JioFi 2 M2S 4G router unlock R&D

By innovativesahil, Member on 8th November 2017, 03:18 AM
Hello friends,
I have recently bought a new JioFi 2 M2S device and was trying to unlock it somehow.
After lots of trying I have been able to figure out a few things that I think can be helpful to senior and experienced developers for unlocking.

1. After logging in to the Web Admin, if we go to the page 192.168.1.1/engineer.html it asks for an engineer key, which might open up some hidden settings of the router.
2. I have tried to figure out the JavaScript and it is some kind of MD5 algorithm.
3. On Googling I found a post which says:
a. Device made by Pegasus Telecom (Raysan technology), which is a subdivision of Haier.
b. Same device as Smartfren Andromax M2Y (Indonesian).
c. Also same as Beeline Uzbekistan Mobile router.
d. Runs an embedded Linux web server: Boa version 0.94.14rc21.
4. There is a directory of XML files at 192.168.1.1/wxml/, if it helps.
5. The device supports fastboot mode by pressing the WPS button and power button for 3 seconds.

Experienced developers and geeks, please see if you can do something to unlock it. Best of luck.
If you find anything please reply or PM me.

PEG_M2_B04 FIRMWARE LINK

Click here
All Credits To @sydikm
Decompress the file and use the bin file to upgrade from the web UI.
Please note that this firmware is not unlocked. I am trying, and it may be available in the next few days.
Also try not to downgrade the firmware. Check your version before updating.
AND I AM NOT RESPONSIBLE FOR ANY BRICKED DEVICE
8th November 2017, 08:13 AM |#2 innovativesahil (OP)
I forgot to mention my device details:
ODM: Pegasus
Product ID: M2S
Firmware Version: PEG_M2S_B04
Firmware Creation Date: 2017-02-16
Hardware Version: PEG_M2S_D01

I am trying to attack using Burp Suite.
From the script, the min and max length of the password are 8 and 15 respectively. Can anyone suggest whether I am going right, and which wordlist should be used?
9th November 2017, 01:12 PM |#3 innovativesahil (OP)
After reading some of the wxml files, it seems possible to open ports and send SMS on the device. There is also a cmd (XML) file which might bring up a router interface and allow command execution.
Could some web developers please help?
10th November 2017, 07:48 PM |#4 innovativesahil (OP)
I found two pages at 192.168.1.1/sys.html and 192.168.1.1/update.html.
16th November 2017, 09:12 PM |#5 (Junior Member)
Send unlocked firmware
Please send the unlocked firmware for the JioFi M2S firmware version PEG_M2S_B04 to [email protected]
23rd November 2017, 10:58 AM |#6 innovativesahil (OP)
Web developers' help required
Hey guys, PLEASE HELP.
Below is the JavaScript from the page 192.168.1.1/to_engineer_login.html.
What I can figure out from it is that the password is first given to the function hex_md5, then a substring is taken from its result. The value obtained is given to the function transalte_key(). The result is then POSTed to a page at 192.168.1.1/wxml/eng_login.xml. In the XML file there is a single line:
<eng>login_engineer_check(password)</eng>

Since I am not an expert web developer I need some help. How can we know what is happening inside the function called in the XML file? Also, I want to know if I can somehow call this function and get the result for analysis.
Please share this with as many developers as you know.

Code:
//if(window==top) top.location.href="index.htm";
			//if(top.location.href.indexOf("to_engineer_login.html")>-1) top.location.href="index.htm";
			var Min_PWD_Ln = 8;
			var Max_PWD_Ln = 15;
			var timeout_update;

			function update_lang_rand() {
				$.ajax({
					url: 'mark_lang.w.xml',
					type: "Get",
					timeout: 8000,
					cache: false,
					datatype: "xml",
					//    data: { path:curr_path,page:curr_page,filter:'255'  }, 
					success: function(data, status) {
						lang = $(data).find("lang").text();
						rand = $(data).find("rand").text();
						// if(lang=='id') $('#show_lang').html('IND');
						// else $('#show_lang').html('ENG');
					},
					error: function(x, t, m) {
						if(t === "timeout") {

