have managed to root the newer device (TMOHS1) through a shell command injection vulnerability I found in one of the cgi binaries that handles the webserver backend. I’ll have a proof-of-concept on github in the next few days; the result of the exploit is an ADB root shell. The device is indeed very similar to the T9, but with some notable differences, like a different cgi backend for the web server for example and no SSH server.
Even though I have root now, I am still not sure how to SIM unlock it. If anyone has any advice on how to proceed with attempting to unlock it, please share! I will note that the firmware contains a utility to send AT commands to the modem, if that proves to be any use. It also does not have a SSH daemon installed, and I can’t figure out how to get busybox telnet to cooperate with root logins, so I’ve just been using ADB. Looking forward to experimenting further!
Here’s the output of uname:
# uname -a
Linux mdm9607 3.18.44 #1 PREEMPT Fri Dec 11 20:22:17 CST 2020 armv7l GNU/Linux
And I have uploaded the output of a few other informational commands, including dmesg, here: https://mega.nz/file/EpElXIDI#YXqRKuDZTwPptx34NGt30uGlnKTWCHSOJDDnq22nRLw
Screw Proof-of-Concepts, here’s a fully-fledged root script for the TMOHS1 with multiple options like enabling ADB, disabling FOTA and more. 🙂
Enjoy!
https://github.com/natthawk/TMOHS1-Root-Utility
Hi natthawk,
Its pure gold. Neat .I tried it on TMOHS1 and its works as you explained . if we can enable or install persistent ssh ,it would be sweet.
Thanks for your hardworking bro.
Thank you ! This worked and I had a blast with it. Glad this community is still alive (kudos to Admin Chris too!) Revelations like this kick ass..
Any update on bootloader unlocking either hotspot? Would be fun to put an open source distro on it with a gui. Thoughts were to go about flashing a rom with a gui like LUCI flashed with r00ter (openwrt for lte devices)-, or even traditionally just TWRP, and using custom android firmware with gui like lineage, sailfish, replicant, etc..
Then installing the correct kernel, to it for awesome usb-c to display adapter connectivity. on that note, since its got a rooted shell, is trying to get termux on this just redundant? I’m fairly a novice as developer from scratch with linux and for that matter a hotspot variant of android (with busybox) linux
THANK YOU!!! I have two cellular modem… hotspot… router… things. One is a Franklin T9, branded “T–Mobile” in red – which uses a $14.99/month carrier, apparently operating on the Sprint network. I am poor and trying to also support my elderly mother, so this is not merely my only Internet access, it is my only option for Internet access. This device is “kind of” slow, and appears to be stuck on band 41. Being older, and unable to replace anything that I break, I have been way too terrified to attempt to modify it.
However, the other device I have is the TMOHS1 “freebie.” The free trial period expired last month. I only used 6 of the 30 gigabytes of data (received my T9 and activated my paid Internet access at that point) – but I noticed that its data speed was, on average, 50% faster on download, and 300%+ faster on upload. Yesterday, I experienced an issue with the T9 (device was plugged in – but, instead of charging the battery that was at 15% when I plugged it in, it ended up at 0% and stayed there). Whilst dealing with that , I had it unplugged and with the battery out, and found myself thinking, “What if…?” So I removed the SIM card and stuck it in the TMOHS1 (which *appears* to be a much nicer device, even though it only has idiot lights instead of a tiny OLED display… bigger battery, USB-C charging/access port, heavier, slightly larger (less confined heat?), not known for destroying its own battery). I eagerly powered on the TMOHS1 with the other SIM card in it, waited a couple of minutes, connected my laptop to it via WiFi, and…
Nope. No Internet access.
I assume this is because the TMOHS1 is “SIM locked,” is this correct? When (if) you manage to break that, should I then be able to use my Sprint-based poor folks’ MVNO SIM card in it, and get Internet access with this device? If so, I am rooting for you to succeed, sir! And thanks, again.
Thanks!
I dowgraded a T9 to 1311 and also discovered that it no longer connects. Several people mentioned restoring their device to 2602. Where can the 2602 firmware be downloaded?
Thanks!
