JioFi 2 M2S 4G router unlock R&D

Search This thread

subhash_india

Senior Member
Jul 1, 2021
53
8
Yup bro @.a.y.u.s.h provided us these files. Hoping senior developer will see that firmware files and modify it for making jiofi work in other sim cards
My M2 device not detected in fastboot when I use Qualcomm drivers , but with adb composite bridge as driver, it's get detected in fastboot mode , even when Qualcomm drivers get installed successfully and M2 device port 9008/902d showing in device manager when in fastboot mode. But it's not detected in fastboot devices list ,? Putty also not responding in serial mode ?
 

subhash_india

Senior Member
Jul 1, 2021
53
8
Password of engineer page is , adb_key ( private or pub key ) value, inside the code it goes through below process .

Adb_key is then converted into md5 which is in turn is converted into substring and passed as ori_key to translated key of strings ( "[email protected]@JmTQt9S#I" ) so this is how it's converted internally for security reasons,

If adb_key is password, how to get it ?
Answer is through shell command, but how ?

Enable adb, so let's find adb_key .....

.....inside code

$('#open_adb').die().live('click',function(event){
event.preventDefault();
if(!$("#adb_key").val().length){
alert("please input key");
$("#adb_key").focus();
return;
}

var ori_key=hex_md5($("#adb_key").val());

ori_key=ori_key.substr(5,17);

var key=transalte_key(ori_key);
 
  • Like
Reactions: Aakash soni

YOURKIN

Senior Member
May 12, 2015
59
12
Password of engineer page is , adb_key ( private or pub key ) value, inside the code it goes through below process .

Adb_key is then converted into md5 which is in turn is converted into substring and passed as ori_key to translated key of strings ( "[email protected]@JmTQt9S#I" ) so this is how it's converted internally for security reasons,

If adb_key is password, how to get it ?
Answer is through shell command, but how ?

Enable adb, so let's find adb_key .....

.....inside code

$('#open_adb').die().live('click',function(event){
event.preventDefault();
if(!$("#adb_key").val().length){
alert("please input key");
$("#adb_key").focus();
return;
}

var ori_key=hex_md5($("#adb_key").val());

ori_key=ori_key.substr(5,17);

var key=transalte_key(ori_key);
1660434931542.png

this is the location adb_key backup but my collected file don't have any data
 

subhash_india

Senior Member
Jul 1, 2021
53
8
View attachment 5685273
this is the location adb_key backup but my collected file don't have any data
Adb_key don't have any data means: unauthorised or public/private key not generated , debugging or diagnosticmode is not enabled. It's only possible if you get root shell access or try some hacks to get keys without root but by enabling adb , adbd demon should start somehow that will produce keys. Adbkey will be encrypted one.if we Decrypt adbkey and it's engineer password. Keep trying you will get it , I'm sure
 
  • Like
Reactions: YOURKIN

abhimortal6

Senior Member
Mar 6, 2014
187
238
Gwalior
I was able to decrypt the firmware image and it is indeed for M2S, I'll attach a binwalk for decrypted frimware.
I was able to trim boot.img and system.ubi from firmware image.
Sharing the file structure and few files in webui folder. I don't have the actual device once I'll get hands on I'll try some experiments
Screenshot 2022-09-05 at 10.19.47.png
Screenshot 2022-09-05 at 10.19.11.png

Screenshot 2022-09-05 at 10.05.46.png
 

Badger50

Senior Moderator
Staff member
Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:

5. Create a thread topic or post a message only once, this includes external links & streaming media.
As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
  • You can bump your unanswered question once every 24 hours
  • Duplicate threads and posts will be removed
  • Always post in an existing thread if a topic already exists, before creating a new thread.
  • Use our search function to find the best forum for your device.
  • Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
  • Self-promotion is forbidden, this includes blogs, social media and video channels etc. Random links will be removed.

While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
After all, that's why we are all here in the first place. (y) ;)

Best regards to all: Badger50
 

subhash_india

Senior Member
Jul 1, 2021
53
8
Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:



While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
After all, that's why we are all here in the first place. (y) ;)

Best regards to all: Badger50
I appreciate your effort
 
  • Like
Reactions: Badger50

YOURKIN

Senior Member
May 12, 2015
59
12
Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:



While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
After all, that's why we are all here in the first place. (y) ;)

Best regards to all: Badger50
really sorry for that and also thanks for the information . I will carefully post next time .
 