						}
					}
				})
			}

			//MD5
			var hexcase = 0;
			var b64pad = "";
			var chrsz = 8;

			function hex_md5(s) {
				return binl2hex(core_md5(str2binl(s), s.length * chrsz));
			}

			function b64_md5(s) {
				return binl2b64(core_md5(str2binl(s), s.length * chrsz));
			}

			function str_md5(s) {
				return binl2str(core_md5(str2binl(s), s.length * chrsz));
			}

			function hex_hmac_md5(key, data) {
				return binl2hex(core_hmac_md5(key, data));
			}

			function b64_hmac_md5(key, data) {
				return binl2b64(core_hmac_md5(key, data));
			}

			function str_hmac_md5(key, data) {
				return binl2str(core_hmac_md5(key, data));
			}

			function md5_vm_test() {
				return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72";
			}

			function core_md5(x, len) {
				x[len >> 5] |= 0x80 << ((len) % 32);
				x[(((len + 64) >>> 9) << 4) + 14] = len;

				var a = 1732584193;
				var b = -271733879;
				var c = -1732584194;
				var d = 271733878;

				for(var i = 0; i < x.length; i += 16) {
					var olda = a;
					var oldb = b;
					var oldc = c;
					var oldd = d;

					a = md5_ff(a, b, c, d, x[i + 0], 7, -680876936);
					d = md5_ff(d, a, b, c, x[i + 1], 12, -389564586);
					c = md5_ff(c, d, a, b, x[i + 2], 17, 606105819);
					b = md5_ff(b, c, d, a, x[i + 3], 22, -1044525330);
					a = md5_ff(a, b, c, d, x[i + 4], 7, -176418897);
					d = md5_ff(d, a, b, c, x[i + 5], 12, 1200080426);
					c = md5_ff(c, d, a, b, x[i + 6], 17, -1473231341);
					b = md5_ff(b, c, d, a, x[i + 7], 22, -45705983);
					a = md5_ff(a, b, c, d, x[i + 8], 7, 1770035416);
					d = md5_ff(d, a, b, c, x[i + 9], 12, -1958414417);
					c = md5_ff(c, d, a, b, x[i + 10], 17, -42063);
					b = md5_ff(b, c, d, a, x[i + 11], 22, -1990404162);
					a = md5_ff(a, b, c, d, x[i + 12], 7, 1804603682);
					d = md5_ff(d, a, b, c, x[i + 13], 12, -40341101);
					c = md5_ff(c, d, a, b, x[i + 14], 17, -1502002290);
					b = md5_ff(b, c, d, a, x[i + 15], 22, 1236535329);

					a = md5_gg(a, b, c, d, x[i + 1], 5, -165796510);
					d = md5_gg(d, a, b, c, x[i + 6], 9, -1069501632);
					c = md5_gg(c, d, a, b, x[i + 11], 14, 643717713);
					b = md5_gg(b, c, d, a, x[i + 0], 20, -373897302);
					a = md5_gg(a, b, c, d, x[i + 5], 5, -701558691);
					d = md5_gg(d, a, b, c, x[i + 10], 9, 38016083);
					c = md5_gg(c, d, a, b, x[i + 15], 14, -660478335);
					b = md5_gg(b, c, d, a, x[i + 4], 20, -405537848);
					a = md5_gg(a, b, c, d, x[i + 9], 5, 568446438);
					d = md5_gg(d, a, b, c, x[i + 14], 9, -1019803690);
					c = md5_gg(c, d, a, b, x[i + 3], 14, -187363961);
					b = md5_gg(b, c, d, a, x[i + 8], 20, 1163531501);
					a = md5_gg(a, b, c, d, x[i + 13], 5, -1444681467);
					d = md5_gg(d, a, b, c, x[i + 2], 9, -51403784);
					c = md5_gg(c, d, a, b, x[i + 7], 14, 1735328473);
					b = md5_gg(b, c, d, a, x[i + 12], 20, -1926607734);

