JioFi 2 M2S 4G router unlock R&D

Search This thread


Senior Member
May 12, 2015
I Found this EDL thing



that mean we need to short the pin to get edl mode ( Not Sure )


Senior Member
Jul 1, 2021

sv ramana

New member
Dec 20, 2022
Jiofi jmr 540 blinking


  • 16715581715063252054075912209124.jpg
    3.4 MB · Views: 5
  • video_20221220_231403.mp4
    9.4 MB · Views: 0


Senior Member
Jul 1, 2021
INSIDE BeelineUz 4G Mi-Fi Router ZTE MF672S
Similar to jio fi M2

Found 5 pins TX Rx Gnd , usb boot. And 1vb ?


  • Screenshot_20221226-123859.png
    2.1 MB · Views: 23

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    Hello friends,
    I have recently bought a new JioFi 2 M2S device and was trying to unlock it somehow.
    After lots of trying I am able to figure out few things that I think can be helpful for unlocking by senior and experienced developers.

    1. After logging in the Web Admin if we go to a page it asks for some engineer key which might open up some hidden settings of the router.
    2. I have tried to figure out the javascript and it is some kind of md5 algorithm
    3. On googling I found a post which says
    a. Device made by Pegasus Telecom (Raysan technology) which is subdivision of Haier
    b. Same device as Smartfren Andromax M2Y (Indonesian).
    c. Also same as Beeline Uzbekistan Mobile router
    d. Runs an embedded linux webserver: Boa version 0.94.14rc21
    4. There is a directory of xml files if it helps at
    5. The device supports fastboot mode by pressing WPS button and power button fo 3 secs

    Please experienced developers and geeks see if you can do something to unlock.Best of luck :good:
    If you find anything please reply back or PM me


    Click here
    All Credits To @sydikm
    Decompress the file and use the bin file to upgrade from the web ui
    Please note that this firmware is not unlocked. I am trying and it may be available in next few days.
    Also try not to downgrade the firmware. Check your version before updating.
    Greetings to all. Just dropped in for a little "Discord" cleaning as per XDA Rule #5:

    5. Create a thread topic or post a message only once, this includes external links & streaming media.
    As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
    • You can bump your unanswered question once every 24 hours
    • Duplicate threads and posts will be removed
    • Always post in an existing thread if a topic already exists, before creating a new thread.
    • Use our search function to find the best forum for your device.
    • Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
    • Self-promotion is forbidden, this includes blogs, social media and video channels etc. Random links will be removed.

    While we always appreciate development discussion, we would be most gratedful if you would please keep discussions relegated to XDA without re-direction to other social media sites.
    After all, that's why we are all here in the first place. (y) ;)

    Best regards to all: Badger50
    Bro the firmware provided by @upi-turin has adb access as he himself extracted the firmware using adb. But I am unable to flash the zip through the fastboot mode. If we can somehow make a bin file and upgrade through the web UI maybe we get adb access.
    I don't use special software for those links. They are just hit and trial results and some through burpsuite spider.
    Also the engineer key page uses anti-csrf tokens so it becomes more difficult to attack. The password length is not necessarily 12 as it is first encoded using md5 and a substring is chosen. This substring is then further encoded using the character set of 15 and posted in HTML request along with anti-csrf token.
    Do you know how to decompile or open a firmware bin file?

    If you carefully read the JS code, the ultimate length of encrypted password is 12 and it comes only from the characters in 15 length character set. It's still a probability game, who knows if JioFi manufacturers have made the JS look like that, to waste the reverse engineer's time.

    For the system folder part from the gdrive, it is still debatable. It's not sure enough for me, that guy has accessed the device through ADB and providing the original files, or just some other files from unlocked firmwares of previous JioFi.

    The firmware bin file is mostly just a zip file, if security aware, a magic hashed zip file. If you're using Linux, try binwalker it will tell you exactly the file type, even if it's magic hashed.
    I've managed it to reverse engineer and unlock JioFi3 JMR 540. Enabled diagnostic mode and adb. Custom firmwares are possible in this devices. Once modified firmware can be flashed via fastboot mode which is easily accessible without any modification.
    Check my Twitter thread here
    I went to Jio Centre and thanks to the warranty they replaced the whole motherboard of the device free of cost. It now uses firmware version PEG_M2_B20
    UPDATE : @sydikm shared a firmware file with me which is exactly meant for our JIOFI 2. I will share its in OP. Its version is PEG_M2_B04 All credits to @sydikm