In my original blog post at https://snt.sh/2020/09/rooting-the-t-mobile-t9-franklin-wireless-r717/ I share a link to Mega.io which has an archive of firmwares for the device. From there you can get a copy of 2602.
Thanks! I found that and another post that recommended the 2000 version. I was able to flash that version and restore service. The 2000 version also supports the hidden menus and ssh. So far so good.
I had the same issue, downgraded to 1311 and had no connection regardless of how many times I reset. Upgraded to 2000 and works great. But now in 2000, i can’t find the hidden engineering page (the hidden config and ITadmin pages are fine), is that the same for you?
Never mind, I figured it out. I didn’t read the instructions well.. now it works.. instructions say:
Note: On firmwares newer than 891, you need to first run the following as root before you can access the engineering pages.
/usr/bin/copy_htdocs.sh eng
Hi, how to set vpn on T9 or bypass the hotspot speed limit? My T9 speed is around 10-15mbps. But when I test speed on my phone I can get 50+mbps
Cell phone devices are prioritized at a much higher level than cellular hotspot devices (which are prioritized at the lowest). On a relatively busy tower – which is most of them, these days, I suspect – a cell phone will always be capable of attaining a higher data throughput speed. With that having been stated, use one of the many available tools to locate the cell towers in your area, then go to each with your hotspot device. If your data speed increases significantly when very close to a tower, consider buying (or making) a pair of *directional* (to point at a specific tower) antennas with TS9 connectors, and cracking open the case so you can access the Franklin T9’s internal TS9 ports. Of course, if signal strength and/or tower selection is not the cause of your issue… then this would be pointless, lol.
any interest in trying to unlock the 2022 device?
https://www.t-mobile.com/support/coverage/test-drive-hotspot
I software version 1311, i cannot sim unlock it, either root, making a video will be so helpful.
I rooted a T9 from a sealed box that had version 1311 firmware.
I ran the command “mv /etc/init.d/start_omadm /home/root” to prevent updates.
However, after leaving the device connected for a while, it updated automatically to version 2602.
Apparently moving the start_omadm file did not prevent updates. Fortunately the downgrade process worked and so far the T9 is stable with 1311.
I plan to root another T9 and I prefer not to have to go through this upgrade/downgrade cycle.
Is it possible to prevent updates from a clean, rooted version 1311?
This is a great article
I have 2 questions.
I have tmobile voice lines, no data only lines, can the T9 still be used? Does downgrading it allow for use with only a voice line?
How can I force update without the internet? I dont have a data only sim at the moment, can it be done without the internet?
thanks
J
Hi there,
Just wondering why 1311 is the recommended version? Why not 1312 or 2000?
What are some of the differences between the versions, other than:
* starting with 2602 it’s locked down
* starting with 1311 you need to modify the config file to enable SSH, ADB
Also, for 1311, what is the difference between all_sm and all.new ?
I recently purchased the Franklin T9, cheap. It came new with the 1311 firmware installed, and I promptly rooted it, following the first guide, but unfortunately got an immediate OTA for 2602.
Please consider updating the initial root guide page to stop users from performing any of that work without first disabling the OTA.
I tried followed your rooting again, but it just sits. I applied the downgrade config, and the web page shows it’s connected, but it doesn’t download the 1311 firmware. I have the firmware sitting in the same directory. A guide that would allow applying downgraded firmware from a file, either local or sftp would be excellent.
Nevermind 🙂 I figured it out, even with no SIM
Uploading and applying your new config also enables ssh. That allows one to follow the procedure from first rooting instruction page to get the ota_update_all.zip file from R717F21.FR.1311_ota_update_all_sm.enc
and then scp ota_update_all.zip file to /cache, ssh as root and follow the instructions at the start of this page. Voila, updated with no SIM!
Hi I’m trying to downgrad my t9 but can’t get into the backup and restore page, none of the passwords work that I tried.
Another day, another hack. I’ve rooted, ssh enabled, SIM unlocked, OTA disabled, added new APN for ATT, inserted ATT SIM, Now, playing with one band at a time, and speedtesting, I want to try a band that’s not enabled. How can one enable a band other than those in the band dropdown dialog, say B14 or B17 for instance?