					a = md5_hh(a, b, c, d, x[i + 5], 4, -378558);
					d = md5_hh(d, a, b, c, x[i + 8], 11, -2022574463);
					c = md5_hh(c, d, a, b, x[i + 11], 16, 1839030562);
					b = md5_hh(b, c, d, a, x[i + 14], 23, -35309556);
					a = md5_hh(a, b, c, d, x[i + 1], 4, -1530992060);
					d = md5_hh(d, a, b, c, x[i + 4], 11, 1272893353);
					c = md5_hh(c, d, a, b, x[i + 7], 16, -155497632);
					b = md5_hh(b, c, d, a, x[i + 10], 23, -1094730640);
					a = md5_hh(a, b, c, d, x[i + 13], 4, 681279174);
					d = md5_hh(d, a, b, c, x[i + 0], 11, -358537222);
					c = md5_hh(c, d, a, b, x[i + 3], 16, -722521979);
					b = md5_hh(b, c, d, a, x[i + 6], 23, 76029189);
					a = md5_hh(a, b, c, d, x[i + 9], 4, -640364487);
					d = md5_hh(d, a, b, c, x[i + 12], 11, -421815835);
					c = md5_hh(c, d, a, b, x[i + 15], 16, 530742520);
					b = md5_hh(b, c, d, a, x[i + 2], 23, -995338651);

					a = md5_ii(a, b, c, d, x[i + 0], 6, -198630844);
					d = md5_ii(d, a, b, c, x[i + 7], 10, 1126891415);
					c = md5_ii(c, d, a, b, x[i + 14], 15, -1416354905);
					b = md5_ii(b, c, d, a, x[i + 5], 21, -57434055);
					a = md5_ii(a, b, c, d, x[i + 12], 6, 1700485571);
					d = md5_ii(d, a, b, c, x[i + 3], 10, -1894986606);
					c = md5_ii(c, d, a, b, x[i + 10], 15, -1051523);
					b = md5_ii(b, c, d, a, x[i + 1], 21, -2054922799);
					a = md5_ii(a, b, c, d, x[i + 8], 6, 1873313359);
					d = md5_ii(d, a, b, c, x[i + 15], 10, -30611744);
					c = md5_ii(c, d, a, b, x[i + 6], 15, -1560198380);
					b = md5_ii(b, c, d, a, x[i + 13], 21, 1309151649);
					a = md5_ii(a, b, c, d, x[i + 4], 6, -145523070);
					d = md5_ii(d, a, b, c, x[i + 11], 10, -1120210379);
					c = md5_ii(c, d, a, b, x[i + 2], 15, 718787259);
					b = md5_ii(b, c, d, a, x[i + 9], 21, -343485551);

					a = safe_add(a, olda);
					b = safe_add(b, oldb);
					c = safe_add(c, oldc);
					d = safe_add(d, oldd);
				}
				return Array(a, b, c, d);
			}

			function md5_cmn(q, a, b, x, s, t) {
				return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s), b);
			}

			function md5_ff(a, b, c, d, x, s, t) {
				return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);
			}

			function md5_gg(a, b, c, d, x, s, t) {
				return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);
			}

			function md5_hh(a, b, c, d, x, s, t) {
				return md5_cmn(b ^ c ^ d, a, b, x, s, t);
			}

			function md5_ii(a, b, c, d, x, s, t) {
				return md5_cmn(c ^ (b | (~d)), a, b, x, s, t);
			}

			function core_hmac_md5(key, data) {
				var bkey = str2binl(key);
				if(bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz);

				var ipad = Array(16),
					opad = Array(16);
				for(var i = 0; i < 16; i++) {
					ipad[i] = bkey[i] ^ 0x36363636;
					opad[i] = bkey[i] ^ 0x5C5C5C5C;
				}

				var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
				return core_md5(opad.concat(hash), 512 + 128);
			}

			function safe_add(x, y) {
				var lsw = (x & 0xFFFF) + (y & 0xFFFF);
				var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
				return(msw << 16) | (lsw & 0xFFFF);
			}

			function bit_rol(num, cnt) {
				return(num << cnt) | (num >>> (32 - cnt));
			}

			function transalte_key(key) {
				var result = "";
//				for(var i in key) {
				for(var i=0;i<key.length;i++){
					var n = parseInt(key[i], 16);
					if(n >= 0 && n < 16) result += keyss[n];
					else result += keyss[15];
				}
				return result;
			}

