FRANKLIN T9 AKA R717 HOTSPOT THREAD
- Rich Hathaway
- Posts: 661
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 13 times
- Been thanked: 251 times
FRANKLIN T9 AKA R717 HOTSPOT THREAD
I know this is an old device. I just got one, well, a few of them, so I had to tinker a bit.
It is a Qualcomm MDM9x07 device containing 15 basic partitions, nothing fancy here.
dev: size erasesize name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd2: 00c00000 00020000 "efs2"
mtd3: 000c0000 00020000 "tz"
mtd4: 00060000 00020000 "rpm"
mtd5: 000a0000 00020000 "aboot"
mtd6: 007e0000 00020000 "boot"
mtd7: 01040000 00020000 "scrub"
mtd8: 02900000 00020000 "modem"
mtd9: 00140000 00020000 "misc"
mtd10: 007e0000 00020000 "recovery"
mtd11: 00180000 00020000 "fota"
mtd12: 011e0000 00020000 "recoveryfs"
mtd13: 00040000 00020000 "sec"
mtd14: 091e0000 00020000 "system"
Anything can be written to it, such as IMEI, MEID, ESN, MAC IDs, FID, serial numbers, NV, EFS, etc.
A simple little tool to load them.
I made a build that is flashed with zeroed IMEI, hard-coded TTL and COM ports, and SPC set to 000000,
with SSH root enabled as well as ADB. I made a build for each of the bigger carriers.
Some info for it:
The SPC needs to be read and set to 0's, which is right up my alley as my background is in
CDMA, so everything was SPC dependent.
It can be found by simply sending this AT command:
at$SPC_WRITE?
Not very secure lol
The ports are also pretty easy to enable.
Use the usbd tool to do it.
To pick the one you want,
just send
usb_composition
If you need SSH,
frk9x07 <-- is the SSH pass
If you don't have SSH at 192.168.0.1,
then in the admin pages' restore config page,
send this config.
Then you will have SSH.
Here are some useful URLs:
http://192.168.0.1/webpst/usb_mode.html
Use the web UI pass
frk@r717
http://192.168.0.1/engineering/franklin/
Some of the hardware IDs so you know what driver type to load:
modem
USB\VID_05C6&PID_9025&REV_0318&MI_02
USB\VID_05C6&PID_9025&MI_02
diag
USB\VID_05C6&PID_9025&REV_0318&MI_00
USB\VID_05C6&PID_9025&MI_00
adb
USB\VID_05C6&PID_9025&REV_0318&MI_01
USB\VID_05C6&PID_9025&MI_01
There are a lot of (.enc) type firmwares all over the web that can be loaded through the admin page,
but I wanted the full firmware for it.
These files can recover borked devices and recover dead devices,
much more useful than the leaked encrypted partial builds and update files that are out there.
Please feel free to add to this thread.
- These users thanked the author Rich Hathaway for the post:
- Chin0 (Thu Mar 06, 2025 1:12 pm)
- Rich Hathaway
Re: FRANKLIN T9 AKA R717 HOTSPOT THREAD
I enabled the ports then just erased sbl and it will be stuck in 9008 mode but fair warning if you do that you will need to
reload at least the sbl after sending a proper loader to it or it will never come out of 9008 mode and boot back up.
Or there is a testpoint for this one, one that goes to 9008 and one that goes to fastboot if you take it apart.
- These users thanked the author Rich Hathaway for the post:
- Chin0 (Thu Mar 06, 2025 1:03 pm)
Re: FRANKLIN T9 AKA R717 HOTSPOT THREAD
Nice trick deleting sbl, any qcom would go to emergency download after that. Taking apart the modem isn't a problem, it's already disassembled. I found the fastboot testpoint, which is pretty obvious as soon as you pull the plates. There's another point just above the qcom chip that I thought was for EDL, but it didn't work for me. I tried to go fastboot to EDL but no answer. Could you help me find the EDL testpoint? I tried a couple of points around the qcom chip with no success, I tried shorting them to GND. That way I can do a backup of all the partitions before I do anything with it. Thanks Rich.
- Rich Hathaway
Re: FRANKLIN T9 AKA R717 HOTSPOT THREAD
OK, here it is, I circled it in red for you. Or for 9008 via fastboot, use fastboot erase sbl
- These users thanked the author Rich Hathaway for the post (total 2):
- Chin0 (Thu Mar 06, 2025 5:48 pm) • Orlimar1 (Fri Mar 07, 2025 10:16 am)
Re: FRANKLIN T9 AKA R717 HOTSPOT THREAD
Man, thanks. At the time I got your answer with the attached pic I was already at 9008. I was able to do it via the fastboot erase command. Now on my way to find a working loader to connect through the Sahara protocol; I tried a couple I got online but neither of them has worked so far. I really appreciate your help. I'll let you know whether I need further help. Again, thanks.
- Rich Hathaway
Re: FRANKLIN T9 AKA R717 HOTSPOT THREAD
Sure np, I hope you backed up sbl before you deleted it.
- These users thanked the author Rich Hathaway for the post:
- Chin0 (Fri Mar 07, 2025 11:39 am)
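An added example, not code from any poster in this thread: the backup check implied by the partition table in the first post and by the advice above to back up sbl before erasing it. It parses the posted /proc/mtd listing and compares partition dump sizes against it; the function names and the name-to-size dump mapping are assumptions of this example.

```python
import re

# /proc/mtd listing as posted in the first post of this thread.
PROC_MTD = """\
dev: size erasesize name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd2: 00c00000 00020000 "efs2"
mtd3: 000c0000 00020000 "tz"
mtd4: 00060000 00020000 "rpm"
mtd5: 000a0000 00020000 "aboot"
mtd6: 007e0000 00020000 "boot"
mtd7: 01040000 00020000 "scrub"
mtd8: 02900000 00020000 "modem"
mtd9: 00140000 00020000 "misc"
mtd10: 007e0000 00020000 "recovery"
mtd11: 00180000 00020000 "fota"
mtd12: 011e0000 00020000 "recoveryfs"
mtd13: 00040000 00020000 "sec"
mtd14: 091e0000 00020000 "system"
"""
ROW = re.compile(r'^(mtd\d+):\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+"([^"]+)"\s*$', re.I)

def parse_proc_mtd(text):
    """Return (dev, name, size_bytes, erase_bytes) per partition row."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):  # header row never matches
        dev, size, erase, name = m.groups()
        rows.append((dev, name, int(size, 16), int(erase, 16)))
    return rows

def check_backup(rows, dump_sizes):
    """Compare dump sizes (hypothetical mapping: name -> bytes) with the table."""
    problems = {}
    for _dev, name, size, erase in rows:
        got = dump_sizes.get(name)
        if size % erase:
            problems[name] = "size is not a multiple of the erase block"
        elif got is None:
            problems[name] = "no dump taken"
        elif got != size:
            problems[name] = f"dump is {got} bytes, expected {size}"
    return problems

if __name__ == "__main__":
    table = parse_proc_mtd(PROC_MTD)
    print(sum(r[2] for r in table) // 2**20, "MiB in", len(table), "partitions")
    print(check_backup(table, {"sbl": 0x100000}))  # constructed: one short dump only
```

The 15 partitions add up to exactly 256 MiB, so a complete set of dumps should total the same.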