I recently acquired a Franklin T9 that was on the 2602 firmware. After attempting to downgrade using the “downgrade_2602_to_1311_config.bin” file, the router no longer connects to the internet. The hotspot’s home page shows “Network Status Disconnected” and “Network WCDMA”. Seems like “WCDMA” shows up if I choose “Automatic” or “3G Only” for the connection mode. And it changes to “No Service” if I choose “LTE”.
I can no longer perform any Software Updates because file uploads never complete. I can ssh and scp so I still have some hope that I can fix something. I know this is a long shot but is there any hope? Suggestions on things to try? Thanks.
Did you get any resolution?
I downgraded to firmware 891 and faced the same no connection issue. A reset using the button on the bottom returned the connection.
This may not be the right place to ask, but I recently learned my goofy niche phone only supports 5Ghz channels 51-128.
In the Franklin T9 settings, I cannot select a 5Ghz channel within that range.
If I root the device would it be possible to modify this? or is this a hardware limitation?
Thanks for any feedback.
For those of you who experience problems with their Franklin T9 such as, lag, websites not connecting, wifi devices not connecting, and not being able to client or bridge to the Franklin hotspot, I think I have a solution. I think the problem is the Tmobile’s Ipv6. Add a new APN using fast.t-mobile.com with just ipv4. It solved my problems with this Franklin hotspot. Not sure why their Ipv6 is causing so much problems.
I keep getting a “No Service Available” after doing the update…any options for this?
same here…..891 and no service available for all sims ive tried. Any solution?
For those with no service on 891 or 1311, I have heard reports that the 2000 firmware will work. Just note it may try and self-update as I did not package a 2000 firmware with OTAs disabled, so proceed at your own risk.
For reference, I just received one running 2602 and the process worked. First install the downgrade script (mine didn’t come back up without a factory reset, but then came up fine), remember to use the admin password ‘admin’, then generate your unlock code using the link in the previous post and reboot. Voila, unlocked.
Is it possible to run this downgrade on a 2602 T9 with a sim card that is locked to the IMEI of another hotspot? I purchased a refurb T9 with the intention of rooting it and spoofing the IMEI of the new router to work with my current SIM, but I’m not sure if that will work after reading that the hotspot must have a working sim and a data connection.
Pingback: Tmobile home internetas well as the web ui login password - Ui login
Is there way to restore from local file?
This method requires working data only SIM. Without it, it wont work.
Can we download the right file to local and upload the whole thing and restore?
Or is it possible to use a phone tether into the USB of T9 to get network connection?
Cheers
Pingback: Amazing Site
What DNS records need to be blocked to prevent OTA updates? I’m not able to use the firmware here as I couldn’t get a cellular connection with it. Had to upgrade to something newer. But I do have root.
Also, does anyone have Steve’s battery management script, or know how it worked? I’d love to keep my new T9’s battery from getting killed.
Thanks for all your work!
Hi Brandon,
I don’t have the battery scripts, but I developed a solution to monitor charge percentage and trigger a smart plug on/off at designated intervals. Happy to share some details if you are interested. I’m using Wyze smart plugs. Why they do not offer their own offical API, they do integrate with IFTTT, which let’s you use Webhooks. And that can be triggered with cURL. While the linux distro on the T9 does not have cURL, you can put cURL static binaries on the T9.
M
For those who are experiencing “No Service Available” and finding their sim inserted not working after downgrade to either 891 or 1311, I found a way to stick with 1311 firmware and not rely on the fix upgrading your t9 to 2000 firmware.
Quick solution to stay to 1311 firmware on T9 Franklin from a 2602 downgrade.
***for users who successfully downgrade to firmware 1311 with no service available with inserted sim****
1. do reset to factory setting (do it once or twice)
2. and using the ota 1311 file that chris provided in megashare. reflash your t9 with R717F21.FR.1311_ota_update_all.new.enc
3. at this point if you have sim inserted in t9 and configure your apn setting. youd be connected to the internet. im recommending you to turn off your t9 device right away to stop it from downloading the update 2602.
two optional:
a) remove your sim because this gonna keep your t9 from dl 2602 and updating your device.
b) you can again reset your device so you would start with fresh setting.
