Rooting the T-Mobile T9 (Franklin Wireless R717) – Again!

After requests from the online community, I am glad to announce that a downgrade method has been found for T-Mobile branded Franklin Wireless R717 access points on firmware 2602. In this post I will go over how I found this method, how to perform the downgrade, and where to get the required files.

Research

When I found out that 2602 had been released for the T9, I quickly grabbed a copy using the OTA endpoint I documented in my previous blog post on rooting the device. Once acquired, I extracted it and was quite surprised by my findings:

  • All previously documented passwords were changed/rotated.
  • The root user password is now a salted SHA256 hash, a huge improvement!
  • The hidden/engineering pages have new passwords, which are ALSO stored as salted SHA256 hashes.
  • OTAs are now verified against a public cert on upload, so there is no way to create a custom OTA image.
  • Config dumps are also signed and verified. However, since devices have to generate these themselves, both the public and private certs are available.
  • Dropbear (the SSH server) has been removed from the image completely.

Since I had a copy of the OTA, I flashed it on one of my devices, but with the root password changed ahead of time using the decryption/encryption method from my previous blog post. With this, I was able to get a root shell on the device over UART. This is how I started my initial research into the new update.

To save everyone a ton of time, I will jump straight to my findings. At the end of the day, I found that config dumps allow a user to put files in /data/misc and /data/configs; these are the only two paths you can create files in. With this, I messed around with the AP configuration file named mobileap_cfg.xml and found that command-line injection was possible in some of its fields.
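The defensive side of that finding is worth showing in code. This is an added Go example, not code from the post or from Franklin Wireless: it models a small piece of an mobileap_cfg.xml-style file, validates each field against an allowlist before it can reach any command, and passes the values as separate argv elements instead of formatting them into a shell string. The element names (MobileAPCfg, SSID, APN), the allowlist, and the /usr/bin/set_ap helper path are assumptions; the post does not name the injectable fields.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os/exec"
	"regexp"
)

// apConfig models a slice of an mobileap_cfg.xml-style file. The element names
// are assumptions for this example; the real schema is not given in the post.
type apConfig struct {
	XMLName xml.Name `xml:"MobileAPCfg"`
	SSID    string   `xml:"SSID"`
	APN     string   `xml:"APN"`
}

// safeField is an allowlist, not a denylist: letters, digits, space, dot,
// underscore and hyphen, 1-32 characters. Anything a shell could interpret
// (quotes, ;, |, &, $, backticks, newlines) is simply not in the set.
// Tighten or widen it per field; the point is that the set is closed.
var safeField = regexp.MustCompile(`^[A-Za-z0-9 ._-]{1,32}$`)

// ValidateField rejects a value that must never reach a command line
// unchecked. Returning an error instead of "cleaning" the value keeps a
// config restore from silently accepting a tampered dump.
func ValidateField(name, value string) error {
	if !safeField.MatchString(value) {
		return fmt.Errorf("config field %s rejected: %q is outside the allowed character set", name, value)
	}
	return nil
}

// ParseConfig decodes the XML and validates every field that is later
// handed to a helper program.
func ParseConfig(data []byte) (apConfig, error) {
	var cfg apConfig
	if err := xml.Unmarshal(data, &cfg); err != nil {
		return cfg, fmt.Errorf("malformed config: %w", err)
	}
	if err := ValidateField("SSID", cfg.SSID); err != nil {
		return cfg, err
	}
	if err := ValidateField("APN", cfg.APN); err != nil {
		return cfg, err
	}
	return cfg, nil
}

// ApplyArgv builds the argument vector for a hypothetical helper that programs
// the AP. Each value is its own argv element, so no shell ever parses it.
// Contrast the pattern behind the injection in the post: formatting the field
// into one command string and handing that to sh -c.
func ApplyArgv(cfg apConfig) []string {
	return []string{"/usr/bin/set_ap", "--ssid", cfg.SSID, "--apn", cfg.APN}
}

// Apply wraps the argv in exec.Command, which executes the binary directly
// (no /bin/sh involved). The command is returned, not run, in this example.
func Apply(cfg apConfig) *exec.Cmd {
	argv := ApplyArgv(cfg)
	return exec.Command(argv[0], argv[1:]...)
}

func main() {
	// Constructed sample: the SSID carries a shell metacharacter.
	sample := []byte(`<MobileAPCfg><SSID>home;echo</SSID><APN>example.apn</APN></MobileAPCfg>`)
	if _, err := ParseConfig(sample); err != nil {
		fmt.Println("rejected:", err)
	}
}
```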

With the two findings combined, I was able to create and sign a custom configuration dump that includes a bash script, which the device executes on boot. This means we can run arbitrary commands on the device as root, and flash a custom OTA image!

But wait, how am I able to use a custom OTA image if there is no way to sign a modified update? Well, since Franklin Wireless implemented the image verification logic in userspace rather than in the recovery environment itself, we can just skip it all! Below is the magic I use to completely bypass the OTA verification process.

# Make the OTA system be OK with the abusive install method
mkdir -p /cache/recovery
echo "--update_package=/cache/ota_update_all.zip" > /cache/recovery/command
echo "--debug_no_reboot" >> /cache/recovery/command
mkdir -p /cache/sec
echo 1 > /cache/sec/download_verified
echo 1 > /cache/update_file_verified

...

# Reboot into recovery to install
/usr/bin/go_recovery.sh

With everything combined, we now have what we need to downgrade devices on 2602!
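To make the design point concrete, here is an added Go model (mine, not the post's or Franklin Wireless's code) of the two recovery designs: the marker-file check the snippet above bypasses, beside one that verifies the package signature inside recovery. It also covers the config-dump item from the findings list: a signature only proves something when the private key stays off the device. The ed25519 key pair, the package bytes and the marker-file map are constructed stand-ins for the real image and /cache.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// markerFiles stands in for the flag files under /cache that the 2602 install
// flow writes (a constructed model, not the device's real filesystem).
type markerFiles map[string]string

// weakRecoveryAccepts mirrors the design the post bypasses: recovery installs
// whatever package it is pointed at as long as userspace left "1" in the
// marker files. Nothing binds the markers to the package bytes, so any process
// that can write /cache (here, a boot script running as root) satisfies the
// check without the signature ever being examined in recovery.
func weakRecoveryAccepts(m markerFiles, pkg []byte) bool {
	_ = pkg // never inspected
	return m["/cache/sec/download_verified"] == "1" &&
		m["/cache/update_file_verified"] == "1"
}

// strongRecoveryAccepts moves the check into recovery itself: the package is
// installed only if a detached signature over its SHA-256 verifies against a
// public key baked into the recovery image. Marker files play no role, so root
// in userspace cannot pre-approve an image.
func strongRecoveryAccepts(pub ed25519.PublicKey, pkg, sig []byte) bool {
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(pub, digest[:], sig)
}

// signPackage is the vendor-side build step; the private key lives only there.
// Contrast the config-dump scheme in the post, where the device must sign its
// own dumps and therefore carries the private key, so that signature proves
// nothing about who produced the dump.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// Outcome records what each design does with a genuine and a tampered package
// once the markers have been forced to "1".
type Outcome struct {
	WeakAcceptsTampered   bool
	StrongAcceptsGenuine  bool
	StrongAcceptsTampered bool
}

func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("constructed stand-in for ota_update_all.zip built by the vendor")
	sig := signPackage(priv, genuine)
	tampered := append([]byte(nil), genuine...)
	tampered[0] ^= 0x01 // one flipped bit stands in for a swapped image
	forced := markerFiles{"/cache/sec/download_verified": "1", "/cache/update_file_verified": "1"}
	return Outcome{
		WeakAcceptsTampered:   weakRecoveryAccepts(forced, tampered),
		StrongAcceptsGenuine:  strongRecoveryAccepts(pub, genuine, sig),
		StrongAcceptsTampered: strongRecoveryAccepts(pub, tampered, sig),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```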

Usage

To perform the downgrade, download the configuration appropriate for your specific use case. In most cases, the 1311 downgrade is recommended.

  1. Download the appropriate downgrade file for your specific carrier.
  2. Make sure your Franklin Wireless R717 T9 access point is on firmware 2602, has a charged battery, and has a working data connection. This means it has to have a working SIM!
  3. With the downgrade file you downloaded, go to the config restore page at http://192.168.0.1/settings/device-backup_and_restore.html. Once there, select the downgrade config and click “Restore Now”. It will take a moment to upload.
  4. Once the config is uploaded, the device will reboot on its own. Once it is done, let the device sit for 15 minutes! As long as it has a working data connection, it will download the downgrade image in the background and install it. NOTE: If you had a custom APN, you may need to re-add it before the downgrade will work. To do this, sign into the web UI using the password “password” and ONLY update the APN. Once done, let the device sit!
  5. You will know the device is downgrading when the LCD screen shows “Updating”.
  6. Once complete, the device will boot up on the downgraded firmware with a factory configuration. Also note that the downgraded image “should” have OTAs disabled!

Downloads

Before you continue, please understand that this may or may not work for you. I am also not responsible for you downloading these files, or for how you use them. If you end up with a bricked and/or broken AP, you understand it was your own doing and to not expect any support.

These were tested to work with T-Mobile SIMs, with mixed reports for Sprint SIMs. Your results may vary. Also note that the firmware versions being installed are modified to try to disable OTAs.

And for those who are curious about what these configs do, the source code used to create them can be found at https://github.com/riptidewave93/franklin-r717-t9-downgrade

For Franklin Wireless

Thank you for spending the time to harden the T9 firmware after my last research post. Even if it makes things harder for a researcher, it’s good to see effort being put into hardening the OS, since IoT devices like this are targets for newer generations of malware. I would argue there isn’t much left to improve on, but I expect you will patch my findings in a future OTA update. Just note that giving users a choice about what runs on their AP isn’t a bad thing; it just shouldn’t be as wide open as it was previously. Also, please consider offering a bug bounty program.

42 thoughts on “Rooting the T-Mobile T9 (Franklin Wireless R717) – Again!”

  1. M

    So this might be a stupid question but am I supposed to run that code stuff before trying to upload the file? If so how exactly should I go about doing that?

    Reply
  2. Nathan

    Very cool. Just a couple issues with the configuration files you link. You say to wait 15 minutes, but the timeout without a connection is only 10 minutes. It would also be nice if the display timeout could also be extended.

    Reply
    1. Chris B - Admin Post author

      The reason for the 15 min wait is for the actual download and verification, since when the script is run it should have network connectivity within 30 seconds. I hope that helps explain the reasoning.

      Reply
  3. Nathan

    Worked for me, eventually. After an hour I still had the 2602 firmware, but the wifi re-enabled and was named “Franklin Downgrade” (or nearly that). I tried rebooting, and then waiting more. After maybe another hour, I decided to try re-uploading… but the web UI password had changed to something that wasn’t what I programmed it to, nor the default from Franklin. Finally I used the reset button near the battery, then got into the web UI again, uploaded the downgrade config, and then it rebooted a few times and finally displayed “updating”. After just a few minutes it was back online and I was able to see the old firmware version, turn on bandlocking, etc.

    Reply
  4. Justin Rider

    Hello, I currently have one of the TMobile test drive hotspots that they give out for the free 30 day or 30gb to check the availability of their Network. It looks very similar to the Franklin T9 and is even a Franklin device. Would there be a way to flash it through one of the above methods and possibly put one of the T9 OTAs on it and unlock the sim so I could then use it as a regular hotspot with a monthly service plan? As of right now it’s kinda useless but whenever it was working I really liked the little guy. I’m not really concerned about unlocking the sim so much as just being able to get a monthly service plan on it, since the TMobile network picks up pretty well in my location. Thanks for the help!

    Reply
    1. Chris B - Admin Post author

      This will only work on the T9 device (R717). If your device’s model sticker under the battery doesn’t say the Model as T9, then you should not attempt to use these files to downgrade it.

      Reply
  5. Steve

    Hi Chris. Thanks so much for your work. I’ve been using 2 T9’s for several months, one at 891 and the other at 1311.

    On 1311, people should also stop OMA DM from running when on Sprint and possibly other carriers. OMA DM allows carriers to make almost any change to your device remotely – they can also use it to remotely do firmware updates. For me, OMA DM was causing 100% CPU while failing to activate the Sprint SIM. However, data works and activation is not necessary. The device works completely fine without it running. I suggest:

    mv /etc/init.d/start_omadm /home/root

    On 891, OMA DM isn’t even part of the firmware so that also showed me that it is completely unnecessary for full functionality [it’s also on Sprint]. It is only there to give carriers the power to remotely provision or modify your device.

    I’ve also written a battery management system in a shell script that lets you keep the battery at a voltage of your choice. The default charging logic in this hotspot tries to keep it at 4.34 volts – that’s quite a bit higher than 4.2 volts, which is 100% charged. This 4.34 volt issue is why the batteries swell in these if you operate them for 6+ months on the charger.

    I prefer to keep mine at 4.1 volts which still provides 80% charge when it’s necessary. For long term life it’s recommended to keep Li-Ion batteries between 20% to 80% charge.

    I will release the script on your other T9 thread once it’s been thoroughly tested.

    Finally, regarding this topic of roll back and requiring internet, couldn’t you also put in a tftp option to get it from a local computer on WiFi? On the hotspot use tftp which is part of busybox. On the computer you can use a TFTP utility on Windows (and Mac/Linux) to serve the firmware. You could tell people it will attempt to TFTP from a certain IP or you could pull a list of IPs from “arp -an” and start concurrent attempts to TFTP the file from them all.

    I’m getting 2 more T9’s in a few days. If they have 2602 on them I can modify your root.sh to provide this functionality.

    Reply
    1. Chris B - Admin Post author

      Hey Steve,

      Good callout on the OMA DM. I didn’t dig into it much since I don’t use Sprint, so I’m glad to see you calling this out.

      As for the rollback and internet requirement, I wanted the downgrade solution to be usable for anyone non tech-literate. Sure I could have just had a tftp server or sftp server setup, but for users who have never used ssh/CLI, this would have made the downgrade impossible.

      Reply
      1. Steve

        Don’t get me wrong – I like your solution of doing it easily over the internet (properly via https too!). I just like having options. 🙂

        I received the 2 “parts” T9’s today. One has even older firmware than 891! It’s running R717F21.FR.635 with a build date of Dec 5 2019. I’m going to go over the build closely, but so far I can report it has even worse security than 891, which should be expected.

        /hidden and /webpst don’t even have passwords. /itadmin wasn’t written yet. /engineering/franklin exists with the same credentials as 891.

        It’s not showing bands 66 and 71 in the hidden DATA>LTE list with no SIM installed. I’m not sure if it’s because of no SIM (brand issue) or because the bands were possibly added in modem firmware updates in 891+.

        The other unit shows Welcome on power up, then goes permanently to a blank screen. If you hold the power button it does show Goodbye and turns off. The factory reset button shows the factory reset message on the screen, but it never reboots and just sits there. It never broadcasts any WiFi signal.

        Any ideas how I can get to recovery somehow or get into it via ADB?

        Reply
        1. Chris B - Admin Post author

          Sadly I don’t know of any way to force access to recovery. As for the one with the permanent black screen, it may be worth wiring up UART and using that to see if you can get a root shell using the login for the older firmwares. It may also help you see what exactly is failing on the device during boot.

          Reply
          1. Steve

            This black screen one is odd. I know from a note on the battery cover that the previous owner was using a modified IMEI (so it was hacked/modified). Looks like they didn’t block updates. It doesn’t broadcast wifi but it does pop up using RNDIS on my Windows 7 machine.

            Now I can bring up the web pages, but whenever I enter in any password the password box disappears and I’m left with a greyed out page. That’s instead of saying Wrong password in red like old firmware. To be ultra specific, with browser dev tools, login.cgi is returning a

            {}

            response instead of the response from 891 firmware:

            {
              "msg": "Wrong Password.",
              "result": "F_LOGIN"
            }

            Everything is behind login.cgi protection and to top it off it’s running build 2661, which I didn’t know was out. I can’t even bring up the about page, but I realized I could use the following 2 URLs to check the firmware.

            $ curl "http://192.168.0.1/fti_sw_ver"
            R717F21.FR.A2661

            $ curl "http://192.168.0.1/build_date"
            Tue Jun 8 11:42:16 KST 2021

            I will mess around some more, but at least I have 1 working T9 and I only paid $10 total for both of them. Correct me if I’m wrong, but wiring up the UART would not be useful if the root password got changed during the 2661 update, right?

            **Total speculation here BUT : This could indicate a warning about firmware updates of modified devices to 2661 and it causing them to stop working. Always be careful people.

            My name above should link to my Reddit user page if anyone wants to reach me.

    2. Nguyen

      Please can I have the testing battery script? I have these devices unattended for wifi cameras and 2 out of 5 batteries are swollen up. These devices do not start themselves after an unexpected shutdown, so I have to have the battery in. Right now my remedy is a smart plug that has a schedule of 2 hours off/on.

      Reply
      1. Steve

        This is my current implementation, but I will likely change the logic. This works decent, but it doesn’t always strictly maintain the voltage. Don’t worry, no harm can come from this script. All it does is *limit* the input current the device can pull over USB. The worst it could do in complete failure is 1) not allow enough current and deplete the battery or 2) allow the same current that is allowed by stock settings anyway.

        Create /etc/init.d/bms.sh with the contents of this pastebin: https://pastebin.com/VjDVrGhw
        chmod 755 /etc/init.d/bms.sh
        ln -s ../init.d/bms.sh /etc/rc5.d/S99bms.sh

        then reboot or run /etc/init.d/bms.sh from the shell

        * This pastebin is only good for a month as I hope to have a better version by then. Currently if you have very strong cell signal it will keep it slightly higher than 4.1 volts and if you have a very weak signal it will be slightly lower than 4.1.

        This logs to /var/log/bms.log where you can see the voltage, the current limit, and the CPU temperature every minute. This log is stored in RAM. Use “tail -f /var/log/bms.log” to monitor.

        Again, this is designed mostly to keep the batteries from bulging. The hardware has no way to set the charge voltage, you can only vary the current. The battery may slightly charge and discharge throughout the day. From my knowledge of batteries, this script cannot be worse than Franklin’s stock charge logic of holding the battery at far too high of voltage. Standard disclaimer: I’m not responsible for anything that may happen to your battery or device. I am 1 month into testing on 2 devices.

        It might take a few hours for your battery to stabilize around 4.1 volts when it is first run.

        Reply
        1. Nguyen

          Can you re-check the script? I’ve checked on my side like 5 times but couldn’t produce the log; it’s just not there. I’m on the 891 firmware.

          Reply
          1. Steve

            I have verified the script I posted and I’m running it on 891 and 1311. Make sure your bms.sh file is correct. If you downloaded it from pastebin or your computer instead of copy/pasting it, it could have carriage returns in it. In VI it will show “^M” characters and they will cause it to fail. The best way is to copy/paste the raw version on pastebin via PUTTY.

            The script should be 690 bytes after you copy/paste, press return, and then end the file.

            If you need further help, click my name in the post above to go to my Reddit profile and chat with me there for more troubleshooting. Right now these instructions are for people familiar with command line UNIX usage.

        2. Nguyen

          You rock man, working as intended now, right at around 78%. The log did show up today, and I wonder if you could add a timestamp to the log? And what if I just want around 50%, should I change the target to 390? Or as low as 20%?

          Reply
        3. Nguyen

          After a few days only 1 out of 3 devices works. The first one just magically worked the day after running the code; there is no timestamp so I didn’t know when it started running. Then I started the same process for the next two devices, which seem not to work even when left overnight. I poked around for the log and it has probably been stopped during boot, on both devices. ALL devices are on 891.
          Completed starting miscellaneous daemons/etc/init.d/rc: /etc/rc5.d/S99bms.sh: line 8: syntax error: unexpected "elif" (expecting "then")
          There should be a warning on the use of the script: the device will shut down in like 30 mins without the battery.

          Reply
        4. Luke

          Pastebin has expired. Is the better version ready? This would be useful for me since I’m leaving mine plugged in for home internet. Thanks.

          Reply
  6. Marc

    Yes! Thank you for making this SO EASY.

    However, is there an EASY way to stop OMA DM from running when on Sprint.

    Steve suggests:
    mv /etc/init.d/start_omadm /home/root

    Or

    Does your downgrade file block OTA updates?

    Reply
      1. Steve

        OMA DM has the capability to send update binaries over the OMA data connection directly – no DNS used. However, the document I read said it would be limited to 20 MB, which wouldn’t be enough for a complete T9 firmware. It could send a partial update, but I believe it still uses FOTA to apply it – so if that’s disabled it might block that.

        Marc: That’s why I said it’s best to just keep it from starting altogether on 1311+, which is all my “mv” command does. You can get rid of “/etc/init.d/start_omadm” however you want, but it should not be in that directory when using Sprint. “check_qcmap_pdc_status.sh” starts it on every boot when the current brand (/data/configs/brand) is “SPRINT”.

        Reply
  7. Chris

    If the up/down arrows are not present after loading the config file does that indicate an issue with the signal or that it is working? I tried both config files and they both just sat there with no internet (but with full LTE bars indicated) for about an hour without ever showing the updating screen. Wondering now if I am in a dead zone or something.

    I also tried changing the APN from the otasn to r.ispsn, to no effect. Only after doing a factory reset with the button on the back was I able to get my pitiful slow internet back again (sprint bands I presume).

    Reply
      1. Chris

        I see, I will give that a try later. So the signal strength (bars) is not the metric I should use for signal strength?

        Reply
  8. Steve

    Your site has eaten 2 messages from me. One was a response to you and another to Nguyen. The comments I posted never showed up for moderation, just disappeared. I saved each comment in my Notepad and when I tried to post it again later it said “You already said that”, so it knows my message and it’s stored somewhere.

    Just thought you would like to know.

    Reply
  9. Jack

    after downgrading, the password isn’t “password” and I keep getting locked out. A factory reset did not help unfortunately.

    Reply
      1. Rc

        does anyone have a step by step for dummy’s, on how to make the t9 run on a regular phone line tmo sim and adjust TTL to avoid throttling.

        Reply
  11. JT

    I’m trying to get ADB/QXDM access on my T9 device with SW 2602.

    I tried the ‘Root Only’ download and restore method, but I’m unsure what the next step is to verify root/ADB access.

    All the old URLs, passwords, and methods from the previous posts don’t seem applicable.

    Can someone please share the next steps for enabling SSH/ADB/QXDM access on SW 2602?

    Reply
  12. Jeff

    After running the 1311 file, I have no service on my T9 with a Sprint SIM and Calyx plan. I switched to the correct APN. Network is disconnected.

    Reply
    1. Nguyen

      Yeah, the same thing happened to my last device too. I have flashed all the older firmware all week and no matter what SIM I have in and the correct APN, it will not connect at all. It works as soon as I flash the newest 2602. Thanks to root access it works like 1311 anyway. Now only waiting for the engineer password if someone is able to crack it.

      Reply
  13. Peter

    Downgrading ended up locking my Sprint SIM. When I check the SIM it says disabled. Is there any way around this? Sprint told me that they will have to consider the unit defective when I tried to call them for an unlock code. SIM works fine in my Nighthawk.

    Reply
  14. Q

    Chris B.:

    Thank you for your work and publishing of your Franklin Wireless R717 / Franklin Wireless T9 articles.
    The information provided has been both useful and interesting.

    There is something you should be aware of: Sometimes security is left weak, but existent on purpose. The reasoning behind this is oftentimes to dissuade many simpletons from proceeding further, but allowing a different class (whomever they may be) to progress after some work. This can be thought of as a trade-off to allow most of the target audience to be happy enough given constraints of a project.

    In the case of firmware/software of devices, oftentimes there is security preventing the enabling of features or against the access of configuration pages; the security is, however, weak and after experimentation of some simple and skilled work (trying easy to guess passwords, for example), access or use may be gained. As one example (and there are many), many Android firmwares restrict the stock recovery menu from being accessed until a key combination is entered; the key combination usually is easy to discover. In this security case, the Android recovery menu is secured against those thought to be too simple to make good use of the feature and that can accidentally break something, but allows those who are more competent to use and enjoy the feature.

    In the specific case of Franklin Wireless mobile access point devices, Franklin Wireless oftentimes produces devices and tailors them and their firmware to a party that hires/contracts them for it (such as Sprint or T-Mobile). Oftentimes, the hiring/contracting party will not want various features presented to the user or want anti-features presented to the user. Franklin Wireless might still want to present more features or more capability to those users that can make use of them. Thus, they may still incorporate the features, but hide or restrict them with weak security. Simple users will typically not access such features and the skilled power users can enjoy the product more after unlocking the hidden features, oftentimes without failing to fulfill the contractual obligations to the hiring party.

    A takeaway is that weak security might not necessarily be a bad thing.

    Reply