			function str2binl(str) {
				var bin = Array();
				var mask = (1 << chrsz) - 1;
				for(var i = 0; i < str.length * chrsz; i += chrsz)
					bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32);
				return bin;
			}

			function binl2str(bin) {
				var str = "";
				var mask = (1 << chrsz) - 1;
				for(var i = 0; i < bin.length * 32; i += chrsz)
					str += String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask);
				return str;
			}

			function binl2hex(binarray) {
				var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
				var str = "";
				for(var i = 0; i < binarray.length * 4; i++) {
					str += hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 + 4)) & 0xF) +
						hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 0xF);
				}
				return str;
			}

			var keyss = "[email protected]@JmTQt9S#I";

			/*
			 * Convert an array of little-endian words to a base-64 string
			 */
			function binl2b64(binarray) {
				var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
				var str = "";
				for(var i = 0; i < binarray.length * 4; i += 3) {
					var triplet = (((binarray[i >> 2] >> 8 * (i % 4)) & 0xFF) << 16) |
						(((binarray[i + 1 >> 2] >> 8 * ((i + 1) % 4)) & 0xFF) << 8) |
						((binarray[i + 2 >> 2] >> 8 * ((i + 2) % 4)) & 0xFF);
					for(var j = 0; j < 4; j++) {
						if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
						else str += tab.charAt((triplet >> 6 * (3 - j)) & 0x3F);
					}
				}
				return str;
			}

			$(document).ready(function() {
				//	hide_menu();
				$("#LOGIN_PWD").focus();
				//	disable_button();

			$("#BTN_Login").die().live('click', function() {
				var ori_key = hex_md5($("#LOGIN_PWD").val());
				ori_key = ori_key.substr(5, 17);

				var password = transalte_key(ori_key);

				//	password=hex_md5("6ff89c");
				var headers = {};
				headers["__RequestVerificationToken"] = $("#csrf_token2").val();
				$.ajax({
					url: '/wxml/eng_login.xml',
					type: "Post",
					headers: headers,
					timeout: 8000,
					cache: false,
					datatype: "xml",
					data: {
						password: password
					},
					success: function(data, status) {
						var new_token = $(data).find("token").text();
						if(new_token == "-1") {
							top.location.reload(true);
							return false;
						}
						$("#csrf_token2").val(new_token);
						$('input[type="button"], button').attr("disabled", false);
						var result = parseInt($(data).find("eng").text());

						if(result == 0) $('#error_info').html("password error");
						else top.location.href = 'index.htm';
						return true;

					},
					error: function(x, t, m) {
						if(t === "timeout") {

						}
					}
				})
			})


			});

$(document).keyup(function(e){
	var keyCode;
	var e = e || event;
	if(window.event) {
	keyCode = window.event.keyCode;
	} else if(e) {
	keyCode = e.which;
	} else keyCode = e.keyCode;


    if (e.ctrlKey || e.altKey)// Exclude key press "CRTL+key" & "ALT+key"
    {
        return;
    }

    if (13 == keyCode && ( $("#LOGIN_PWD").length)  )// Enter key
    {
        $('#BTN_Login').trigger('click');
    }
})

			

			function ID_PW_keydown(e) /* AMO5510.knkim.20140214.add */ {
				var keyCode;
				var e = e || event;
				if(window.event) {
					keyCode = window.event.keyCode;
				} else if(e) {
					keyCode = e.which;
				} else keyCode = e.keyCode;

				/*console.log("keyCode" + keyCode );*/

				if(keyCode == 13) { /* if EnterKey */
					$('input[type="button"], button').attr("disabled", true); /* 20150708-ghjggm after click diabled button */
					login_submit();
				}
			}
23rd November 2017, 03:13 PM |#7 innovativesahil (OP)
OK, here is the thing:
1. If a hex digit 0-F is fed to the transalte_key() function it returns one of the characters in
var keyss = "[email protected]@JmTQt9S#I";
2. If anything else is fed it always returns the char 'I'.
So I think the final password string should be made up only of characters from var keyss, i.e. 3,5,9,S,F,J,T,Q,I,m,t,@,#,
and the length is 17 as done in the substr() method.