4. to disable the automatic ota
a) by changing ota url in the hidden webpage
b) by adding lines of 127.0.0.1 url of ota in /etc/hosts
c) renaming or moving /etc/rc5.d/S99fota to other location or editing the s99fota file and putting # in the line of /usr/bin/fota_app to #/usr/bin/fota_app
5. your device is now safe from auto update to 2602 firmware.
**For users who downgrade to 891 and getting no service available….same steps as above to get to firmware 1311 with working service. Take note I tried reflashing OTA 891 again, but it would not fix the problem of No service available, so theres no way to downgrade successfully to firmware 891. it can only be done with 1311 firmware. **
Enjoy your Franklin T9 with 1311 firmware. Thanks again to Chris for hacking T9 and sharing his findings to us.
Hello, I know I know, I shouldn’t have done anything, but I did, can someone please take pity on me and help me fix this, I want to go back to the latest software but I am not good at anything, please help me, I have tried everything to update from 1311 to 2602, there is nothing out there.
Has anyone found a way to get SSH access to the Franklin T10? I recently bought a T9 on amazon, but got sent a T10. Before I send it back, thought I’d see if anyone knows how to get root access to it.
Thanks!
Hi Chris,
i am less talented compared to anyone on here so i have this area of confusion
the firmware you uploaded vs the firmware vs the firmware uploaded by “ServError” on
December 30, 2020 firmware link – https://mega.nz/file/Lk8k2TgI#DwuWhvQh2nd-Gv2247cFB0rnVodqNP9M0_k751o0XJw which is 1311 which is the same as your that you uploaded on here.
for the life of me i cant activate the engineer page from your firmware so i have used firmware uploaded by ServError is there a difference between his and yours firmware beside the engineer page already up?
using WinSCP i was able to SSH: [email protected].0.1 password frk9x07 and first thing i did was delete /etc/init.d/start_omadm
and than using my computer i opened notepad and copy and pasted this
#!/bin/bash
### BEGIN INIT INFO
# Provides: ttl
# Required-Start: $remote_fs $syslog $networking
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 1
# Short-Description: Set TTL in iptables
### END INIT INFO
TTL=64
INTERFACE=rmnet_data0
case “$1” in
start)
echo “Setting TTL on $INTERFACE to $TTL…”
ip6tables -t mangle -I POSTROUTING -o $INTERFACE -j HL –hl-set $TTL
ip6tables -t mangle -I PREROUTING -i $INTERFACE -j HL –hl-set $TTL
iptables -t mangle -I POSTROUTING -o $INTERFACE -j TTL –ttl-set $TTL
iptables -t mangle -I PREROUTING -i $INTERFACE -j TTL –ttl-set $TTL
;;
*)
echo “$1 is not implemented”
;;
esac
exit 0
and saved the text file named it as S99set_ttl
and than using WinSCP i ssh into the hotspot and dragged and dropped S99set_ttl.txt directly into etc/rc5.d/ folder then rename it to remove the .txt from the file name then right clicked, select properties and gave it 755 rights. then rebooted.
and everything worked out
with your firmware i kept getting no sim error and to fix that i need engineer page on that way i can change imei but i was not able to activate the engineer page nor was i able able to SSH into device only option for me that worked out was the file uploaded by “ServError” so please let me know if there is difference between his firmware and yours
Could you share the bin file for Serverrors firmware? The megaz link has been taken down.
My software version 1311, i cannot sim unlock it, either root, making a video will be so helpful.
ssh [email protected].0.1 connection refused/
@Douva which version 1311 you got? the one from chris or by ServError i recommend to use serverror firmware and after flashing it u can login into http://192.168.0.1/engineering/franklin/ and there enable ssh for unlocking u can use this link: https://jsfiddle.net/4zds6531/ and input ur imei
Does anyone have instructions or even a rough guide of how to do this with TFTP/ some kind of local server? I do not have a working SIM and I need to downgrade before my SIM will start to work. Chicken and egg and I bet that is the case for a lot of folks.
I have software/linux/ssh knowledge.
Nevermind, here’s how you do it.
First, flash the root only image that snt so thoughtfully provided.
