Greetings ,
Please provide a step by step method to unlock the device. Your help is highly appreciated.
Regards
PP
Bro I have linked the firmware file in original post but it is not unlocked yet
Great to see some progress. BTW, did you try flashing the B04 and manage to run the device? If yes, I'll start the reverse engineering journey through the firmware file.
I went to the Jio Centre and, thanks to the warranty, they replaced the whole motherboard of the device free of cost. It now uses firmware version PEG_M2_B20.
UPDATE: @sydikm shared a firmware file with me which is exactly meant for our JioFi 2. I will share it in the OP. Its version is PEG_M2_B04. All credits to @sydikm.
Did you try to boot into QCOM 9008 mode?
Try powering off device, then while plugging in USB from computer, press power button, see if it is detected as 9008. You can do many more operations then...
Yes, I have tried the QCOM 9008 method (for 9008 you need a test point, which I already have). To flash in 9008 you need the firehose XML.
I think if we successfully sign in to https://macs.oss.jio.com:8443/ftacs-digest/ACS we might be able to enter engineer mode.
The real problem is that the login process goes through internet.
I used Google and searched the above URL and I came across a page: idm.jioconnect.com
I think only an account holder from the above link can access the engineer mode. The problem is that the above link's account holders are either Jio store executives, technicians or Jio partners.
That's why in the firmware there is no username and the password is **
By the way, my device is a JioFi JMR540.
Then can't we redirect the request to a local page and send a fake authorisation key to the JioFi? I think it can be done.
I don't know man, I'm not experienced in these.
But I think it works like logging into google account from a PC and installing an app from PC browser google play and then the app is remotely downloaded and installed in phone.
I'm not even sure that what I mentioned in my previous post is correct. Because when I was just looking in the firmware it was like;
Code:
www\defaults\acs.xml
<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
<!--FXC dongmei add start for acs 2014/9/11-->
<tr069>
<acs_url>https://macs.oss.jio.com:8443/ftacs-digest/ACS</acs_url>
<acs_username></acs_username>
<acs_password>***************</acs_password>
<conn_name>ftacs</conn_name>
<conn_psw>ftacs</conn_psw>
<inform_enable>1</inform_enable>
<inform_interval>86400</inform_interval>
<acs_secretmode>1</acs_secretmode>
<!--rollback from 60s to 24h by FXN Hugh 2015.09.18 -->
</tr069>
<management>
<acs_username>administrator</acs_username>
<acs_password>administrator</acs_password>
</management>
<!--FXC dongmei add end for acs 2014/9/11 -->
</RGW>

www\defaults\admin.xml
<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
<management>
<router_user_list_meta>username%password%authority</router_user_list_meta>
<router_user_list>administrator%administrator%1</router_user_list>
<router_username>administrator</router_username>
<router_password>administrator</router_password>
<multi_account>0</multi_account>
<account_management>
<account_action></account_action>
<account_username></account_username>
<account_password></account_password>
</account_management>
<web_wlan_enable>1</web_wlan_enable>
<httpd_port>8080</httpd_port>
<syslogd_enable>0</syslogd_enable>
<web_wan_enable>0</web_wan_enable>
<syslogd_rem_ip></syslogd_rem_ip>
<turbo_mode>0</turbo_mode>
<qs_complete>0</qs_complete>
<session_timeout>86400</session_timeout>
<!--Modified the session_timeout 30min to 24h, /*24h to 5min by FXN Young 2015.06.09-->
</management>
<sysinfo>
<hardware_version>FXN_B4W013_V2.0</hardware_version>
<odm>FXN</odm>
<!--FXC dongmei modify start for hv 20140912-->
<!--device_name>MIFI</device_name-->
<device_name>B04W013</device_name>
<!--FXC dongmei modify end for hv 20140912-->
<model_name>JMR520</model_name>
<version_num/>
<main_chip_name>PXA1802</main_chip_name>
<version_date1>06/08/2015</version_date1>
<web_version>NZ_MIFI_WEB_V1.05.5.20_r360</web_version>
<project_type/>
</sysinfo>
<log_management>
<acatlog_sd>0</acatlog_sd>
<acatlog_sd_support>0</acatlog_sd_support>
<sd_support_format>255</sd_support_format>
</log_management>
</RGW>

www\defaults\custom_fw.xml
<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
<custom_fw>
<custom_rules_mode_action>1</custom_rules_mode_action>
<custom_rules_mode>0</custom_rules_mode>
<custom_rules_list_meta>rule_name#proto#enabled#src_ip#src_port#dst_ip#dst_port</custom_rules_list_meta>
<custom_rules_list></custom_rules_list>
</custom_fw>
</RGW>

www\defaults\detailed_log.xml
You can see that the default username and password are both administrator.
You can also see that it includes a secret mode tag whose value is 1, which denotes true.
And this firmware is for the JioFi JMR520, manufactured by Foxconn.
I assumed this because the JMR540 is also manufactured by Foxconn.
I was also able to boot my device into fastboot, but adb is not working.
---------- Post added at 01:00 PM ---------- Previous post was at 12:19 PM ----------
SSO login seems to be a different concept. I don't think it'll work. Sorry for wrong info.
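The default credentials and ACS settings visible in the dump above are the kind of thing worth checking mechanically rather than by eye. Below is an added example (not code from the firmware or from anyone in this thread) that splits a pasted defaults dump into its files and flags empty, factory-default or username-equal passwords, plus a WAN-side admin interface if one is enabled. The dump layout (file path, XML body, separator bytes) and the password/username tag-naming heuristic are assumptions taken from the paste above, and the sample dump is a constructed, shortened copy of it.

```python
"""Audit a router's concatenated www\\defaults\\*.xml dump for weak credentials.

Added example for this thread; it is not code from the firmware or from any
poster.  Assumed: the dump is laid out the way the extracted firmware was
pasted above (a file path, its XML body, then non-printable separator bytes),
and credential tags contain 'password'/'psw' with a matching 'username'/'name'
sibling.  Both are heuristics, not a documented format.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the dump quoted in the thread, with
# the separator bytes written out as escapes.
SAMPLE_DUMP = (
    "\xfe\xca* www\\defaults\\acs.xml "
    '<?xml version="1.0" encoding="US-ASCII"?> <RGW> <tr069> '
    "<acs_url>https://macs.oss.jio.com:8443/ftacs-digest/ACS</acs_url> "
    "<acs_username></acs_username> <acs_password>***************</acs_password> "
    "<conn_name>ftacs</conn_name> <conn_psw>ftacs</conn_psw> "
    "<inform_interval>86400</inform_interval> <acs_secretmode>1</acs_secretmode> "
    "</tr069> <management> <acs_username>administrator</acs_username> "
    "<acs_password>administrator</acs_password> </management> </RGW> "
    "\xff \xfe\xca www\\defaults\\admin.xml "
    '<?xml version="1.0" encoding="US-ASCII"?> <RGW> <management> '
    "<router_user_list_meta>username%password%authority</router_user_list_meta> "
    "<router_user_list>administrator%administrator%1</router_user_list> "
    "<router_username>administrator</router_username> "
    "<router_password>administrator</router_password> "
    "<account_management> <account_username></account_username> "
    "<account_password></account_password> </account_management> "
    "<web_wan_enable>0</web_wan_enable> <httpd_port>8080</httpd_port> "
    "</management> </RGW> "
    "\xff \xfe\xca" "d www\\defaults\\detailed_log.xml"
)

FILE_RE = re.compile(r"www\\defaults\\([A-Za-z0-9_]+\.xml)")
BODY_RE = re.compile(r"<RGW>.*?</RGW>", re.DOTALL)

# Values that ship as factory defaults on many embedded devices.
WEAK_VALUES = {"admin", "administrator", "password", "root", "1234", "12345"}


def split_dump(dump):
    """Map each file name in the dump to its parsed <RGW> root.

    Only the <RGW> element is parsed, so the XML declaration and the
    separator bytes are ignored; files whose body was not pasted
    (detailed_log.xml above) are skipped.
    """
    files = {}
    marks = list(FILE_RE.finditer(dump))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(dump)
        body = BODY_RE.search(dump[m.end():end])
        if body is not None:
            files[m.group(1)] = ET.fromstring(body.group(0))
    return files


def username_sibling(parent, tag):
    """Return the value of the username tag that pairs with a password tag."""
    for pw, user in (("password", "username"), ("psw", "name")):
        if pw in tag:
            return parent.findtext(tag.replace(pw, user), "")
    return ""


def audit(files):
    """Return (file, path, finding) triples for credential weaknesses."""
    findings = []
    for name, root in files.items():
        for parent in root.iter():
            for child in parent:
                tag, val = child.tag, (child.text or "").strip()
                path = f"{parent.tag}/{tag}"
                if "password" in tag or "psw" in tag:
                    if val == "":
                        findings.append((name, path, "empty password"))
                    elif set(val) == {"*"}:
                        findings.append((name, path, "password masked in dump; cannot assess"))
                    elif val.lower() in WEAK_VALUES:
                        findings.append((name, path, f"default/weak password '{val}'"))
                    user = username_sibling(parent, tag)
                    if user and user == val:
                        findings.append((name, path, f"password equals username '{user}'"))
                elif tag == "router_user_list":
                    # Field order is given by the sibling *_meta tag.
                    meta = parent.findtext("router_user_list_meta", "")
                    fields = dict(zip(meta.split("%"), val.split("%")))
                    if fields.get("username") and fields["username"] == fields.get("password"):
                        findings.append((name, path, f"username equals password for '{fields['username']}'"))
                elif tag == "web_wan_enable" and val == "1":
                    findings.append((name, path, "web admin reachable from WAN side"))
    return findings


if __name__ == "__main__":
    for f, p, msg in audit(split_dump(SAMPLE_DUMP)):
        print(f"{f}: {p}: {msg}")
```

Run against the sample it reports the masked TR-069 password as unassessable, the ftacs connection-request credentials and the two administrator/administrator pairs as username-equals-password, and the empty account password; web_wan_enable is 0 here, so no WAN finding is raised. Paste a real dump in place of SAMPLE_DUMP to audit a different firmware's defaults.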
Hello friends,
I have recently bought a new JioFi 2 M2S device and was trying to unlock it somehow.
After lots of trying I have been able to figure out a few things that I think can be helpful for unlocking by senior and experienced developers.
1. After logging in to the Web Admin, if we go to the page 192.168.1.1/engineer.html it asks for some engineer key which might open up some hidden settings of the router.
2. I have tried to figure out the JavaScript and it is some kind of MD5 algorithm.
3. On googling I found a post which says:
a. Device made by Pegasus Telecom (Raysan technology) which is a subdivision of Haier
b. Same device as Smartfren Andromax M2Y (Indonesian).
c. Also same as Beeline Uzbekistan mobile router
d. Runs an embedded Linux web server: Boa version 0.94.14rc21
4. There is a directory of XML files, if it helps, at 192.168.1.1/wxml/
5. The device supports fastboot mode by pressing the WPS button and power button for 3 secs
Please, experienced developers and geeks, see if you can do something to unlock it. Best of luck :good:
If you find anything please reply back or PM me
PEG_M2_B04 FIRMWARE LINK
Click here
All Credits To @sydikm
Decompress the file and use the bin file to upgrade from the web UI.
Please note that this firmware is not unlocked. I am trying, and it may be available in the next few days.
Also try not to downgrade the firmware. Check your version before updating.
AND I AM NOT RESPONSIBLE FOR ANY BRICKED DEVICE
sudo fastboot oem device-info
...
(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Charger screen enabled: false
(bootloader) Display panel:
OKAY [ 0.005s]
finished. total time: 0.005s
Bro, the firmware provided by @upi-turin has adb access, as he himself extracted the firmware using adb. But I am unable to flash the zip through fastboot mode. If we can somehow make a bin file and upgrade through the web UI, maybe we get adb access.
I don't use special software for those links. They are just trial and error results, and some came from the Burp Suite spider.
Also, the engineer key page uses anti-CSRF tokens, so it becomes more difficult to attack. The password length is not necessarily 12, as it is first encoded using MD5 and a substring is chosen. This substring is then further encoded using a character set of 15 and posted in the HTML request along with the anti-CSRF token.
Do you know how to decompile or open a firmware bin file?