Does anybody know how to send raw requests to the server? I know it can be done using Burp Suite, but I don't know exactly how it is done.

Edit:
Actually, the characters # and @ are URL-encoded as %23 and %40 in the string passed to the server.
The server then returns an XML which contains a new CSRF token and a <eng>0</eng>, which I think shows whether the engineer is logged in or not.
27th November 2017, 05:19 AM |#8 innovativesahil (OP)
I found a new file: 192.168.1.1/Makefile
But I don't know how to use it; please, someone reply.
8th December 2017, 06:36 AM |#9 innovativesahil (OP)
https://drive.google.com/open?id=1wW...PQC7FqzFurAadz
This is a link provided by @upi-turin to firmware extracted from the JioFi 2 through adb shell.
19th December 2017, 11:23 AM |#10 shihabsoft (Senior Member)
Quote:
Originally Posted by innovativesahil

Hello friends,
I have recently bought a new JioFi 2 M2S device and was trying to unlock it somehow.
After lots of trying I have been able to figure out a few things that I think can be helpful to senior and experienced developers for unlocking.

1. After logging in to the Web Admin, if we go to the page 192.168.1.1/engineer.html it asks for an engineer key, which might open up some hidden settings of the router.
2. I have tried to figure out the JavaScript and it is some kind of MD5 algorithm.
3. On Googling I found a post which says:
a. Device made by Pegasus Telecom (Raysan technology), which is a subdivision of Haier.
b. Same device as Smartfren Andromax M2Y (Indonesian).
c. Also same as Beeline Uzbekistan Mobile router.
d. Runs an embedded Linux web server: Boa version 0.94.14rc21.
4. There is a directory of XML files at 192.168.1.1/wxml/, if it helps.
5. The device supports fastboot mode by pressing the WPS button and power button for 3 seconds.

Experienced developers and geeks, please see if you can do something to unlock it. Best of luck.
If you find anything please reply or PM me.

Quote:
Originally Posted by innovativesahil

I found two pages at 192.168.1.1/sys.html and 192.168.1.1/update.html.

Quote:
Originally Posted by innovativesahil

I found a new file: 192.168.1.1/Makefile
But I don't know how to use it; please, someone reply.

How are you finding the above links? Do you use any special software or manual scraping?

And for the engineer key thing: it's impossible to do a brute-force attack, as it would take more than a billion requests to the server, considering the number of password characters is 12 (as from the script code) and the character set length is 15.

Our only option is to gain access to the system via adb (as it is an Android OS, it might be possible by shorting some IC pins to enter recovery mode), as fastboot is of no luck, with limited options. Or, ultimately, someone from Jio generous enough to provide the firmware file.
21st December 2017, 09:14 AM |#11 innovativesahil (OP)
Quote:
Originally Posted by shihabsoft

How are you finding the above links? Do you use any special software or manual scraping?

And for the engineer key thing: it's impossible to do a brute-force attack, as it would take more than a billion requests to the server, considering the number of password characters is 12 (as from the script code) and the character set length is 15.

Our only option is to gain access to the system via adb (as it is an Android OS, it might be possible by shorting some IC pins to enter recovery mode), as fastboot is of no luck, with limited options. Or, ultimately, someone from Jio generous enough to provide the firmware file.

Bro, the firmware provided by @upi-turin has adb access, as he himself extracted the firmware using adb. But I am unable to flash the zip through fastboot mode. If we can somehow make a bin file and upgrade through the web UI, maybe we get adb access.
I don't use special software for those links. They are just hit-and-trial results, and some came through the Burp Suite spider.
Also, the engineer key page uses anti-CSRF tokens, so it becomes more difficult to attack. The password length is not necessarily 12, as it is first encoded using MD5 and a substring is chosen. This substring is then further encoded using the character set of 15 and posted in the HTML request along with the anti-CSRF token.
Do you know how to decompile or open a firmware bin file?