Last edited:
  • Like
Reactions: Badger50

phoedroid

New member
Jul 24, 2015
1
0
I was able to decrypt the firmware image and it is indeed for M2S, I'll attach a binwalk for decrypted frimware.
I was able to trim boot.img and system.ubi from firmware image.
Sharing the file structure and few files in webui folder. I don't have the actual device once I'll get hands on I'll try some experiments View attachment 5704483View attachment 5704481
View attachment 5704479
I would like to share my device with you. Please ping me. I'm unable to reach out to you directly.
My device is Router M2S
 

Horbell

New member
Sep 18, 2022
4
0
My jiofi m2s not working and making 900e port and i able to open 9008 port
please help
 
Last edited:

Horbell

New member
Sep 18, 2022
4
0
now try to backup file

But how i am new in this field
Please guide me
I have a laptop
Arduino
Esp32
Uart module
 

YOURKIN

Senior Member
May 12, 2015
59
12
How i found back-up file
And how i flash the file
fast thing to do if your devices is avail to access the adb console

just backup the firmware


STEP : 1
---------

connect your SD Card

STEP : 2
---------

logged into the adb panel using user and password

User : root

Password: oelinux1


STEP : 3
---------

Type in Console the command

  • cat /proc/mtd
Then you Console show a list of your system Partition file list


Example :



[email protected]:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd2: 00b40000 00020000 "efs2"
mtd3: 00240000 00020000 "foxnv"
mtd4: 00100000 00020000 "tz"
mtd5: 00080000 00020000 "rpm"
mtd6: 000c0000 00020000 "aboot"
mtd7: 000c0000 00020000 "aboot_bak"
mtd8: 00720000 00020000 "boot"
mtd9: 00420000 00020000 "scrub"
mtd10: 02600000 00020000 "modem"
mtd11: 02600000 00020000 "modem_bak"
mtd12: 00080000 00020000 "sec"
mtd13: 00120000 00020000 "misc"
mtd14: 00720000 00020000 "recovery"
mtd15: 00060000 00020000 "fota"
mtd16: 000a0000 00020000 "fwinfo"
mtd17: 02700000 00020000 "recoveryfs"
mtd18: 00060000 00020000 "cache"
mtd19: 00120000 00020000 "nvram"
mtd20: 00a20000 00020000 "foxusr"
mtd21: 008e0000 00020000 "foxcal"
mtd22: 02980000 00020000 "foximg"
mtd23: 02700000 00020000 "system"




STEP : 4
---------

After that change *** to the showing file list name

cat /dev/mtd*** > /sdcard/***.img


Example :

Type in Console the command
  • cat /dev/mtd23 > /sdcard/system.img

-------
More command
-------

Example :



cat /dev/mtd0 > /sdcard/sbl.img
cat /dev/mtd1 > /sdcard/mibib.img # not done
cat /dev/mtd2 > /sdcard/efs2.img # not done
cat /dev/mtd3 > /sdcard/foxnv.img
cat /dev/mtd4 > /sdcard/tz.img
cat /dev/mtd5 > /sdcard/rpm.img
cat /dev/mtd6 > /sdcard/aboot.img
cat /dev/mtd7 > /sdcard/aboot_bak.img
cat /dev/mtd8 > /sdcard/boot.img
cat /dev/mtd9 > /sdcard/scrub.img
cat /dev/mtd10 > /sdcard/modem.img
cat /dev/mtd11 > /sdcard/modem_bak.img
cat /dev/mtd12 > /sdcard/sec.img
cat /dev/mtd13 > /sdcard/misc.img
cat /dev/mtd14 > /sdcard/recovery.img
cat /dev/mtd15 > /sdcard/fota.img
cat /dev/mtd16 > /sdcard/fwinfo.img
cat /dev/mtd17 > /sdcard/recoveryfs.img
cat /dev/mtd18 > /sdcard/cache.img
cat /dev/mtd19 > /sdcard/nvram.img
cat /dev/mtd20 > /sdcard/foxusr.img
cat /dev/mtd21 > /sdcard/foxcal.img
cat /dev/mtd22 > /sdcard/foximg.img
cat /dev/mtd23 > /sdcard/system.img

STEP : 5
---------

Next work is check the back up is success or not , if your backup success then check your SD Card using your PC or Laptop

STEP : 6
---------

Then copy the file from your SD Card to PC or Laptop


*************
END
*************


Now Upload the File to any Cloud File Share and Post the File Link to https://forum.xda-developers.com/

so we check the file and Modify the file and test the Firmware and upload it to https://forum.xda-developers.com/ so people Flash the file and get update there device .
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:

    5. Create a thread topic or post a message only once, this includes external links & streaming media.
    As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
    • You can bump your unanswered question once every 24 hours
    • Duplicate threads and posts will be removed
    • Always post in an existing thread if a topic already exists, before creating a new thread.
    • Use our search function to find the best forum for your device.
    • Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
    • Self-promotion is forbidden, this includes blogs, social media and video channels etc. Random links will be removed.

