Unlocking Jiofi M2 Pegasus Router (WIP) JioFi 2

upi-turin

New member
Nov 16, 2017
Bro if you've got the firmware to unlock the device then please give its dropbox or gdrive link.

---------- Post added at 06:55 PM ---------- Previous post was at 06:52 PM ----------



so please do send me the link of it.
I'm not sure of the exact procedure by which it actually enabled adb mode by itself. I can access a shell via adb and am able to push and pull files. Here are the files in the firmware directory, if they are of any use to you - https :// dropfile.to/ 0U0VHHv Currently my device is not able to connect to the network for some reason; I'm hoping to get a firmware file to update it and so fix the issue. Let me know if someone needs any other files from the JioFi2.

---------- Post added at 07:26 AM ---------- Previous post was at 07:19 AM ----------

It seems like JioFi2 devices are getting firmware updates via the TR-069 protocol from Jio LTE OSS servers.
Here is the configuration used for it:

Device.ManagementServer.
URL = https: // macs.oss.jio.com:8443 /ftacs-digest/ACS
Username = 00
Password = zoI6jE0Ia5CC6h3n2mKTyg==
PeriodicInformEnable = 1
PeriodicInformInterval = 86400
PeriodicInformTime = 0001-01-01T00:00:00Z
ConnectionRequestUsername =
ConnectionRequestPassword =
UpgradesManaged = 0
CWMPRetryMinimumWaitInterval = 5
CWMPRetryIntervalMultiplier = 2000

The JioFi2 device tries to connect to this server after bootup is complete. This server is reachable only from the Jio network, but I couldn't figure out the password to connect to it and try to pull firmware files from another TR-069 client.
 

loonix

Senior Member
Jun 27, 2005
Maybe that's the key: no SIM present = shell access? I may have to try, but adb was not available last time I checked. Or it may be that you are on an older firmware which allows shell access, and you also seem to have root access!! (# sign for the shell but no network connectivity), and hence the reason it is trying to update.
Can you please post your firmware and hardware versions from the admin webpage (192.168.1.1)? I think with your device, the device can be reversed/hacked for plenty of additional features if we engage the right folks here with the skills in XDA.

fastboot cannot reboot to recovery.


gshanbhag525

Member
Jun 15, 2017
your uploaded files are expired

Your uploaded files on Dropbox are removed. Please kindly upload them again.
 
Oct 16, 2016
Jammu
jiofi . local . html / to_engineer_login . html

A hidden menu in the JioFi M2 settings
/to_engineer_login.html
Read this post bro. I mentioned it on 8th Nov. :eek:

---------- Post added at 07:55 PM ---------- Previous post was at 07:40 PM ----------

Are you sure you have JioFi2, as I have found this in the JioFi 3 JMR520 firmware file:
Code:
<tr069>
		<acs_url>https://macs.oss.jio.com:8443/ftacs-digest/ACS</acs_url>
		<acs_username></acs_username>
		<acs_password>***************</acs_password>
		<conn_name>ftacs</conn_name>
		<conn_psw>ftacs</conn_psw>
		<inform_enable>1</inform_enable>
		<inform_interval>86400</inform_interval>
		<acs_secretmode>1</acs_secretmode>
		<!--rollback from 60s to 24h by FXN Hugh 2015.09.18 -->
	</tr069>


---------- Post added at 08:14 PM ---------- Previous post was at 07:55 PM ----------

Can a JioFi 3 user confirm whether this file is present on their device? Please log in to your web UI before browsing to this file:
jiofi.local.html/xmldata/acs.xml @upi-turin @loonix @Archaider
Code:
// www\js\panel\user_management\acs_management.js
(function ($) {
    $.fn.objAcsManage = function (InIt) {
	var xmlName = '';
	var controlMapExisting=new Array(0);
	var controlMapCurrent=new Array(0);
	var g_bInformEnabled;
	var _url;
	var _userName;
	var _password;
	var _connName;
	var _connPsw ;
	var _informInterval;
	var _informEnable;
	var _secretMode;
	var oldMap=new Array(0);
	var newMap=new Array(0);
	
	this.onLoad = function () {
		var index = 0;
		this.loadHTML();
		document.getElementById("title").innerHTML = jQuery.i18n.prop(InIt);
		var arrayLabels = document.getElementsByTagName("label");
		lableLocaliztion(arrayLabels);
		/*Modified for reduce the admin.xml reads */
		_userName = $(getData("locale")).find("serial_number").text(); 
       $(getData("acs")).find("tr069").each(function() {
			_url = $(this).find("acs_url").text();
			_password = $(this).find("acs_password").text();
			_connName = $(this).find("conn_name").text();
			_connPsw = $(this).find("conn_psw").text();
			_informInterval = $(this).find("inform_interval").text();
			_informEnable = $(this).find("inform_enable").text();
			_secretMode = $(this).find("acs_secretmode").text();
			});
		/*Modified end for reduce the admin.xml reads */
		document.getElementById("tr069AcsUrl").value = _url; 
		document.getElementById("tr069AcsUsername").value = _userName;
		document.getElementById("tr069AcsPassword").value = _password;
		document.getElementById("tr069SecretMode").value = _secretMode;
				
		/*Added for lInformEnabled & lInformDisabled by Young 2015.03.16*/
		document.getElementById("lInformEnabled").innerHTML = jQuery.i18n.prop("lInformEnabled");
		document.getElementById("lInformDisabled").innerHTML = jQuery.i18n.prop("lInformDisabled");
		
		document.getElementById("tr069ConnName").value = _connName;
		document.getElementById("tr069ConnPassword").value = _connPsw;
		document.getElementById("tr069InformInterval").value = _informInterval;
		document.getElementById("lTr069InformEnable").value = _informEnable;
		document.getElementById("Acs_Management_div").style.display = "block";
		document.getElementById("tbacsreenter_password").value = _password;
		var buttonID = document.getElementById("btUpdate").id;/*Added by Young 2015.03.14*/
        buttonLocaliztion(buttonID); 

		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_url", _url);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_username", _userName);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_password", _password);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/conn_name", _connName);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/conn_psw", _connPsw);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/inform_interval", _informInterval);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/inform_enable", _informEnable);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_secretmode", _secretMode);
		controlMapCurrent = g_objXML.copyArray(controlMapExisting,controlMapCurrent);
		oldMap = g_objXML.copyArray(controlMapExisting,oldMap);	
	}
		this.getPostData = function(){
		var index = 0;
		var mapData = new Array(0);
		controlMapCurrent[index++][1] = document.getElementById("tr069AcsUrl").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069AcsUsername").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069AcsPassword").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069ConnName").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069ConnPassword").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069InformInterval").value;
		controlMapCurrent[index++][1] = document.getElementById("lTr069InformEnable").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069SecretMode").value;

		if(controlMapCurrent[2][1] != controlMapExisting[2][1]){
                       document.getElementById("tr069SecretMode").value = 0;
		}
		mapData = g_objXML.copyArray(controlMapCurrent,mapData);
		newMap = mapData;
		return newMap;
		}
/*Foxconn dongmei add start for reboot after modify acs settings 20151103*/
		this.acsSave =function(){
		if(oldMap.sort().toString() != newMap.sort().toString()){
		 if(confirm("Are you sure you want to Reboot the Router?")){
		 	setData();
                        hm();
			callProductXML("reset");
			hm();
			sm('rebootRouterModalBox',319,170);
                        document.getElementById("h1RebootRouter").innerHTML = jQuery.i18n.prop("h1RebootRouter");
                        document.getElementById("lRebootedRouter").innerHTML = jQuery.i18n.prop("lRebootedRouter");
                        afterRebootID =  setInterval("afterReboot()", 45000);
		}
		}else{}
		}
		

                 this.afterReboot = function () {
                        hm();
                        clearInterval(afterRebootID);
                        clearAuthheader();
                 }
/*Foxconn dongmei add end for reboot after modify acs settings 20151103*/

			

		 this.onPost = function(){
/*Modified isinvalid for acs by FXN Young 2015.05.29*/
		 	if(this.isValid()) {
				var _controlMap ;
				_controlMap = this.getPostData();
		        if(_controlMap.length>0) {
		            postXML(xmlName, g_objXML.getXMLDocToString(g_objXML.createXML(_controlMap)));
		            }

			}
/*Modified end isinvalid for acs by FXN Young 2015.05.29*/
	 	}
	    this. isValid = function(){
/*Add invalid pwd for acs by FXN Young 2015.05.29*/
			if (!Password_Validation($("#tr069AcsUsername").val())||!Password_Validation($("#tr069AcsPassword").val())||!Password_Validation($("#tr069ConnName").val())||!Password_Validation($("#tr069ConnPassword").val())) 
				{
		            document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('ErrInvalidUserPwd_ACS');
		            return false;
		        }
			else if (isChineseChar($("#tr069AcsUsername").val())||isChineseChar($("#tr069AcsPassword").val())||isChineseChar($("#tr069ConnName").val())||isChineseChar($("#tr069ConnPassword").val())) 
				{
		            document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lChineseCharError_ACS');
		            return false;
		        }
			else if(isChineseChar($("#tr069AcsUrl").val()))
				{            
					document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lChineseCharError_ACS_URL_zh');
		            return false;
				}
			else if(!deviceNameValidation_ACS_URL($("#tr069AcsUrl").val()))
				{            
					document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lChineseCharError_ACS_URL_en');
		            return false;
				}
			else if(!isNumber($("#tr069InformInterval").val()))
				{
					document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lNumberCharError_ACS');
		            return false;

				}
			else
/*Add end invalid pwd for acs by FXN Young 2015.05.29*/

	 	/*if(isNumber(document.getElementById('tr069AcsUrl').value) 
			&& isNumber(document.getElementById('tr069AcsUsername').value)
			&& isNumber(document.getElementById('tr069AcsPassword').value))
			return true;
		else {
			alert("it should be number!");*/
			return true;
		}
		this.onPostSuccess = function() {
	        this.onLoad();
	    }
	 
	    this.setXMLName = function (_xmlname) {
			xmlName = _xmlname;
	    }

	    this.loadHTML = function() {
			document.getElementById('Content').innerHTML = "";
			document.getElementById('Content').innerHTML = callProductHTML("html/user_management/acs_management.html");
	    }
	        return this.each(function () {

	        });
	}
})(jQuery);

function InformStatusChanged() {
    var linkObj = document.getElementById("lTr069InformEnable");
    var value = linkObj.options[linkObj.selectedIndex].value;
}
/*Foxconn dongmei add start for reboot after modify acs settings 20151103*/
function setDataReboot() {	
        g_objContent.getPostData();
	if(document.getElementById('tr069AcsPassword').value!=document.getElementById('tbacsreenter_password').value) {
	    document.getElementById('lPassErrorMes').style.display = 'block';
	    document.getElementById('lPassErrorMes').innerHTML=jQuery.i18n.prop('lPassErrorMes');
	    document.getElementById("tbacsreenter_password").value = '';
	} else {
	    document.getElementById('lPassErrorMes').style.display = 'none';
	    g_objContent.acsSave();
	}		
}
/*Foxconn dongmei add end for reboot after modify acs settings 20151103*/
function pswChanged() {
    document.getElementById("tbacsreenter_password").value = '';
    document.getElementById('lReAcsPassword').style.display = 'block';
    document.getElementById('tbacsreenter_password').style.display = 'block';

}
See this line
/*Modified for reduce the admin.xml reads */
_userName = $(getData("locale")).find("serial_number").text();

I think Engineering mode contains the following settings
Code:
 <Engi>
          <LTE>
			<mcc/>
			<lenOfMnc/>
			<mnc/>
			<tac/>
			<phyCellId/>
			<dlEuArfcn/>	
			<ulEuArfcn/>			
			<band/>
			<dlBandwidth/>
			<cellId/>
			<rsrp/>
			<rsrq/>
			<sinr/>
			<mainRsrp/>			
			<diversityRsrp/>
			<mainRsrq/>
			<diversityRsrq/>
			<rssi/>
			<cqi/>
			<eutran_cellid/>
			<ECGI/>
	  </LTE>
	</Engi>
You see we can change the band through Engineer Mode
 
Last edited:
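Added example, not part of any post in this thread and not code from the device firmware: a small audit of the `<tr069>` settings block quoted above, flagging the points the posts touch on (empty stored username, password held in the XML the web UI reads, connection-request password equal to its username). The `RGW` wrapper is an assumption taken from the `RGW/tr069/...` paths in the script; the host, password and check names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the layout of the <tr069> block quoted in the post.
# Host and password are placeholders, not values from a real device.
SAMPLE_ACS_XML = """<RGW><tr069>
  <acs_url>https://acs.example.invalid:8443/ACS</acs_url>
  <acs_username></acs_username>
  <acs_password>EXAMPLE-NOT-REAL</acs_password>
  <conn_name>ftacs</conn_name>
  <conn_psw>ftacs</conn_psw>
  <inform_enable>1</inform_enable>
  <inform_interval>86400</inform_interval>
  <acs_secretmode>1</acs_secretmode>
</tr069></RGW>"""


def audit_tr069(xml_text):
    """Return (check_id, message) findings for the <tr069> settings block."""
    root = ET.fromstring(xml_text.strip())
    node = root if root.tag == "tr069" else root.find(".//tr069")
    if node is None:
        raise ValueError("no <tr069> element found")

    def get(tag):
        return (node.findtext(tag) or "").strip()

    findings = []
    if urlparse(get("acs_url")).scheme != "https":
        findings.append(("acs-url-not-https", "ACS session is not protected by TLS"))
    if not get("acs_username"):
        findings.append(("acs-username-empty",
                         "no username stored; the web UI script fills the field from serial_number"))
    password = get("acs_password")
    if password and set(password) != {"*"}:  # an all-asterisk value is already masked
        findings.append(("acs-password-in-config",
                         "ACS password is present unmasked in the XML the web UI reads"))
    name, psw = get("conn_name"), get("conn_psw")
    if not name or not psw:
        findings.append(("connreq-creds-empty", "connection-request credentials are blank"))
    elif name == psw:
        findings.append(("connreq-password-equals-username",
                         "connection-request password is identical to its username"))
    return findings


if __name__ == "__main__":
    for check_id, message in audit_tr069(SAMPLE_ACS_XML):
        print(f"{check_id}: {message}")
```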
Oct 16, 2016
Jammu
/etc/init.d # df -h
Filesystem      Size    Used Available Use% Mounted on
ubi0:rootfs    55.8M   29.1M     26.7M  52% /
tmpfs          64.0K    4.0K     60.0K   6% /dev
tmpfs          77.4M   20.0K     77.4M   0% /run
tmpfs          77.4M  488.0K     76.9M   1% /var/volatile
tmpfs          77.4M       0     77.4M   0% /media/ram
ubi0:usrfs     14.3M   88.0K     14.3M   1% /data
/dev/ubi7_0   123.4M   36.0K    118.7M   0% /cache
/dev/ubi1_0    37.1M   29.9M      7.2M  81% /firmware
/dev/ubi3_0   696.0K  108.0K    484.0K  18% /ww_data
/etc/init.d #

/etc # cat version
JIO_PEGASUS_M2_MF6727S_42_100_B37_Build03
Can you please pull the ww_data and data partitions and provide a Google Drive link for them?
 

Ablayr

New member
Mar 25, 2018
Pathankot
How to Unlock JioFi PEG_M2_B37 Device for all SIM Cards?

I have a JioFi M2 device with Firmware Version PEG_M2_B37, Hardware Version PEG_M2_D04, Firmware Creation date 2017-10-25, and Frequency Bands Supported is B3, B5, B40. How do I unlock this device to use any other SIM?
The file named "JioFi_JMR520_R6.20.bin", downloaded from the internet, is giving an error "Version Check Fail" :(
Or
kindly tell me how to extract the current firmware from the device, so that I can send you that firmware.
 