Write Imei To Target Failed

1 view

Skip to first unread message

Dhara Lyford

unread,

Aug 3, 2024, 11:22:00 AM8/3/24

to dickprobtabe

I recently acquired a T-Mobile T9 mobile hotspot from a friend who used it with their Test Drive program, and like I do with most embedded devices I poked around. This thread will go over my software findings, and will give you the information needed to gain root access and SIM Unlock the device.

NOTE: I am not responsible for any damage done to your T-Mobile Hotspot. Proceed at your own risk. Note that some of the web pages and tools in this device allow you to modify the device in ways that YOU SHOULD NOT DO since it may be ILLEGAL in your jurisdiction. Please do not proceed unless you know what you are doing.

So for example, my T9 was reporting to check_update.php?carrier=tmobile&rev=891 when it was on firmware revision R717F21.FR.891. Manually calling this URL with any outdated revision will link you to the latest OTA file, which is a .enc

This will then provide you with a .tar file, which contains a file named ota_update_all.zip which has a copy of the rootfs files. On this device, all OTAs are full image releases, so you can upgrade and downgrade as you please using the web interface. As for the decryption key, I extracted this from the binary at /usr/bin/fota_app. I was also able to start a collection of firmwares, including an unreleased update. You can access these OTA files from this Mega Share.

As you can see, the configuration dump is actually aes-128-cbc encrypted, and contains nested tar.gz files. You can now modify the configuration as you wish, repackage it, and re-upload it.

During my research it was found that SSH can be enabled on this device, and once enabled, you can login as the root user. If you are on a firmware version 891 or below, you can run the following command to quickly enable SSH.

Note that if your firmware is above version 891, then to enable SSH you will need to modify the Config File. If you want, I have created a basic python script that can do this for you, which is available on GitHub. Just note it requires OpenSSL 1.1.0 or newer, and is only tested on Ubuntu 18.04.

As for logging in over SSH, I was able to discover the root SSH password for these devices is frk9x07. Sadly, the engineers at Franklin Wireless only used a descrypt (DES) key for the device, which hashcat was able to crack within seconds using my GTX 1080.

On newer OTAs, you can still enable ADB but it needs to be done manually from the /data/configs/mobileap_cfg.xml file. This is done by updating the UsbMode setting value from 9025 to 902D, saving, then rebooting the device. Note you also may need to replace the contents of /data/configs/hsusb_next with 902D as well.

During my digging around the device I found a handful of hidden pages, which were secured by plain text passwords that were statically built into binaries. Below you can find the pages I found, as well as where I found the passwords for said pages.

While exploring the binary at /usr/bin/QCMAP_Web_CLIENT, I accidentally stumbled upon the logic used to SIM Unlock the device. To generate your SIM unlock code, just use the following below in any Linux or Mac Terminal.

Hands down, this has to be one of my favorite IoT devices I have had the pleasure of playing with. I appreciate the fact that Franklin Wireless put minimal effort into securing the device since it makes for a great platform to build on top of. If anyone at Franklin Wireless is reading this, I recommend the following changes to help secure your devices.

It appears that in the latest 2602 update, a good chunk of my recommendations above were incorporated. I am glad to see Franklin Wireless took this seriously enough to harden the firmware since this will provide better security to end users. Note that at this time there is no downgrade path but if I find anything expect to see a followup blog post.

Easiest way to prevent rollback would be to disable the OTA engine and change the URL it points to. This can be done by editing the configuration file at /data/configs/mobileap_cfg.xml and do changes similar to what I have documented at

Is there an ability to root this device and trick it into tethering unlimited from a tmobile phone line sim ? I am using a phone sim with 10 GB hotspot with no issue but to be capped at 50 GB would be nice.

I was wondering.. if I can unlock it and I have access to its terminal/shell, could I use it as a regular wifi hotspot device? I want to boost the range of the wifi at my house for my IoT devices so I can isolate their network.

The only place I have found the band settings referenced via adb are at (/etc/default/configs/DEFAULT # strings mcfg_sw.mbn) when printed it shows a list of nv locations that refer to band preferences explicitly for example (/nv/item_files/modem/mmode/lte_bandpref), but I dont know how to interreact with the non volatile memory.

That works like magic. I was able to unlock my T-Mobile test drive Franklin T9 I bought on eBay, but when I submit the IMEI to Sprint for activation, it says the device cannot be activated on their network, even though Sprint offers the T9 for $90. Apparently the IMEI is blacklisted. Is their any way I can get the device activated on Sprint?

