Reminder: There is no fee to participate in this lab exercise. If you wish to take the hotspot with you when you leave, find Matt or Jeff to submit the $20 payment.

This hacking project will take you through the process of taking control of the T-Mobile Franklin T9
hotspot. This device was included in a free test-drive promotion of T-Mobile's hotspot service. Over a few
months, hackers figured out how the software on the device works, found security flaws and exploits for
them, and discovered default passwords and hidden web menus.

Much of the preliminary work was done by a researcher who documented his findings for the
public and for the manufacturer to use. Others added to his discoveries and found easier ways to
accomplish the hacking goals: enabling SSH (Secure Shell), getting root access, unlocking the
device to use non-T-Mobile SIMs, improving throughput, and preventing the device from automatically
updating, which would remove the documented flaws and undo your hacking changes.

The researcher's web page is linked below. Think of his information as a glimpse into the world of IoT
pentesting and the interaction between members of this community. The document is not a
cookbook-style recipe, but more of an adventure. You will need to look for hidden web pages,
passwords, and actions to perform to gain and keep control of the device, as well as various workable and
misguided methods of doing it. Just because a commenter suggests something doesn't mean it is a
good idea.
NOTES:

  • Plug the hotspot into your laptop with a USB cord and access the hotspot web interface at 192.168.0.1. You can connect via Wi-Fi, but it's easier to use the USB Ethernet connection.
  • DO NOT install SIM cards into the hotspot before completing the OTA-blocking hack. Failure to
    follow this will cause the hotspot to update and undo all the hacks permanently.
  • If the web interface prompts you to change the password, please ONLY change the password if you are going to keep the hotspot. If you are working through the lab activity and plan to return the hotspot when you're done, please press the ESCAPE key to get past the password change prompts without changing the password.
  • To gain SSH access, there is no need to use curl or any obscure methods. The page linked
    below refers to a hidden page where SSH can be enabled from the web interface.
  • Each hotspot broadcasts a unique SSID that you will need to use to complete the
    modifications. I have Verizon SIMs for you to use/test the SIM unlock code.
  • Goals for this project are to:
    • Log into various hidden web pages
    • Enable SSH
    • Change the IMEI
    • Unlock the SIM
    • Disable OTA updates
    • Modify the TTL (Time To Live) (requires SSH)

Load this page in a new tab; the notes and instructions are all on that page:
https://snt.sh/2020/09/rooting-the-t-mobile-t9-franklin-wireless-r717/

TLDR:

  • TTL traffic prioritization
    • Link to the persistent TTL modification that forces all traffic to be prioritized:
  • SIM unlocking
    • Link to the SIM Unlock JS Fiddle web page:
    • https://jsfiddle.net/4zds6531/
  • OTA (Over the Air) update disable
    • In the hotspot's page at http://192.168.0.1/webpst/ , there is a "FOTA Test" section to change the FOTA (Firmware Over The Air) server path. Change this, apply, and reboot to prevent firmware upgrades. It is critical to change the upgrade path so that the hotspot's firmware does not update once it has a live data connection. If the firmware upgrades, the ability to do most of the things covered in this guide is locked out.
  • Change IMEI
    • To change the IMEI, see the hidden engineering menus. Apply, reboot, and verify the change on the "info" screen in the web interface. This is a unique capability and extremely useful for many reasons.

If you finish the lab activity and don't want to keep the hotspot, please give the hotspot back
to Matt, Jeff or another HHV volunteer. It needs to be tagged as "modified" so it can be returned to its default state.