Wait for reboot. Connect to hotspot (or use usb to keep your home wifi internet going also, very recommended)
Telnet in with `telnet 192.168.0.1`. Very nice of snt to include the telnet root shell totally open since I couldnt figure the root password.
Change the root password to something you can remember with `passwd` command, since the change in the root script doesn’t seem to work and we need it to ssh in.
Now you can SSH in, nice since thats better than telnet for me.
Now, back on your computer set up a tftp server on your computer. On arch that was just a matter of installing the starting the tftp-hpa package.
Download this file https://snt.sh/uploads/t9/T9_1311_ota_update_all_block_otas.zip and put it in /srv/tftp ( you may need to chmod the folder or do this as root)
Also take a copy of my modified script from here and put it in the /srv/tftp folder. https://raw.githubusercontent.com/factoidforrest/franklin-r717-t9-downgrade/main/src/downgrade_no_internet.sh
Find out your computers IP that the hotspot gave you (ifconfig works on linux, ipconfig on windows)
From the hotspot shell, run `tftp tftp [email protected] -l /cache/ota_update_all.zip -r ota_update_all.zip -g`
You may need to `touch /cache/ota_update_all.zip` first because tftp is really old and dumb and needs the file to prexist I guess.
Do the same thing with my modified script.
Now just execute the script. You’ll need to make it executable first with chmod +x downgrade_no_internet.sh
Piece of pie!
Sorry that tftp command was a little wrong, take my name out of the IP address. It should just be the IP, no username
To make this a bit easier, once I had the files on my machine, I transferred them to the device using SFTP (MobaXTerm) which was drag and drop. From there, I simply enabled the script (chmod +x) and ran it.
Note: Since I had copied the script and pasted via VScode, I had to remove some line breaks for the script to run properly.
Can you please explain more
I deleted all the “change target” in the engineering menu, except the default, and my hotspot no longer works. Does anyone have the files that I can load to restore the targets?
Getting 4G with T-Mobile T9 using other SIMs (US Mobile and Freedom 🇨🇦. US Mobile unlimited data plan caps hotspot at 10 GB. Is there any way to modify the T9 to overcome this? I read that some Android devices could do so with apps or changing TTL, DUN, or MAC address. Would something be similar with T9? Thanks 🙏
Not likely, Usually I believe the data caps are controlled on the server side, not the hotspot its self, Although I wonder if since any data used by the hotspot itself for updates and whatnot aren’t supposed to count towards your monthly allotment if you might be able to disguise user data to look like the hotspot is using that data itself, Not likely, they probably track the updates come from “XYZ.COM/Updates”, so any data used coming from the I.P. of XYZ.COM simply are ignored towards the monthly allotment. but I’m not sure, it’s just a theory.
Here is a non-expiring pastebin link for the battery charge limiting script that “Steve” wrote, follow his instructions in his comment to set it up.
https://pastebin.com/0RiY3ATe
Admin Chris, I posted in the old t9/R717 thread but thought I’d throw a message in here as well in the hopes that you might see it. I’d be happy to provide you with a T10 for “Exploratory surgery” to help you. If you want to dig into the T10 give me a yell.
Thanks,
Clay
To all the people posting their IMEI#s and not reading the whole thread where several people have already posted their IMEI and been told “I WILL NOT be providing unlock codes” Several times, and instructions posted about a linux terminal command and even links to virtual terminals where one can EASILY do this, For you special people I will post a link to a tool someone created where you don’t even need to use a virtual terminal and copy/paste a simple command, Nope, this is the laziest of the lazy, It couldn’t get any simpler, With this tool, All you need to do is enter your IMEI and click “Generate code” and easy peasy lemon squeezy Bobs your uncle. Visit https://steftodor.github.io/franklin-unlock/
It literally couldn’t be any simpler. You’re welcome.
I am trying to fix the R717 model and I am trying to read where to begin this process.
Did the battery management script ever get released anywhere?
Thanks to whoever made the config for downgrading Thank you for bricking my device now it cant connect to any tmobile network saying no service and upgrading it doesnt work only downgrading and factory reseting doesnt work thank yall so much for nothing
Would this bypass the blacklisted IMEI I’ve just purchased the of these t9 all have blacklisted IMEI numbers…