After requests from the online community I am glad to announce that a downgrade method has been found for T-Mobile branded Franklin Wireless R717 Access Points on firmware 2602. In this post I will go over how I found this method, how to do the downgrade, and links to the required files.

When I found out that 2602 was released for the T9, I quickly got a copy using the OTA endpoint I documented in my last blog post on rooting the device. Once acquired, I extracted it and was quite surprised by my findings:

- All passwords that were previously documented were changed/rotated.
- The root user password is now a salted SHA256 hash, a huge improvement!
- The hidden/engineering pages have new passwords, which are ALSO stored as salted SHA256 hashes.
- OTAs are now verified against a public cert on upload, so there is no way to create a custom OTA image.
- Config dumps are also signed and verified. However, since devices have to generate these themselves, both the cert and the private signing key are available on the device.
- Dropbear (the SSH server) has been removed from the image completely.

Since I had a copy of the OTA, I decided to flash it on one of my devices, but with the root password changed ahead of time using the decryption/encryption method from my previous blog post. With this, I was able to get a root shell on the device over UART. This is how I started my initial research into the new update. To save everyone a ton of time I will jump straight to my findings.

At the end of the day, I found that config dumps allow a user to put files in /data/misc and /data/configs. These are the only two paths you can create files in. With this, I then messed around with the AP configuration file named mobileap_cfg.xml and found that command injection was possible in some of its fields. With the two findings combined, I was able to create and sign a custom configuration dump that includes a bash script which the device executes on boot. This means we can run arbitrary commands on the device as root, and flash a custom OTA image!

But wait, how am I able to use a custom OTA image if there is no way to sign a modified update? Well, since Franklin Wireless implemented the image verification logic in userspace and not in the recovery environment itself, we can just skip it all! Below you can find the magic I use to completely bypass the OTA verification process. Recovery reads /cache/recovery/command with one option per line, so the second write must append rather than overwrite the first:

# Make the OTA system be OK with the abusive install method
echo "--update_package=/cache/ota_update_all.zip" > /cache/recovery/command
echo "--debug_no_reboot" >> /cache/recovery/command

With everything combined, we now have what we need to downgrade devices on 2602!

Usage

Download the appropriate downgrade file for your specific carrier. In most cases, the 1311 downgrade is recommended. To do the downgrade you will also want to download the appropriate configuration for your specific use case.
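As an added example (this is not the post's own script), here is a small POSIX sh helper that stages the recovery command file for the install described above and checks it before you reboot into recovery. The only things taken from the post are the package path /cache/ota_update_all.zip, the file /cache/recovery/command and the two options; the function names and the optional root-directory argument (so the logic can be dry-run in a scratch directory off the device) are assumptions of this example.

```shell
#!/bin/sh
# Stage /cache/recovery/command for the userspace-bypass OTA install.
# Pass a scratch directory as $1 to dry-run off the device; pass nothing
# (or "") on the device itself. Function names are this example's own.

OTA_ZIP="/cache/ota_update_all.zip"   # package path from the post
CMD_FILE="/cache/recovery/command"    # recovery reads one option per line

# Verify the staged file is exactly the two expected lines, in order, so a
# typo or a stray '>' is caught before rebooting into recovery.
check_recovery_command() {
    root="${1:-}"
    f="$root$CMD_FILE"
    [ -f "$f" ] || { echo "no $f" >&2; return 1; }
    n="$(wc -l < "$f" | tr -d ' ')"
    [ "$n" -eq 2 ] || { echo "expected 2 lines in $f, got $n" >&2; return 1; }
    [ "$(sed -n 1p "$f")" = "--update_package=$OTA_ZIP" ] \
        || { echo "line 1 of $f is wrong" >&2; return 1; }
    [ "$(sed -n 2p "$f")" = "--debug_no_reboot" ] \
        || { echo "line 2 of $f is wrong" >&2; return 1; }
    return 0
}

# Write the command file, refusing to point recovery at a package that is
# not actually present (recovery would have nothing to install).
stage_recovery_command() {
    root="${1:-}"
    if [ ! -f "$root$OTA_ZIP" ]; then
        echo "missing OTA package: $root$OTA_ZIP" >&2
        return 1
    fi
    mkdir -p "$root/cache/recovery" || return 1
    # First write truncates; the second MUST append. A second '>' would
    # silently drop --update_package and recovery would do nothing useful.
    echo "--update_package=$OTA_ZIP" > "$root$CMD_FILE" || return 1
    echo "--debug_no_reboot" >> "$root$CMD_FILE" || return 1
    check_recovery_command "$root"
}
```

On the device, source the file and run `stage_recovery_command` with no argument after the custom package has been placed at /cache/ota_update_all.zip; it prints a reason and returns non-zero if the package is missing or the command file did not come out as the two expected lines. Running `stage_recovery_command /tmp/dryrun` on a workstation exercises the same logic without touching /cache.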