JioFi 2 M2S 4G router unlock R&D


shihabsoft

Senior Member
Nov 1, 2013
118
44
I went to Jio Centre and thanks to the warranty they replaced the whole motherboard of the device free of cost. It now uses firmware version PEG_M2_B20.
UPDATE: @sydikm shared a firmware file with me which is exactly meant for our JioFi 2. I will share it in the OP. Its version is PEG_M2_B04. All credits to @sydikm.
Great to see some progress. BTW, did you try flashing the B04 and managed to run the device? If yes, I'll start the reverse engineering journey through the firmware file.
 

nareshkumarcool

New member
Feb 24, 2018
1
0
Hello friends, I don't know if it may help you or not. I purchased a JioFi M2S in September; at that time the firmware was PEG_M2S_B04, but now it automatically changed to PEG_M2S_B08. When I searched on Google I found nothing about this firmware, so what's going on?
I only connected the JioFi 4-5 times via USB, but most of the time it's in WiFi mode.
 

deve678

Member
Mar 20, 2017
39
12
Ernakulam
Found New Pages

192.168.1.1/set_ad_secu.html
192.168.1.1/status_lte.html
192.168.1.1/status_dev.html
192.168.1.1/status_per.html
192.168.1.1/home.html


---------- Post added at 11:32 AM ---------- Previous post was at 11:08 AM ----------

I saw this image when I opened the dashboard.
 

sydikm

Member
Aug 19, 2008
9
3
Did you try to boot into QCOM 9008 mode?
Try powering off the device, then while plugging in the USB from the computer, press the power button and see if it is detected as 9008. You can do many more operations then...

Yes, I have tried via the QCOM 9008 method (for 9008 you need a test point, which I already have). To flash in 9008 you need a firehose XML.
 

deve678

Member
Mar 20, 2017
39
12
Ernakulam
Look at this

Look at this image
http*s://drive*.google.*com/*open?id=1Dw*VqQ*JIE-F*EY1Yxs4*pR1fMy*t6KiaX*SD*i

---------- Post added at 10:41 AM ---------- Previous post was at 10:40 AM ----------

Remove the * in the link.
 

dipraj

New member
Dec 21, 2013
1
0
Yes, I have tried via the QCOM 9008 method (for 9008 you need a test point, which I already have). To flash in 9008 you need a firehose XML.

Could you tell me how to put the M2S or M2 in 9008 mode?
I want to change its NV items; I want to lock it on band 40, which I already did on my OnePlus One. If you press power button + WPS it opens fastboot mode.
 
Last edited:

Yogi_k

New member
Mar 16, 2017
2
0
How to unlock JioFi 6 JMR815?

How to unlock the JioFi for other SIM support? Please forward the link of the firmware update for that device.
 

Vismay G S

Member
Jun 10, 2017
10
2
A little something I figured out

I think if we successfully sign in to https://macs.oss.jio.com:8443/ftacs-digest/ACS we might be able to enter engineer mode.

The real problem is that the login process goes through the internet.
I used Google and searched the above URL and I came across a page: idm.jioconnect.com
I think only an account holder from the above link can access the engineer mode. The problem is the above link's account holders are either Jio store executives, technicians or Jio partners.

That's why in the firmware there is no username and the password is **

By the way, my device is the JioFi JMR540.
 

deve678

Member
Mar 20, 2017
39
12
Ernakulam
I think if we successfully sign in to https://macs.oss.jio.com:8443/ftacs-digest/ACS we might be able to enter engineer mode.

The real problem is that the login process goes through the internet.
I used Google and searched the above URL and I came across a page: idm.jioconnect.com
I think only an account holder from the above link can access the engineer mode. The problem is the above link's account holders are either Jio store executives, technicians or Jio partners.

That's why in the firmware there is no username and the password is **

By the way, my device is the JioFi JMR540.

Then can't we redirect the request to a local page and send a fake authorisation key to the JioFi? I think it can be done.
 

Vismay G S

Member
Jun 10, 2017
10
2
Then can't we redirect the request to a local page and send a fake authorisation key to the JioFi? I think it can be done.

I don't know man, I'm not experienced in these.

But I think it works like logging into a Google account from a PC and installing an app from Google Play in the PC browser, and then the app is remotely downloaded and installed on the phone.

I'm not even sure that what I mentioned in my previous post is correct, because when I was just looking in the firmware it was like this:

Code:
www\defaults\acs.xml
<?xml version="1.0" encoding="US-ASCII"?>
<RGW>

	<!--FXC dongmei add start for acs 2014/9/11-->
	<tr069>
		<acs_url>https://macs.oss.jio.com:8443/ftacs-digest/ACS</acs_url>
		<acs_username></acs_username>
		<acs_password>***************</acs_password>
		<conn_name>ftacs</conn_name>
		<conn_psw>ftacs</conn_psw>
		<inform_enable>1</inform_enable>
		<inform_interval>86400</inform_interval>
		<acs_secretmode>1</acs_secretmode>
		<!--rollback from 60s to 24h by FXN Hugh 2015.09.18 -->
	</tr069>
	<management>
		<acs_username>administrator</acs_username>
		<acs_password>administrator</acs_password>
	</management>
	<!--FXC dongmei add end for acs 2014/9/11 -->
</RGW>

www\defaults\admin.xml
<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
	<management>
		<router_user_list_meta>username%password%authority</router_user_list_meta>
		<router_user_list>administrator%administrator%1</router_user_list>
		<router_username>administrator</router_username>
		<router_password>administrator</router_password>
		<multi_account>0</multi_account>
		<account_management>
			<account_action></account_action>
			<account_username></account_username>
			<account_password></account_password>
		</account_management>
		<web_wlan_enable>1</web_wlan_enable>
		<httpd_port>8080</httpd_port>
		<syslogd_enable>0</syslogd_enable>
		<web_wan_enable>0</web_wan_enable>
		<syslogd_rem_ip></syslogd_rem_ip>
		<turbo_mode>0</turbo_mode>
		<qs_complete>0</qs_complete>
		<session_timeout>86400</session_timeout>
		<!--Modified the session_timeout 30min to 24h, /*24h to 5min by FXN Young 2015.06.09-->
	</management>
	<sysinfo>
		<hardware_version>FXN_B4W013_V2.0</hardware_version>
		<odm>FXN</odm>
		<!--FXC dongmei modify start for hv 20140912-->
		<!--device_name>MIFI</device_name-->
		<device_name>B04W013</device_name>
		<!--FXC dongmei modify end for hv 20140912-->
		<model_name>JMR520</model_name>
		<version_num/>
		<main_chip_name>PXA1802</main_chip_name>
		<version_date1>06/08/2015</version_date1>
		<web_version>NZ_MIFI_WEB_V1.05.5.20_r360</web_version>
		<project_type/>
	</sysinfo>
	<log_management>
		<acatlog_sd>0</acatlog_sd>
		<acatlog_sd_support>0</acatlog_sd_support>
		<sd_support_format>255</sd_support_format>
	</log_management>
</RGW>

www\defaults\custom_fw.xml
<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
	<custom_fw>
		<custom_rules_mode_action>1</custom_rules_mode_action>
		<custom_rules_mode>0</custom_rules_mode>
		<custom_rules_list_meta>rule_name#proto#enabled#src_ip#src_port#dst_ip#dst_port</custom_rules_list_meta>
		<custom_rules_list></custom_rules_list>
	</custom_fw>
</RGW>

www\defaults\detailed_log.xml


You can see the default username and password is administrator.

You can also see that it includes a secret mode tag in which the value is 1, which denotes true.


And this firmware is for the JioFi JMR520, manufactured by Foxconn.
I assumed so because the JMR540 is also manufactured by Foxconn.

I was also able to boot my device into fastboot, but adb is not working.

---------- Post added at 01:00 PM ---------- Previous post was at 12:19 PM ----------


SSO login seems to be a different concept. I don't think it'll work. Sorry for wrong info.
 
Last edited:
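As an added example (not code from this thread or from the device vendor), this Python script parses the acs.xml and admin.xml defaults quoted above and reports what a reviewer would flag in them: the administrator/administrator web login, TR-069 Inform enabled with an empty acs_username, a connection-request password equal to its username, the 24-hour session timeout and disabled syslog. The XML is the fragment from the post trimmed to the tags read; FACTORY_PASSWORDS and the 30-minute session limit are assumptions.

```python
import xml.etree.ElementTree as ET

# acs.xml / admin.xml fragments quoted in the post above, trimmed to the tags the audit reads.
ACS_XML = """<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
  <tr069>
    <acs_url>https://macs.oss.jio.com:8443/ftacs-digest/ACS</acs_url>
    <acs_username></acs_username>
    <acs_password>***************</acs_password>
    <conn_name>ftacs</conn_name>
    <conn_psw>ftacs</conn_psw>
    <inform_enable>1</inform_enable>
    <inform_interval>86400</inform_interval>
    <acs_secretmode>1</acs_secretmode>
  </tr069>
  <management>
    <acs_username>administrator</acs_username>
    <acs_password>administrator</acs_password>
  </management>
</RGW>
"""

ADMIN_XML = """<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
  <management>
    <router_user_list_meta>username%password%authority</router_user_list_meta>
    <router_user_list>administrator%administrator%1</router_user_list>
    <router_username>administrator</router_username>
    <router_password>administrator</router_password>
    <web_wlan_enable>1</web_wlan_enable>
    <httpd_port>8080</httpd_port>
    <syslogd_enable>0</syslogd_enable>
    <web_wan_enable>0</web_wan_enable>
    <session_timeout>86400</session_timeout>
  </management>
</RGW>
"""

# Assumed watch-list of factory passwords; "administrator" is the one the dump shows.
FACTORY_PASSWORDS = {"administrator", "admin", "password", "1234", ""}
# The vendor comment says the timeout was 30 min before being raised to 24 h.
MAX_SESSION_SECONDS = 30 * 60


def _text(root, path):
    """Text of the first element at path, '' if absent or empty.
    Compare with None: an ElementTree element without children is falsy."""
    el = root.find(path)
    return (el.text or "").strip() if el is not None else ""


def parse_user_record(xml_text):
    """Decode router_user_list with the field names from router_user_list_meta.
    Only one record is visible in the dump, so a single record is decoded."""
    root = ET.fromstring(xml_text.encode("ascii"))
    fields = _text(root, "management/router_user_list_meta").split("%")
    values = _text(root, "management/router_user_list").split("%")
    return dict(zip(fields, values))


def audit_acs(xml_text):
    """Findings for the TR-069 section of acs.xml."""
    root = ET.fromstring(xml_text.encode("ascii"))
    findings = []
    if _text(root, "tr069/inform_enable") == "1":
        if not _text(root, "tr069/acs_url").startswith("https://"):
            findings.append("TR-069 Inform goes to a plaintext http:// ACS URL")
        if _text(root, "tr069/acs_username") == "":
            findings.append("TR-069 Inform enabled with an empty acs_username")
    conn_user = _text(root, "tr069/conn_name")
    if conn_user and conn_user == _text(root, "tr069/conn_psw"):
        findings.append(f"connection-request password equals the username ({conn_user!r})")
    if _text(root, "management/acs_password").lower() in FACTORY_PASSWORDS:
        findings.append("management/acs_password is a factory default")
    return findings


def audit_admin(xml_text):
    """Findings for the web-admin section of admin.xml."""
    root = ET.fromstring(xml_text.encode("ascii"))
    findings = []
    user = _text(root, "management/router_username")
    pw = _text(root, "management/router_password")
    if pw.lower() in FACTORY_PASSWORDS or pw == user:
        findings.append(f"web UI login uses factory credential {user}:{pw}")
    rec = parse_user_record(xml_text)
    if rec.get("authority") == "1" and rec.get("password", "").lower() in FACTORY_PASSWORDS:
        findings.append(f"privileged account {rec.get('username')!r} has a factory password")
    if _text(root, "management/web_wan_enable") == "1":
        findings.append("web UI is reachable from the WAN side")
    timeout = int(_text(root, "management/session_timeout") or 0)
    if timeout > MAX_SESSION_SECONDS:
        findings.append(f"session_timeout {timeout}s exceeds {MAX_SESSION_SECONDS}s")
    if _text(root, "management/syslogd_enable") != "1":
        findings.append("syslogd disabled: no log trail of configuration changes")
    return findings
```

Run `audit_acs(ACS_XML)` and `audit_admin(ADMIN_XML)` against the fragments; pointing the two functions at the full files from a binwalk extraction needs no change other than reading them from disk.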

BhejaDry

New member
Sep 13, 2018
1
0
Hi everyone,
I am not a hacker but just happened to luckily find something useful which could be far simpler to crack with more knowledge than I possess. Here's what I have done. Refer to me as the MadMan.
1) Connect to the JioFi dongle using WiFi
2) Open jiofi.local.html/index.html in a browser
3) Login with username/password
4) You are not allowed to right click on any of the pages, but
5) If you are using the Chrome browser, open the Developer toolbar given in the browser
6) Inspect the HTML page in the developer toolbar.
7) You will see many fields which have display: none on them, which you have to either remove or turn into display: block. You need very simple debugging skills to do that.
Since most of you are coders, I am sure this will be helpful. Look for Wifi Settings, Internet Protocol etc.
All the best.

I do not have any further knowledge than this. But the end result for my JioFi dongle is that it no longer detects the Jio SIM card even after a reset.

Please do this at your own risk and help yourselves. Let me know if that works.
 

shammymz601

Member
Oct 12, 2011
7
1
Has anyone found the stock firmware for the JioFi M2 device?

Hey guys,
I looked into the JioFi 520 bin file provided via binwalk.
There is this ACS provided by Friendly Tech hosted on Jio.

Did anyone notice the pasw.htaccess file in the bin file?
It seems the username and authtoken are embedded there.

Also, if someone has a Linux machine, try the easycwmp client with the JioFi as the hotspot and try to create the ACS (https://macs.oss.jio.com:8443/ftacs-digest/ACS) SOAP request.

Can any of you at least post the Pegasus bin file link here??

---------- Post added at 08:35 PM ---------- Previous post was at 08:28 PM ----------

There should be another file above this called pasw.htaccess; there is some kind of username and password/authtoken being used.
If we could somehow create and send a request to the TR-069 server, it should respond to us with the link to the firmware file, hopefully :)

Can you do one thing:
with the JioFi as the hotspot, can you try to log in to the ACS URL provided? At least it should throw some error or redirect to some page (as it's a Jio internal server).

Also find out if there is a switch to make the firmware upgrade manual, i.e. once we click "update now" it should then go and hit the server.
In this case we can put a breakpoint in the Jio web UI JavaScript and try to trace back the original/upgrade firmware path.

 

shammymz601

Member
Oct 12, 2011
7
1
Is this firmware file the stock one??

I see the following at the end of the bin file, so is this a working stock firmware or something else? It is asking for some password to download the file, which should be the legit one.

It seems the firmware file is an encrypted one?? Ideally it should not be, as the other JMR520 bin file is not encrypted.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
        FileDownload
</title><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /><meta http-equiv="X-UA-Compatible" content="IE=7" /><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" /><meta http-equiv="X-UA-Compatible" content="IE=8" /><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9" /><meta http-equiv="X-UA-Compatible" content="IE=9" /><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE10" /><meta http-equiv="X-UA-Compatible" content="IE=10" /><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE11" /><meta http-equiv="X-UA-Compatible" content="IE=11" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><link type="text/css" rel="Stylesheet" href="../style.css" /><link href="scripts/photogallery.css" rel="stylesheet" type="text/css" /></head>
<body>
    <form name="form1" method="post" action="filedownload.aspx?FileId=174193" id="form1">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJODAxMzY1NzQ2D2QWAgIDD2QWBAIDDw8WAh4HVmlzaWJsZWhkZAIFDw8WAh8AaGRkZB5WHB3EuVXhJFlenLG0hPzh6AwQ" />
</div>

<div>

        <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="72BA71D8" />
        <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLNpcbwBAK5wrnPBQLU1smIAuJPy/IavxNF0z+gK4zygpzLHVl7" />
</div>
    <div style="width: 484px; height: 389px; top: 1px; left: 4px; position: absolute;" class="font1">
    <table>
        <tr>
            <td><span id="Label1">Enter Password to Download File:</span></td>
            <td>
                </td>
        </tr>
        <tr>
            <td colspan="2" align="center">

            </td>
        </tr>
        <tr>
            <td colspan="2">
                <span id="lblmsg"></span>
            </td>
        </tr>
        <tr>
            <td colspan="2">
                <input type="hidden" name="hdnFilename" id="hdnFilename" value="PEG_M2S_B04.bin" />
                <input type="hidden" name="hdnPassword" id="hdnPassword" />
            </td>
        </tr>
    </table>
    </div>
    </form>



Hello friends,
I have recently bought a new JioFi 2 M2S device and was trying to unlock it somehow.
After lots of trying I am able to figure out a few things that I think can be helpful for unlocking by senior and experienced developers.

1. After logging in to the Web Admin, if we go to the page 192.168.1.1/engineer.html it asks for some engineer key which might open up some hidden settings of the router.
2. I have tried to figure out the JavaScript and it is some kind of MD5 algorithm.
3. On googling I found a post which says:
a. Device made by Pegasus Telecom (Raysan technology), which is a subdivision of Haier
b. Same device as Smartfren Andromax M2Y (Indonesian).
c. Also same as Beeline Uzbekistan mobile router
d. Runs an embedded Linux web server: Boa version 0.94.14rc21
4. There is a directory of XML files, if it helps, at 192.168.1.1/wxml/
5. The device supports fastboot mode by pressing the WPS button and power button for 3 secs

Please, experienced developers and geeks, see if you can do something to unlock. Best of luck :good:
If you find anything please reply back or PM me

PEG_M2_B04 FIRMWARE LINK

Click here
All Credits To @sydikm
Decompress the file and use the bin file to upgrade from the web ui
Please note that this firmware is not unlocked. I am trying and it may be available in next few days.
Also try not to downgrade the firmware. Check your version before updating.
AND I AM NOT RESPONSIBLE FOR ANY BRICKED DEVICE
 
Last edited:

swapnil823

New member
Dec 8, 2013
1
0
sudo fastboot oem device-info gives the following info:

Code:
sudo fastboot oem device-info
...
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
OKAY [ 0.005s]
finished. total time: 0.005s
 

Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:

5. Create a thread topic or post a message only once, this includes external links & streaming media.
As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
• You can bump your unanswered question once every 24 hours
• Duplicate threads and posts will be removed
• Always post in an existing thread if a topic already exists, before creating a new thread.
• Use our search function to find the best forum for your device.
• Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
• Self-promotion is forbidden, this includes blogs, social media and video channels etc. Random links will be removed.

While we always appreciate development discussion, we would be most grateful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
After all, that's why we are all here in the first place. (y) ;)

Best regards to all: Badger50
Bro, the firmware provided by @upi-turin has adb access, as he himself extracted the firmware using adb. But I am unable to flash the zip through fastboot mode. If we can somehow make a bin file and upgrade through the web UI, maybe we get adb access.
I don't use special software for those links. They are just hit-and-trial results, and some came through the Burp Suite spider.
Also the engineer key page uses anti-CSRF tokens, so it becomes more difficult to attack. The password length is not necessarily 12, as it is first encoded using MD5 and a substring is chosen. This substring is then further encoded using the character set of 15 and posted in the HTML request along with the anti-CSRF token.
Do you know how to decompile or open a firmware bin file?

If you carefully read the JS code, the ultimate length of the encrypted password is 12 and it comes only from the characters in the 15-length character set. It's still a probability game; who knows if the JioFi manufacturers have made the JS look like that to waste the reverse engineer's time.

For the system folder part from the gdrive, it is still debatable. It's not sure enough for me that that guy has accessed the device through ADB and is providing the original files, rather than just some other files from unlocked firmwares of previous JioFi models.

The firmware bin file is mostly just a zip file, or, if security aware, a magic-hashed zip file. If you're using Linux, try binwalk; it will tell you exactly the file type, even if it's magic hashed.
I've managed to reverse engineer and unlock the JioFi3 JMR 540. Enabled diagnostic mode and adb. Custom firmwares are possible on these devices. Once modified, the firmware can be flashed via fastboot mode, which is easily accessible without any modification.
Check my Twitter thread here