    While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
    After all, that's why we are all here in the first place. (y) ;)

    Best regards to all: Badger50
    1
    Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:



    While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
    After all, that's why we are all here in the first place. (y) ;)

    Best regards to all: Badger50
    I appreciate your effort
    1
    Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:



    While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
    After all, that's why we are all here in the first place. (y) ;)

    Best regards to all: Badger50
    really sorry for that and also thanks for the information . I will carefully post next time .
  • 3
    Hello friends,
    I have recently bought a new JioFi 2 M2S device and was trying to unlock it somehow.
    After lots of trying I am able to figure out few things that I think can be helpful for unlocking by senior and experienced developers.

    1. After logging in the Web Admin if we go to a page 192.168.1.1/engineer.html it asks for some engineer key which might open up some hidden settings of the router.
    2. I have tried to figure out the javascript and it is some kind of md5 algorithm
    3. On googling I found a post which says
    a. Device made by Pegasus Telecom (Raysan technology) which is subdivision of Haier
    b. Same device as Smartfren Andromax M2Y (Indonesian).
    c. Also same as Beeline Uzbekistan Mobile router
    d. Runs an embedded linux webserver: Boa version 0.94.14rc21
    4. There is a directory of xml files if it helps at 192.168.1.1/wxml/
    5. The device supports fastboot mode by pressing WPS button and power button fo 3 secs

    Please experienced developers and geeks see if you can do something to unlock.Best of luck :good:
    If you find anything please reply back or PM me

    PEG_M2_B04 FIRMWARE LINK

    Click here
    All Credits To @sydikm
    Decompress the file and use the bin file to upgrade from the web ui
    Please note that this firmware is not unlocked. I am trying and it may be available in next few days.
    Also try not to downgrade the firmware. Check your version before updating.
    AND I AM NOT RESPONSIBLE FOR ANY BRICKED DEVICE
    3
    Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:

    5. Create a thread topic or post a message only once, this includes external links & streaming media.
    As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
    • You can bump your unanswered question once every 24 hours
    • Duplicate threads and posts will be removed
    • Always post in an existing thread if a topic already exists, before creating a new thread.
    • Use our search function to find the best forum for your device.
    • Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
    • Self-promotion is forbidden, this includes blogs, social media and video channels etc. Random links will be removed.

    While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
    After all, that's why we are all here in the first place. (y) ;)

    Best regards to all: Badger50
    2
    Bro the firmware provided by @upi-turin has adb access as he himself extracted the firmware using adb. But I am unable to flash the zip through the fastboot mode. If we can somehow make a bin file and upgrade through the web UI maybe we get adb access.
    I don't use special software for those links. They are just hit and trial results and some through burpsuite spider.
    Also the engineer key page uses anti-csrf tokens so it becomes more difficult to attack. The password length is not necessarily 12 as it is first encoded using md5 and a substring is chosen. This substring is then further encoded using the character set of 15 and posted in HTML request along with anti-csrf token.
    Do you know how to decompile or open a firmware bin file?

    If you carefully read the JS code, the ultimate length of encrypted password is 12 and it comes only from the characters in 15 length character set. It's still a probability game, who knows if JioFi manufacturers have made the JS look like that, to waste the reverse engineer's time.

    For the system folder part from the gdrive, it is still debatable. It's not sure enough for me, that guy has accessed the device through ADB and providing the original files, or just some other files from unlocked firmwares of previous JioFi.

    The firmware bin file is mostly just a zip file, if security aware, a magic hashed zip file. If you're using Linux, try binwalker it will tell you exactly the file type, even if it's magic hashed.
    2
    I've managed it to reverse engineer and unlock JioFi3 JMR 540. Enabled diagnostic mode and adb. Custom firmwares are possible in this devices. Once modified firmware can be flashed via fastboot mode which is easily accessible without any modification.
    Check my Twitter thread here
    2
    I went to Jio Centre and thanks to the warranty they replaced the whole motherboard of the device free of cost. It now uses firmware version PEG_M2_B20
    UPDATE : @sydikm shared a firmware file with me which is exactly meant for our JIOFI 2. I will share its in OP. Its version is PEG_M2_B04 All credits to @sydikm