Unlocking Jiofi M2 Pegasus Router (WIP) JioFi 2


upi-turin

New member
Nov 16, 2017
3
3
Bro if you've got the firmware to unlock the device then please give its dropbox or gdrive link.

---------- Post added at 06:55 PM ---------- Previous post was at 06:52 PM ----------



so please do send me the link of it. briju07@gmail.com

I'm not sure the exact procedure how it actually enabled adb mode by itself. I can access shell via adb and able to push pull files. Here are files in firmware directory if any useful to you - https :// dropfile.to/ 0U0VHHv Currently my device is not able to connect to network for some reason hoping to get firmware file to update it so fix the issue. Let me know if someone needs any other files from the JioFi2

---------- Post added at 07:26 AM ---------- Previous post was at 07:19 AM ----------

It seems like JioFi2 devices are getting firmware update via TR069 protocol from jio LTE oss servers.
Here is the configuration used for it:

Device.ManagementServer.
URL = https: // macs.oss.jio.com:8443 /ftacs-digest/ACS
Username = 00
Password = zoI6jE0Ia5CC6h3n2mKTyg==
PeriodicInformEnable = 1
PeriodicInformInterval = 86400
PeriodicInformTime = 0001-01-01T00:00:00Z
ConnectionRequestUsername =
ConnectionRequestPassword =
UpgradesManaged = 0
CWMPRetryMinimumWaitInterval = 5
CWMPRetryIntervalMultiplier = 2000

JioFi2 device tries to connect to this server after bootup is complete. This server is reachable from only jio network but I couldn't figure out password to connect to it and try to pull firmware files from other tr-069 client.
 

loonix

Senior Member
Jun 27, 2005
170
66
Maybe that's the key, no SIM present = shell access? may have to try but adb was not available last time I checked. Or it may be that you are on an older firmware which allows shell access and you also seem to have root access !!(# sign for the shell but no network connectivity) and hence the reason it is trying to update.
Can you please post your firmware and hardware versions from the admin webpage (192.168.1.1). I think with your device, the device can be reversed/hacked for plenty of additional features if we engage the right folks here with the skills in XDA.

fastboot cannot reboot to recovery.

.
 

gshanbhag525

Member
Jun 15, 2017
6
0
your uploaded files are expired


your uploaded files on dropbox are removed. please kindly upload them again
 

VinayanHari

New member
Oct 24, 2013
1
0
Engineering menu

jiofi . local . html / to_engineer_login . html

A hidden menu in the JioFi M2 settings
/to_engineer_login.html
 
Oct 16, 2016
39
17
Jammu
Read this post bro. i mentioned it on 8th Nov. :eek:

---------- Post added at 07:55 PM ---------- Previous post was at 07:40 PM ----------

Are you sure you have JioFi2 as I have found this in the JioFi 3 JMR520 firmware file
Code:
<tr069>
		<acs_url>https://macs.oss.jio.com:8443/ftacs-digest/ACS</acs_url>
		<acs_username></acs_username>
		<acs_password>***************</acs_password>
		<conn_name>ftacs</conn_name>
		<conn_psw>ftacs</conn_psw>
		<inform_enable>1</inform_enable>
		<inform_interval>86400</inform_interval>
		<acs_secretmode>1</acs_secretmode>
		<!--rollback from 60s to 24h by FXN Hugh 2015.09.18 -->
	</tr069>


---------- Post added at 08:14 PM ---------- Previous post was at 07:55 PM ----------

Can a JioFi 3 user confirm if this file is present on their devices. Please login to your web UI before browsing to this file
jiofi.local.html/xmldata/acs.xml @upi-turin @loonix @Archaider
Code:
www\js\panel\user_management\acs_management.js
(function ($) {
    $.fn.objAcsManage = function (InIt) {
	var xmlName = '';
	var controlMapExisting=new Array(0);
	var controlMapCurrent=new Array(0);
	var g_bInformEnabled;
	var _url;
	var _userName;
	var _password;
	var _connName;
	var _connPsw ;
	var _informInterval;
	var _informEnable;
	var _secretMode;
	var oldMap=new Array(0);
	var newMap=new Array(0);
	
	this.onLoad = function () {
		var index = 0;
		this.loadHTML();
		document.getElementById("title").innerHTML = jQuery.i18n.prop(InIt);
		var arrayLabels = document.getElementsByTagName("label");
		lableLocaliztion(arrayLabels);
		/*Modified for reduce the admin.xml reads */
		_userName = $(getData("locale")).find("serial_number").text(); 
       $(getData("acs")).find("tr069").each(function() {
			_url = $(this).find("acs_url").text();
			_password = $(this).find("acs_password").text();
			_connName = $(this).find("conn_name").text();
			_connPsw = $(this).find("conn_psw").text();
			_informInterval = $(this).find("inform_interval").text();
			_informEnable = $(this).find("inform_enable").text();
			_secretMode = $(this).find("acs_secretmode").text();
			});
		/*Modified end for reduce the admin.xml reads */
		document.getElementById("tr069AcsUrl").value = _url; 
		document.getElementById("tr069AcsUsername").value = _userName;
		document.getElementById("tr069AcsPassword").value = _password;
		document.getElementById("tr069SecretMode").value = _secretMode;
				
		/*Added for lInformEnabled & lInformDisabled by Young 2015.03.16*/
		document.getElementById("lInformEnabled").innerHTML = jQuery.i18n.prop("lInformEnabled");
		document.getElementById("lInformDisabled").innerHTML = jQuery.i18n.prop("lInformDisabled");
		
		document.getElementById("tr069ConnName").value = _connName;
		document.getElementById("tr069ConnPassword").value = _connPsw;
		document.getElementById("tr069InformInterval").value = _informInterval;
		document.getElementById("lTr069InformEnable").value = _informEnable;
		document.getElementById("Acs_Management_div").style.display = "block";
		document.getElementById("tbacsreenter_password").value = _password;
		var buttonID = document.getElementById("btUpdate").id;/*Added by Young 2015.03.14*/
        buttonLocaliztion(buttonID); 

		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_url", _url);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_username", _userName);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_password", _password);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/conn_name", _connName);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/conn_psw", _connPsw);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/inform_interval", _informInterval);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/inform_enable", _informEnable);
		controlMapExisting = g_objXML.putMapElement(controlMapExisting,index++, "RGW/tr069/acs_secretmode", _secretMode);
		controlMapCurrent = g_objXML.copyArray(controlMapExisting,controlMapCurrent);
		oldMap = g_objXML.copyArray(controlMapExisting,oldMap);	
	}
		this.getPostData = function(){
		var index = 0;
		var mapData = new Array(0);
		controlMapCurrent[index++][1] = document.getElementById("tr069AcsUrl").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069AcsUsername").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069AcsPassword").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069ConnName").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069ConnPassword").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069InformInterval").value;
		controlMapCurrent[index++][1] = document.getElementById("lTr069InformEnable").value;
		controlMapCurrent[index++][1] = document.getElementById("tr069SecretMode").value;

		if(controlMapCurrent[2][1] != controlMapExisting[2][1]){
                       document.getElementById("tr069SecretMode").value = 0;
		}
		mapData = g_objXML.copyArray(controlMapCurrent,mapData);
		newMap = mapData;
		return newMap;
		}
/*Foxconn dongmei add start for reboot after modify acs settings 20151103*/
		this.acsSave =function(){
		if(oldMap.sort().toString() != newMap.sort().toString()){
		 if(confirm("Are you sure you want to Reboot the Router?")){
		 	setData();
                        hm();
			callProductXML("reset");
			hm();
			sm('rebootRouterModalBox',319,170);
                        document.getElementById("h1RebootRouter").innerHTML = jQuery.i18n.prop("h1RebootRouter");
                        document.getElementById("lRebootedRouter").innerHTML = jQuery.i18n.prop("lRebootedRouter");
                        afterRebootID =  setInterval("afterReboot()", 45000);
		}
		}else{}
		}
		

                 this.afterReboot = function () {
                        hm();
                        clearInterval(afterRebootID);
                        clearAuthheader();
                 }
/*Foxconn dongmei add end for reboot after modify acs settings 20151103*/

			

		 this.onPost = function(){
/*Modified isinvalid for acs by FXN Young 2015.05.29*/
		 	if(this.isValid()) {
				var _controlMap ;
				_controlMap = this.getPostData();
		        if(_controlMap.length>0) {
		            postXML(xmlName, g_objXML.getXMLDocToString(g_objXML.createXML(_controlMap)));
		            }

			}
/*Modified end isinvalid for acs by FXN Young 2015.05.29*/
	 	}
	    this. isValid = function(){
/*Add invalid pwd for acs by FXN Young 2015.05.29*/
			if (!Password_Validation($("#tr069AcsUsername").val())||!Password_Validation($("#tr069AcsPassword").val())||!Password_Validation($("#tr069ConnName").val())||!Password_Validation($("#tr069ConnPassword").val())) 
				{
		            document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('ErrInvalidUserPwd_ACS');
		            return false;
		        }
			else if (isChineseChar($("#tr069AcsUsername").val())||isChineseChar($("#tr069AcsPassword").val())||isChineseChar($("#tr069ConnName").val())||isChineseChar($("#tr069ConnPassword").val())) 
				{
		            document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lChineseCharError_ACS');
		            return false;
		        }
			else if(isChineseChar($("#tr069AcsUrl").val()))
				{            
					document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lChineseCharError_ACS_URL_zh');
		            return false;
				}
			else if(!deviceNameValidation_ACS_URL($("#tr069AcsUrl").val()))
				{            
					document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lChineseCharError_ACS_URL_en');
		            return false;
				}
			else if(!isNumber($("#tr069InformInterval").val()))
				{
					document.getElementById('lPassErrorMesPN').style.display = 'block';
		            document.getElementById('lPassErrorMesPN').innerHTML = jQuery.i18n.prop('lNumberCharError_ACS');
		            return false;

				}
			else
/*Add end invalid pwd for acs by FXN Young 2015.05.29*/

	 	/*if(isNumber(document.getElementById('tr069AcsUrl').value) 
			&& isNumber(document.getElementById('tr069AcsUsername').value)
			&& isNumber(document.getElementById('tr069AcsPassword').value))
			return true;
		else {
			alert("it should be number!");*/
			return true;
		}
		this.onPostSuccess = function() {
	        this.onLoad();
	    }
	 
	    this.setXMLName = function (_xmlname) {
			xmlName = _xmlname;
	    }

	    this.loadHTML = function() {
			document.getElementById('Content').innerHTML = "";
			document.getElementById('Content').innerHTML = callProductHTML("html/user_management/acs_management.html");
	    }
	        return this.each(function () {

	        });
	}
})(jQuery);

function InformStatusChanged() {
    var linkObj = document.getElementById("lTr069InformEnable");
    var value = linkObj.options[linkObj.selectedIndex].value;
}
/*Foxconn dongmei add start for reboot after modify acs settings 20151103*/
function setDataReboot() {	
        g_objContent.getPostData();
	if(document.getElementById('tr069AcsPassword').value!=document.getElementById('tbacsreenter_password').value) {
	    document.getElementById('lPassErrorMes').style.display = 'block';
	    document.getElementById('lPassErrorMes').innerHTML=jQuery.i18n.prop('lPassErrorMes');
	    document.getElementById("tbacsreenter_password").value = '';
	} else {
	    document.getElementById('lPassErrorMes').style.display = 'none';
	    g_objContent.acsSave();
	}		
}
/*Foxconn dongmei add end for reboot after modify acs settings 20151103*/
function pswChanged() {
    document.getElementById("tbacsreenter_password").value = '';
    document.getElementById('lReAcsPassword').style.display = 'block';
    document.getElementById('tbacsreenter_password').style.display = 'block';

}

See this line
/*Modified for reduce the admin.xml reads */
_userName = $(getData("locale")).find("serial_number").text();

I think Engineering mode contains the following settings
Code:
 <Engi>
          <LTE>
			<mcc/>
			<lenOfMnc/>
			<mnc/>
			<tac/>
			<phyCellId/>
			<dlEuArfcn/>	
			<ulEuArfcn/>			
			<band/>
			<dlBandwidth/>
			<cellId/>
			<rsrp/>
			<rsrq/>
			<sinr/>
			<mainRsrp/>			
			<diversityRsrp/>
			<mainRsrq/>
			<diversityRsrq/>
			<rssi/>
			<cqi/>
			<eutran_cellid/>
			<ECGI/>
	  </LTE>
	</Engi>
You see we can change the band through Engineer Mode
 
Last edited:
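Returning to the TR-069 settings posted above (the `Device.ManagementServer` dump and the `<tr069>` XML block), this is an added example, not code from the thread or from the device firmware: it normalises both layouts and flags settings a reviewer would question. The sample values, the finding names and the mapping of `conn_name`/`conn_psw` to the Connection Request credentials are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed mapping of the <tr069> element names onto TR-069 parameter names.
XML_TO_PARAM = {
    "acs_url": "URL", "acs_username": "Username", "acs_password": "Password",
    "conn_name": "ConnectionRequestUsername",
    "conn_psw": "ConnectionRequestPassword",
    "inform_enable": "PeriodicInformEnable",
    "inform_interval": "PeriodicInformInterval",
}

# Constructed samples: same keys as the thread, placeholder values.
SAMPLE_DUMP = """Device.ManagementServer.
URL = https://acs.example.net:8443/ACS
Username = 00
Password = c2FtcGxlLW9ubHk=
PeriodicInformEnable = 1
PeriodicInformInterval = 86400
ConnectionRequestUsername =
ConnectionRequestPassword =
"""
SAMPLE_XML = """<tr069>
  <acs_url>http://acs.example.net:7547/ACS</acs_url>
  <acs_username></acs_username>
  <acs_password>***************</acs_password>
  <conn_name>sample</conn_name>
  <conn_psw>sample</conn_psw>
  <inform_enable>1</inform_enable>
  <inform_interval>86400</inform_interval>
</tr069>"""

def parse_dump(text):
    """Parse 'Key = value' lines; lines without '=' are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def parse_xml(text):
    """Parse a <tr069> element into the same parameter names."""
    root = ET.fromstring(text)
    node = root if root.tag == "tr069" else root.find(".//tr069")
    if node is None:
        return {}
    return {XML_TO_PARAM[c.tag]: (c.text or "").strip()
            for c in node if c.tag in XML_TO_PARAM}

def audit(cfg):
    """Return a list of finding codes for one normalised configuration."""
    findings = []
    if urlparse(cfg.get("URL", "")).scheme != "https":
        findings.append("ACS_URL_NOT_HTTPS")
    pw = cfg.get("Password", "")
    if pw and set(pw) != {"*"}:  # a masked value (all '*') is not readable
        findings.append("ACS_PASSWORD_READABLE")
    user = cfg.get("ConnectionRequestUsername", "")
    secret = cfg.get("ConnectionRequestPassword", "")
    if not user or not secret:
        findings.append("CONNREQ_CREDENTIALS_EMPTY")
    elif user == secret:
        findings.append("CONNREQ_PASSWORD_EQUALS_USERNAME")
    return findings

if __name__ == "__main__":
    for label, cfg in (("dump", parse_dump(SAMPLE_DUMP)), ("xml", parse_xml(SAMPLE_XML))):
        print(label, audit(cfg))
```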
Oct 16, 2016
39
17
Jammu
/etc/init.d # df -h
Filesystem Size Used Available Use% Mounted on
ubi0:rootfs 55.8M 29.1M 26.7M 52% /
tmpfs 64.0K 4.0K 60.0K 6% /dev
tmpfs 77.4M 20.0K 77.4M 0% /run
tmpfs 77.4M 488.0K 76.9M 1% /var/volatile
tmpfs 77.4M 0 77.4M 0% /media/ram
ubi0:usrfs 14.3M 88.0K 14.3M 1% /data
/dev/ubi7_0 123.4M 36.0K 118.7M 0% /cache
/dev/ubi1_0 37.1M 29.9M 7.2M 81% /firmware
/dev/ubi3_0 696.0K 108.0K 484.0K 18% /ww_data
/etc/init.d #

/etc # cat version
JIO_PEGASUS_M2_MF6727S_42_100_B37_Build03

Can you please pull the ww_data and data partitions and provide a google drive link for it.
 

sydikm

Member
Aug 19, 2008
9
3
Finally I have arranged the OG stock bin of JioFi PEG_M2S_B04, 43 MB, but need an unlocked one; if anyone can edit it, pls PM me or mail me s y d i k m 2 @ gm ail . c o m
 

Ablayr

New member
Mar 25, 2018
1
0
Pathankot
How to Unlock JioFi PEG_M2_B37 Device for all SIM Cards?

I have a JioFi M2 device with Firmware Version PEG_M2_B37, Hardware Version PEG_M2_D04, Firmware Creation date 2017-10-25, and Frequency Bands Supported B3, B5, B40. How do I unlock this device to use any other SIM?
The file named "JioFi_JMR520_R6.20.bin" downloaded from the internet gives the error "Version Check Fail" :(
Or kindly tell me how to extract the current firmware from the device, so that I can send you that firmware.
 

Top Liked Posts

  • 4
    /** Dont Get Confused Between Jiofi 2 and Jiofi 3. This Thread is Exclusive for JioFi 2 M2 Unlocking ,
    If you Brick or Damage your JioFi Router then please don't blame me **/


    Hi Guys,

    I have been doing some research on the JioFi M2 Mobile Router for the past few days. A few new things have been discovered which were not known to us before.

    New Updates 13.8.2017:
    Untitled_1.png

    New Updates 2.5.2017:
    I have Found the hardware Specs of the JioFi M2 Wifi Router by Disassembling it.
    Specs :

    • CPU: Qualcomm mdm 9307
    • Flash Chip: Nanya 1635
    • Motherboard: MF672S v3.1_B

    New Updates 1.5.2017:

    • This Router is an Android Device
    • Fastboot Mode is Available on this device ( Hold WPS + Power Button for 3 Secs ) Works Even without Battery inside
    • Fastboot Reboot and Fastboot Reboot Bootloader Working
    • Fastboot OEM Unlock is Showing Remote Unlock Not Allowed

    Currently my JioFi M2 is running on PEG_M2_B34 Firmware Version. I have tried Flashing JioFi_JMR520_R6.20.bin but its a FAILURE

    I am still trying to figure out if there is a USB Debugging mode so that we can reveal the Chipset and OEM of this Router.

    How Can you Help ME ??
    Ans : If you have the firmware file of Jiofi M2 Router then Please upload to a Dropbox or GDrive Drop the Link Below. I will try to unpack the .bin firmware and Repack and Flash.
    3
    Find UART pins for jiofi m2
    chrome_syxcMcFPQI.png

    use any ground as a GND pin connections


    if not then its QUALCOMM Mode

    if you get any shell access try this User - root Password - oelinux1 login shell



    cat /proc/mtd



    root@mdm9607-perf:~# cat /proc/mtd
    dev: size erasesize name
    mtd0: 00140000 00020000 "sbl"
    mtd1: 00140000 00020000 "mibib"
    mtd2: 00b40000 00020000 "efs2"
    mtd3: 00240000 00020000 "foxnv"
    mtd4: 00100000 00020000 "tz"
    mtd5: 00080000 00020000 "rpm"
    mtd6: 000c0000 00020000 "aboot"
    mtd7: 000c0000 00020000 "aboot_bak"
    mtd8: 00720000 00020000 "boot"
    mtd9: 00420000 00020000 "scrub"
    mtd10: 02600000 00020000 "modem"
    mtd11: 02600000 00020000 "modem_bak"
    mtd12: 00080000 00020000 "sec"
    mtd13: 00120000 00020000 "misc"
    mtd14: 00720000 00020000 "recovery"
    mtd15: 00060000 00020000 "fota"
    mtd16: 000a0000 00020000 "fwinfo"
    mtd17: 02700000 00020000 "recoveryfs"
    mtd18: 00060000 00020000 "cache"
    mtd19: 00120000 00020000 "nvram"
    mtd20: 00a20000 00020000 "foxusr"
    mtd21: 008e0000 00020000 "foxcal"
    mtd22: 02980000 00020000 "foximg"
    mtd23: 02700000 00020000 "system"








    cat /dev/mtd0 > /sdcard/sbl.img

    cat /dev/mtd1 > /sdcard/mibib.img # not done
    cat /dev/mtd2 > /sdcard/efs2.img # not done


    cat /dev/mtd3 > /sdcard/foxnv.img
    cat /dev/mtd4 > /sdcard/tz.img
    cat /dev/mtd5 > /sdcard/rpm.img
    cat /dev/mtd6 > /sdcard/aboot.img
    cat /dev/mtd7 > /sdcard/aboot_bak.img
    cat /dev/mtd8 > /sdcard/boot.img
    cat /dev/mtd9 > /sdcard/scrub.img
    cat /dev/mtd10 > /sdcard/modem.img
    cat /dev/mtd11 > /sdcard/modem_bak.img
    cat /dev/mtd12 > /sdcard/sec.img
    cat /dev/mtd13 > /sdcard/misc.img
    cat /dev/mtd14 > /sdcard/recovery.img
    cat /dev/mtd15 > /sdcard/fota.img
    cat /dev/mtd16 > /sdcard/fwinfo.img
    cat /dev/mtd17 > /sdcard/recoveryfs.img
    cat /dev/mtd18 > /sdcard/cache.img
    cat /dev/mtd19 > /sdcard/nvram.img
    cat /dev/mtd20 > /sdcard/foxusr.img
    cat /dev/mtd21 > /sdcard/foxcal.img
    cat /dev/mtd22 > /sdcard/foximg.img
    cat /dev/mtd23 > /sdcard/system.img





    Then you can edit the build.prop directly from shell and add

    Code :
    persist.service.adb.enable=1
    persist.service.debuggable=1
    persist.sys.usb.config=mtp,adb

    After reboot it’ll enable adb

    Backup first it is important to keep firmware stock.
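A host-side check for the backup step in the post above, as an added example that is not part of the original post: it parses the `/proc/mtd` listing and confirms that each `<name>.img` dump exists and matches the partition size, recording a SHA-256 for each file. It assumes the dumps were copied off the device under the file names used in the `cat` commands; the four sample rows come from the listing above and the dump files are constructed.

```python
import hashlib
import os
import re
import tempfile

# One /proc/mtd row: device, size (hex), erase size (hex), quoted name.
MTD_ROW = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]+)"$')

# Constructed sample: four rows taken from the /proc/mtd listing in the post.
SAMPLE_PROC_MTD = '''dev: size erasesize name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd5: 00080000 00020000 "rpm"
mtd15: 00060000 00020000 "fota"
'''

def parse_proc_mtd(text):
    """Return one dict per partition; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = MTD_ROW.match(line.strip())
        if m:
            rows.append({"dev": m.group(1), "name": m.group(4),
                         "size": int(m.group(2), 16),
                         "erasesize": int(m.group(3), 16)})
    return rows

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_dumps(rows, dump_dir):
    """Return {name: (status, sha256 or None)} for <name>.img in dump_dir."""
    report = {}
    for row in rows:
        path = os.path.join(dump_dir, row["name"] + ".img")
        if not os.path.isfile(path):
            report[row["name"]] = ("missing", None)
            continue
        actual = os.path.getsize(path)
        if actual == row["size"]:
            status = "ok"
        elif actual < row["size"]:
            status = "truncated"
        else:
            status = "oversize"
        report[row["name"]] = (status, sha256_file(path))
    return report

def demo():
    """Build constructed dump files and return {name: status}."""
    rows = parse_proc_mtd(SAMPLE_PROC_MTD)
    with tempfile.TemporaryDirectory() as d:
        # sbl and fota are complete, rpm is cut short, mibib is absent.
        for name, size in (("sbl", 0x140000), ("fota", 0x60000), ("rpm", 0x60000)):
            with open(os.path.join(d, name + ".img"), "wb") as f:
                f.write(b"\xff" * size)
        return {k: v[0] for k, v in verify_dumps(rows, d).items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:8s} {status}")
```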
    2
    hello

    gimme Ur email... i have a link but xda is not allowing me to type a link here as i am new.... (Mod Edit - Email Removed)
    2
    Download link for firmware files extracted from /firmware directory

    https: // drive.google. com/ open?id=1wWsJHPC8C8gX2Sv5SaPQC7FqzFurAadz