FRANKLIN T9 AKA R717 HOTSPOT THREAD
Posted: Fri Jan 05, 2024 6:26 pm
I know this is an old device. I just got one, well, a few of them, so I had to tinker a bit.
It is a Qualcomm MDM9x07 device containing 15 basic partitions, nothing fancy here.
dev: size erasesize name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd2: 00c00000 00020000 "efs2"
mtd3: 000c0000 00020000 "tz"
mtd4: 00060000 00020000 "rpm"
mtd5: 000a0000 00020000 "aboot"
mtd6: 007e0000 00020000 "boot"
mtd7: 01040000 00020000 "scrub"
mtd8: 02900000 00020000 "modem"
mtd9: 00140000 00020000 "misc"
mtd10: 007e0000 00020000 "recovery"
mtd11: 00180000 00020000 "fota"
mtd12: 011e0000 00020000 "recoveryfs"
mtd13: 00040000 00020000 "sec"
mtd14: 091e0000 00020000 "system"
Anything can be written to it, such as IMEI, MEID, ESN, MAC IDs, FID, serial numbers, NV, EFS, etc.
A simple little tool to load them
Made a build that is flashed with zeroed IMEI, hard-coded TTL and COM ports, and SPC set to 000000.
SSH root enabled as well as ADB. I made a build for each of the bigger carriers.
Some info for it:
The SPC needs to be read and set to 0's, which is right up my alley, as my background is in
CDMA, so everything was SPC dependent.
It can be found by simply sending this AT cmd:
at$SPC_WRITE?
Not very secure lol
The ports are also pretty easy to enable.
Use the usbd tool to do it
To pick the one you want
Just send
usb_composition
If you need SSH:
frk9x07 <-- is the SSH pass
If you don't have SSH at 192.168.0.1,
then in the admin pages restore config page
send this config.
Then you will have SSH.
Here are some useful URLs:
http://192.168.0.1/webpst/usb_mode.html
Use the web UI pass:
frk@r717
http://192.168.0.1/engineering/franklin/
Some of the hardware IDs so you know what driver type to load:
modem
USB\VID_05C6&PID_9025&REV_0318&MI_02
USB\VID_05C6&PID_9025&MI_02
diag
USB\VID_05C6&PID_9025&REV_0318&MI_00
USB\VID_05C6&PID_9025&MI_00
adb
USB\VID_05C6&PID_9025&REV_0318&MI_01
USB\VID_05C6&PID_9025&MI_01
There are a lot of (.enc) type firmwares all over the web that can be loaded through the admin page,
but I wanted the full firmware for it.
These files can recover borked devices and recover dead devices,
much more useful than the leaked encrypted partial builds and update files that are out there.
Please feel free to add to this thread
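
A parser for the /proc/mtd listing quoted in the post, added here as an example and not part of the original post: it converts the hex sizes to bytes and checks the table for erase-block alignment and index/name consistency, giving a baseline to compare a device or dump against. The names `parse_mtd` and `check_layout` and the choice of checks are this example's own.

```python
import re
from collections import namedtuple
# /proc/mtd listing copied from the post; everything else here is this example's own.
PROC_MTD = """dev: size erasesize name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd2: 00c00000 00020000 "efs2"
mtd3: 000c0000 00020000 "tz"
mtd4: 00060000 00020000 "rpm"
mtd5: 000a0000 00020000 "aboot"
mtd6: 007e0000 00020000 "boot"
mtd7: 01040000 00020000 "scrub"
mtd8: 02900000 00020000 "modem"
mtd9: 00140000 00020000 "misc"
mtd10: 007e0000 00020000 "recovery"
mtd11: 00180000 00020000 "fota"
mtd12: 011e0000 00020000 "recoveryfs"
mtd13: 00040000 00020000 "sec"
mtd14: 091e0000 00020000 "system"
"""

Part = namedtuple("Part", "index name size erasesize")
LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')

def parse_mtd(text):
    """Parse /proc/mtd text into Part tuples (sizes converted from hex to bytes)."""
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m:
            parts.append(Part(int(m[1]), m[4], int(m[2], 16), int(m[3], 16)))
        elif line and not line.startswith("dev:"):
            raise ValueError(f"unparseable /proc/mtd line: {line!r}")
    return parts

def check_layout(parts):
    """Return a list of layout problems; an empty list means the table is sane."""
    problems = [f"{p.name}: size is not a whole number of erase blocks"
                for p in parts if p.erasesize == 0 or p.size % p.erasesize]
    if [p.index for p in parts] != list(range(len(parts))):
        problems.append("mtd indices are not contiguous from 0")
    if len({p.name for p in parts}) != len(parts):
        problems.append("duplicate partition name")
    return problems

if __name__ == "__main__":
    parts = parse_mtd(PROC_MTD)
    print(len(parts), "partitions,", sum(p.size for p in parts) >> 20, "MiB,", check_layout(parts) or "layout OK")
```

On the listing above this reports 15 partitions totalling 256 MiB with every partition a whole number of 128 KiB erase blocks.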