Has anyone else experienced this?
I would recommend NOT using the test-drive SIM if you plan to work with this device and unlock it etc.
I seem to remember previous test-drive sims doing a lock and binding the previous coolpad hotspots to only work with tmobile as well

The hidden menu also has a disabled debranding page (among others) but navigating to it shows that the corresponding cgi (and perhaps the files that debranding would want) are missing, at least at a glance.

This is awesome! I had played around with it a few months ago and managed to gain root access and unlock the SIM on my own through a bit of trial and error. I never reached this level of reverse-engineering, though!

Hi, I received my unlock code but the web page is not allowing me to apply the unlock code. Desired action has no options available and the button it self is greyed out! Please help, can i apply the unlock code through terminal?

For anyone have issues with it auto updating/boot looping take your sim out, restart it, downgrade back to 891, factory reset it, unlock, change your target in the engineering menu to TMOBILE_GCF, reset device again and when you try to update it says your on the latest version 891

2. When I tried to unlock it again manually like I did last time, it said my unlock code is incorrect, which I double checked it was the correct one that I used last time successfully. Looks like tmobile did something on the unlock mechanism.

All this information has proven very useful and educational. Thank for all your effort in sharing it. Using the T-Mobile T9 (Franklin Wireless R717) I noticed that if your firmware if higher than the 891, activating SSH through the hidden menu is not possible. I rolled back mine form 1131 to 891 and ha no issues activating SSH in the hidden menu.

Now the device is switching on but nothing is working. Mobile.hotspot page is working but no information is available on the page. Same with hidden and webpst. I did try to force firmware to device using webpst page but it failed. IT admin page is asking for a password but the one provided here is not working. So i am unable to load .cfg file.

Most of you guys posting are way more talented geeks, but thanks to this thread I turned the free Test Drive Franklin T9 into a budget backup hotspot to cover gaps in the field and at home when the wired Internet and wifi crap out.
Bottom line used for the SIM code unlock. Used my initial $15/mo T-Mobile Connect UNL Talk & Text w/2GB data SIM card to get a number & to confirm speed/coverage. Changed the plan to a mobile data only (2GB) option @ $10/mo. Ran that SIM on my phone, powered off and put that SIM card into my now unlocked Franklin T9 and restarted the T9. Viola! A complimentary Franklin T9 Mobile Hotspot. T-Mobile has the superior LTE data throughput inside my home vs ATT/Verizon. I can upgrade/downgrade the prepaid data plan as needed without carrying the extra expense of a voice/text plan or just activate/deactivate data service as needed.
Yes, T-mobile stuck me for $25 on the initial SIM card cost and activation for the Prepaid phone SIM.
Still not clear if an unlocked T9 works with Mobile data only AT&T SIMs or Verizon SIMS or MVNO data only SIMS plans or what exact tweaks accomplish that.

Ok so I managed to hard-brick my t9 worse than anyone else so far (lol). I accidentally deleted /bin (long story) and it started bootlooping. However, I did find out that you can enter fastboot mode by shorting the two small pads on the PCB next to the display connector while powering on (you might have to pop off the metal EMI shield).

I guess my next course of action is to try to interface with the (very nicely labeled, thanks Franklin!) JTAG pads on the PCB, unless you can get EDL write working, but this will be a hassle and probably require some soldering.

Anyone able to enable the OTG function of T9? We can use this to install Checkra1n and Jailbreak the iPhone.
Also, if the screen could be used to show the status of jailbreak, that would be perfect.

Hello since the 2602 update I no longer have any hidden pages. For some reason I am also not able to downgrade the version with any of the files above anyone have any clue what I should try? Any help is appreciated.

My device came with firmware version 2602 and refuses to be downgraded to 891. I have tried every combination of things I can think of (SIM in, SIM out, reboot, factory reset, connect via USB to PC and Mac) but every time I try to upload the older firmware it fails.

Fuck that shit! Sharing stuff like this is the whole bread and butter of open source and the point of the internet. I say you did an awesome thing, I picked up so much useful knowledge in just attempting and completing the steps you laid out so simply and clearly. One way or another this security flaw was going to get patched, and someone in the company should have rewarded you for discovering and preventing what could eventually have been a major security flaw later if anyone ever used these for more than just unlocked boxes. These were give away throw-away devices long past end of life anyhow. Thank you for sharing. I look often over your blog hoping for more insight.