Rooting the T-Mobile T9 (Franklin Wireless R717) – Again!

After requests from the online community, I am glad to announce that a downgrade method has been found for T-Mobile branded Franklin Wireless R717 Access Points on firmware 2602. In this post I will go over how I found this method, how to do the downgrade, and links to the required files.

Research

When I found out that 2602 was released for the T9, I quickly got a copy using the OTA endpoint I documented in my last blog post about rooting the device. Once acquired, I extracted it and was quite surprised by my findings:

  • All passwords that were previously documented were changed/rotated
  • The root user password is now stored as a salted SHA256 hash, a huge improvement!
  • Hidden/engineering pages have new passwords, which are ALSO stored as salted SHA256
  • OTAs are now verified via a public cert on upload, so there is no way to create a custom OTA image.
  • Config dumps are also signed and verified. However, since devices have to generate these, both the public and private cert are available.
  • Dropbear (SSH server) has been removed from the image completely.

Since I had a copy of the OTA, I decided to flash it on one of my devices, but with the root password changed ahead of time using the decryption/encryption method from my previous blog post. With this, I was able to use UART to get root on the device. This is how I started my initial research into the new update.

To save everyone a ton of time I will just jump to my findings. At the end of the day, I found that the config dumps allow a user to put files in /data/misc, and /data/configs. These are the only two paths you can create files in. With this, I then messed around with the AP configuration file named mobileap_cfg.xml and was able to find that command line injection was possible on some of the fields.

With the two findings combined, I was then able to successfully create and sign a custom configuration dump that includes a bash script that is executed on boot by the device. This means we can run arbitrary commands on the device as root, and flash a custom OTA image!
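
Because the device holds the signing key for config dumps, a valid signature on a restore does not prove where its contents came from, so the restore handler has to treat every field as untrusted before it reaches a shell. The following allowlist check is an added example, not the author's or Franklin Wireless's code; the element names and sample values are constructed and do not reflect the real mobileap_cfg.xml schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element names are hypothetical, not the real schema.
SAMPLE_CFG = """<system>
  <MobileAPCfg>
    <APNName>internet.example</APNName>
    <LanIPAddr>192.168.0.1</LanIPAddr>
    <HostName>mifi;echo injected</HostName>
    <DhcpLease>43200`id`</DhcpLease>
  </MobileAPCfg>
</system>"""

# Per-field allowlists (assumed types); everything else gets a strict default
# with no shell metacharacters, quotes, or newlines.
SAFE_DEFAULT = re.compile(r"[A-Za-z0-9._:/@ -]{0,64}")
FIELD_RULES = {
    "LanIPAddr": re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),
    "DhcpLease": re.compile(r"[0-9]{1,7}"),
}

def audit_config(xml_text):
    """Return [(path, value)] for every leaf or attribute failing its rule."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs and entities are not accepted in a restore")
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        for name, value in node.attrib.items():
            if not SAFE_DEFAULT.fullmatch(value):
                findings.append((f"{here}@{name}", value))
        if len(node) == 0:  # leaf element: validate its raw text
            value = node.text or ""
            if not FIELD_RULES.get(node.tag, SAFE_DEFAULT).fullmatch(value):
                findings.append((here, value))
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

def accept_restore(xml_text):
    """Reject the whole restore on any finding or on unparseable XML."""
    try:
        return audit_config(xml_text) == []
    except (ET.ParseError, ValueError):
        return False
```

Validation of this kind complements, and does not replace, passing values to helpers as separate arguments instead of building shell command strings.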

But wait, how am I able to use a custom OTA image if there is no way to sign a modified update? Well, since Franklin Wireless implemented the image verification logic in userspace and not the recovery environment itself, we can just skip it all! Below you can find the magic I use to completely bypass the OTA verification process.

# Make the OTA system be OK with the abusive install method
mkdir -p /cache/recovery
echo "--update_package=/cache/ota_update_all.zip" > /cache/recovery/command
echo "--debug_no_reboot" >> /cache/recovery/command
mkdir -p /cache/sec
echo 1 > /cache/sec/download_verified
echo 1 > /cache/update_file_verified

...

# Reboot into recovery to install
/usr/bin/go_recovery.sh
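
The design point above, as an added example that is not from the original post or the firmware: a gate that trusts the marker files, next to one where recovery re-verifies the package itself. The RSA key is a constructed demo key built from two public Mersenne primes, and the `.sig` path and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key from two publicly known Mersenne primes. Insecure by
# construction; it exists only so the sample can be signed offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-side signing exponent, never on a device
K = (N.bit_length() + 7) // 8
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

PKG = "/cache/ota_update_all.zip"
SIG = PKG + ".sig"                   # hypothetical detached-signature path
MARKERS = ("/cache/sec/download_verified", "/cache/update_file_verified")

def _encode(msg):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg):
    return pow(int.from_bytes(_encode(msg), "big"), D, N).to_bytes(K, "big")

def verify(msg, sig):
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return False
    return hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), _encode(msg))

def userspace_gate(cache):
    """Flawed: the installer believes marker files that live in writable /cache."""
    return all(cache.get(m) == b"1\n" for m in MARKERS)

def recovery_gate(cache):
    """Hardened: recovery checks the package signature itself; markers are ignored."""
    pkg, sig = cache.get(PKG), cache.get(SIG)
    return pkg is not None and sig is not None and verify(pkg, sig)

def sample_caches():
    """Constructed /cache contents: a vendor-signed image and a modified one."""
    image = b"constructed vendor image"
    genuine = {PKG: image, SIG: sign(image)}
    modified = {PKG: image + b" (modified)", SIG: sign(image),
                MARKERS[0]: b"1\n", MARKERS[1]: b"1\n"}
    return genuine, modified
```

On a real device the verification key would sit in the read-only recovery image, so root in the main OS can change `/cache` but not the check.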

With everything combined, we now have what we need to downgrade devices on 2602!

Usage

To do the downgrade process you will want to download the appropriate configuration for your specific use case. In most cases, the 1311 downgrade is recommended.

  1. Download the appropriate downgrade file for your specific carrier
  2. Make sure your Franklin Wireless R717 T9 access point is on firmware 2602, has a charged battery, and has a working data connection. This means it has to have a working SIM!
  3. With the downgrade file you downloaded, go to the config restore page at http://192.168.0.1/settings/device-backup_and_restore.html. Once here, select the Downgrade config and click “Restore Now”. It will take a moment to upload.
  4. Once the config is uploaded, the device will reboot on its own. Once done, let the device sit for 15 minutes! As long as it has a working data connection, it will download the downgrade image in the background and install it. NOTE: If you had a custom APN, you may need to re-add it before the downgrade will work. To do this, sign into the web UI using the password of “password” and ONLY update the APN. Once done, let the device sit!
  5. You will know the device is downgrading since the LCD screen will show “Updating”.
  6. Once complete, the device will boot up on the downgraded firmware with a factory configuration. Also note the downgraded image “should” also have OTAs disabled!

Downloads

Before you continue, please understand that this may or may not work for you. I am also not responsible for you downloading these files, or for how you use them. If you end up with a bricked and/or broken AP, you understand it was your own doing and to not expect any support.

These were tested to work on T-Mobile SIMs, with mixed reports for SPRINT SIMs. Your results may vary. Also note that the firmware versions being installed are modified to try and disable OTAs.

And for those who are curious about what these configs do, the source code used to create them can be found at https://github.com/riptidewave93/franklin-r717-t9-downgrade

For Franklin Wireless

Thank you for spending the time to harden the firmware for the T9 after my last research post. Even if it makes it harder as a researcher, it’s good to see effort being put in to harden the OS, since IoT devices like this are targets for newer generations of malware. I would argue there isn’t much left to improve on, but I expect you will patch my findings in a future OTA update. Just note that giving users choice around what runs on their AP isn’t a bad thing, it just shouldn’t be as wide open as it was previously. Also, please consider offering a bug bounty program.

2 thoughts on “Rooting the T-Mobile T9 (Franklin Wireless R717) – Again!”

  1. M

    So this might be a stupid question but am I supposed to run that code stuff before trying to upload the file? If so how exactly should I go about doing that?
